More tests

2025-10-26 23:56:02 +11:00
parent 0ce38e3202
commit a2a954b4c3
6 changed files with 576 additions and 6 deletions
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -31,7 +31,7 @@ module Authentication

    def request_authentication
      session[:return_to_after_authenticating] = request.url
-      redirect_to new_session_path
+      redirect_to signin_path
    end

    def after_authentication_url
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -8,7 +8,16 @@ class InvitationsController < ApplicationController
  end

  def update
-    if @user.update(params.permit(:password, :password_confirmation))
+    # Validate password manually since empty passwords might not trigger validation
+    password = params[:password]
+    password_confirmation = params[:password_confirmation]
+
+    if password.blank? || password_confirmation.blank? || password != password_confirmation || password.length < 8
+      redirect_to invitation_path(params[:token]), alert: "Passwords did not match."
+      return
+    end
+
+    if @user.update(password: password, password_confirmation: password_confirmation)
      @user.update!(status: :active)
      @user.sessions.destroy_all
      start_new_session_for @user
@@ -24,10 +33,18 @@ class InvitationsController < ApplicationController
    @user = User.find_by_token_for(:invitation_login, params[:token])

    # Check if user is still pending invitation
-    unless @user.pending_invitation?
-      redirect_to new_session_path, alert: "This invitation has already been used or is no longer valid."
+    if @user.nil?
+      redirect_to signin_path, alert: "Invitation link is invalid or has expired."
+      return false
+    elsif @user.pending_invitation?
+      # User is valid and pending - proceed
+      return true
+    else
+      redirect_to signin_path, alert: "This invitation has already been used or is no longer valid."
+      return false
    end
  rescue ActiveSupport::MessageVerifier::InvalidSignature
-    redirect_to new_session_path, alert: "Invitation link is invalid or has expired."
+    redirect_to signin_path, alert: "Invitation link is invalid or has expired."
+    return false
  end
 end