From 42377da6c4b8bf667b51270245d93f4282fb2953 Mon Sep 17 00:00:00 2001
From: MadeTech Dushan
Date: Wed, 10 Nov 2021 12:37:59 +0000
Subject: [PATCH] add test around protecting emails

---
 app/controllers/users/passwords_controller.rb | 7 +++++++
 spec/features/user_spec.rb                    | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/app/controllers/users/passwords_controller.rb b/app/controllers/users/passwords_controller.rb
index b28c53d18..68c87a123 100644
--- a/app/controllers/users/passwords_controller.rb
+++ b/app/controllers/users/passwords_controller.rb
@@ -5,6 +5,13 @@ class Users::PasswordsController < Devise::PasswordsController
     render "devise/confirmations/reset"
   end
 
+  def create
+    self.resource = resource_class.send_reset_password_instructions(resource_params)
+    yield resource if block_given?
+
+    respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+  end
+
   protected
 
   def after_sending_reset_password_instructions_path_for(resource)
diff --git a/spec/features/user_spec.rb b/spec/features/user_spec.rb
index 64ba34f2f..408ffbd40 100644
--- a/spec/features/user_spec.rb
+++ b/spec/features/user_spec.rb
@@ -36,5 +36,12 @@ RSpec.describe "User Features" do
     click_button("Send email")
     expect(page).to have_content("test@example.com")
   end
+
+  it " is shown the reset password confirmation page even if their email doesn't exist in the system" do
+    visit("/users/password/new")
+    fill_in("user_email", with: "idontexist@example.com")
+    click_button("Send email")
+    expect(page).to have_current_path("/confirmations/reset?email=idontexist%40example.com")
+  end
 end
 end
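Review bot: The new `create` drops Devise's `successfully_sent?` branch so that every submission redirects to the confirmation page, which is what stops the form from disclosing whether an address is registered, but nothing in the hunk records that intent and a later maintainer could restore the default branch as an apparent fix. Add a comment above the method, e.g. `# Always redirect, whether or not the email is registered: re-rendering the form with errors would reveal which addresses exist (user enumeration).` This also means validation failures such as a blank or malformed email are no longer rendered back to the user, which should be a deliberate choice. Devise's `config.paranoid = true` gives the same uniform response without overriding `create`, and may be worth preferring so the override does not drift from upstream behaviour. The redirect target is built in `after_sending_reset_password_instructions_path_for`, outside the hunk, and the spec shows it carries the submitted email in the query string, where it will appear in server and proxy logs.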
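Review bot: The assertion in the new example only checks the redirect path, so it would still pass if the confirmation page rendered differently for unknown addresses; mirroring the previous example with `expect(page).to have_content("idontexist@example.com")` would pin that both cases show the same page. The description string starts with a stray space, `" is shown the reset password ..."`, which reads oddly in spec output; drop the leading space. Asserting that no reset email was delivered for the unknown address (e.g. via `ActionMailer::Base.deliveries`) would make the enumeration guard explicit, assuming the suite uses the test delivery method.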