Enforces terms in the web application

This enforces the terms in the web application. These cases are specced: - Logging in: When terms are enforced, and a user logs in that has not accepted the terms, they are presented with the screen. They get directed to their customized root path afterwards. - Signing up: After signing up, the first screen the user is presented with the screen to accept the terms. After they accept they are directed to the dashboard. - While a session is active: - For a GET: The user will be directed to the terms page first, after they accept the terms, they will be directed to the page they were going to - For any other request: They are directed to the terms, after they accept the terms, they are directed back to the page they came from to retry the request. Any information entered would be persisted in localstorage and available on the page.
author: Bob Van Landuyt <bob@vanlanduyt.co> 2018-04-27 17:50:33 +0300
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-05-04 14:54:43 +0300
commit: 7684217d6806408cd338260119364419260d1720 (patch)
tree: 7b913d6c6c051a463d99ad286e2ac04a6b8d5632 /spec/controllers
parent: 10aa55a770c2985c22c92d17b8a7ea90b0a09085 (diff)
3 files changed, 153 insertions, 0 deletions
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index fe95d1ef9cd..f0caac40afd 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe ApplicationController do
+  include TermsHelper
+
   let(:user) { create(:user) }
 
   describe '#check_password_expiration' do
@@ -406,4 +408,65 @@ describe ApplicationController do
       end
     end
   end
+
+  context 'terms' do
+    controller(described_class) do
+      def index
+        render text: 'authenticated'
+      end
+    end
+
+    before do
+      stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
+      sign_in user
+    end
+
+    it 'does not query more when terms are enforced' do
+      control = ActiveRecord::QueryRecorder.new { get :index }
+
+      enforce_terms
+
+      expect { get :index }.not_to exceed_query_limit(control)
+    end
+
+    context 'when terms are enforced' do
+      before do
+        enforce_terms
+      end
+
+      it 'redirects if the user did not accept the terms'  do
+        get :index
+
+        expect(response).to have_gitlab_http_status(302)
+      end
+
+      it 'does not redirect when the user accepted terms' do
+        accept_terms(user)
+
+        get :index
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      context 'for sessionless users' do
+        before do
+          sign_out user
+        end
+
+        it 'renders a 403 when the sessionless user did not accept the terms' do
+          get :index, rss_token: user.rss_token, format: :atom
+
+          expect(response).to have_gitlab_http_status(403)
+        end
+
+        it 'renders a 200 when the sessionless user accepted the terms' do
+          accept_terms(user)
+
+          get :index, rss_token: user.rss_token, format: :atom
+
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
+    end
+  end
 end
diff --git a/spec/controllers/concerns/internal_redirect_spec.rb b/spec/controllers/concerns/internal_redirect_spec.rb
new file mode 100644
index 00000000000..a0ee13b2352
--- /dev/null
+++ b/spec/controllers/concerns/internal_redirect_spec.rb
@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+describe InternalRedirect do
+  let(:controller_class) do
+    Class.new do
+      include InternalRedirect
+
+      def request
+        @request ||= Struct.new(:host, :port).new('test.host', 80)
+      end
+    end
+  end
+  subject(:controller) { controller_class.new }
+
+  describe '#safe_redirect_path' do
+    it 'is `nil` for invalid uris' do
+      expect(controller.safe_redirect_path('Hello world')).to be_nil
+    end
+
+    it 'is `nil` for paths trying to include a host' do
+      expect(controller.safe_redirect_path('//example.com/hello/world')).to be_nil
+    end
+
+    it 'returns the path if it is valid' do
+      expect(controller.safe_redirect_path('/hello/world')).to eq('/hello/world')
+    end
+
+    it 'returns the path with querystring if it is valid' do
+      expect(controller.safe_redirect_path('/hello/world?hello=world#L123'))
+        .to eq('/hello/world?hello=world#L123')
+    end
+  end
+
+  describe '#safe_redirect_path_for_url' do
+    it 'is `nil` for invalid urls' do
+      expect(controller.safe_redirect_path_for_url('Hello world')).to be_nil
+    end
+
+    it 'is `nil` for urls from a with a different host' do
+      expect(controller.safe_redirect_path_for_url('http://example.com/hello/world')).to be_nil
+    end
+
+    it 'is `nil` for urls from a with a different port' do
+      expect(controller.safe_redirect_path_for_url('http://test.host:3000/hello/world')).to be_nil
+    end
+
+    it 'returns the path if the url is on the same host' do
+      expect(controller.safe_redirect_path_for_url('http://test.host/hello/world')).to eq('/hello/world')
+    end
+
+    it 'returns the path including querystring if the url is on the same host' do
+      expect(controller.safe_redirect_path_for_url('http://test.host/hello/world?hello=world#L123'))
+        .to eq('/hello/world?hello=world#L123')
+    end
+  end
+
+  describe '#host_allowed?' do
+    it 'allows uris with the same host and port' do
+      expect(controller.host_allowed?(URI('http://test.host/test'))).to be(true)
+    end
+
+    it 'rejects uris with other host and port' do
+      expect(controller.host_allowed?(URI('http://example.com/test'))).to be(false)
+    end
+  end
+end
diff --git a/spec/controllers/users/terms_controller_spec.rb b/spec/controllers/users/terms_controller_spec.rb
index 50e818a4520..a744463413c 100644
--- a/spec/controllers/users/terms_controller_spec.rb
+++ b/spec/controllers/users/terms_controller_spec.rb
@@ -36,6 +36,30 @@ describe Users::TermsController do
 
       expect(response).to redirect_to(groups_path)
     end
+
+    it 'redirects to the referer when no redirect specified' do
+      request.env["HTTP_REFERER"] = groups_url
+
+      post :accept, id: term.id
+
+      expect(response).to redirect_to(groups_path)
+    end
+
+    context 'redirecting to another domain' do
+      it 'is prevented when passing a redirect param' do
+        post :accept, id: term.id, redirect: '//example.com/random/path'
+
+        expect(response).to redirect_to(root_path)
+      end
+
+      it 'is prevented when redirecting to the referer' do
+        request.env["HTTP_REFERER"] = 'http://example.com/and/a/path'
+
+        post :accept, id: term.id
+
+        expect(response).to redirect_to(root_path)
+      end
+    end
   end
 
   describe 'POST #decline' do
author	Bob Van Landuyt <bob@vanlanduyt.co>	2018-04-27 17:50:33 +0300
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2018-05-04 14:54:43 +0300
commit	7684217d6806408cd338260119364419260d1720 (patch)
tree	7b913d6c6c051a463d99ad286e2ac04a6b8d5632 /spec/controllers
parent	10aa55a770c2985c22c92d17b8a7ea90b0a09085 (diff)