From 629ae62b730409b46de6abc8c5166155841b5a00 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 20 Jul 2015 21:32:34 +0100
Subject: [PATCH] Require a valid session token to resend a confirmation

Make user#confirm_resend require a valid token in the session that matches the requested user, and ensure trying to login as an unconfirmed user sets such a token.
Fixes #1010
---
 app/controllers/user_controller.rb | 15 ++++++++++-----
 test/controllers/user_controller_test.rb | 14 +++++++++++++-
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 8a5fa3fe1..0c2514927 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -318,16 +318,19 @@ class UserController < ApplicationController
 else
 user = User.find_by_display_name(params[:display_name])
- redirect_to root_path if !user || user.active?
+ redirect_to root_path if user.nil? || user.active?
 end
 end
 def confirm_resend
- if user = User.find_by_display_name(params[:display_name])
- Notifier.signup_confirm(user, user.tokens.create).deliver_now
- flash[:notice] = t "user.confirm_resend.success", :email => "your email" # user.email
- else
+ user = User.find_by_display_name(params[:display_name])
+ token = UserToken.find_by_token(session[:token])
+
+ if user.nil? || token.nil? || token.user != user
 flash[:error] = t "user.confirm_resend.failure", :name => params[:display_name]
+ else
+ Notifier.signup_confirm(user, user.tokens.create).deliver_now
+ flash[:notice] = t "user.confirm_resend.success", :email => user.email
 end
 redirect_to :action => "login"
@@ -631,6 +634,8 @@ class UserController < ApplicationController
 ##
 #
 def unconfirmed_login(user)
+ session[:token] = user.tokens.create.token
+
 redirect_to :action => "confirm", :display_name => user.display_name
 session.delete(:remember_me)
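Review bot: The new guard in `confirm_resend` ties the session token to the requested user but, unlike the `confirm` branch just above it (`user.nil? || user.active?`), never looks at the account state, so if `session[:token]` can ever refer to an already-active account the action would still send a signup confirmation mail. Consider `if user.nil? || token.nil? || token.user != user || user.active?`. Nothing visible limits how often a holder of a valid token can call this action, and each call creates another token row and another mail, so a throttle is worth considering. A short comment should also record that showing `user.email` in the success flash is acceptable only because the token check binds the request to that user's own login attempt. `confirm` starts above the hunk and `confirm_resend` ends below it.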
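Review bot: The value stored in `session[:token]` in `unconfirmed_login` comes from the same `user.tokens.create` call that produces the mailed confirmation token, so the session now carries a credential of the same kind as the one that is meant to prove e-mail ownership. Whether that matters depends on the session store and on how the confirm action validates its token, neither of which is visible here; if the session contents are readable by the client, a marker that cannot double as a confirmation token would be safer, for example `session[:pending_user] = user.id` compared against the looked-up user in `confirm_resend`. A new token row is also created on every unconfirmed login attempt, and the lookup in `confirm_resend` shows no expiry check, so expiry and cleanup of these rows should be confirmed. The method body continues past the end of the hunk.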
diff --git a/test/controllers/user_controller_test.rb b/test/controllers/user_controller_test.rb
index 03238ea28..37b8a7f30 100644
--- a/test/controllers/user_controller_test.rb
+++ b/test/controllers/user_controller_test.rb
@@ -474,6 +474,8 @@ class UserControllerTest < ActionController::TestCase
 end
 def test_confirm_resend_success
+ session[:token] = users(:inactive_user).tokens.create.token
+
 assert_difference "ActionMailer::Base.deliveries.size", 1 do
 get :confirm_resend, :display_name => users(:inactive_user).display_name
 end
@@ -489,7 +491,17 @@ class UserControllerTest < ActionController::TestCase
 ActionMailer::Base.deliveries.clear
 end
- def test_confirm_resend_failure
+ def test_confirm_resend_no_token
+ assert_no_difference "ActionMailer::Base.deliveries.size" do
+ get :confirm_resend, :display_name => users(:inactive_user).display_name
+ end
+
+ assert_response :redirect
+ assert_redirected_to login_path
+ assert_match "User Inactive User not found.", flash[:error]
+ end
+
+ def test_confirm_resend_unknown_user
 assert_no_difference "ActionMailer::Base.deliveries.size" do
 get :confirm_resend, :display_name => "No Such User"
 end
-- 
2.43.2
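Review bot: The `token.user != user` branch of the new guard has no test in the second hunk: `test_confirm_resend_no_token` covers a missing token and `test_confirm_resend_unknown_user` an unknown name, but no case places a valid token for one user in the session while requesting a different user's name. That mismatch is the case the commit exists to block, so it deserves its own test asserting that no mail is delivered and that the same failure flash is shown. The fixture name in the sketch below is a placeholder for any user fixture other than `:inactive_user`.

```ruby
def test_confirm_resend_token_for_other_user
  # PLACEHOLDER fixture: substitute any existing user fixture other than :inactive_user
  session[:token] = users(:OTHER_USER_FIXTURE).tokens.create.token

  assert_no_difference "ActionMailer::Base.deliveries.size" do
    get :confirm_resend, :display_name => users(:inactive_user).display_name
  end

  assert_response :redirect
  assert_redirected_to login_path
  assert_match "User Inactive User not found.", flash[:error]
end
```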