From e0d501f8327d66a394b2ba3f23185af640e10630 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 1 Apr 2021 17:23:43 +0100
Subject: [PATCH] Don't allow deleted users to be confirmed
---
 app/controllers/users_controller.rb | 6 ++--
 test/controllers/users_controller_test.rb | 38 +++++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ca3726210..e389f6fbf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -280,6 +280,8 @@ class UsersController < ApplicationController
 elsif !token || token.expired?
 flash[:error] = t("users.confirm.unknown token")
 redirect_to :action => "confirm"
+ elsif !token.user.visible?
+ render_unknown_user token.user.display_name
 else
 user = token.user
 user.status = "active"
@@ -309,14 +311,14 @@ class UsersController < ApplicationController
 end
 end
 else
- user = User.find_by(:display_name => params[:display_name])
+ user = User.visible.find_by(:display_name => params[:display_name])
 redirect_to root_path if user.nil? || user.active?
 end
 end
 def confirm_resend
- user = User.find_by(:display_name => params[:display_name])
+ user = User.visible.find_by(:display_name => params[:display_name])
 token = UserToken.find_by(:token => session[:token])
 if user.nil? || token.nil? || token.user != user
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index 6cefcaa93..d5b915a85 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
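Review bot: The new `elsif !token.user.visible?` branch answers with a 404 for a deleted account but does nothing to the confirmation token itself, so as far as this hunk shows the token stays usable until it expires rather than being consumed; whether it is destroyed elsewhere cannot be seen here. If a token for a deleted account should be dead on first use, `token.destroy` before `render_unknown_user token.user.display_name` would close that off. A short comment such as `# A deleted account is treated as unknown so its pending token cannot reactivate it` would also record why this check is placed after the expiry check rather than before it. The enclosing `confirm` action starts and ends outside the hunk.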
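Review bot: The lookup `User.visible.find_by(:display_name => params[:display_name])` now appears verbatim in both the GET branch of `confirm` and at the top of `confirm_resend`; a small private helper, e.g. `def visible_user_from_params` returning that expression, would keep the two call sites in step the next time the visibility rule changes. The two paths also react differently to a deleted name — `confirm` quietly redirects to `root_path` via `redirect_to root_path if user.nil? || user.active?`, while `confirm_resend` reaches its not-found handling — which is reasonable but worth a one-line comment on each so the asymmetry reads as intended. `confirm_resend`'s body continues outside the hunk.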
@@ -523,6 +523,26 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 assert_match(/already been confirmed/, flash[:error])
 end
+ def test_confirm_deleted
+ user = build(:user, :pending)
+ stub_gravatar_request(user.email)
+ post user_new_path, :params => { :user => user.attributes }
+ post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+ confirm_string = User.find_by(:email => user.email).tokens.create.token
+
+ User.find_by(:display_name => user.display_name).update(:status => "deleted")
+
+ # Get the confirmation page
+ get user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+ assert_response :redirect
+ assert_redirected_to root_path
+
+ # Confirm the user
+ post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+ assert_response :not_found
+ assert_template :no_such_user
+ end
+
 def test_confirm_resend_success
 user = build(:user, :pending)
 post user_new_path, :params => { :user => user.attributes }
@@ -561,6 +581,24 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 assert_match "User #{user.display_name} not found.", flash[:error]
 end
+ def test_confirm_resend_deleted
+ user = build(:user, :pending)
+ post user_new_path, :params => { :user => user.attributes }
+ post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+
+ User.find_by(:display_name => user.display_name).update(:status => "deleted")
+
+ assert_no_difference "ActionMailer::Base.deliveries.size" do
+ perform_enqueued_jobs do
+ get user_confirm_resend_path(user)
+ end
+ end
+
+ assert_response :redirect
+ assert_redirected_to login_path
+ assert_match "User #{user.display_name} not found.", flash[:error]
+ end
+
 def test_confirm_resend_unknown_user
 assert_no_difference "ActionMailer::Base.deliveries.size" do
 perform_enqueued_jobs do
-- 
2.43.2
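Review bot: In `test_confirm_deleted` the setup line `User.find_by(:display_name => user.display_name).update(:status => "deleted")` discards the return value of `update`, so if the status change is rejected by a validation the test carries on against a still-pending user and the later `assert_response :not_found` fails with a misleading message instead of at the setup step. Using `update!(:status => "deleted")` makes a failed setup raise immediately; the same line appears in `test_confirm_resend_deleted` in the second hunk and should get the same treatment. The `User.find_by(...)` there could also return nil if the earlier `post user_save_path` did not create the user, which `update!` would surface as a clearer error as well.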