Ensure that only the fields from the form can be filled when registering

PavlidisLab · Dec 1, 2023 · 740290f · 740290f
1 parent d1d1b4d
commit 740290f
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/src/main/java/ubc/pavlab/rdp/controllers/LoginController.java b/src/main/java/ubc/pavlab/rdp/controllers/LoginController.java
@@ -9,7 +9,9 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
@@ -42,6 +44,11 @@ public class LoginController {
     @Autowired
     private ApplicationSettings applicationSettings;
 
+    @InitBinder("user")
+    public void configureUserDataBinder( WebDataBinder dataBinder ) {
+        dataBinder.setAllowedFields( "email", "password", "profile.name", "profile.lastName" );
+    }
+
     @GetMapping("/login")
     public ModelAndView login() {
         ModelAndView modelAndView = new ModelAndView( "login" );

diff --git a/src/test/java/ubc/pavlab/rdp/controllers/LoginControllerTest.java b/src/test/java/ubc/pavlab/rdp/controllers/LoginControllerTest.java
@@ -3,6 +3,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
@@ -30,6 +31,7 @@
 
 import java.util.Locale;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
@@ -108,6 +110,24 @@ public void register_thenReturnSuccess() throws Exception {
                 .andExpect( view().name( "registration" ) )
                 .andExpect( model().attribute( "user", new User() ) );
         when( userService.create( any() ) ).thenAnswer( answer -> answer.getArgument( 0, User.class ) );
+        mvc.perform( post( "/registration" )
+                        .param( "profile.name", "Bob" )
+                        .param( "profile.lastName", "Smith" )
+                        .param( "email", "bob@example.com" )
+                        .param( "password", "123456" )
+                        .param( "passwordConfirm", "123456" )
+                        .param( "id", "27" ) ) // this field is ignored
+                .andExpect( status().is3xxRedirection() )
+                .andExpect( redirectedUrl( "/login" ) );
+        ArgumentCaptor<User> captor = ArgumentCaptor.forClass( User.class );
+        verify( userService ).create( captor.capture() );
+        verify( userService ).createVerificationTokenForUser( eq( captor.getValue() ), any() );
+        assertThat( captor.getValue() ).satisfies( user -> {
+            assertThat( user.getId() ).isNull();
+            assertThat( user.getEmail() ).isEqualTo( "bob@example.com" );
+            assertThat( user.isEnabled() ).isFalse();
+            assertThat( user.getAnonymousId() ).isNull();
+        } );
     }
 
     @Test