From 740290f336cb4926bec881c36c75fa84e0fe1999 Mon Sep 17 00:00:00 2001
From: Guillaume Poirier-Morency
Date: Fri, 1 Dec 2023 11:34:35 -0800
Subject: [PATCH] Ensure that only the fields from the form can be filled when registering
---
 .../rdp/controllers/LoginController.java | 7 +++++++
 .../rdp/controllers/LoginControllerTest.java | 20 +++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/src/main/java/ubc/pavlab/rdp/controllers/LoginController.java b/src/main/java/ubc/pavlab/rdp/controllers/LoginController.java
index 9a9ffb03..a211160b 100644
--- a/src/main/java/ubc/pavlab/rdp/controllers/LoginController.java
+++ b/src/main/java/ubc/pavlab/rdp/controllers/LoginController.java
@@ -9,7 +9,9 @@ import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
@@ -42,6 +44,11 @@ public class LoginController {
 @Autowired
 private ApplicationSettings applicationSettings;
 
+ @InitBinder("user")
+ public void configureUserDataBinder( WebDataBinder dataBinder ) {
+ dataBinder.setAllowedFields( "email", "password", "profile.name", "profile.lastName" );
+ }
+
 @GetMapping("/login")
 public ModelAndView login() {
 ModelAndView modelAndView = new ModelAndView( "login" );
diff --git a/src/test/java/ubc/pavlab/rdp/controllers/LoginControllerTest.java b/src/test/java/ubc/pavlab/rdp/controllers/LoginControllerTest.java
index 73e919d1..b3093c2a 100644
--- a/src/test/java/ubc/pavlab/rdp/controllers/LoginControllerTest.java
+++ b/src/test/java/ubc/pavlab/rdp/controllers/LoginControllerTest.java
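Review bot: `configureUserDataBinder` carries no comment saying that the allowlist is the mass-assignment guard for `User`, and Spring enforces it silently — a request parameter outside the list is dropped before binding rather than rejected — so a later edit can widen the list without noticing what it protects. Suggest the Javadoc `/** Restrict binding of the "user" model attribute to the registration form's own fields, so that server-managed properties (id, enabled, anonymousId, ...) cannot be set from request parameters. */`. The `@InitBinder("user")` scope is this controller's `user` attribute only, so any other handler that binds a `User` from request parameters is presumably not covered and would need the same treatment. `passwordConfirm`, which the accompanying test posts, is not in the list; if a password-confirmation property on the bean feeds a validator it is now dropped before validation — the test's expected redirect suggests it does not, but worth confirming. If suppressed parameters should surface in logs, the registration handler (outside this hunk) can inspect `bindingResult.getSuppressedFields()` after binding.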
@@ -3,6 +3,7 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
@@ -30,6 +31,7 @@ import java.util.Locale;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
@@ -108,6 +110,24 @@ public void register_thenReturnSuccess() throws Exception {
 .andExpect( view().name( "registration" ) )
 .andExpect( model().attribute( "user", new User() ) );
 when( userService.create( any() ) ).thenAnswer( answer -> answer.getArgument( 0, User.class ) );
+ mvc.perform( post( "/registration" )
+ .param( "profile.name", "Bob" )
+ .param( "profile.lastName", "Smith" )
+ .param( "email", "bob@example.com" )
+ .param( "password", "123456" )
+ .param( "passwordConfirm", "123456" )
+ .param( "id", "27" ) ) // this field is ignored
+ .andExpect( status().is3xxRedirection() )
+ .andExpect( redirectedUrl( "/login" ) );
+ ArgumentCaptor captor = ArgumentCaptor.forClass( User.class );
+ verify( userService ).create( captor.capture() );
+ verify( userService ).createVerificationTokenForUser( eq( captor.getValue() ), any() );
+ assertThat( captor.getValue() ).satisfies( user -> {
+ assertThat( user.getId() ).isNull();
+ assertThat( user.getEmail() ).isEqualTo( "bob@example.com" );
+ assertThat( user.isEnabled() ).isFalse();
+ assertThat( user.getAnonymousId() ).isNull();
+ } );
 }
 
 @Test
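Review bot: The new assertions prove that `id` is dropped but nothing checks that the allowed nested fields survive binding; an assertion that the captured user's profile carries the posted `"Bob"`/`"Smith"` values would also catch the allowlist being tightened by mistake, since `profile.name` and `profile.lastName` are matched as dotted paths. `passwordConfirm` is posted without any expectation on it and is not in the binder's allowlist, so a one-line comment on what it exercises (or its removal) would stop a reader assuming it is bound. As rendered here, `ArgumentCaptor captor = ArgumentCaptor.forClass( User.class );` looks like a raw type; if the generic argument was not simply lost in rendering, it should read `ArgumentCaptor<User> captor = ArgumentCaptor.forClass( User.class );` so that `user` in the `satisfies` lambda is typed. The enclosing method `register_thenReturnSuccess` starts before this hunk.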