diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 040e57cf4..0267e57d4 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -116,6 +116,11 @@
   # Default: false
   config.validate_on_invite = true
 
+  # Auto-login after the user accepts the invite. If this is false,
+  # the user will need to manually log in after accepting the invite.
+  # Default: true
+  config.allow_insecure_sign_in_after_accept = false
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be
diff --git a/test/integration/inviting_users_test.rb b/test/integration/inviting_users_test.rb
index 156dffea8..dd1726dc3 100644
--- a/test/integration/inviting_users_test.rb
+++ b/test/integration/inviting_users_test.rb
@@ -11,7 +11,24 @@ class InvitingUsersTest < ActionDispatch::IntegrationTest
     fill_in "Confirm new password", with: "this 1s 4 v3333ry s3cur3 p4ssw0rd.!Z"
     click_button "Save password"
 
-    assert_response_contains("You are now signed in")
+    assert_response_contains("Your password was set successfully.")
+  end
+
+  should "require the invited user to sign in after setting their password" do
+    user = User.invite!(name: "Neptuno Keighley", email: "neptuno.keighley@office.gov.uk")
+
+    accept_invitation(
+      invitation_token: user.raw_invitation_token,
+      password: "pretext annoying headpiece waviness header slinky",
+    )
+
+    assert_response_contains("Sign in to GOV.UK")
+
+    fill_in "Email", with: "neptuno.keighley@office.gov.uk"
+    fill_in "Password", with: "pretext annoying headpiece waviness header slinky"
+    click_button "Sign in"
+
+    assert_response_contains("Make your account more secure by setting up 2‑step verification.")
   end
 
   should "not send invitation token to Google Analytics" do
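Review bot: The new comment above `config.allow_insecure_sign_in_after_accept = false` only restates the option's generic description and its upstream default; it does not record why this application overrides it, which is the thing a future maintainer is most likely to revert by mistake. The accompanying test suggests the intent is that an invited user reaches the normal sign-in flow (and its follow-up prompts, such as the 2-step verification setup message) rather than being granted a session straight from the emailed invitation link, so I would say so here, e.g. `# Deliberately false: invited users must sign in normally after setting a password so that the standard sign-in checks apply (see test/integration/inviting_users_test.rb).` The "Default: true" line is fine to keep as the upstream reference, but the override rationale belongs next to it.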
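Review bot: In the new "require the invited user to sign in after setting their password" case the password literal `"pretext annoying headpiece waviness header slinky"` is repeated verbatim in the `accept_invitation(...)` call and in `fill_in "Password", with: ...`, as is the email address; hoisting them into locals (`password = "..."`, `email = "..."`) keeps the two steps from silently drifting apart. The final assertion appears to contain a non-ASCII hyphen in `2‑step`, which is visually indistinguishable from an ordinary `-`; if that character is intentional because it matches the view text, a short comment saying so would stop someone "fixing" it, and if it is accidental the assertion may not match. Note also that the only evidence of being signed out is the presence of the "Sign in to GOV.UK" text; if the test helpers allow it, an explicit check that a protected page redirects to sign-in before the form is filled in would pin the intended behaviour more tightly. `accept_invitation` is presumably a test helper defined outside this hunk, and the enclosing `InvitingUsersTest` class continues past it.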