Deactivate verified profile on password reset

**Why**: When PII is encrypted with user password and the password is reset, the PII becomes un-decryptable.
18F · Sep 29, 2016 · 2fb93af · 2fb93af
1 parent ceb053b
commit 2fb93af
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/app/controllers/users/passwords_controller.rb b/app/controllers/users/passwords_controller.rb
@@ -64,6 +64,8 @@ def handle_expired_token(user)
     end
 
     def handle_successful_password_reset
+      mark_profile_inactive
+
       analytics.track_event('Password reset', user_id: resource.uuid)
 
       flash[:notice] = t('devise.passwords.updated_not_active') if is_flashing_format?
@@ -84,6 +86,16 @@ def handle_unsuccessful_password_reset
       render :edit
     end
 
+    def mark_profile_inactive
+      active_profile = resource.active_profile
+      return unless active_profile.present?
+      active_profile.update!(active: false)
+      analytics.track_event(
+        'Deactivated verified profile via password reset',
+        user_id: resource.uuid
+      )
+    end
+
     def user_params
       params.require(:password_form).
         permit(:password, :reset_password_token)

diff --git a/spec/controllers/users/passwords_controller_spec.rb b/spec/controllers/users/passwords_controller_spec.rb
@@ -108,6 +108,7 @@
         allow(user).to receive(:reset_password_token).and_return('foo')
         allow(user).to receive(:errors).and_return({})
         allow(user).to receive(:password=).with('password')
+        allow(user).to receive(:active_profile).and_return(nil)
 
         notifier = instance_double(EmailNotifier)
         allow(EmailNotifier).to receive(:new).with(user).and_return(notifier)
@@ -123,6 +124,31 @@
         expect(flash[:notice]).to eq t('devise.passwords.updated_not_active')
       end
     end
+
+    context 'user with active profile submits valid new password' do
+      let(:profile) { create(:profile, :active, :verified) }
+      let(:user) { profile.user }
+
+      it 'redirects to sign in page' do
+        stub_analytics
+        allow(@analytics).to receive(:track_event)
+
+        params = { password: 'password', reset_password_token: 'foo' }
+
+        allow(User).to receive(:reset_password_by_token).with(params).and_return(user)
+        allow(user).to receive(:reset_password_token).and_return('foo')
+        allow(user).to receive(:errors).and_return({})
+        allow(user).to receive(:password=).with('password')
+
+        put :update, password_form: params
+
+        expect(@analytics).to have_received(:track_event).
+          with('Password reset', user_id: user.uuid)
+        expect(@analytics).to have_received(:track_event).
+          with('Deactivated verified profile via password reset', user_id: user.uuid)
+        expect(user.active_profile.present?).to eq false
+      end
+    end
   end
 
   describe '#create' do