Fix sign-ups without checked user agreement being accepted through th…

…e web form (mastodon#13088)

* Fix user agreement not being verified

* Fix tests

* Fix up agreement field being dismissed

app/controllers/auth/registrations_controller.rb

@@ -32,15 +32,14 @@ def build_resource(hash = nil)
 
     resource.locale             = I18n.locale
     resource.invite_code        = params[:invite_code] if resource.invite_code.blank?
-    resource.agreement          = true
     resource.current_sign_in_ip = request.remote_ip
 
     resource.build_account if resource.account.nil?
   end
 
   def configure_sign_up_params
     devise_parameter_sanitizer.permit(:sign_up) do |u|
-      u.permit({ account_attributes: [:username], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code)
+      u.permit({ account_attributes: [:username], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code, :agreement)
     end
   end
 

spec/controllers/auth/registrations_controller_spec.rb

@@ -91,7 +91,7 @@
       subject do
         Setting.registrations_mode = 'open'
         request.headers["Accept-Language"] = accept_language
-        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678' } }
+        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', agreement: 'true' } }
       end
 
       it 'redirects to login page' do
@@ -107,6 +107,26 @@
       end
     end
 
+    context 'when user has not agreed to terms of service' do
+      around do |example|
+        registrations_mode = Setting.registrations_mode
+        example.run
+        Setting.registrations_mode = registrations_mode
+      end
+
+      subject do
+        Setting.registrations_mode = 'open'
+        request.headers["Accept-Language"] = accept_language
+        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', agreement: 'false' } }
+      end
+
+      it 'does not create user' do
+        subject
+        user = User.find_by(email: 'test@example.com')
+        expect(user).to be_nil
+      end
+    end
+
     context 'approval-based registrations without invite' do
       around do |example|
         registrations_mode = Setting.registrations_mode
@@ -117,7 +137,7 @@
       subject do
         Setting.registrations_mode = 'approved'
         request.headers["Accept-Language"] = accept_language
-        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678' } }
+        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', agreement: 'true' } }
       end
 
       it 'redirects to login page' do
@@ -145,7 +165,7 @@
         Setting.registrations_mode = 'approved'
         request.headers["Accept-Language"] = accept_language
         invite = Fabricate(:invite, max_uses: nil, expires_at: 1.hour.ago)
-        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
+        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code, agreement: 'true' } }
       end
 
       it 'redirects to login page' do
@@ -173,7 +193,7 @@
         Setting.registrations_mode = 'approved'
         request.headers["Accept-Language"] = accept_language
         invite = Fabricate(:invite, max_uses: nil, expires_at: 1.hour.from_now)
-        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
+        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code, agreement: 'true' } }
       end
 
       it 'redirects to login page' do