Merge pull request #23636 from code-dot-org/refactor-user-destroy

Refactor registrations#destroy to validate password if required
code-dot-org · Jul 11, 2018 · a1d97d1 · a1d97d1
2 parents 3078a16 + ccd0f74
commit a1d97d1
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 0 deletions.
diff --git a/dashboard/app/controllers/registrations_controller.rb b/dashboard/app/controllers/registrations_controller.rb
@@ -51,6 +51,27 @@ def create
     end
   end
 
+  def destroy
+    # TODO: (madelynkasula) Remove the new_destroy_flow check when the
+    # ACCOUNT_DELETION_NEW_FLOW experiment is removed.
+    if params[:new_destroy_flow]
+      password_required = current_user.encrypted_password.present?
+      invalid_password = !current_user.valid_password?(params[:password_confirmation])
+      if password_required && invalid_password
+        current_user.errors.add :current_password
+        render json: {
+          error: current_user.errors.as_json(full_messages: true)
+        }, status: :bad_request
+        return
+      end
+      current_user.destroy
+      Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
+      return head :no_content
+    else
+      super
+    end
+  end
+
   def sign_up_params
     super.tap do |params|
       if params[:user_type] == "teacher"

diff --git a/dashboard/test/controllers/registrations_controller/destroy_test.rb b/dashboard/test/controllers/registrations_controller/destroy_test.rb
@@ -0,0 +1,63 @@
+# -*- coding: utf-8 -*-
+require 'test_helper'
+
+module RegistrationsControllerTests
+  #
+  # Tests over DELETE /users
+  #
+  class DestroyTest < ActionDispatch::IntegrationTest
+    #
+    # Tests for old destroy flow
+    #
+
+    test "destroys the user" do
+      user = create :user
+      sign_in user
+      assert_destroys(User) do
+        delete '/users'
+      end
+      assert_redirected_to '/'
+    end
+
+    #
+    # Tests for new destroy flow
+    #
+
+    test "returns bad request if password is required and not provided" do
+      user = create :user, password: 'password'
+      sign_in user
+      assert_does_not_destroy(User) do
+        delete '/users', params: {new_destroy_flow: true}
+      end
+      assert_response :bad_request
+    end
+
+    test "returns bad request if password is required and incorrect" do
+      user = create :user, password: 'password'
+      sign_in user
+      assert_does_not_destroy(User) do
+        delete '/users', params: {new_destroy_flow: true, password_confirmation: 'notmypassword'}
+      end
+      assert_response :bad_request
+    end
+
+    test "destroys the user if password is required and correct" do
+      user = create :user, password: 'password'
+      sign_in user
+      assert_destroys(User) do
+        delete '/users', params: {new_destroy_flow: true, password_confirmation: 'password'}
+      end
+      assert_response :success
+    end
+
+    test "destroys the user if password is not required" do
+      user = create :user, :with_migrated_google_authentication_option
+      user.update_attribute(:encrypted_password, nil)
+      sign_in user
+      assert_destroys(User) do
+        delete '/users', params: {new_destroy_flow: true}
+      end
+      assert_response :success
+    end
+  end
+end