Skip to content

LG-542 Don't allow LOA3 users to request delete account #2421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jmhooper merged 2 commits into from
Aug 13, 2018
Merged

LG-542 Don't allow LOA3 users to request delete account #2421

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0e98f6a
LG-542 Don't allow LOA3 users to request delete account
jmhooper Aug 10, 2018
194f8d8
typo
jmhooper Aug 10, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions app/controllers/account_reset/request_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ class RequestController < ApplicationController

before_action :check_account_reset_enabled
before_action :confirm_two_factor_enabled
before_action :confirm_user_not_verified

def show; end

Expand All @@ -21,6 +22,11 @@ def check_account_reset_enabled
redirect_to root_url unless FeatureManagement.account_reset_enabled?
end

def confirm_user_not_verified
# IAL2 users should not be able to reset account to comply with AAL2 reqs
redirect_to account_url if decorated_user.identity_verified?
end

def reset_session_with_email
email = current_user.email
sign_out
Expand Down
5 changes: 5 additions & 0 deletions app/presenters/two_factor_login_options_presenter.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ def options
end
end

def should_display_account_reset_or_cancel_link?
# IAL2 users should not be able to reset account to comply with AAL2 reqs
!current_user.decorate.identity_verified?
end

def account_reset_or_cancel_link
account_reset_token_valid? ? account_reset_cancel_link : account_reset_link
end
Expand Down
2 changes: 1 addition & 1 deletion app/services/account_reset_service.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ def self.send_notifications_with_sql(users_sql)
def self.reset_and_notify(arr)
user = arr.user
return false unless AccountResetService.new(user).grant_request
UserMailer.account_reset_granted(user, arr).deliver_later
UserMailer.account_reset_granted(user, arr.reload).deliver_later
Copy link
Contributor

@stevegsa stevegsa Aug 11, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EXCELLENT!

true
end
private_class_method :reset_and_notify
Expand Down
3 changes: 2 additions & 1 deletion app/views/two_factor_authentication/options/index.html.slim
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,6 @@ p.mt-tiny.mb3 = @presenter.info
= f.button :submit, t('forms.buttons.continue')

br
p = @presenter.account_reset_or_cancel_link
- if @presenter.should_display_account_reset_or_cancel_link?
p = @presenter.account_reset_or_cancel_link
= render 'shared/cancel', link: destroy_user_session_path
66 changes: 66 additions & 0 deletions spec/features/account_reset/delete_account_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
require 'rails_helper'
Copy link
Contributor

@stevegsa stevegsa Aug 11, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NICE!


describe 'Account Reset Request: Delete Account', email: true do
let(:user) { create(:user, :signed_up) }

before do
TwilioService::Utils.telephony_service = FakeSms
end

context 'as an LOA1 user' do
it 'allows the user to delete their account after 24 hours' do
signin(user.email, user.password)
click_link t('two_factor_authentication.login_options_link_text')
click_link t('devise.two_factor_authentication.account_reset.link')
click_button t('account_reset.request.yes_continue')
reset_email

Timecop.travel(Time.zone.now + 2.days) do
AccountResetService.grant_tokens_and_send_notifications
open_last_email
click_email_link_matching(/delete_account\?token/)

expect(page).to have_content(t('account_reset.delete_account.title'))
expect(page).to have_current_path(account_reset_delete_account_path)

click_on t('account_reset.delete_account.delete_button')

expect(page).to have_content(
strip_tags(
t(
'account_reset.confirm_delete_account.info',
email: user.email,
link: t('account_reset.confirm_delete_account.link_text')
)
)
)
expect(page).to have_current_path(account_reset_confirm_delete_account_path)
expect(User.where(id: user.id)).to be_empty
end
end
end

context 'as an LOA3 user' do
let(:user) do
create(
:profile,
:active,
:verified,
pii: { first_name: 'John', ssn: '111223333' }
).user
end

it 'does not allow the user to delete their account from 2FA screen' do
signin(user.email, user.password)
click_link t('two_factor_authentication.login_options_link_text')

# Account reset link should not be present
expect(page).to_not have_content(t('devise.two_factor_authentication.account_reset.link'))

# Visiting account reset directly should redirect to 2FA
visit account_reset_request_path

expect(page.current_path).to eq(login_two_factor_path(otp_delivery_preference: :sms))
end
end
end