remove cert fingerprints for disabled users, so that they cannot send email anymore. closes #7690

5 files changed, 34 insertions, 12 deletions

diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 70f483e..261f201 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../test_helper'
 
 class UsersControllerTest < ActionController::TestCase
 
diff --git a/test/functional/v1/certs_controller_test.rb b/test/functional/v1/certs_controller_test.rb
index ec34b01..04c1c86 100644
--- a/test/functional/v1/certs_controller_test.rb
+++ b/test/functional/v1/certs_controller_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../../test_helper'
 
 class V1::CertsControllerTest < ActionController::TestCase
 
@@ -21,6 +21,12 @@ class V1::CertsControllerTest < ActionController::TestCase
     end
   end
 
+  test "fail to create cert when disabled" do
+    login :enabled? => false
+    post :create
+    assert_access_denied
+  end
+
   test "create unlimited cert" do
     login effective_service_level: ServiceLevel.new(id: 2)
     cert = expect_cert('UNLIMITED')
diff --git a/test/functional/v1/smtp_certs_controller_test.rb b/test/functional/v1/smtp_certs_controller_test.rb
index ba70410..1b03995 100644
--- a/test/functional/v1/smtp_certs_controller_test.rb
+++ b/test/functional/v1/smtp_certs_controller_test.rb
@@ -24,6 +24,12 @@ class V1::SmtpCertsControllerTest < ActionController::TestCase
     assert_equal cert.to_s, @response.body
   end
 
+  test "fail to create cert when disabled" do
+    login :enabled? => false
+    post :create
+    assert_access_denied
+  end
+
   protected
 
   def expect_cert(email)
diff --git a/test/unit/account_test.rb b/test/unit/account_test.rb
index 6b814b6..7c26d5c 100644
--- a/test/unit/account_test.rb
+++ b/test/unit/account_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../test_helper'
 
 class AccountTest < ActiveSupport::TestCase
 
@@ -23,10 +23,10 @@ class AccountTest < ActiveSupport::TestCase
 
   test "create a new account" do
     with_config invite_required: false do
-    user = Account.create(FactoryGirl.attributes_for(:user))
-    assert user.valid?, "unexpected errors: #{user.errors.inspect}"
-    assert user.persisted?
-    user.account.destroy
+      user = Account.create(FactoryGirl.attributes_for(:user))
+      assert user.valid?, "unexpected errors: #{user.errors.inspect}"
+      assert user.persisted?
+      user.account.destroy
     end
   end
 
@@ -80,4 +80,14 @@ class AccountTest < ActiveSupport::TestCase
 
     assert_equal 0, user_code.invite_count
   end
+
+  test "disabled accounts have no cert fingerprints" do
+    user = Account.create(FactoryGirl.attributes_for(:user))
+    cert = stub(expiry: 1.month.from_now, fingerprint: SecureRandom.hex)
+    user.identity.register_cert cert
+    user.identity.save
+    assert_equal cert.fingerprint, Identity.for(user).cert_fingerprints.keys.first
+    user.account.disable
+    assert_equal({}, Identity.for(user).cert_fingerprints)
+  end
 end
diff --git a/test/unit/identity_test.rb b/test/unit/identity_test.rb
index f5c95f8..1f93109 100644
--- a/test/unit/identity_test.rb
+++ b/test/unit/identity_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../test_helper'
 
 class IdentityTest < ActiveSupport::TestCase
   include StubRecordHelper
@@ -177,9 +177,9 @@ class IdentityTest < ActiveSupport::TestCase
   end
 
   def cert_stub
-    # make this expire later than the others so it's on top
-    # when sorting by expiry descending.
-    @cert_stub ||= stub expiry: 2.month.from_now,
-    fingerprint: SecureRandom.hex
+    # make this expire later than the other test identities
+    # so that the query that returns certs sorted by expiry will
+    # return cert_stub first.
+    @cert_stub ||= stub(expiry: 2.month.from_now, fingerprint: SecureRandom.hex)
   end
 end