SRCH-376 - passwords and password confirmations (#233)

* SRCH-376 - passwords and password confirmations

.rubocop.yml

@@ -841,7 +841,8 @@ Layout/MultilineMethodCallIndentation:
   # By default, the indentation width from Layout/IndentationWidth is used
   # But it can be overridden by setting this parameter
   IndentationWidth: ~
-
+  Exclude:
+    - 'spec/**/*'
 Layout/MultilineMethodDefinitionBraceLayout:
   Description: >-
                  Checks that the closing brace in a method definition is

config/filter_parameter_logging.rb → config/initializers/filter_parameter_logging.rb

@@ -1,4 +1,4 @@
 # Be sure to restart your server when you modify this file.
 
 # Configure sensitive parameters which will be filtered from the log file.
-Rails.application.config.filter_parameters += [:password, :password_confirmation]
+Rails.application.config.filter_parameters += [:password]

spec/controllers/user_sessions_controller_spec.rb

@@ -11,8 +11,16 @@
   end
 
   describe "#create" do
+    let(:user) { users(:affiliate_manager) }
     let(:post_create) do
-      post :create, user_session: { email: user.email , password: user.password }
+      post :create, user_session: { email: user.email, password: user.password }
+    end
+
+    it 'filters passwords in the logfile' do
+      allow(Rails.logger).to receive(:info)
+      expect(Rails.logger).to receive(:info).
+        with(/ \"password\"=>\"\[FILTERED\]\"/)
+      post_create
     end
 
     context 'when the user is not approved' do

spec/controllers/users_controller_spec.rb

@@ -11,7 +11,7 @@
   describe '#create' do
     it { is_expected.to permit(*permitted_params).for(:create, params: { user: user_params }) }
 
-     context 'when the User#save was successful and User has government affiliated email' do
+    context 'when the User#save was successful and User has government affiliated email' do
       let(:user) do
         mock_model(User,
                    has_government_affiliated_email?: true,
@@ -88,23 +88,43 @@
   end
 
   describe '#update' do
+    let(:update_user) do
+      post :update,
+           id: current_user.id,
+           user: update_params
+    end
+
     let(:update_params) do
-      { 'contact_name' => 'BAR', 'email' => '[email protected]' }
+      { 'contact_name': 'BAR',
+        'email': '[email protected]' }
     end
+
     context 'when logged in as affiliate' do
       before { activate_authlogic }
       include_context 'approved user logged in'
 
       it { is_expected.to permit(*permitted_params).for(:update, params: { user: update_params }) }
 
+      context 'when changing the password' do
+        let(:update_params) do
+          { 'current_password': current_user.password,
+            'password': 'newpassword1234!' }
+        end
+
+        it 'filters passwords in the logfile' do
+          allow(Rails.logger).to receive(:info)
+          expect(Rails.logger).to receive(:info).
+            with(/{\"current_password\"=>\"\[FILTERED\]\", \"password\"=>\"\[FILTERED\]\"}/)
+          update_user
+        end
+      end
+
       context 'when the User#update_attributes was successfully' do
         before do
-          expect(current_user).to receive(:update_attributes).with(update_params).
-            and_return(true)
+          expect(current_user).to receive(:update_attributes).
+            with(update_params).and_return(true)
 
-          post :update,
-               id: current_user.id,
-               user: { contact_name: 'BAR', email: '[email protected]' }
+          update_user
         end
 
         it { is_expected.to assign_to(:user).with(current_user) }
@@ -117,9 +137,7 @@
           expect(current_user).to receive(:update_attributes).with(update_params).
             and_return(false)
 
-          post :update,
-               id: current_user.id,
-               user: update_params
+          update_user
         end
 
         it { is_expected.to assign_to(:user).with(current_user) }