test: add tests for join request page

2026-03-10 17:18:14 +01:00 · 2026-03-10 17:18:14 +01:00 · eadf90b5fc
commit eadf90b5fc
parent 21812542ad
5 changed files with 173 additions and 4 deletions
--- a/test/membership/join_request_test.exs
+++ b/test/membership/join_request_test.exs
@ -121,6 +121,32 @@ defmodule Mv.Membership.JoinRequestTest do
    end
  end

+  describe "allowlist (server-side field filter)" do
+    test "submit with non-allowlisted form_data keys does not persist those keys" do
+      # Allowlist restricts which fields are accepted; extra keys must not be stored.
+      {:ok, settings} = Membership.get_settings()
+      Mv.Membership.update_settings(settings, %{
+        join_form_enabled: true,
+        join_form_field_ids: ["email", "first_name"],
+        join_form_field_required: %{"email" => true, "first_name" => false}
+      })
+
+      attrs = %{
+        email: "allowlist#{System.unique_integer([:positive])}@example.com",
+        first_name: "Allowed",
+        confirmation_token: "tok-#{System.unique_integer([:positive])}",
+        form_data: %{"city" => "Berlin", "internal_or_secret" => "must not persist"},
+        schema_version: 1
+      }
+
+      assert {:ok, request} = Membership.submit_join_request(attrs, actor: nil)
+      assert request.email == attrs.email
+      assert request.first_name == attrs.first_name
+      refute Map.has_key?(request.form_data || %{}, "internal_or_secret")
+      assert (request.form_data || %{})["city"] == "Berlin"
+    end
+  end
+
  defp error_message(errors, field) do
    errors
    |> Enum.filter(fn err -> Map.get(err, :field) == field end)