SECURITY: Do not sign in unapproved users (#15552)

2022-01-12 22:24:54 +02:00 · 2022-01-12 22:24:54 +02:00 · 584c6a2e8b
parent 6750c682ac
commit 584c6a2e8b
2 changed files with 24 additions and 3 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -298,7 +298,7 @@ class InvitesController < ApplicationController
        return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404
      end

-      log_on_user(user) if user.active?
+      log_on_user(user) if user.active? && user.guardian.can_access_forum?
      user.update_timezone_if_missing(params[:timezone])
      post_process_invite(user)
      create_topic_invite_notifications(invite, user)
@ -307,14 +307,19 @@ class InvitesController < ApplicationController
      response = {}

      if user.present?
-        if user.active?
+        if user.active? && user.guardian.can_access_forum?
          if user.guardian.can_see?(topic)
            response[:redirect_to] = path(topic.relative_url)
          else
            response[:redirect_to] = path("/")
          end
        else
-          response[:message] = I18n.t('invite.confirm_email')
+          response[:message] = if user.active?
+            I18n.t('activation.approval_required')
+          else
+            I18n.t('invite.confirm_email')
+          end
+
          if user.guardian.can_see?(topic)
            cookies[:destination_url] = path(topic.relative_url)
          end
--- a/spec/requests/invites_controller_spec.rb
+++ b/spec/requests/invites_controller_spec.rb
@ -510,6 +510,22 @@ describe InvitesController do
        expect(response.status).to eq(412)
      end

+      it 'does not log in the user if they were not approved' do
+        SiteSetting.must_approve_users = true
+
+        put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex, email_token: invite.email_token }
+
+        expect(session[:current_user_id]).to eq(nil)
+        expect(response.parsed_body["message"]).to eq(I18n.t('activation.approval_required'))
+      end
+
+      it 'does not log in the user if they were not activated' do
+        put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
+
+        expect(session[:current_user_id]).to eq(nil)
+        expect(response.parsed_body["message"]).to eq(I18n.t('invite.confirm_email'))
+      end
+
      it 'fails when local login is disabled and no external auth is configured' do
        SiteSetting.enable_local_logins = false