Discource-C/discourse
1
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-07 20:08:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Do not sign in unapproved users (#15552)

Browse Source
This commit is contained in:
Dan Ungureanu 2022-01-12 22:24:54 +02:00 committed by GitHub
parent 6750c682ac
commit 584c6a2e8b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/controllers/invites_controller.rb
View File

@ -298,7 +298,7 @@ class InvitesController < ApplicationController
return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404 return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404
end end
log_on_user(user) if user.active? log_on_user(user) if user.active? && user.guardian.can_access_forum?
user.update_timezone_if_missing(params[:timezone]) user.update_timezone_if_missing(params[:timezone])
post_process_invite(user) post_process_invite(user)
create_topic_invite_notifications(invite, user) create_topic_invite_notifications(invite, user)
@ -307,14 +307,19 @@ class InvitesController < ApplicationController
response = {} response = {}
if user.present? if user.present?
if user.active? if user.active? && user.guardian.can_access_forum?
if user.guardian.can_see?(topic) if user.guardian.can_see?(topic)
response[:redirect_to] = path(topic.relative_url) response[:redirect_to] = path(topic.relative_url)
else else
response[:redirect_to] = path("/") response[:redirect_to] = path("/")
end end
else else
response[:message] = I18n.t('invite.confirm_email') response[:message] = if user.active?
I18n.t('activation.approval_required')
else
I18n.t('invite.confirm_email')
end
if user.guardian.can_see?(topic) if user.guardian.can_see?(topic)
cookies[:destination_url] = path(topic.relative_url) cookies[:destination_url] = path(topic.relative_url)
end end

16
spec/requests/invites_controller_spec.rb
View File

@ -510,6 +510,22 @@ describe InvitesController do
expect(response.status).to eq(412) expect(response.status).to eq(412)
end end
it 'does not log in the user if they were not approved' do
SiteSetting.must_approve_users = true
put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex, email_token: invite.email_token }
expect(session[:current_user_id]).to eq(nil)
expect(response.parsed_body["message"]).to eq(I18n.t('activation.approval_required'))
end
it 'does not log in the user if they were not activated' do
put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
expect(session[:current_user_id]).to eq(nil)
expect(response.parsed_body["message"]).to eq(I18n.t('invite.confirm_email'))
end
it 'fails when local login is disabled and no external auth is configured' do it 'fails when local login is disabled and no external auth is configured' do
SiteSetting.enable_local_logins = false SiteSetting.enable_local_logins = false