From 704778f448f57bfc700347a717b948793ebee720 Mon Sep 17 00:00:00 2001 From: Jarek Radosz Date: Wed, 3 Feb 2021 18:13:00 +0100 Subject: [PATCH] FIX: Don't invite new users via group with SSO on or local logins off (#11950) Issue originally reported in https://meta.discourse.org/t/bypass-sso-by-adding-unkown-email-to-group/177339 Inviting people via email address to a group when SSO is enabled (or local logins are disabled) led to a situation where user records were being created bypassing single sign-on. We already prevent that in most places. This adds required checks to `GroupsController`. --- app/controllers/groups_controller.rb | 14 ++++++++++--- config/locales/server.en.yml | 3 +++ spec/requests/groups_controller_spec.rb | 28 +++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 3 deletions(-) diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 965cdaeaafe..251235d9484 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -333,15 +333,23 @@ class GroupsController < ApplicationController end if users.empty? && emails.empty? - raise Discourse::InvalidParameters.new( - 'usernames or emails must be present' - ) + raise Discourse::InvalidParameters.new(I18n.t("usernames_or_emails_required")) end + + if emails.any? + if SiteSetting.enable_sso? + raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_sso")) + elsif !SiteSetting.enable_local_logins? + raise Discourse::InvalidParameters.new(I18n.t("no_invites_without_local_logins")) + end + end + if users.length > ADD_MEMBERS_LIMIT return render_json_error( I18n.t("groups.errors.adding_too_many_users", count: ADD_MEMBERS_LIMIT) ) end + usernames_already_in_group = group.users.where(id: users.map(&:id)).pluck(:username) if usernames_already_in_group.present? && usernames_already_in_group.length == users.length render_json_error(I18n.t( diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 223591005c5..68511726d1c 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -447,6 +447,9 @@ en: adding_too_many_users: one: "Maximum %{count} user can be added at once" other: "Maximum %{count} users can be added at once" + usernames_or_emails_required: "Usernames or emails must be present" + no_invites_with_sso: "You can invite only registered users when SSO is enabled" + no_invites_without_local_logins: "You can invite only registered users when local logins are disabled" default_names: everyone: "everyone" admins: "admins" diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb index 08853589d72..af12e4be42c 100644 --- a/spec/requests/groups_controller_spec.rb +++ b/spec/requests/groups_controller_spec.rb @@ -1346,6 +1346,34 @@ describe GroupsController do end end + it "adds known users by email when SSO is enabled" do + SiteSetting.sso_url = "https://www.example.com/sso" + SiteSetting.enable_sso = true + + expect do + put "/groups/#{group.id}/members.json", params: { emails: other_user.email } + end.to change { group.users.count }.by(1) + + expect(response.status).to eq(200) + end + + it "rejects unknown emails when SSO is enabled" do + SiteSetting.sso_url = "https://www.example.com/sso" + SiteSetting.enable_sso = true + put "/groups/#{group.id}/members.json", params: { emails: "newuser@example.com" } + + expect(response.status).to eq(400) + expect(response.parsed_body["error_type"]).to eq("invalid_parameters") + end + + it "rejects unknown emails when local logins are disabled" do + SiteSetting.enable_local_logins = false + put "/groups/#{group.id}/members.json", params: { emails: "newuser@example.com" } + + expect(response.status).to eq(400) + expect(response.parsed_body["error_type"]).to eq("invalid_parameters") + end + it "will find users by email, and invite the correct user" do new_user = Fabricate(:user) expect(new_user.group_ids.include?(group.id)).to eq(false)