SECURITY: always allow staff to resend activation mails
parent
1a745ca16a
commit
a690121805
|
@ -571,7 +571,7 @@ class UsersController < ApplicationController
|
|||
|
||||
raise Discourse::NotFound unless @user
|
||||
|
||||
if (current_user && !current_user.staff?) ||
|
||||
if !current_user&.staff? &&
|
||||
@user.id != session[SessionController::ACTIVATE_USER_KEY]
|
||||
|
||||
raise Discourse::InvalidAccess
|
||||
|
|
|
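Review bot: The staff bypass in the new condition has no comment explaining why staff skip the session check that every other caller must pass, and future readers of `!current_user&.staff? &&` will not find the reason without the commit log; a one-liner above the `if` such as `# Staff may resend activation mail for any account; everyone else must hold the activation session key for this user.` would carry it. Note the operand order is what keeps anonymous callers covered: `current_user&.staff?` is nil for a logged-out request, so the negation is true and execution still falls through to the comparison against `session[SessionController::ACTIVATE_USER_KEY]`. Whether this action is rate-limited is not visible in the hunk; since staff can now trigger mail to any inactive account, that is worth confirming. The enclosing action starts and ends outside the hunk.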
@ -1423,9 +1423,15 @@ describe UsersController do
|
|||
it 'should not be valid' do
|
||||
user = Fabricate(:user)
|
||||
xhr :post, :send_activation_email, username: user.username
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
|
||||
it 'should allow staff regardless' do
|
||||
log_in :admin
|
||||
user = Fabricate(:user, active: false)
|
||||
xhr :post, :send_activation_email, username: user.username
|
||||
expect(response.status).to eq(200)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with a valid email_token' do
|
||||
|
|
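Review bot: The `should allow staff regardless` example asserts only the status code, so a regression that returns 200 without actually enqueuing an activation mail for the fabricated inactive user would still pass; consider adding the suite's mail/job enqueue expectation next to `expect(response.status).to eq(200)`. Because the example never sets the activation session key, it does exercise the staff path without the token, which is the case the commit title describes. If the spec suite has a moderator fabricator, a second example for that role would pin down that the bypass applies to all staff rather than admins only, though that cannot be confirmed from this hunk. The surrounding describe block begins and ends outside the hunk.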