discourse/app/controllers
Gerhard Schlager 7c4e2d33fa
SECURITY: Remove auto approval when redeeming an invite (#16974)
This security fix affects sites which have `SiteSetting.must_approve_users`
enabled. There are intentional and unintentional cases where invited
users can be auto approved and are deemed to have skipped the staff approval process.
Instead of trying to reason about when auto-approval should happen, we have decided that
enabling the `must_approve_users` setting going forward will just mean that all new users
must be explicitly approved by a staff user in the review queue. The only case where users are auto
approved is when the `auto_approve_email_domains` site setting is used.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-06-02 16:10:48 +02:00
admin FIX: Show suspended by user (#16927) 2022-06-01 14:54:23 +02:00
users DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
about_controller.rb Revert "Revert "Merge branch 'master' of https://github.com/discourse/discourse"" 2020-05-23 00:56:13 -04:00
application_controller.rb DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
associated_groups_controller.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
badges_controller.rb UX: Add image uploader widget for uploading badge images (#12377) 2021-03-17 08:55:23 +03:00
bookmarks_controller.rb DEV: Add save_user_preferences option to BookmarkManager (#16894) 2022-05-24 11:13:21 +10:00
bootstrap_controller.rb FIX: do not looks for plugin test js in production (#16962) 2022-06-01 10:49:53 +10:00
categories_controller.rb FIX: Do not show visibility topic if visible (#16478) 2022-04-18 11:16:30 +03:00
clicks_controller.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
composer_messages_controller.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
csp_reports_controller.rb DEV: Only include "report-sample" CSP directive when reporting is enabled (#9337) 2020-04-02 11:16:38 -04:00
directory_columns_controller.rb DEV: Plugin API to add directory columns (#13440) 2021-06-22 13:00:04 -05:00
directory_items_controller.rb FIX: unable to filter user directory when sorted by user field. (#15951) 2022-02-16 07:57:35 +05:30
do_not_disturb_controller.rb DEV: Replace 'processed' column on notifications with new table (#11864) 2021-01-27 10:29:24 -06:00
drafts_controller.rb DEV: do not return no_result_help from the server (#15220) 2021-12-08 21:46:54 +04:00
edit_directory_columns_controller.rb FIX: Always serialize the correct attributes for DirectoryItems (#13510) 2021-06-23 14:55:17 -05:00
email_controller.rb FIX: set mailing_list_mode to false when unsubscribing from all (#10354) 2020-08-03 16:59:54 +10:00
embed_controller.rb FEATURE: Block indexing the embed topic list (#16495) 2022-04-19 18:24:38 -03:00
exceptions_controller.rb FEATURE: Add site setting to show more detailed 404 errors. (#8014) 2019-10-08 14:15:08 +03:00
export_csv_controller.rb DEV: Switch to new ExportUserArchive job 2020-08-28 11:46:53 -07:00
extra_locales_controller.rb Replace `base_uri` with `base_path` (#10879) 2020-10-09 12:51:24 +01:00
finish_installation_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
forums_controller.rb DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
groups_controller.rb FIX: Add `errors` field if group update confirmation (#16260) 2022-03-24 14:50:44 +02:00
hashtags_controller.rb DEV: Merge category and tag hashtags code paths (#10216) 2020-07-13 19:13:17 +03:00
highlight_js_controller.rb DEV: apply allow origin response header for CDN requests. (#11893) 2021-01-29 07:44:49 +05:30
inline_onebox_controller.rb FIX: Make inline oneboxes work with secured topics in secured contexts (#8895) 2020-02-12 12:11:28 +02:00
invites_controller.rb FIX: Apply 'hide email account' for invites 2022-05-17 09:56:06 +02:00
list_controller.rb FIX: Users with unicode usernames unable to load more topics in activity (#16627) 2022-05-05 09:48:22 +08:00
metadata_controller.rb FIX: Remove svg icons from webmanifest shortcuts (#15765) 2022-02-01 15:26:58 -03:00
notifications_controller.rb REFACTOR: Improve support for consolidating notifications. (#14904) 2021-11-30 13:36:14 -03:00
offline_controller.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
onebox_controller.rb DEV: Add more debugging context to onebox generation 2020-10-22 12:50:22 +08:00
permalinks_controller.rb FIX: Check for permalinks before showing the 404 page 2020-03-23 16:31:07 -07:00
post_action_users_controller.rb FEATURE: Allow category group moderators to delete topics (#11069) 2020-11-05 12:18:26 -05:00
post_actions_controller.rb FEATURE: Admins can flag posts so they can review them later. (#12311) 2021-03-11 08:21:24 -03:00
post_readers_controller.rb DEV: '= true' is not necessary 2019-12-03 11:32:45 -03:00
posts_controller.rb FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
presence_controller.rb UX: Make PresenceChannel changes more responsive (#14733) 2021-10-26 21:15:20 +01:00
published_pages_controller.rb FIX: Do not enable published page if secure media enabled (#11131) 2020-11-06 10:33:19 +10:00
push_notification_controller.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
qunit_controller.rb DEV: Allow Ember CLI assets to be used by development Rails app (#16511) 2022-04-21 16:26:34 +01:00
reviewable_claimed_topics_controller.rb FEATURE: Allow group moderators to close/archive topics 2020-07-14 12:36:19 -04:00
reviewables_controller.rb FEATURE: Show stale reviewable to other clients (#13114) 2021-05-26 09:47:35 +10:00
robots_txt_controller.rb FEATURE: Replace `Crawl-delay` directive with proper rate limiting (#15131) 2021-11-30 12:55:25 +03:00
safe_mode_controller.rb FEATURE: Always disable customizations on the `/safe-mode` route (#9052) 2020-02-28 10:53:11 +00:00
search_controller.rb FIX: Limits for PM and group header search (#16887) 2022-05-24 11:31:24 -04:00
session_controller.rb SECURITY: Remove auto approval when redeeming an invite (#16974) 2022-06-02 16:10:48 +02:00
similar_topics_controller.rb PERF: Avoid parsing `Post#cooked` with Nokogiri for every search. 2020-07-24 10:43:09 +08:00
site_controller.rb DEV: Include `login_required` attribute in basic info endpoint (#14064) 2021-08-17 14:05:51 -04:00
sitemap_controller.rb FEATURE: Let sites add a sitemap.xml file. (#16357) 2022-04-12 10:33:59 -03:00
static_controller.rb DEV: Ensure service-worker sourcemap logic works with brotli/gzip (#16718) 2022-05-11 13:42:34 +01:00
steps_controller.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
stylesheets_controller.rb DEV: Fix stylesheet manager flaky spec (#13846) 2021-07-26 14:22:54 +10:00
svg_sprite_controller.rb DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
tag_groups_controller.rb FIX: Allow finding non-lowercase tag groups (#12787) 2021-04-21 19:15:53 +02:00
tags_controller.rb FEATURE: Show prompt for required tag groups (#16458) 2022-04-21 13:13:52 +01:00
theme_javascripts_controller.rb FEATURE: Allow theme tests to be run in production (take 2) (#12845) 2021-04-28 23:12:08 +03:00
topics_controller.rb FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
uploads_controller.rb FEATURE: Make S3 presigned GET URL expiry configurable (#16912) 2022-05-26 09:53:01 +10:00
user_actions_controller.rb FIX: Sanitize parameters provided to user actions 2022-02-23 15:46:40 +01:00
user_api_keys_controller.rb DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
user_avatars_controller.rb DEV: allow plugins to override max file size for avatar downloads (#16970) 2022-06-01 17:12:06 -07:00
user_badges_controller.rb FIX: simplify and improve choosing favorite badges (#13743) 2021-07-16 11:13:00 +08:00
user_status_controller.rb FEATURE: user status (#16875) 2022-05-27 13:15:14 +04:00
users_controller.rb FEATURE: user status (#16875) 2022-05-27 13:15:14 +04:00
users_email_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
webhooks_controller.rb DEV: Add bounce_error_code to EmailLog (#15948) 2022-02-15 14:17:26 +10:00
wizard_controller.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00