FIX: Approves user when redeeming an invite for invites only sites (#16984)

When a site has `SiteSetting.invite_only` enabled, we create a
`ReviewableUser` record when activating a user if the user is not
approved. Therefore, we need to approve the user when redeeming an
invite.

There are some uncertainties surrounding why a `ReviewableRecord` is
created for a user in an invites only site but this commit does not seek
to address that.

Follow-up to 7c4e2d3
tgxworld committed Jun 3, 2022
1 parent f94682e commit 0fa0094
Showing 2 changed files with 30 additions and 2 deletions.
5 changes: 3 additions & 2 deletions app/models/invite_redeemer.rb
Expand Up @@ -40,7 +40,9 @@ def self.create_user_from_invite(email:, invite:, username: nil, name: nil, pass
registration_ip_address: ip_address
}

if SiteSetting.must_approve_users? && EmailValidator.can_auto_approve_user?(user.email)
if (!SiteSetting.must_approve_users && SiteSetting.invite_only) ||
(SiteSetting.must_approve_users? && EmailValidator.can_auto_approve_user?(user.email))

ReviewableUser.set_approved_fields!(user, Discourse.system_user)
end
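Review bot: the first clause of the new condition, `(!SiteSetting.must_approve_users && SiteSetting.invite_only)`, approves every redeemed invite on an invite-only site without consulting `EmailValidator.can_auto_approve_user?`, and nothing in the code says why. The commit message states that the reason a reviewable record is created in this case is not understood, so a short comment above the `if` explaining that this branch exists to avoid that record would help whoever next audits the approval path. The expression also mixes `SiteSetting.must_approve_users` and `SiteSetting.must_approve_users?`; pick one form, and drop the blank line between the condition and `ReviewableUser.set_approved_fields!`, which makes the body look detached from the `if`.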

Expand Down Expand Up @@ -79,7 +81,6 @@ def self.create_user_from_invite(email:, invite:, username: nil, name: nil, pass
authenticator.finish

if invite.emailed_status != Invite.emailed_status_types[:not_required] && email == invite.email && invite.email_token.present? && email_token == invite.email_token
user.email_tokens.create!(email: user.email, scope: EmailToken.scopes[:signup])
user.activate
end
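Review bot: the `if` that gates `user.activate` packs four checks into one line and compares the token with plain `==` (`email_token == invite.email_token`). Since this condition decides whether an account is activated, consider moving it into a named predicate so each clause can be read and tested on its own, and comparing the tokens with `ActiveSupport::SecurityUtils.secure_compare` so the comparison runs in constant time.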

27 changes: 27 additions & 0 deletions spec/models/invite_redeemer_spec.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true

describe InviteRedeemer do
fab!(:admin) { Fabricate(:admin) }

describe '.create_user_from_invite' do
it "should be created correctly" do
Expand Down Expand Up @@ -83,6 +84,32 @@
expect(user.approved).to eq(false)
expect(user.active).to eq(false)
end

it "approves and actives user when redeeming an invite with email token and SiteSetting.invite_only is enabled" do
SiteSetting.invite_only = true
Jobs.run_immediately!

invite = Fabricate(:invite,
invited_by: admin,
email: 'walter.white@email.com',
emailed_status: Invite.emailed_status_types[:sent],
)

user = InviteRedeemer.create_user_from_invite(
invite: invite,
email: invite.email,
email_token: invite.email_token,
username: 'walter',
name: 'Walter White'
)

expect(user.name).to eq("Walter White")
expect(user.username).to eq("walter")
expect(user.email).to eq("walter.white@email.com")
expect(user.approved).to eq(true)
expect(user.active).to eq(true)
expect(ReviewableUser.count).to eq(0)
end
end

describe "#redeem" do
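Review bot: the new example sets only `SiteSetting.invite_only = true` and relies on the default value of `must_approve_users`, so it does not show which branch of the changed condition it exercises. Set `SiteSetting.must_approve_users = false` explicitly in the example, and consider a companion example with both settings enabled so that a later change to the condition cannot silently widen auto-approval. The description also has a typo: "actives" should be "activates".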

1 comment on commit 0fa0094

@discoursebot

This commit has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/staff-generated-invites-bypass-the-must-approve-users-requirement/228199/28
