SECURITY: Do not sign in unapproved users (#15552)
udan11 committed Jan 12, 2022
1 parent 6750c68 commit 584c6a2
Showing 2 changed files with 24 additions and 3 deletions.
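--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -298,7 +298,7 @@ def perform_accept_invitation
 return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404
 end
 
-log_on_user(user) if user.active?
+log_on_user(user) if user.active? && user.guardian.can_access_forum?
 user.update_timezone_if_missing(params[:timezone])
 post_process_invite(user)
 create_topic_invite_notifications(invite, user)
@@ -307,14 +307,19 @@ def perform_accept_invitation
 response = {}
 
 if user.present?
-if user.active?
+if user.active? && user.guardian.can_access_forum?
 if user.guardian.can_see?(topic)
 response[:redirect_to] = path(topic.relative_url)
 else
 response[:redirect_to] = path("/")
 end
 else
-response[:message] = I18n.t('invite.confirm_email')
+response[:message] = if user.active?
+I18n.t('activation.approval_required')
+else
+I18n.t('invite.confirm_email')
+end
+
 if user.guardian.can_see?(topic)
 cookies[:destination_url] = path(topic.relative_url)
 end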
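Review bot: The new guard `user.active? && user.guardian.can_access_forum?` is spelled out twice in perform_accept_invitation — on the log_on_user line in the first hunk and in the `if` of the second — so a later edit to one copy can silently let the sign-in decision and the response that reports it disagree; evaluate it once, e.g. `can_log_on = user.active? && user.guardian.can_access_forum?`, and use that local in both places (assuming nothing between the two hunks changes `user`). The `else` branch now reports `activation.approval_required` for any active user who cannot access the forum, which is accurate only if pending approval is the sole reason can_access_forum? is false for an active user; if it can be false for other reasons, a comment such as `# active but not yet allowed in (e.g. must_approve_users): do not sign in` would make the intent reviewable. perform_accept_invitation starts and ends outside these hunks.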
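--- a/spec/requests/invites_controller_spec.rb
+++ b/spec/requests/invites_controller_spec.rb
@@ -510,6 +510,22 @@
 expect(response.status).to eq(412)
 end
 
+it 'does not log in the user if they were not approved' do
+SiteSetting.must_approve_users = true
+
+put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex, email_token: invite.email_token }
+
+expect(session[:current_user_id]).to eq(nil)
+expect(response.parsed_body["message"]).to eq(I18n.t('activation.approval_required'))
+end
+
+it 'does not log in the user if they were not activated' do
+put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
+
+expect(session[:current_user_id]).to eq(nil)
+expect(response.parsed_body["message"]).to eq(I18n.t('invite.confirm_email'))
+end
+
 it 'fails when local login is disabled and no external auth is configured' do
 SiteSetting.enable_local_logins = false
 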
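Review bot: Neither new example asserts that the response carries no redirect, so a regression that sets `redirect_to` alongside the message would still pass as long as `session[:current_user_id]` stays nil; add `expect(response.parsed_body["redirect_to"]).to eq(nil)` to both examples. The approval example also depends on `email_token: invite.email_token` activating the user so that the `activation.approval_required` branch is reached rather than `invite.confirm_email`; that dependency is implicit, and a one-line comment above the `put`, such as `# email_token activates the account; only approval should now block sign-in`, would keep the two examples from being confused when they fail. The surrounding describe block starts and ends outside this hunk.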

0 comments on commit 584c6a2

Please sign in to comment.