
Bypass user approval when invited

Moderate
jomaxro published GHSA-p63q-jp48-h8xh Jan 13, 2022

Package

Discourse (Discourse)

Affected versions

stable <= v2.7.12; beta <= v2.8.0.beta10; tests-passed <= v2.8.0.beta10

Patched versions

stable >= 2.7.13; beta >= 2.8.0.beta11; tests-passed >= 2.8.0.beta11

Description

Impact

A user invited via email to a forum with must_approve_users enabled is automatically logged in on redeeming the invite, bypassing the check that prevents unapproved users from signing in. They can then do everything an approved user can do. If they log out, they cannot log back in.
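To make the failure mode concrete, here is an added, simplified model of an invite-redemption flow written for this advisory (hypothetical Ruby; not Discourse's own code, and the SiteSetting, User, Invite and Session names are constructed): the unsafe variant creates a session without consulting the approval gate, while the hardened variant reuses the same check that ordinary sign-in applies, which is also why the unsafe path leaves a user who later logs out unable to log back in.

```ruby
# Simplified, hypothetical model of invite redemption (constructed for this
# example, not Discourse's implementation).

SiteSetting = Struct.new(:must_approve_users)

User = Struct.new(:email, :approved, :active) do
  def approved?
    approved
  end

  def active?
    active
  end
end

Invite = Struct.new(:email, :redeemed)
Session = Struct.new(:user)

# Creates the account for a redeemed invite. When must_approve_users is
# enabled the new account starts unapproved, exactly like a normal sign-up.
def redeem_invite(invite, settings)
  raise ArgumentError, 'invite already redeemed' if invite.redeemed
  invite.redeemed = true
  User.new(invite.email, !settings.must_approve_users, true)
end

# The single gate that ordinary sign-in enforces: active, and either the forum
# does not require approval or the user has already been approved.
def login_allowed?(user, settings)
  user.active? && (!settings.must_approve_users || user.approved?)
end

# Unsafe variant (the behaviour the advisory describes): a session is created
# unconditionally, so login_allowed? is never consulted on the invite path.
def login_after_redeem_unsafe(user, _settings)
  Session.new(user)
end

# Hardened variant: the invite path reuses the sign-in gate and returns nil
# (no session) while the user still awaits approval.
def login_after_redeem_safe(user, settings)
  login_allowed?(user, settings) ? Session.new(user) : nil
end

# Ordinary sign-in after a logout goes through the same gate, which is why an
# unapproved user who was auto-logged-in by the unsafe path cannot return.
def sign_in(user, settings)
  login_allowed?(user, settings) ? Session.new(user) : nil
end
```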

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

Disable invites. Administrators can increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users (e.g. trust level 4).

References

https://meta.discourse.org/t/invite-redemption-allowed-user-to-access-forum-before-approval/214328

584c6a2

Severity

Moderate

CVE ID

CVE-2022-21684

Weaknesses

No CWEs

Credits