Invite bypasses user approval
Package
Discourse
(Discourse)
Affected versions
stable <= 2.8.3; beta <= 2.9.0.beta4; tests-passed <= 2.9.0.beta4
Patched versions
stable >= 2.8.4; beta >= 2.9.0.beta5; tests-passed >= 2.9.0.beta5
Impact
Inviting users on sites that use SSO could bypass the
must_approve_userscheck and invites by staff are always approved automatically.Patches
This issue is patched in the latest
stable,betaandtests-passedversions of DiscourseWorkarounds
Disable invites. Administrators can increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users (e.g. trust level 4).