SECURITY: Fix invite link email validation (#18817)

See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278

Co-authored-by: Martin Brennan <martin@discourse.org>
David Taylor
2022-11-01 16:33:32 +00:00
committed by GitHub
parent 68b4fe4cf8
commit 07ef1a80a1
13 changed files with 507 additions and 223 deletions


@ -338,38 +338,38 @@ RSpec.describe Invite do
end
end
describe '#redeem_from_email' do
describe '#redeem_for_existing_user' do
fab!(:invite) { Fabricate(:invite, email: 'test@example.com') }
fab!(:user) { Fabricate(:user, email: invite.email) }
it 'redeems the invite from email' do
Invite.redeem_from_email(user.email)
Invite.redeem_for_existing_user(user)
expect(invite.reload).to be_redeemed
end
it 'does not redeem the invite if email does not match' do
Invite.redeem_from_email('test2@example.com')
user.update!(email: 'test2@example.com')
Invite.redeem_for_existing_user(user)
expect(invite.reload).not_to be_redeemed
end
it 'does not work with expired invites' do
invite.update!(expires_at: 1.day.ago)
Invite.redeem_from_email(user.email)
Invite.redeem_for_existing_user(user)
expect(invite).not_to be_redeemed
end
it 'does not work with deleted invites' do
invite.trash!
Invite.redeem_from_email(user.email)
Invite.redeem_for_existing_user(user)
expect(invite).not_to be_redeemed
end
it 'does not work with invalidated invites' do
invite.update!(invalidated_at: 1.day.ago)
Invite.redeem_from_email(user.email)
Invite.redeem_for_existing_user(user)
expect(invite).not_to be_redeemed
end
end
describe 'scopes' do