SECURITY: Validate email constraints when trying to redeem an invite

In certain situations, a logged-in user can redeem an invite with an email that
either doesn't match the invite's email or does not adhere to the email domain
restriction of an invite link. The impact of this flaw is aggravated
when the invite has been configured to add the user that accepts the
invite into restricted groups.
This commit is contained in:
Alan Guo Xiang Tan
2022-06-21 11:56:50 +08:00
committed by David Taylor
parent 03ffb0bf27
commit 115859964d
4 changed files with 103 additions and 101 deletions


@ -165,11 +165,8 @@ class Invite < ActiveRecord::Base
def redeem(email: nil, username: nil, name: nil, password: nil, user_custom_fields: nil, ip_address: nil, session: nil, email_token: nil)
return if !redeemable?
if is_invite_link? && UserEmail.exists?(email: email)
raise UserExists.new I18n.t("invite_link.email_taken")
end
email = self.email if email.blank? && !is_invite_link?
InviteRedeemer.new(
invite: self,
email: email,
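Review bot: in this hunk the `UserEmail.exists?` / `raise UserExists` guard for invite links is dropped from `Invite#redeem`, but nothing visible in this hunk replaces it or adds the validation the commit message describes (caller-supplied `email` must equal the invite's email for a non-link invite, and must satisfy the domain restriction for an invite link). The surviving line `email = self.email if email.blank? && !is_invite_link?` only fills in a blank email; a non-blank `email` that differs from `self.email` still flows into `InviteRedeemer.new(invite: self, email: email, ...)` unchanged. If the checks now live in `InviteRedeemer` (the other three changed files are not shown here), a one-line comment at this call site saying that the redeemer validates the email against the invite would help the next reader; otherwise the comparison against `self.email` and the domain check belong before the `InviteRedeemer.new(` call, and the removed `UserExists` raise should be re-homed rather than silently lost.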