SECURITY: Do not sign in unapproved users (#15552)

Dan Ungureanu
2022-01-12 22:24:54 +02:00
committed by GitHub
parent 6750c682ac
commit 584c6a2e8b
2 changed files with 24 additions and 3 deletions


@ -298,7 +298,7 @@ class InvitesController < ApplicationController
return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404
end
log_on_user(user) if user.active?
log_on_user(user) if user.active? && user.guardian.can_access_forum?
user.update_timezone_if_missing(params[:timezone])
post_process_invite(user)
create_topic_invite_notifications(invite, user)
@ -307,14 +307,19 @@ class InvitesController < ApplicationController
response = {}
if user.present?
if user.active?
if user.active? && user.guardian.can_access_forum?
if user.guardian.can_see?(topic)
response[:redirect_to] = path(topic.relative_url)
else
response[:redirect_to] = path("/")
end
else
response[:message] = I18n.t('invite.confirm_email')
response[:message] = if user.active?
I18n.t('activation.approval_required')
else
I18n.t('invite.confirm_email')
end
if user.guardian.can_see?(topic)
cookies[:destination_url] = path(topic.relative_url)
end
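Review bot: The approval gate `user.active? && user.guardian.can_access_forum?` is now spelled out twice, on the `log_on_user` line of the first hunk and on the outer `if` of the second, so a later edit to one copy can leave the other signing in or redirecting an unapproved user. I would move it into one private predicate, for example `def can_sign_in?(user)` returning `user.active? && user.guardian.can_access_forum?`, with a one-line comment that both conditions must hold before a session is created. In the first hunk, `post_process_invite(user)` and `create_topic_invite_notifications(invite, user)` still run for a user who was not signed in. Their bodies are not visible here, so that may be intended, but it deserves a short comment or a spec that pins the behaviour for unapproved accounts. Both enclosing methods start and end outside the hunks shown.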