FIX: Don't invite new users via group with SSO on or local logins off (#11950)

Issue originally reported in https://meta.discourse.org/t/bypass-sso-by-adding-unkown-email-to-group/177339 Inviting people via email address to a group when SSO is enabled (or local logins are disabled) led to a situation where user records were being created bypassing single sign-on. We already prevent that in most places. This adds required checks to `GroupsController`.
2025-06-04 05:26:02 +08:00 · 2021-02-03 18:13:00 +01:00
parent 45931f86be
commit 704778f448
3 changed files with 42 additions and 3 deletions
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -333,15 +333,23 @@ class GroupsController < ApplicationController
    end

    if users.empty? && emails.empty?
-      raise Discourse::InvalidParameters.new(
-        'usernames or emails must be present'
-      )
+      raise Discourse::InvalidParameters.new(I18n.t("usernames_or_emails_required"))
    end
+
+    if emails.any?
+      if SiteSetting.enable_sso?
+        raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_sso"))
+      elsif !SiteSetting.enable_local_logins?
+        raise Discourse::InvalidParameters.new(I18n.t("no_invites_without_local_logins"))
+      end
+    end
+
    if users.length > ADD_MEMBERS_LIMIT
      return render_json_error(
        I18n.t("groups.errors.adding_too_many_users", count: ADD_MEMBERS_LIMIT)
      )
    end
+
    usernames_already_in_group = group.users.where(id: users.map(&:id)).pluck(:username)
    if usernames_already_in_group.present? && usernames_already_in_group.length == users.length
      render_json_error(I18n.t(