SECURITY: Ensure the invite JSON API matches the UX

Anonymous users could query the invite JSON endpoints and see invite counts and
summaries, which the Discourse UX does not allow.

This commit has those endpoints return a 403 unless the user is
allowed to invite.
This commit is contained in:
Robin Ward
2020-03-04 11:10:23 -05:00
parent d953c908d2
commit 79ce7085c2
2 changed files with 52 additions and 13 deletions


@ -274,6 +274,8 @@ class UsersController < ApplicationController
end
def invited
guardian.ensure_can_invite_to_forum!
inviter = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
offset = params[:offset].to_i || 0
filter_by = params[:filter]
@ -290,6 +292,8 @@ class UsersController < ApplicationController
end
def invited_count
guardian.ensure_can_invite_to_forum!
inviter = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
pending_count = Invite.find_pending_invites_count(inviter)