github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Only allow users to resend activation email with a valid session.

Browse Source 
* Improve error when an active user tries to request for an activation email.
This commit is contained in:
Guo Xiang Tan
2017-03-13 19:19:42 +08:00
parent dd60cb82c3
commit 7ebfa3c901
5 changed files with 51 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/controllers/users_controller.rb
View File

@ -567,13 +567,25 @@ class UsersController < ApplicationController
RateLimiter.new(nil, "activate-min-#{request.remote_ip}", 6, 1.minute).performed!
end
if (current_user && !current_user.staff?) ||
(params[:username] != session[SessionController::ACTIVATE_USER_KEY])
raise Discourse::InvalidAccess
end
@user = User.find_by_username_or_email(params[:username].to_s)
raise Discourse::NotFound unless @user
@email_token = @user.email_tokens.unconfirmed.active.first
enqueue_activation_email if @user
render nothing: true
session.delete(SessionController::ACTIVATE_USER_KEY)
if @user.active
render_json_error(I18n.t('activation.activated'), status: 409)
elsif @user
@email_token = @user.email_tokens.unconfirmed.active.first
enqueue_activation_email
render nothing: true
end
end
def enqueue_activation_email