SECURITY: Don't allow suspending staff users via other_user_ids param

2025-05-28 12:02:05 +08:00 · 2024-05-29 00:58:34 +03:00
parent 10afe5fcf1
commit 9c4a5f39d3
4 changed files with 228 additions and 40 deletions
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@ -46,7 +46,11 @@ class Admin::UsersController < Admin::StaffController
    @user = User.find_by(id: params[:id])
    raise Discourse::NotFound unless @user

-    similar_users = User.real.where.not(id: @user.id).where(ip_address: @user.ip_address)
+    similar_users =
+      User
+        .real
+        .where.not(id: @user.id)
+        .where(ip_address: @user.ip_address, admin: false, moderator: false)

    render_serialized(
      @user,
@ -144,44 +148,20 @@ class Admin::UsersController < Admin::StaffController

    user_history = nil

+    all_users.each { |user| raise Discourse::InvalidAccess.new if !guardian.can_suspend?(user) }
+
    all_users.each do |user|
-      user.suspended_till = params[:suspend_until]
-      user.suspended_at = DateTime.now
-
-      message = params[:message]
-
-      User.transaction do
-        user.save!
-
-        user_history =
-          StaffActionLogger.new(current_user).log_user_suspend(
-            user,
-            params[:reason],
-            message: message,
-            post_id: params[:post_id],
-          )
-      end
-      user.logged_out
-
-      if message.present?
-        Jobs.enqueue(
-          :critical_user_email,
-          type: "account_suspended",
-          user_id: user.id,
-          user_history_id: user_history.id,
+      suspender =
+        UserSuspender.new(
+          user,
+          suspended_till: params[:suspend_until],
+          reason: params[:reason],
+          by_user: current_user,
+          message: params[:message],
+          post_id: params[:post_id],
        )
-      end
-
-      DiscourseEvent.trigger(
-        :user_suspended,
-        user: user,
-        reason: params[:reason],
-        message: message,
-        user_history: user_history,
-        post_id: params[:post_id],
-        suspended_till: params[:suspend_until],
-        suspended_at: DateTime.now,
-      )
+      suspender.suspend
+      user_history = suspender.user_history
    end

    perform_post_action
@ -189,7 +169,7 @@ class Admin::UsersController < Admin::StaffController
    render_json_dump(
      suspension: {
        suspend_reason: params[:reason],
-        full_suspend_reason: user_history.try(:details),
+        full_suspend_reason: user_history&.details,
        suspended_till: @user.suspended_till,
        suspended_at: @user.suspended_at,
        suspended_by: BasicUserSerializer.new(current_user, root: false).as_json,
@ -369,7 +349,6 @@ class Admin::UsersController < Admin::StaffController
  end

  def silence
-    guardian.ensure_can_silence_user! @user
    reason = params[:reason]

    if reason && (!reason.is_a?(String) || reason.size > 300)
@ -404,6 +383,10 @@ class Admin::UsersController < Admin::StaffController

    user_history = nil

+    all_users.each do |user|
+      raise Discourse::InvalidAccess.new if !guardian.can_silence_user?(user)
+    end
+
    all_users.each do |user|
      silencer =
        UserSilencer.new(