SECURITY: Prevent email from being nil in InviteRedeemer (#19004)

This commit adds some protections in InviteRedeemer to ensure that email
can never be nil, which could cause issues with inviting the invited
person to private topics since there was an incorrect inner join.

If the email is nil and the invite is scoped to an email, we just use
that invite.email unconditionally.  If a redeeming_user (an existing
user) is passed in when redeeming an email, we use their email to
override the passed in email.  Otherwise we just use the passed in
email.  We now raise an error after all this if the email is still nil.
This commit also adds some tests to catch the private topic fix, and
some general improvements and comments around the invite code.

This commit also includes a migration to delete TopicAllowedUser records
for users who were mistakenly added to topics as part of the invite
redemption process.
Martin Brennan
2022-11-14 12:02:06 +10:00
committed by GitHub
parent 78157b43ed
commit a414520742
6 changed files with 525 additions and 232 deletions
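The email-resolution order the commit message describes, as an added stand-alone reconstruction (not Discourse's own InviteRedeemer code); Invite, User and EmailRequired are constructed stand-ins for this illustration:

```ruby
# Constructed stand-ins for the illustration; not Discourse's models.
Invite = Struct.new(:email, :email_scoped, keyword_init: true) do
  def is_email_invite?
    email_scoped
  end
end
User = Struct.new(:email, keyword_init: true)

class EmailRequired < StandardError; end

# Resolution order as given in the commit message:
#   1. start from the email passed in by the caller
#   2. if that is nil and the invite is scoped to an email, take invite.email
#   3. an existing redeeming_user's email overrides the passed-in email
#   4. a nil result is an error, not a value that can reach the
#      TopicAllowedUser join downstream
def resolve_redeem_email(invite:, passed_email: nil, redeeming_user: nil)
  email = passed_email
  email = invite.email if email.nil? && invite.is_email_invite?
  email = redeeming_user.email if redeeming_user
  if email.nil? || email.strip.empty?
    raise EmailRequired, "email must be present to redeem an invite"
  end
  email
end
```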


@ -760,7 +760,7 @@ class SessionController < ApplicationController
end
if invite.redeemable?
if !invite.is_invite_link? && sso.email != invite.email
if invite.is_email_invite? && sso.email != invite.email
raise Invite::ValidationFailed.new(I18n.t("invite.not_matching_email"))
end
elsif invite.expired?
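Review bot: the guard now keys on `invite.is_email_invite?` instead of `!invite.is_invite_link?`; unless those two predicates are strict complements, an invite that is neither link-scoped nor email-scoped previously hit the `sso.email != invite.email` comparison and raised `not_matching_email`, while after this change it skips the comparison entirely. If that widening is intended, a spec for the neither-case (or a sentence in the commit message) would make it explicit.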