SECURITY: Disable access to "activate-account" route for existing users

2025-05-31 21:55:25 +08:00 · 2024-12-27 13:42:03 -05:00
parent 17116c440b
commit b89cf9b443
5 changed files with 39 additions and 9 deletions
--- a/config/routes.rb
+++ b/config/routes.rb
@ -597,11 +597,17 @@ Discourse::Application.routes.draw do
            format: "json",
          }
      put "#{root_path}/password-reset/:token" => "users#password_reset_update"
-      get "#{root_path}/activate-account/:token" => "users#activate_account"
+      get "#{root_path}/activate-account/:token" => "users#activate_account",
+          :constraints => {
+            token: /[0-9a-f]+/,
+          }
      put(
-        { "#{root_path}/activate-account/:token" => "users#perform_account_activation" }.merge(
-          index == 1 ? { as: "perform_activate_account" } : {},
-        ),
+        {
+          "#{root_path}/activate-account/:token" => "users#perform_account_activation",
+          :constraints => {
+            token: /[0-9a-f]+/,
+          },
+        }.merge(index == 1 ? { as: "perform_activate_account" } : {}),
      )

      get "#{root_path}/confirm-old-email/:token" => "users_email#show_confirm_old_email"