SECURITY: Do not sign in unapproved users (#15552)

2025-04-26 21:04:30 +08:00 · 2022-01-13 10:42:48 +02:00 · 2022-01-13 10:42:48 +02:00 · c7a6d9bc3a
commit c7a6d9bc3a
parent 909de9b36c
2 changed files with 23 additions and 3 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -238,17 +238,21 @@ class InvitesController < ApplicationController
        return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404
      end

-      log_on_user(user) if user.active?
+      log_on_user(user) if user.active? && user.guardian.can_access_forum?
      user.update_timezone_if_missing(params[:timezone])
      post_process_invite(user)

      topic = invite.topics.first
      response = {}

-      if user.present? && user.active?
+      if user.present? && user.active? && user.guardian.can_access_forum?
        response[:redirect_to] = topic.present? ? path(topic.relative_url) : path("/")
      elsif user.present?
-        response[:message] = I18n.t('invite.confirm_email')
+        response[:message] = if user.active?
+          I18n.t('activation.approval_required')
+        else
+          I18n.t('invite.confirm_email')
+        end
        cookies[:destination_url] = path(topic.relative_url) if topic.present?
      end

--- a/spec/requests/invites_controller_spec.rb
+++ b/spec/requests/invites_controller_spec.rb
@ -447,6 +447,22 @@ describe InvitesController do
        expect(response.status).to eq(412)
      end

+      it 'does not log in the user if they were not approved' do
+        SiteSetting.must_approve_users = true
+
+        put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex, email_token: invite.email_token }
+
+        expect(session[:current_user_id]).to eq(nil)
+        expect(response.parsed_body["message"]).to eq(I18n.t('activation.approval_required'))
+      end
+
+      it 'does not log in the user if they were not activated' do
+        put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
+
+        expect(session[:current_user_id]).to eq(nil)
+        expect(response.parsed_body["message"]).to eq(I18n.t('invite.confirm_email'))
+      end
+
      it 'fails when local login is disabled and no external auth is configured' do
        SiteSetting.enable_local_logins = false