From c7a6d9bc3a4ce048359bf69763ced4727f08edc6 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Thu, 13 Jan 2022 10:42:48 +0200
Subject: [PATCH] SECURITY: Do not sign in unapproved users (#15552)
---
 app/controllers/invites_controller.rb | 10 +++++++---
 spec/requests/invites_controller_spec.rb | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 722fa3572eb..9d1e1b2cda4 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -238,17 +238,21 @@ class InvitesController < ApplicationController
 return render json: failed_json.merge(message: I18n.t('invite.not_found_json')), status: 404
 end
- log_on_user(user) if user.active?
+ log_on_user(user) if user.active? && user.guardian.can_access_forum?
 user.update_timezone_if_missing(params[:timezone])
 post_process_invite(user)
 topic = invite.topics.first
 response = {}
- if user.present? && user.active?
+ if user.present? && user.active? && user.guardian.can_access_forum?
 response[:redirect_to] = topic.present? ? path(topic.relative_url) : path("/")
 elsif user.present?
- response[:message] = I18n.t('invite.confirm_email')
+ response[:message] = if user.active?
+ I18n.t('activation.approval_required')
+ else
+ I18n.t('invite.confirm_email')
+ end
 cookies[:destination_url] = path(topic.relative_url) if topic.present?
 end
diff --git a/spec/requests/invites_controller_spec.rb b/spec/requests/invites_controller_spec.rb
index aecfa505cae..e5802fed7b7 100644
--- a/spec/requests/invites_controller_spec.rb
+++ b/spec/requests/invites_controller_spec.rb
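Review bot: The new guard `user.active? && user.guardian.can_access_forum?` is evaluated twice in this hunk, once for `log_on_user` and again for the response branch, with `post_process_invite(user)` running in between; if that call can change the user's activation or approval state, the session decision and the JSON response could disagree. Computing it once keeps the two consistent and makes the security check a single point to audit: `can_log_on = user.active? && user.guardian.can_access_forum?`, then `log_on_user(user) if can_log_on` and `if user.present? && can_log_on`. The `elsif` branch maps every active-but-denied user to `activation.approval_required`; if `can_access_forum?` can also be false for reasons other than pending approval, that message would be misleading, so a comment stating the assumption (e.g. `# active but not yet approved: tell the user why they were not signed in`) would help the next reader. The enclosing action starts before and ends after this hunk.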
@@ -447,6 +447,22 @@ describe InvitesController do
 expect(response.status).to eq(412)
 end
+ it 'does not log in the user if they were not approved' do
+ SiteSetting.must_approve_users = true
+
+ put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex, email_token: invite.email_token }
+
+ expect(session[:current_user_id]).to eq(nil)
+ expect(response.parsed_body["message"]).to eq(I18n.t('activation.approval_required'))
+ end
+
+ it 'does not log in the user if they were not activated' do
+ put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
+
+ expect(session[:current_user_id]).to eq(nil)
+ expect(response.parsed_body["message"]).to eq(I18n.t('invite.confirm_email'))
+ end
+
 it 'fails when local login is disabled and no external auth is configured' do
 SiteSetting.enable_local_logins = false