github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 07:53:49 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Don't allow staff to approve users with unverified emails

Browse Source
This commit is contained in:
Robin Ward
2017-09-04 12:55:23 -04:00
parent 153eca23e3
commit db929e58fc
5 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/assets/javascripts/admin/templates/user-index.hbs
View File

@ -466,7 +466,7 @@
{{/if}} {{/if}}
<section> <section>
<hr/> <hr>
<div class="pull-right"> <div class="pull-right">
{{#unless model.anonymizeForbidden}} {{#unless model.anonymizeForbidden}}
{{d-button label="admin.user.anonymize" {{d-button label="admin.user.anonymize"
@ -487,7 +487,7 @@
{{#if model.deleteExplanation}} {{#if model.deleteExplanation}}
<div class="clearfix"></div> <div class="clearfix"></div>
<br/> <br>
<div class="pull-right"> <div class="pull-right">
{{d-icon "exclamation-triangle"}} {{model.deleteExplanation}} {{d-icon "exclamation-triangle"}} {{model.deleteExplanation}}
</div> </div>

2
lib/admin_user_index_query.rb
View File

@ -95,7 +95,7 @@ class AdminUserIndexQuery
when 'moderators' then @query.where(moderator: true) when 'moderators' then @query.where(moderator: true)
when 'blocked' then @query.blocked when 'blocked' then @query.blocked
when 'suspended' then @query.suspended when 'suspended' then @query.suspended
when 'pending' then @query.not_suspended.where(approved: false) when 'pending' then @query.not_suspended.where(approved: false, active: true)
when 'suspect' then suspect_users when 'suspect' then suspect_users
end end
end end

2
lib/guardian.rb
View File

@ -176,7 +176,7 @@ class Guardian
# Can we approve it? # Can we approve it?
def can_approve?(target) def can_approve?(target)
is_staff? && target && not(target.approved?) is_staff? && target && target.active? && not(target.approved?)
end end
def can_activate?(target) def can_activate?(target)

8
spec/components/admin_user_index_query_spec.rb
View File

@ -100,18 +100,20 @@ describe AdminUserIndexQuery do
describe "with a pending user" do describe "with a pending user" do
let!(:user) { Fabricate(:user, approved: false) } let!(:user) { Fabricate(:user, active: true, approved: false) }
let!(:inactive_user) { Fabricate(:user, approved: false, active: false) }
it "finds the unapproved user" do it "finds the unapproved user" do
query = ::AdminUserIndexQuery.new(query: 'pending') query = ::AdminUserIndexQuery.new(query: 'pending')
expect(query.find_users.count).to eq(1) expect(query.find_users).to include(user)
expect(query.find_users).not_to include(inactive_user)
end end
context 'and a suspended pending user' do context 'and a suspended pending user' do
let!(:suspended_user) { Fabricate(:user, approved: false, suspended_at: 1.hour.ago, suspended_till: 20.years.from_now) } let!(:suspended_user) { Fabricate(:user, approved: false, suspended_at: 1.hour.ago, suspended_till: 20.years.from_now) }
it "doesn't return the suspended user" do it "doesn't return the suspended user" do
query = ::AdminUserIndexQuery.new(query: 'pending') query = ::AdminUserIndexQuery.new(query: 'pending')
expect(query.find_users.count).to eq(1) expect(query.find_users).not_to include(suspended_user)
end end
end end

5
spec/components/guardian_spec.rb
View File

@ -1653,6 +1653,11 @@ describe Guardian do
expect(Guardian.new(admin).can_approve?(user)).to be_falsey expect(Guardian.new(admin).can_approve?(user)).to be_falsey
end end
it "returns false when the user is not active" do
user.active = false
expect(Guardian.new(admin).can_approve?(user)).to be_falsey
end
it "allows an admin to approve a user" do it "allows an admin to approve a user" do
expect(Guardian.new(admin).can_approve?(user)).to be_truthy expect(Guardian.new(admin).can_approve?(user)).to be_truthy
end end