SECURITY: Remove disposable invite feature

2025-06-02 03:06:45 +08:00 · 2017-07-07 20:24:39 -04:00
parent 9fb180f839
commit f1a6449e4b
6 changed files with 4 additions and 192 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -7,8 +7,8 @@ class InvitesController < ApplicationController
  skip_before_filter :redirect_to_login_if_required

  before_filter :ensure_logged_in, only: [:destroy, :create, :create_invite_link, :rescind_all_invites, :resend_invite, :resend_all_invites, :upload_csv]
-  before_filter :ensure_new_registrations_allowed, only: [:show, :perform_accept_invitation, :redeem_disposable_invite]
-  before_filter :ensure_not_logged_in, only: [:show, :perform_accept_invitation, :redeem_disposable_invite]
+  before_filter :ensure_new_registrations_allowed, only: [:show, :perform_accept_invitation]
+  before_filter :ensure_not_logged_in, only: [:show, :perform_accept_invitation]

  def show
    expires_now
@ -104,42 +104,6 @@ class InvitesController < ApplicationController
    end
  end

-  def create_disposable_invite
-    guardian.ensure_can_create_disposable_invite!(current_user)
-    params.permit(:username, :email, :quantity, :group_names)
-
-    username_or_email = params[:username] ? fetch_username : fetch_email
-    user = User.find_by_username_or_email(username_or_email)
-
-    # generate invite tokens
-    invite_tokens = Invite.generate_disposable_tokens(user, params[:quantity], params[:group_names])
-
-    render_json_dump(invite_tokens)
-  end
-
-  def redeem_disposable_invite
-    params.require(:email)
-    params.permit(:username, :name, :topic)
-    params[:email] = params[:email].split(' ').join('+')
-
-    invite = Invite.find_by(invite_key: params[:token])
-
-    if invite.present?
-      user = Invite.redeem_from_token(params[:token], params[:email], params[:username], params[:name], params[:topic].to_i)
-      if user.present?
-        log_on_user(user)
-        post_process_invite(user)
-        topic = invite.topics.first
-        if topic.present?
-          redirect_to path("#{topic.relative_url}")
-          return
-        end
-      end
-    end
-
-    redirect_to path("/")
-  end
-
  def destroy
    params.require(:email)