IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: automatically redirect logged in users to topic when... (#31301)

Browse Source 
...loading an invite link that points to a topic they already have
access to.

This "feature" was removed in 07ef1a80a1
as part of the security fix.

Internal ref - t/145628
This commit is contained in:
Régis Hanol 2025-02-12 17:48:59 +01:00 committed by GitHub
parent 6f5cdfccf5
commit 2e10fe98a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/controllers/invites_controller.rb
View File

@ -28,6 +28,13 @@ class InvitesController < ApplicationController
invite = Invite.find_by(invite_key: params[:id]) invite = Invite.find_by(invite_key: params[:id])
# automatically redirect to the topic if the user is logged in and can see it
if current_user
if topic = invite.topics.first
return redirect_to(topic.url) if current_user.guardian.can_see?(topic)
end
end
if invite.present? && invite.redeemable? if invite.present? && invite.redeemable?
show_invite(invite) show_invite(invite)
else else

26
spec/requests/invites_controller_spec.rb
View File

@ -102,6 +102,24 @@ RSpec.describe InvitesController do
before { sign_in(user) } before { sign_in(user) }
it "automatically redirects to the topic if the user can access it" do
invite.update!(topics: [Fabricate(:topic)])
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(302)
expect(response.location).to eq(invite.topics.first.url)
end
it "doesn't automatically redirect to the topic if the user can't access it" do
secret_group = Fabricate(:group)
invite.update!(
topics: [Fabricate(:topic, category: Fabricate(:private_category, group: secret_group))],
)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
end
it "shows the accept invite page when user's email matches the invite email" do it "shows the accept invite page when user's email matches the invite email" do
invite.update_columns(email: user.email) invite.update_columns(email: user.email)
@ -592,14 +610,16 @@ RSpec.describe InvitesController do
expect(json["successful_invitations"].length).to eq(2) expect(json["successful_invitations"].length).to eq(2)
end end
it "creates many invite codes with one request" do #change to it "creates many invite codes with one request" do
sign_in(admin) sign_in(admin)
num_emails = 5 # increase manually for load testing
num_emails = 5
post "/invites/create-multiple.json", post "/invites/create-multiple.json",
params: { params: {
email: 1.upto(num_emails).map { |i| "test#{i}@example.com" }, email: 1.upto(num_emails).map { |i| "test#{i}@example.com" },
#email: %w[test+1@example.com test1@example.com]
} }
expect(response.status).to eq(200) expect(response.status).to eq(200)
json = JSON(response.body) json = JSON(response.body)
expect(json["failed_invitations"].length).to eq(0) expect(json["failed_invitations"].length).to eq(0)