Don't allow invites if local logins are disabled, since it provides a way to bypass external auth

2024-11-23 09:26:54 -06:00 · 2014-06-18 16:46:04 -04:00 · 2014-06-18 16:46:04 -04:00 · 4f523ae1b9
commit 4f523ae1b9
parent 49efd30dfa
2 changed files with 13 additions and 0 deletions
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -191,6 +191,7 @@ class Guardian
  def can_invite_to_forum?(groups=nil)
    authenticated? &&
    !SiteSetting.enable_sso &&
+    SiteSetting.enable_local_logins &&
    (
      (!SiteSetting.must_approve_users? && @user.has_trust_level?(:regular)) ||
      is_staff?
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -232,6 +232,12 @@ describe Guardian do
      Guardian.new(user).can_invite_to_forum?.should be_false
    end

+    it 'returns false when the local logins are disabled' do
+      SiteSetting.stubs(:enable_local_logins).returns(false)
+      Guardian.new(user).can_invite_to_forum?.should be_false
+      Guardian.new(moderator).can_invite_to_forum?.should be_false
+    end
+
  end

  describe 'can_invite_to?' do
@ -256,6 +262,12 @@ describe Guardian do
      Guardian.new(coding_horror).can_invite_to?(topic).should be_false
    end

+    it 'returns false when local logins are disabled' do
+      SiteSetting.stubs(:enable_local_logins).returns(false)
+      Guardian.new(moderator).can_invite_to?(topic).should be_false
+      Guardian.new(user).can_invite_to?(topic).should be_false
+    end
+
  end

  describe 'can_see?' do