IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't allow invites if local logins are disabled, since it provides a way to bypass external auth

Browse Source
This commit is contained in:
Neil Lalonde 2014-06-18 16:46:04 -04:00
parent 49efd30dfa
commit 4f523ae1b9
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/guardian.rb
View File

@ -191,6 +191,7 @@ class Guardian
def can_invite_to_forum?(groups=nil) def can_invite_to_forum?(groups=nil)
authenticated? && authenticated? &&
!SiteSetting.enable_sso && !SiteSetting.enable_sso &&
SiteSetting.enable_local_logins &&
( (
(!SiteSetting.must_approve_users? && @user.has_trust_level?(:regular)) || (!SiteSetting.must_approve_users? && @user.has_trust_level?(:regular)) ||
is_staff? is_staff?

12
spec/components/guardian_spec.rb
View File

@ -232,6 +232,12 @@ describe Guardian do
Guardian.new(user).can_invite_to_forum?.should be_false Guardian.new(user).can_invite_to_forum?.should be_false
end end
it 'returns false when the local logins are disabled' do
SiteSetting.stubs(:enable_local_logins).returns(false)
Guardian.new(user).can_invite_to_forum?.should be_false
Guardian.new(moderator).can_invite_to_forum?.should be_false
end
end end
describe 'can_invite_to?' do describe 'can_invite_to?' do
@ -256,6 +262,12 @@ describe Guardian do
Guardian.new(coding_horror).can_invite_to?(topic).should be_false Guardian.new(coding_horror).can_invite_to?(topic).should be_false
end end
it 'returns false when local logins are disabled' do
SiteSetting.stubs(:enable_local_logins).returns(false)
Guardian.new(moderator).can_invite_to?(topic).should be_false
Guardian.new(user).can_invite_to?(topic).should be_false
end
end end
describe 'can_see?' do describe 'can_see?' do