SECURITY: prevent staged accounts from changing email

This commit is contained in:
Sam
2017-12-14 17:16:49 +11:00
parent 67aecff59c
commit 96584403cd
3 changed files with 50 additions and 19 deletions


@@ -298,6 +298,8 @@ class UsersController < ApplicationController
params[:for_user_id] ? User.find(params[:for_user_id]) : current_user
end
FROM_STAGED = "from_staged".freeze
def create
params.require(:email)
params.permit(:user_fields)
@@ -322,6 +324,7 @@ class UsersController < ApplicationController
user_params.each { |k, v| user.send("#{k}=", v) }
user.staged = false
user.active = false
user.custom_fields[FROM_STAGED] = true
else
user = User.new(user_params)
end
@@ -590,7 +593,7 @@ class UsersController < ApplicationController
if user = User.where(id: session_user_id.to_i).first
@account_created[:username] = user.username
@account_created[:email] = user.email
@account_created[:show_controls] = true
@account_created[:show_controls] = !user.custom_fields[FROM_STAGED]
end
end
@@ -648,6 +651,10 @@ class UsersController < ApplicationController
raise Discourse::InvalidAccess.new
end
if @user.custom_fields[FROM_STAGED]
raise Discourse::InvalidAccess.new
end
User.transaction do
primary_email = @user.primary_email