SECURITY: Don't allow suspending staff users via other_user_ids param

2025-02-25 18:55:32 -06:00 · 2024-05-29 00:58:34 +03:00
parent 10afe5fcf1
commit 9c4a5f39d3
4 changed files with 228 additions and 40 deletions
--- a/app/services/user_suspender.rb
+++ b/app/services/user_suspender.rb
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+class UserSuspender
+  attr_reader :user_history
+
+  def initialize(user, suspended_till:, reason:, by_user:, message: nil, post_id: nil)
+    @user = user
+    @suspended_till = suspended_till
+    @reason = reason
+    @by_user = by_user
+    @message = message
+    @post_id = post_id
+  end
+
+  def suspend
+    suspended_at = DateTime.now
+
+    @user.suspended_till = @suspended_till
+    @user.suspended_at = suspended_at
+
+    @user.transaction do
+      @user.save!
+
+      @user_history =
+        StaffActionLogger.new(@by_user).log_user_suspend(
+          @user,
+          @reason,
+          message: @message,
+          post_id: @post_id,
+        )
+    end
+    @user.logged_out
+
+    if @message.present?
+      Jobs.enqueue(
+        Jobs::CriticalUserEmail,
+        type: "account_suspended",
+        user_id: @user.id,
+        user_history_id: @user_history.id,
+      )
+    end
+
+    DiscourseEvent.trigger(
+      :user_suspended,
+      user: @user,
+      reason: @reason,
+      message: @message,
+      user_history: @user_history,
+      post_id: @post_id,
+      suspended_till: @suspended_till,
+      suspended_at: suspended_at,
+    )
+    nil
+  end
+end