IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Limit email invitations to topic

Browse Source
This commit is contained in:
Krzysztof Kotlarek 2022-08-10 15:39:26 +10:00 committed by Loïc Guitaut
parent a0537816fb
commit cc84ea2444
2 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/invite.rb
View File

@ -113,6 +113,8 @@ class Invite < ActiveRecord::Base
invite.destroy invite.destroy
invite = nil invite = nil
end end
email_digest = Digest::SHA256.hexdigest(email)
RateLimiter.new(invited_by, "reinvites-per-day-#{email_digest}", 3, 1.day.to_i).performed!
end end
emailed_status = if opts[:skip_email] || invite&.emailed_status == emailed_status_types[:not_required] emailed_status = if opts[:skip_email] || invite&.emailed_status == emailed_status_types[:not_required]

18
spec/models/invite_spec.rb
View File

@ -176,6 +176,24 @@ RSpec.describe Invite do
expect(invite.invite_key).not_to eq(another_invite.invite_key) expect(invite.invite_key).not_to eq(another_invite.invite_key)
end end
context "when email is already invited 3 times" do
before do
RateLimiter.enable
3.times do
Invite.generate(user, email: "test@example.com")
end
end
after do
RateLimiter.clear_all!
end
it "raises an error" do
expect { Invite.generate(user, email: "test@example.com") }
.to raise_error(RateLimiter::LimitExceeded)
end
end
end end
context 'when inviting to a topic' do context 'when inviting to a topic' do