IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

DEV: by default disable anon impersonation in dev environments

Browse Source 
The impersonate any user by anonymous feature in dev should require a
deliberate opt-in. This way developers are better aware of the security
implications of this development only feature.
This commit is contained in:
Sam Saffron 2019-06-03 10:02:10 +10:00
parent b893e9fcbb
commit e302c0af8b
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
app/controllers/session_controller.rb
View File

@ -103,7 +103,21 @@ class SessionController < ApplicationController
skip_before_action :check_xhr, only: [:become] skip_before_action :check_xhr, only: [:become]
def become def become
raise Discourse::InvalidAccess if Rails.env.production? raise Discourse::InvalidAccess if Rails.env.production?
if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1"
render(content_type: 'text/plain', inline: <<~TEXT)
To enable impersonating any user without typing passwords set the following ENV var
export DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE=1
You can do that in your bashrc of bash profile file or the script you use to launch the web server
TEXT
return
end
user = User.find_by_username(params[:session_id]) user = User.find_by_username(params[:session_id])
raise "User #{params[:session_id]} not found" if user.blank? raise "User #{params[:session_id]} not found" if user.blank?