mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 08:57:10 -06:00
SECURITY: correct edge case when SSO provides unvalidated emails
This commit is contained in:
parent
80eace4268
commit
e64402cb3b
@ -162,7 +162,8 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||
# Use a mutex here to counter SSO requests that are sent at the same time w
|
||||
# the same email payload
|
||||
DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do
|
||||
unless user = User.find_by_email(email)
|
||||
user = User.find_by_email(email) if !require_activation
|
||||
if !user
|
||||
try_name = name.presence
|
||||
try_username = username.presence
|
||||
|
||||
|
@ -377,6 +377,15 @@ describe DiscourseSingleSignOn do
|
||||
sso.require_activation = true
|
||||
user = sso.lookup_or_create_user(ip_address)
|
||||
expect(user.active).to eq(false)
|
||||
|
||||
user.activate
|
||||
|
||||
sso.external_id = "B"
|
||||
|
||||
expect do
|
||||
sso.lookup_or_create_user(ip_address)
|
||||
end.to raise_error(ActiveRecord::RecordInvalid)
|
||||
|
||||
end
|
||||
|
||||
it 'does not deactivate user if email provided is capitalized' do
|
||||
|
Loading…
Reference in New Issue
Block a user