SECURITY: always allow staff to resend activation mails

This commit is contained in:
Sam 2017-03-13 10:32:24 -04:00
parent 1c44c87945
commit 0f6a2b912a
2 changed files with 8 additions and 2 deletions


@ -543,7 +543,7 @@ class UsersController < ApplicationController
raise Discourse::NotFound unless @user
if (current_user && !current_user.staff?) ||
if !current_user&.staff? &&
@user.id != session[SessionController::ACTIVATE_USER_KEY]
raise Discourse::InvalidAccess
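Review bot: The rewritten guard on the `if` line is a doubly negated compound condition (`!current_user&.staff? && @user.id != session[...]`), which is exactly the shape of access check that was misread in the previous version and is easy to invert again on the next edit. Consider stating the grant positively and raising on its negation, e.g. `allowed = current_user&.staff? || @user.id == session[SessionController::ACTIVATE_USER_KEY]` followed by `raise Discourse::InvalidAccess unless allowed`, so the two ways a caller may resend (staff, or the account that just signed up in this session) are explicit. A short comment above it, `# Staff may resend for anyone; otherwise only the account created in this session may request its own mail`, would record the intent the commit title describes. When the session key is absent the comparison against `@user.id` still fails closed, which is the desired outcome, though that is inferred from the visible lines only. The enclosing controller action starts outside the hunk.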


@ -1426,9 +1426,15 @@ describe UsersController do
it 'should not be valid' do
user = Fabricate(:user)
xhr :post, :send_activation_email, username: user.username
expect(response.status).to eq(403)
end
it 'should allow staff regardless' do
log_in :admin
user = Fabricate(:user, active: false)
xhr :post, :send_activation_email, username: user.username
expect(response.status).to eq(200)
end
end
context 'with a valid email_token' do