From 0f6a2b912a596135f7e120fc78c9119fe78f09f3 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 13 Mar 2017 10:32:24 -0400
Subject: [PATCH] SECURITY: always allow staff to resend activation mails
---
 app/controllers/users_controller.rb | 2 +-
 spec/controllers/users_controller_spec.rb | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f11ef856ce0..ece3aa99f60 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -543,7 +543,7 @@ class UsersController < ApplicationController
 raise Discourse::NotFound unless @user
- if (current_user && !current_user.staff?) ||
+ if !current_user&.staff? &&
 @user.id != session[SessionController::ACTIVATE_USER_KEY]
 raise Discourse::InvalidAccess
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 5a3e803e922..525049bc1f5 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -1426,9 +1426,15 @@ describe UsersController do
 it 'should not be valid' do
 user = Fabricate(:user)
 xhr :post, :send_activation_email, username: user.username
-
 expect(response.status).to eq(403)
 end
+
+ it 'should allow staff regardless' do
+ log_in :admin
+ user = Fabricate(:user, active: false)
+ xhr :post, :send_activation_email, username: user.username
+ expect(response.status).to eq(200)
+ end
 end
 context 'with a valid email_token' do
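Review bot: The new guard at `if !current_user&.staff? &&` is a double negation spread over a two-line condition, which makes the actual allow rule hard to read for a SECURITY-tagged change; the same rule reads more directly as an allow-list, `unless current_user&.staff? || @user.id == session[SessionController::ACTIVATE_USER_KEY]` followed by the existing `raise Discourse::InvalidAccess`. Since anonymous callers are still gated only by the session key, exactly as before, the change widens access only for staff, and a one-line comment stating that intent would help the next reader, e.g. `# Staff may resend for any account; everyone else only for the account registered in this session`. The enclosing action starts and ends outside the hunk, so whether a rate limit or an already-active check also applies to staff-triggered resends is not visible here and is worth confirming.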
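Review bot: The new example `it 'should allow staff regardless'` exercises only `log_in :admin`, while the production guard is `current_user&.staff?`, which per the commit title is meant to cover all staff; a second example with `log_in :moderator` would pin the moderator path and catch a regression to an `admin?`-only check. The example asserts only `expect(response.status).to eq(200)` and not that an activation mail was actually queued, so a change that skips the send while still returning 200 would pass; if the suite has a job or mailer expectation helper, adding one here would make the test meaningful. The surrounding `describe`/`context` blocks start outside the hunk.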