SECURITY: always allow staff to resend activation mails
parent
1c44c87945
commit
0f6a2b912a
|
@ -543,7 +543,7 @@ class UsersController < ApplicationController
|
||||||
|
|
||||||
raise Discourse::NotFound unless @user
|
raise Discourse::NotFound unless @user
|
||||||
|
|
||||||
if (current_user && !current_user.staff?) ||
|
if !current_user&.staff? &&
|
||||||
@user.id != session[SessionController::ACTIVATE_USER_KEY]
|
@user.id != session[SessionController::ACTIVATE_USER_KEY]
|
||||||
|
|
||||||
raise Discourse::InvalidAccess
|
raise Discourse::InvalidAccess
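Review bot: The rewritten guard `if !current_user&.staff? && @user.id != session[SessionController::ACTIVATE_USER_KEY]` does more than admit staff: a logged-in non-staff caller whose session holds a matching ACTIVATE_USER_KEY now passes, where the old condition rejected every logged-in non-staff caller. If that widening is intended, a comment above the check would make the policy explicit, for example `# staff may resend for any user; anyone else must hold the matching ACTIVATE_USER_KEY in their session`. The staff branch also lets any staff account trigger mail to any username, so the rest of the action, which lies outside this hunk, should be checked to confirm it skips already-active users and limits how often the mail can be sent.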
|
||||||
|
|
|
@ -1426,9 +1426,15 @@ describe UsersController do
|
||||||
it 'should not be valid' do
|
it 'should not be valid' do
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user)
|
||||||
xhr :post, :send_activation_email, username: user.username
|
xhr :post, :send_activation_email, username: user.username
|
||||||
|
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(403)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'should allow staff regardless' do
|
||||||
|
log_in :admin
|
||||||
|
user = Fabricate(:user, active: false)
|
||||||
|
xhr :post, :send_activation_email, username: user.username
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with a valid email_token' do
|
context 'with a valid email_token' do
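Review bot: The added example 'should allow staff regardless' exercises only `log_in :admin` and asserts only the 200 status, so the other cases the changed controller condition affects stay unpinned. A moderator example would confirm that the check really is `staff?` and not admin-only, and a logged-in non-staff example without the session key, sketched below, would protect the 403 path against regressions. It would also be worth asserting that the activation mail was actually queued, not just the response status. The enclosing context begins outside this hunk, so any session setup it performs is not visible here.

```ruby
# … unchanged: 'should not be valid' and 'should allow staff regardless' examples …

it 'should not allow a logged in non-staff user without the session key' do
  log_in :user
  user = Fabricate(:user, active: false)
  xhr :post, :send_activation_email, username: user.username
  expect(response.status).to eq(403)
end
```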
|
||||||
|
|