mirror of
https://github.com/discourse/discourse.git
synced 2024-12-16 15:03:44 +08:00
SECURITY: always allow staff to resend activation mails
This commit is contained in:
parent
1c44c87945
commit
0f6a2b912a
|
@ -543,7 +543,7 @@ class UsersController < ApplicationController
|
|||
|
||||
raise Discourse::NotFound unless @user
|
||||
|
||||
if (current_user && !current_user.staff?) ||
|
||||
if !current_user&.staff? &&
|
||||
@user.id != session[SessionController::ACTIVATE_USER_KEY]
|
||||
|
||||
raise Discourse::InvalidAccess
|
||||
|
|
|
@ -1426,9 +1426,15 @@ describe UsersController do
|
|||
it 'should not be valid' do
|
||||
user = Fabricate(:user)
|
||||
xhr :post, :send_activation_email, username: user.username
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
|
||||
it 'should allow staff regardless' do
|
||||
log_in :admin
|
||||
user = Fabricate(:user, active: false)
|
||||
xhr :post, :send_activation_email, username: user.username
|
||||
expect(response.status).to eq(200)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with a valid email_token' do
|
||||
|
|
Loading…
Reference in New Issue
Block a user