SECURITY: prevent staged accounts from changing email

Sam 2017-12-14 17:27:50 +11:00
parent f18f608613
commit 5748ad6f66


@ -292,6 +292,8 @@ class UsersController < ApplicationController
params[:for_user_id] ? User.find(params[:for_user_id]) : current_user params[:for_user_id] ? User.find(params[:for_user_id]) : current_user
end end
FROM_STAGED = "from_staged"
def create def create
params.permit(:user_fields) params.permit(:user_fields)
@ -314,6 +316,8 @@ class UsersController < ApplicationController
if user = User.where(staged: true).find_by(email: params[:email].strip.downcase) if user = User.where(staged: true).find_by(email: params[:email].strip.downcase)
user_params.each { |k, v| user.send("#{k}=", v) } user_params.each { |k, v| user.send("#{k}=", v) }
user.staged = false user.staged = false
user.active = false
user.custom_fields[FROM_STAGED] = true
else else
user = User.new(user_params) user = User.new(user_params)
end end
@ -608,6 +612,7 @@ class UsersController < ApplicationController
raise Discourse::InvalidAccess.new unless @user.present? raise Discourse::InvalidAccess.new unless @user.present?
raise Discourse::InvalidAccess.new if @user.active? raise Discourse::InvalidAccess.new if @user.active?
raise Discourse::InvalidAccess.new if current_user.present? raise Discourse::InvalidAccess.new if current_user.present?
raise Discourse::InvalidAccess.new if @user.custom_fields[FROM_STAGED]
User.transaction do User.transaction do
@user.email = params[:email] @user.email = params[:email]