From 84f0e5ad4d6cd8e9ee2d97b74f0f1c6092608dc5 Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Thu, 16 Jun 2016 12:55:47 -0400 Subject: [PATCH] SECURITY: Unapproved, active users should not receive emails --- app/models/user_email_observer.rb | 5 ++++- spec/models/user_email_observer_spec.rb | 13 ++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/app/models/user_email_observer.rb b/app/models/user_email_observer.rb index d153d01b504..0c243b74c2c 100644 --- a/app/models/user_email_observer.rb +++ b/app/models/user_email_observer.rb @@ -74,7 +74,10 @@ class UserEmailObserver < ActiveRecord::Observer end def perform_enqueue(type, delay) - return unless notification.user.active? || notification.user.staged? + user = notification.user + return unless user.active? || user.staged? + return if SiteSetting.must_approve_users? && !user.approved? + return unless EMAILABLE_POST_TYPES.include?(post_type) Jobs.enqueue_in(delay, :user_email, self.class.notification_params(notification, type)) diff --git a/spec/models/user_email_observer_spec.rb b/spec/models/user_email_observer_spec.rb index 2bd23dd8e18..68870ca0667 100644 --- a/spec/models/user_email_observer_spec.rb +++ b/spec/models/user_email_observer_spec.rb @@ -19,7 +19,6 @@ describe UserEmailObserver do end context "inactive user" do - before { notification.user.active = false } it "doesn't enqueue a job" do 
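Review bot: The approval guard added in `perform_enqueue` (app/models/user_email_observer.rb) runs only at the moment the job is scheduled, so it neither re-checks the account when the delayed job finally runs nor covers `:user_email` jobs enqueued by any other code path (whether such paths exist is not visible in this patch). Since this is a security fix, the same condition probably belongs in the job that actually sends the message too, ideally as one shared predicate so the two places cannot drift apart. It is also worth confirming how the new line treats staged users, which the line above explicitly lets through: if staged accounts are never marked approved, enabling `must_approve_users` now silences them as well. A short why-comment above the guard would help the next reader, e.g. `# accounts still awaiting approval must not receive notification mail`. The method body continues past the end of the hunk.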
@@ -32,7 +31,19 @@ describe UserEmailObserver do Jobs.expects(:enqueue_in).with(delay, :user_email, UserEmailObserver::EmailUser.notification_params(notification,type)) UserEmailObserver.process_notification(notification) end + end + context "active but unapproved user" do + before do + SiteSetting.must_approve_users = true + notification.user.approved = false + notification.user.active = true + end + + it "doesn't enqueue a job" do + Jobs.expects(:enqueue_in).with(delay, :user_email, has_entry(type: type)).never + UserEmailObserver.process_notification(notification) + end end context "small action" do
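Review bot: The added "active but unapproved user" context pins only the blocking case, so nothing in this hunk covers the neighbouring behaviour the guard must not break: an unapproved user still being mailed when `must_approve_users` is off. Without that, a later edit that drops the `SiteSetting.must_approve_users?` half of the condition could go unnoticed. A case for a staged user with `must_approve_users` enabled would likewise document the intended outcome there. The context below is a sketch of the complementary test, built from the expectations already used in this file; it would sit next to the new context, and its placement assumes `delay`, `type` and `notification` are in scope there, as they are for the context this hunk adds.

```ruby
  context "unapproved user when approval is not required" do
    before do
      SiteSetting.must_approve_users = false
      notification.user.approved = false
      notification.user.active = true
    end

    it "enqueues a job" do
      Jobs.expects(:enqueue_in).with(delay, :user_email, UserEmailObserver::EmailUser.notification_params(notification, type))
      UserEmailObserver.process_notification(notification)
    end
  end
```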