FIX: Don't create email invites when SSO is on or local logins are off (#11951)

A more general, lower-level change in addition to #11950.

Most code paths already check if SSO is enabled or if local logins are disabled before trying to create an email invite.
This is a safety net to ensure no invalid invites sneak by. 

Also includes:
FIX: Don't allow bulk invites when SSO is on (or when local logins are disabled)
This mirrors can_invite_to_forum? and other email invite code paths.
This commit is contained in:
Jarek Radosz 2021-02-03 19:01:23 +01:00 committed by GitHub
parent 704778f448
commit 8ad5284cf7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 1 deletions


@ -39,6 +39,7 @@ class Invite < ActiveRecord::Base
validate :ensure_max_redemptions_allowed validate :ensure_max_redemptions_allowed
validate :user_doesnt_already_exist validate :user_doesnt_already_exist
validate :ensure_no_invalid_email_invites
attr_accessor :email_already_exists attr_accessor :email_already_exists
scope :single_use_invites, -> { where('invites.max_redemptions_allowed = 1') } scope :single_use_invites, -> { where('invites.max_redemptions_allowed = 1') }
@ -355,6 +356,16 @@ class Invite < ActiveRecord::Base
end end
end end
end end
def ensure_no_invalid_email_invites
return if email.blank?
if SiteSetting.enable_sso?
errors.add(:email, I18n.t("invite.disabled_errors.sso_enabled"))
elsif !SiteSetting.enable_local_logins?
errors.add(:email, I18n.t("invite.disabled_errors.local_logins_disabled"))
end
end
end end
# == Schema Information # == Schema Information
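Review bot: `ensure_no_invalid_email_invites` is not limited to new records, so any email invite that already existed when `enable_sso` was switched on (or local logins switched off) will fail validation on every later `save`, not just on creation; whether redemption or other updates go through validations is outside this hunk, so the practical impact on older invites is inferred. If the intent is only to stop new email invites from being created, narrow the guard to `return if email.blank? || !new_record?`; if existing email invites are deliberately meant to become unusable, say so above the method, e.g. `# Email invites cannot be used once SSO handles login or local logins are off; this also invalidates pre-existing ones.` The method also reads the settings as `SiteSetting.enable_sso?` / `enable_local_logins?` while the Guardian change in this commit uses `SiteSetting.enable_sso` / `enable_local_logins`; using one form in both places keeps the mirrored checks easy to find together. The enclosing class starts outside the hunk.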


@ -395,7 +395,9 @@ class Guardian
end end
def can_bulk_invite_to_forum?(user) def can_bulk_invite_to_forum?(user)
user.admin? user.admin? &&
!SiteSetting.enable_sso &&
SiteSetting.enable_local_logins
end end
def can_send_invite_links?(user) def can_send_invite_links?(user)
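Review bot: The new condition in `can_bulk_invite_to_forum?` spells the settings as `SiteSetting.enable_sso` / `SiteSetting.enable_local_logins`, whereas the Invite validation added in the same commit uses the predicate forms `enable_sso?` / `enable_local_logins?`; picking one form for both makes the mirrored check easier to grep and keep in sync. Since the description says this mirrors `can_invite_to_forum?`, the shared `!SiteSetting.enable_sso && SiteSetting.enable_local_logins` pair could live in one private predicate (for example `email_invites_allowed?`) that both guardian methods call, so the two cannot drift apart. `can_invite_to_forum?` is outside this hunk, so its exact condition is assumed.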


@ -50,6 +50,17 @@ describe Invite do
end end
end end
context "SSO validation" do
it "prevents creating an email invite when SSO is enabled" do
SiteSetting.sso_url = "https://www.example.com/sso"
SiteSetting.enable_sso = true
invite = Fabricate.build(:invite, email: "test@mail.com")
expect(invite).not_to be_valid
expect(invite.errors.details[:email].first[:error]).to eq(I18n.t("invite.disabled_errors.sso_enabled"))
end
end
context '#create' do context '#create' do
context 'saved' do context 'saved' do
subject { Fabricate(:invite) } subject { Fabricate(:invite) }
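Review bot: The new "SSO validation" context exercises only the `enable_sso` branch of `ensure_no_invalid_email_invites`; the `local_logins_disabled` error path added in the same commit has no example, so a regression there would pass the suite. Add a second example that disables local logins and asserts the other I18n key, as below. It is also worth a positive example that an invite with a blank email stays valid under SSO, since `return if email.blank?` is what keeps link invites working and nothing here pins that.
```ruby
context "SSO validation" do
  # … unchanged: existing enable_sso example …

  it "prevents creating an email invite when local logins are disabled" do
    SiteSetting.enable_local_logins = false
    invite = Fabricate.build(:invite, email: "test@mail.com")
    expect(invite).not_to be_valid
    expect(invite.errors.details[:email].first[:error]).to eq(I18n.t("invite.disabled_errors.local_logins_disabled"))
  end
end
```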


@ -443,6 +443,7 @@ describe InvitesController do
end end
it "does not send password reset email if sso is enabled" do it "does not send password reset email if sso is enabled" do
invite # create the invite before enabling SSO
SiteSetting.sso_url = "https://www.example.com/sso" SiteSetting.sso_url = "https://www.example.com/sso"
SiteSetting.enable_sso = true SiteSetting.enable_sso = true
put "/invites/show/#{invite.invite_key}.json" put "/invites/show/#{invite.invite_key}.json"
@ -453,6 +454,7 @@ describe InvitesController do
end end
it "does not send password reset email if local login is disabled" do it "does not send password reset email if local login is disabled" do
invite # create the invite before enabling SSO
SiteSetting.enable_local_logins = false SiteSetting.enable_local_logins = false
put "/invites/show/#{invite.invite_key}.json" put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200) expect(response.status).to eq(200)