Commit Graph

49 Commits

Author SHA1 Message Date
David Taylor
07ef1a80a1
SECURITY: Fix invite link email validation (#18817)
See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278

Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 16:33:32 +00:00
Bianca Nenciu
a842b71a05
FIX: Do not redeem invites if user resets password (#17486)
The invites should be redeemed during the signup process. This was a
problem because when user tried to redeem an admin invite it tried to
authenticate the user using information from the session that was not
available.
2022-07-19 22:25:01 +03:00
David Taylor
9ddd1f739e
DEV: Update :critical_user_email calls to use strings (#15827)
Symbols are converted to strings anyway, so there is no change in behaviour. The latest version of sidekiq introduced a warning for this.
2022-02-04 23:43:53 +00:00
Alan Guo Xiang Tan
6fb89c153a Revert "DEV: Remove stale ignored_columns from models."
This reverts commit 9f5c8644d0.

Have to revert because the ignored columns have not been dropped.
2022-01-11 11:00:58 +08:00
Alan Guo Xiang Tan
9f5c8644d0 DEV: Remove stale ignored_columns from models. 2022-01-11 10:38:10 +08:00
Dan Ungureanu
3d4aee1487
DEV: Drop unused column email_tokens.token (#15203) 2021-12-13 16:29:47 +11:00
Dan Ungureanu
9a6ec1d0c6 PERF: Add index on email_tokens.token_hash 2021-12-07 10:17:45 +08:00
Dan Ungureanu
fa8cd629f1
DEV: Hash tokens stored from email_tokens (#14493)
This commit adds token_hash and scopes columns to email_tokens table.
token_hash is a replacement for the token column to avoid storing email
tokens in plaintext as it can pose a security risk. The new scope column
ensures that email tokens cannot be used to perform a different action
than the one intended.

To sum up, this commit:

* Adds token_hash and scope to email_tokens

* Reuses code that schedules critical_user_email

* Refactors EmailToken.confirm and EmailToken.atomic_confirm methods

* Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 09:34:39 +02:00
Osama Sayegh
45ccadeeeb
DEV: Upgrade Rails to 6.1.3.1 (#12688)
Rails 6.1.3.1 deprecates a few API and has some internal changes that break our tests suite, so this commit fixes all the deprecations and errors and now Discourse should be fully compatible with Rails 6.1.3.1. We also have a new release of the rails_failover gem that's compatible with Rails 6.1.3.1.
2021-04-21 12:36:32 +03:00
wilson29thid
d5b30b9b7b
FEATURE: Add user_confirmed_email to user event webhook (#12539) 2021-04-12 12:48:42 +10:00
Arpit Jalan
25b39b86ae FIX: reload the user record instead of fetching via email 2019-05-13 15:16:53 +05:30
Sam Saffron
30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Bianca Nenciu
3d545d66df FEATURE: Send user activation reminders. (#7280) 2019-04-10 16:53:52 +02:00
Robin Ward
82bddcbe51 FIX: Don't create two reviewable scores for a user 2019-04-03 16:03:32 -04:00
Robin Ward
c1ea63bdc1 FIX: Reviewables should not be created for users until they are active
Conversely, if a user is deactivated the reviewable should automatically
be rejected.

Before this fix, if a user was not active they'd still show in the
review queue but without an "Approve" button which was confusing.
2019-04-03 15:25:00 -04:00
Robin Ward
95f263995d FIX: Previous annotations were broken 2019-01-11 14:30:19 -05:00
Robin Ward
a3839495e0 Update annotations 2019-01-11 12:19:43 -05:00
Guo Xiang Tan
226ace1643 Update annotations. 2018-02-20 14:28:58 +08:00
Arpit Jalan
daeb7694bc update annotations 2017-12-05 21:03:20 +05:30
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Leo McArdle
d0b027d88d FEATURE: phase 1 of supporting multiple email addresses 2017-07-20 11:22:27 +09:00
Régis Hanol
d6c63cc5b2 FIX: user's default group should only be set once
Setting a user's default groups based on their email address should only be done once, ie. when they confirm their email address.
Previously we were doing this everytime we'd save a user record 🤷
2017-06-14 19:20:18 +02:00
Sam
eb2db23b40 FEATURE: remove email_token_grace_period_hours
The site setting email_token_grace_period_hours just causes confusion and
should not be used anyway.

Out of the box, tokens stop working once confirmed, no need to add complexity here
2016-12-19 17:15:20 +11:00
Régis Hanol
8e611ec7a1 FEATURE: handle bounced emails 2016-05-02 23:15:32 +02:00
Robin Ward
5771d2aee2 SECURITY: Support for confirm old as well as new email accounts 2016-03-08 14:52:22 -05:00
Sam
32c681c96b annotate models 2016-02-23 10:33:53 +11:00
Neil Lalonde
c7df6783a9 FIX: only invalidate password reset links using javascript 2016-01-04 11:48:54 -05:00
Arpit Jalan
03665e8466 FIX: mark user as approved if an invite is already present 2015-06-26 01:57:29 +05:30
Godfrey Chan
7ddf1df3e0 FIX: honor email_token_grace_period_hours setting correctly
The documentation said that the unit for this setting is in *hours*, but the
code is treating it as *seconds*. Also, `Numeric#ago` has been deprecated since
Rails 4.1 (precisely to help prevent these kind of bugs) and will go away in
Rails 4.2.
2014-10-11 15:02:15 -07:00
Akshay
9524b514c6 Fix access specifiers with private_class_methods instead of removing directly 2014-10-04 09:20:41 +05:30
Sam
414c6d191f FIX: remove nullable dates post upgrade to Rails 4 2014-08-27 15:19:25 +10:00
Robin Ward
ed125975a1 SECURITY: Prefix session key and validate token format. 2014-08-25 15:31:49 -04:00
Neil Lalonde
5454c1ed24 Updated model anotations 2014-08-22 13:01:44 -04:00
Neil Lalonde
01a68f8cc7 Emails are case insensitive 2014-07-16 10:22:01 -04:00
Arpit Jalan
b301391116 FEATURE: redeem Invite when user sign up 2014-07-04 02:03:04 +05:30
Sam
60d93a62f6 FIX: tighten up email token durations 2014-07-02 09:08:25 +10:00
Sam
b1d5f4440b Annotate models 2014-05-28 12:30:57 +10:00
Sam
862a6696c0 Correct annotations
allow longer usernames (up to 60)
2014-04-15 15:53:48 +10:00
Régis Hanol
6373de550f update annotations 2014-04-08 17:35:44 +02:00
Robin Ward
aa3f7f764d You can only reuse email tokens within 24 hours. 2014-03-04 14:03:04 -05:00
Robin Ward
90a1cb5bec Change email token expiry to 24 hours instead of 1 week 2014-03-04 13:02:48 -05:00
Stephan Kaag
89b621d31a Refactor update_all statements in order to prevent deprecation warnings in Rails 4 2013-07-02 18:36:47 +02:00
Sam
ca2dee52db moved comments to the bottom, they are way less intrusive there 2013-05-24 12:48:32 +10:00
Sam
2cd95bc649 lets try out annotations 2013-05-24 12:35:14 +10:00
Gosha Arinich
6e5399d544 minor cleanup, using AR querying DSL over raw SQL in some places 2013-02-28 21:54:12 +03:00
Neil Lalonde
fc33c63585 EmailToken.active needs to check created_at too 2013-02-22 15:20:00 -05:00
Neil Lalonde
ff3e012034 Add a link that allows you to send activation email again 2013-02-22 11:49:58 -05:00
Jakub Arnold
61654ab8f0 Fix all the trailing whitespace 2013-02-07 16:45:24 +01:00
Robin Ward
21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00