github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-05 09:43:53 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
aca0f239c8
discourse/app/controllers
History
Martin Brennan aca0f239c8
SECURITY: Prevent email from being nil in InviteRedeemer (#19005) 
This commit adds some protections in InviteRedeemer to ensure that email
can never be nil, which could cause issues with inviting the invited
person to private topics since there was an incorrect inner join.

If the email is nil and the invite is scoped to an email, we just use
that invite.email unconditionally.  If a redeeming_user (an existing
    user) is passed in when redeeming an email, we use their email to
override the passed in email.  Otherwise we just use the passed in
email.  We now raise an error after all this if the email is still nil.
This commit also adds some tests to catch the private topic fix, and
some general improvements and comments around the invite code.

This commit also includes a migration to delete TopicAllowedUser records
for users who were mistakenly added to topics as part of the invite
redemption process.
2022-11-14 12:02:09 +10:00
..
admin SECURITY: Expand and improve SSRF Protections (stable) (#18816) 2022-11-01 16:34:12 +00:00
users FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
about_controller.rb
application_controller.rb SECURITY: banner-info (#17071) (#17073) 2022-06-13 11:47:44 -06:00
associated_groups_controller.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
badges_controller.rb UX: Add image uploader widget for uploading badge images (#12377) 2021-03-17 08:55:23 +03:00
bookmarks_controller.rb FEATURE: Topic-level bookmarks (#14353) 2021-09-21 08:45:47 +10:00
bootstrap_controller.rb DEV: Support for running theme test with Ember CLI (third attempt) 2022-01-13 16:02:07 -05:00
categories_controller.rb SECURITY: Category group permissions leaked to normal users. 2022-04-08 11:04:59 +02:00
clicks_controller.rb
composer_messages_controller.rb
csp_reports_controller.rb
directory_columns_controller.rb DEV: Plugin API to add directory columns (#13440) 2021-06-22 13:00:04 -05:00
directory_items_controller.rb FIX: Include user_field_ids in pagination URL for directory items (#13569) 2021-06-29 14:43:38 -05:00
do_not_disturb_controller.rb DEV: Replace 'processed' column on notifications with new table (#11864) 2021-01-27 10:29:24 -06:00
drafts_controller.rb DEV: do not return no_result_help from the server (#15220) 2021-12-08 21:46:54 +04:00
edit_directory_columns_controller.rb FIX: Always serialize the correct attributes for DirectoryItems (#13510) 2021-06-23 14:55:17 -05:00
email_controller.rb FIX: set mailing_list_mode to false when unsubscribing from all (#10354) 2020-08-03 16:59:54 +10:00
embed_controller.rb UX: display correct replies count in embedded comments view. (#14175) 2021-08-30 10:37:53 +05:30
exceptions_controller.rb
export_csv_controller.rb DEV: Switch to new ExportUserArchive job 2020-08-28 11:46:53 -07:00
extra_locales_controller.rb Replace base_uri with base_path (#10879) 2020-10-09 12:51:24 +01:00
finish_installation_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
forums_controller.rb DEV: Avoid $ globals (#15453) 2022-01-08 23:39:46 +01:00
groups_controller.rb FEATURE: Scheduled group email credential problem check (#15396) 2022-01-04 10:14:33 +10:00
hashtags_controller.rb
highlight_js_controller.rb DEV: apply allow origin response header for CDN requests. (#11893) 2021-01-29 07:44:49 +05:30
inline_onebox_controller.rb
invites_controller.rb SECURITY: Fix invite link validation (stable) (#18818) 2022-11-01 16:50:14 +00:00
list_controller.rb PERF: Revert all inboxes from messages route. (#14445) 2021-09-28 11:58:04 +08:00
metadata_controller.rb DEV: Upgrade Rails to 6.1.3.1 (#12688) 2021-04-21 12:36:32 +03:00
notifications_controller.rb REFACTOR: Improve support for consolidating notifications. (#14904) 2021-11-30 13:36:14 -03:00
offline_controller.rb
onebox_controller.rb DEV: Add more debugging context to onebox generation 2020-10-22 12:50:22 +08:00
permalinks_controller.rb
post_action_users_controller.rb FEATURE: Allow category group moderators to delete topics (#11069) 2020-11-05 12:18:26 -05:00
post_actions_controller.rb FEATURE: Admins can flag posts so they can review them later. (#12311) 2021-03-11 08:21:24 -03:00
post_readers_controller.rb
posts_controller.rb FEATURE: Export topics to markdown (#15615) 2022-01-17 18:05:14 -03:00
presence_controller.rb UX: Make PresenceChannel changes more responsive (#14733) 2021-10-26 21:15:20 +01:00
published_pages_controller.rb FIX: Do not enable published page if secure media enabled (#11131) 2020-11-06 10:33:19 +10:00
push_notification_controller.rb
qunit_controller.rb DEV: Support for running theme test with Ember CLI (third attempt) 2022-01-13 16:02:07 -05:00
reviewable_claimed_topics_controller.rb
reviewables_controller.rb FEATURE: Show stale reviewable to other clients (#13114) 2021-05-26 09:47:35 +10:00
robots_txt_controller.rb FEATURE: Replace Crawl-delay directive with proper rate limiting (#15131) 2021-11-30 12:55:25 +03:00
safe_mode_controller.rb
search_controller.rb FIX: global setting needs to be coerced to float (#11162) 2020-11-09 16:46:52 +11:00
session_controller.rb SECURITY: Prevent email from being nil in InviteRedeemer (#19005) 2022-11-14 12:02:09 +10:00
similar_topics_controller.rb PERF: Avoid parsing Post#cooked with Nokogiri for every search. 2020-07-24 10:43:09 +08:00
site_controller.rb DEV: Include login_required attribute in basic info endpoint (#14064) 2021-08-17 14:05:51 -04:00
static_controller.rb FIX: SiteSetting.title was being polluted in StaticController (#15385) 2021-12-21 20:51:18 +01:00
steps_controller.rb
stylesheets_controller.rb DEV: Fix stylesheet manager flaky spec (#13846) 2021-07-26 14:22:54 +10:00
svg_sprite_controller.rb FIX: Use absolute URL when redirecting SVG sprite path. 2021-06-30 11:25:05 +08:00
tag_groups_controller.rb FIX: Allow finding non-lowercase tag groups (#12787) 2021-04-21 19:15:53 +02:00
tags_controller.rb FEATURE: ability to add description to tags (#15125) 2021-12-01 09:18:56 +11:00
theme_javascripts_controller.rb FEATURE: Allow theme tests to be run in production (take 2) (#12845) 2021-04-28 23:12:08 +03:00
topics_controller.rb FEATURE: Add setting to disable notifications for topic tags edits (#14794) 2021-11-02 13:53:21 -04:00
uploads_controller.rb DEV: Extract shared external upload routes into controller helper (#14984) 2021-11-18 09:17:23 +10:00
user_actions_controller.rb DEV: do not return no_result_help from the server (#15220) 2021-12-08 21:46:54 +04:00
user_api_keys_controller.rb FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) 2021-02-08 10:04:33 +00:00
user_avatars_controller.rb DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
user_badges_controller.rb SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
users_controller.rb SECURITY: Prevent abuse of the update_activation_email route (stable) 2022-07-27 23:09:09 +03:00
users_email_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
webhooks_controller.rb FIX: Add random suffix to outbound Message-ID for email (#15179) 2021-12-06 10:34:39 +10:00
wizard_controller.rb