discourse/app/controllers
Martin Brennan a414520742
SECURITY: Prevent email from being nil in InviteRedeemer (#19004)
This commit adds some protections in InviteRedeemer to ensure that email
can never be nil, which could cause issues with inviting the invited
person to private topics since there was an incorrect inner join.

If the email is nil and the invite is scoped to an email, we just use
that invite.email unconditionally.  If a redeeming_user (an existing
user) is passed in when redeeming an email, we use their email to
override the passed in email.  Otherwise we just use the passed in
email.  We now raise an error after all this if the email is still nil.
This commit also adds some tests to catch the private topic fix, and
some general improvements and comments around the invite code.

This commit also includes a migration to delete TopicAllowedUser records
for users who were mistakenly added to topics as part of the invite
redemption process.
2022-11-14 12:02:06 +10:00
..
admin FIX: Ensure moderators_manage_categories_and_groups is respected (#18884) 2022-11-11 11:06:05 +00:00
users DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
about_controller.rb Revert "Revert "Merge branch 'master' of https://github.com/discourse/discourse"" 2020-05-23 00:56:13 -04:00
application_controller.rb Revert "Revert "FEATURE: Preload resources via link header (#18475)" (#18511)" (#18531) 2022-10-11 20:11:44 -03:00
associated_groups_controller.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
badges_controller.rb UX: Add image uploader widget for uploading badge images (#12377) 2021-03-17 08:55:23 +03:00
bookmarks_controller.rb DEV: Add save_user_preferences option to BookmarkManager (#16894) 2022-05-24 11:13:21 +10:00
bootstrap_controller.rb DEV: Load plugin CSS in tests (#18668) 2022-10-19 18:10:06 +01:00
categories_controller.rb FIX: Welcome topic should be hidden on the /categories page as well (#18869) 2022-11-07 09:24:55 -07:00
clicks_controller.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
composer_messages_controller.rb FEATURE: add composer warning when user haven't been seen in a long time (#18340) 2022-09-27 22:06:40 +05:30
csp_reports_controller.rb FIX: stop logging blank and invalid CSP reports (#17144) 2022-06-20 16:57:46 +10:00
directory_columns_controller.rb DEV: Plugin API to add directory columns (#13440) 2021-06-22 13:00:04 -05:00
directory_items_controller.rb FIX: unable to filter user directory when sorted by user field. (#15951) 2022-02-16 07:57:35 +05:30
do_not_disturb_controller.rb DEV: Replace 'processed' column on notifications with new table (#11864) 2021-01-27 10:29:24 -06:00
drafts_controller.rb DEV: do not return no_result_help from the server (#15220) 2021-12-08 21:46:54 +04:00
edit_directory_columns_controller.rb FIX: Always serialize the correct attributes for DirectoryItems (#13510) 2021-06-23 14:55:17 -05:00
email_controller.rb FEATURE: Custom unsubscribe options (#17090) 2022-06-21 15:49:47 -03:00
embed_controller.rb FEATURE: Block indexing the embed topic list (#16495) 2022-04-19 18:24:38 -03:00
exceptions_controller.rb FEATURE: Add site setting to show more detailed 404 errors. (#8014) 2019-10-08 14:15:08 +03:00
export_csv_controller.rb DEV: Switch to new ExportUserArchive job 2020-08-28 11:46:53 -07:00
extra_locales_controller.rb Replace base_uri with base_path (#10879) 2020-10-09 12:51:24 +01:00
finish_installation_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
forums_controller.rb DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
groups_controller.rb DEV: Quote values when constructing SQL (#18827) 2022-11-01 14:05:13 -05:00
hashtags_controller.rb FEATURE: Generic hashtag autocomplete part 1 (#18592) 2022-10-19 14:03:57 +10:00
highlight_js_controller.rb DEV: Update highlight.js to version 11 (#18282) 2022-09-20 12:43:28 -03:00
inline_onebox_controller.rb FIX: Make inline oneboxes work with secured topics in secured contexts (#8895) 2020-02-12 12:11:28 +02:00
invites_controller.rb SECURITY: Fix invite link email validation (#18817) 2022-11-01 16:33:32 +00:00
list_controller.rb FIX: Users with unicode usernames unable to load more topics in activity (#16627) 2022-05-05 09:48:22 +08:00
metadata_controller.rb FIX: Remove svg icons from webmanifest shortcuts (#15765) 2022-02-01 15:26:58 -03:00
new_topic_controller.rb FIX: do not preload topic list for new topic/message routes (#18959) 2022-11-09 20:57:42 +05:30
notifications_controller.rb DEV: Include pending reviewables in the main tab in the user menu (#18471) 2022-10-05 12:30:02 +03:00
offline_controller.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
onebox_controller.rb DEV: Add more debugging context to onebox generation 2020-10-22 12:50:22 +08:00
permalinks_controller.rb FIX: Check for permalinks before showing the 404 page 2020-03-23 16:31:07 -07:00
post_action_users_controller.rb FEATURE: Allow category group moderators to delete topics (#11069) 2020-11-05 12:18:26 -05:00
post_actions_controller.rb FEATURE: Admins can flag posts so they can review them later. (#12311) 2021-03-11 08:21:24 -03:00
post_readers_controller.rb DEV: '= true' is not necessary 2019-12-03 11:32:45 -03:00
posts_controller.rb FIX: Exclude hidden topic posts and small actions from the RSS feed. (#18649) 2022-10-18 15:19:54 -03:00
presence_controller.rb FIX: Ensure presence endpoints don't break the session (#17108) 2022-06-16 14:38:43 +01:00
published_pages_controller.rb DEV: Rename secure_media to secure_uploads (#18376) 2022-09-29 09:24:33 +10:00
push_notification_controller.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
qunit_controller.rb DEV: Remove ember-cli flags from the backend (#17147) 2022-06-20 16:33:05 +02:00
reviewable_claimed_topics_controller.rb FEATURE: Allow group moderators to close/archive topics 2020-07-14 12:36:19 -04:00
reviewables_controller.rb DEV: Include pending reviewables in the main tab in the user menu (#18471) 2022-10-05 12:30:02 +03:00
robots_txt_controller.rb DEV: Add plugin API to add to robots.txt (#17378) 2022-07-12 20:52:55 +03:00
safe_mode_controller.rb UX: Improve safe-mode usability (#17929) 2022-08-15 15:15:15 +01:00
search_controller.rb FIX: Limits for PM and group header search (#16887) 2022-05-24 11:31:24 -04:00
session_controller.rb SECURITY: Prevent email from being nil in InviteRedeemer (#19004) 2022-11-14 12:02:06 +10:00
similar_topics_controller.rb PERF: Avoid parsing Post#cooked with Nokogiri for every search. 2020-07-24 10:43:09 +08:00
site_controller.rb DEV: Include login_required attribute in basic info endpoint (#14064) 2021-08-17 14:05:51 -04:00
sitemap_controller.rb FEATURE: Let sites add a sitemap.xml file. (#16357) 2022-04-12 10:33:59 -03:00
static_controller.rb DEV: Ensure service-worker sourcemap logic works with brotli/gzip (#16718) 2022-05-11 13:42:34 +01:00
steps_controller.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
stylesheets_controller.rb DEV: Fix stylesheet manager flaky spec (#13846) 2021-07-26 14:22:54 +10:00
svg_sprite_controller.rb DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
tag_groups_controller.rb FIX: Allow finding non-lowercase tag groups (#12787) 2021-04-21 19:15:53 +02:00
tags_controller.rb FIX: Allow match_all_tags to be passed as a URL param (#17972) 2022-08-19 15:41:56 -04:00
theme_javascripts_controller.rb DEV: Introduce minification and source maps for Theme JS (#18646) 2022-10-18 18:20:10 +01:00
topics_controller.rb FIX: Remove public topic invite functionality (#18488) 2022-10-10 19:21:51 +03:00
uploads_controller.rb DEV: Rename secure_media to secure_uploads (#18376) 2022-09-29 09:24:33 +10:00
user_actions_controller.rb FIX: Sanitize parameters provided to user actions 2022-02-23 15:46:40 +01:00
user_api_keys_controller.rb DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
user_avatars_controller.rb DEV: allow plugins to override max file size for avatar downloads (#16970) 2022-06-01 17:12:06 -07:00
user_badges_controller.rb SECURITY: Restrict display of topic titles associated with user badges (#18768) 2022-10-27 11:26:14 +08:00
user_status_controller.rb FEATURE: auto remove user status after predefined period (#17236) 2022-07-05 19:12:22 +04:00
users_controller.rb FIX: Follow up fixes for password-reset error page (#18794) 2022-10-28 15:41:26 -06:00
users_email_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
webhooks_controller.rb FIX: Accept HEAD requests for mandrill webhook (#17180) 2022-07-29 16:26:31 +10:00
wizard_controller.rb DEV: Make wizard an ember addon (#17027) 2022-06-17 14:50:21 +02:00