discourse/spec
Gerhard Schlager 7c4e2d33fa
SECURITY: Remove auto approval when redeeming an invite (#16974)
This security fix affects sites which have `SiteSetting.must_approve_users`
enabled. There are intentional and unintentional cases where invited
users can be auto approved and are deemed to have skipped the staff approval process.
Instead of trying to reason about when auto-approval should happen, we have decided that
enabling the `must_approve_users` setting going forward will just mean that all new users
must be explicitly approved by a staff user in the review queue. The only case where users are auto
approved is when the `auto_approve_email_domains` site setting is used.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-06-02 16:10:48 +02:00
fabricators FIX: respect user timezone in emails about silencing and suspending (#16918) 2022-05-27 13:58:54 +04:00
fixtures FIX: Missing translation when translation override contained a %{key} (#16625) 2022-05-04 17:35:22 +02:00
helpers DEV: Allow Ember CLI assets to be used by development Rails app (#16511) 2022-04-21 16:26:34 +01:00
import_export DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
initializers DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
integration DEV: Apply Rails 6.1 defaults 2022-05-24 17:13:44 +02:00
integrity DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
jobs FIX: Skip pulling hotlinked images for nil user bio (#16901) 2022-05-24 11:52:13 +01:00
lib FIX: tracked filter did not account for max_category_nesting of 3 (#16963) 2022-06-01 12:09:58 +08:00
mailers FIX: respect user timezone in emails about silencing and suspending (#16918) 2022-05-27 13:58:54 +04:00
models SECURITY: Remove auto approval when redeeming an invite (#16974) 2022-06-02 16:10:48 +02:00
multisite FEATURE: Make S3 presigned GET URL expiry configurable (#16912) 2022-05-26 09:53:01 +10:00
requests SECURITY: Remove auto approval when redeeming an invite (#16974) 2022-06-02 16:10:48 +02:00
script/import_scripts FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
serializers FEATURE: user status (#16875) 2022-05-27 13:15:14 +04:00
services FIX: fallback to default push notification icon if none exists (#16961) 2022-06-01 12:00:05 +10:00
support FIX: Allow .ics for polymorphic bookmarks (#16694) 2022-05-11 09:29:24 +10:00
tasks PERF: Speed up secure media and ACL sync rake tasks (#16849) 2022-05-23 13:14:11 +10:00
views DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
rails_helper.rb DEV: Apply Rails 6.1 defaults 2022-05-24 17:13:44 +02:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00