github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-23 06:29:30 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
f70d71c5e3
discourse/app/controllers/finish_installation_controller.rb
Dan Ungureanu fa8cd629f1
DEV: Hash tokens stored from email_tokens (#14493) 
This commit adds token_hash and scopes columns to email_tokens table.
token_hash is a replacement for the token column to avoid storing email
tokens in plaintext as it can pose a security risk. The new scope column
ensures that email tokens cannot be used to perform a different action
than the one intended.

To sum up, this commit:

* Adds token_hash and scope to email_tokens

* Reuses code that schedules critical_user_email

* Refactors EmailToken.confirm and EmailToken.atomic_confirm methods

* Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 09:34:39 +02:00

73 lines
1.9 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
class FinishInstallationController < ApplicationController
skip_before_action :check_xhr, :preload_json, :redirect_to_login_if_required
layout 'finish_installation'
before_action :ensure_no_admins, except: ['confirm_email', 'resend_email']
def index
end
def register
@allowed_emails = find_allowed_emails
@user = User.new
if request.post?
email = params[:email].strip
raise Discourse::InvalidParameters.new unless @allowed_emails.include?(email)
if existing_user = User.find_by_email(email)
@user = existing_user
send_signup_email
return redirect_confirm(email)
end
@user.email = email
@user.username = params[:username]
@user.password = params[:password]
@user.password_required!
if @user.save
@user.change_trust_level!(1) if @user.trust_level < 1
send_signup_email
redirect_confirm(@user.email)
end
end
end
def confirm_email
@email = session[:registered_email]
end
def resend_email
@email = session[:registered_email]
@user = User.find_by_email(@email)
send_signup_email if @user.present?
end
protected
def send_signup_email
return if @user.active && @user.email_confirmed?
email_token = @user.email_tokens.create!(email: @user.email, scope: EmailToken.scopes[:signup])
EmailToken.enqueue_signup_email(email_token)
end
def redirect_confirm(email)
session[:registered_email] = email
redirect_to(finish_installation_confirm_email_path)
end
def find_allowed_emails
return [] unless GlobalSetting.respond_to?(:developer_emails) && GlobalSetting.developer_emails.present?
GlobalSetting.developer_emails.split(",").map(&:strip)
end
def ensure_no_admins
preload_anonymous_data
raise Discourse::InvalidAccess.new unless SiteSetting.has_login_hint?
end
end
Reference in New Issue View Git Blame Copy Permalink