discourse/spec/requests
Gerhard Schlager 7c4e2d33fa
SECURITY: Remove auto approval when redeeming an invite (#16974)
This security fix affects sites which have `SiteSetting.must_approve_users`
enabled. There are intentional and unintentional cases where invited
users can be auto approved and are deemed to have skipped the staff approval process.
Instead of trying to reason about when auto-approval should happen, we have decided that
enabling the `must_approve_users` setting going forward will just mean that all new users
must be explicitly approved by a staff user in the review queue. The only case where users are auto
approved is when the `auto_approve_email_domains` site setting is used.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-06-02 16:10:48 +02:00
admin FIX: Show suspended by user (#16927) 2022-06-01 14:54:23 +02:00
api FIX: Show suspended by user (#16927) 2022-06-01 14:54:23 +02:00
about_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
application_controller_spec.rb DEV: Use FakeLogger in RequestTracker specs (#16640) 2022-05-05 09:53:54 +08:00
associate_accounts_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
badges_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
bookmarks_controller_spec.rb FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
bootstrap_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
categories_controller_spec.rb FEATURE: Introduce site setting to allow for non staff pm tagging (#16671) 2022-05-10 10:02:28 -05:00
clicks_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
composer_messages_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
csp_reports_controller_spec.rb DEV: Use FakeLogger in RequestTracker specs (#16640) 2022-05-05 09:53:54 +08:00
directory_columns_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
directory_items_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
do_not_disturb_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
drafts_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
email_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
embed_controller_spec.rb FEATURE: Block indexing the embed topic list (#16495) 2022-04-19 18:24:38 -03:00
exceptions_controller_spec.rb FEATURE: Add page title to 404 pages (#16846) 2022-05-17 18:37:43 +03:00
export_csv_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
extra_locales_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
finish_installation_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
forums_controller_spec.rb DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
groups_controller_spec.rb FEATURE: Introduce site setting to allow for non staff pm tagging (#16671) 2022-05-10 10:02:28 -05:00
hashtags_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
inline_onebox_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
invites_controller_spec.rb FIX: Apply 'hide email account' for invites 2022-05-17 09:56:06 +02:00
list_controller_spec.rb FIX: Harmonise category body class generation on server/client (#16967) 2022-06-01 18:18:20 +01:00
metadata_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
notifications_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
offline_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
omniauth_callbacks_controller_spec.rb DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
onebox_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
permalinks_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
post_action_users_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
post_actions_controller_spec.rb DEV: Remove PostAction/UserAction bookmark refs (#16681) 2022-05-10 10:42:18 +10:00
post_readers_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
posts_controller_spec.rb FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
presence_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
published_pages_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
push_notification_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
qunit_controller_spec.rb DEV: Allow Ember CLI assets to be used by development Rails app (#16511) 2022-04-21 16:26:34 +01:00
reviewable_claimed_topics_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
reviewables_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
robots_txt_controller_spec.rb FEATURE: Let sites add a sitemap.xml file. (#16357) 2022-04-12 10:33:59 -03:00
safe_mode_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
search_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
session_controller_spec.rb SECURITY: Remove auto approval when redeeming an invite (#16974) 2022-06-02 16:10:48 +02:00
similar_topics_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
site_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
sitemap_controller_spec.rb FIX: Return a 404 when a sitemap request doesn't have a format (#16506) 2022-04-19 11:07:25 -03:00
static_controller_spec.rb DEV: Ensure service-worker sourcemap logic works with brotli/gzip (#16718) 2022-05-11 13:42:34 +01:00
steps_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
stylesheets_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
svg_sprite_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
tag_groups_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
tags_controller_spec.rb FEATURE: Introduce site setting to allow for non staff pm tagging (#16671) 2022-05-10 10:02:28 -05:00
theme_javascripts_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
topics_controller_spec.rb FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
uploads_controller_multisite_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
uploads_controller_spec.rb FEATURE: Make S3 presigned GET URL expiry configurable (#16912) 2022-05-26 09:53:01 +10:00
user_actions_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
user_api_keys_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
user_avatars_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
user_badges_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
user_status_controller_spec.rb FEATURE: propagate user status via message bus (#16944) 2022-05-30 13:41:53 +04:00
users_controller_spec.rb FEATURE: Promote polymorphic bookmarks to default and migrate (#16729) 2022-05-23 10:07:15 +10:00
users_email_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
webhooks_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00
wizard_controller_spec.rb DEV: Automatically require 'rails_helper' in all specs (#16077) 2022-03-01 17:50:50 +00:00