SECURITY: verify that inviter can invite new user to a topics

Sam 2017-10-11 09:49:45 +11:00
parent 834eef7b67
commit a9bcc935b7
2 changed files with 2 additions and 1 deletions


@ -86,6 +86,7 @@ class InvitesController < ApplicationController
group_ids = Group.lookup_group_ids(params)
topic = Topic.find_by(id: params[:topic_id])
guardian.ensure_can_invite_to_forum!(group_ids)
guardian.ensure_can_invite_to!(topic) if topic.present?
invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
if invite_exists && !guardian.can_send_multiple_invites?(current_user)
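Review bot: No spec accompanies the new `guardian.ensure_can_invite_to!(topic) if topic.present?` line; the commit touches two files and both appear to be application code, so nothing pins this authorization check against regression. A controller spec should post with a `topic_id` the current user cannot invite to and assert that the request is rejected and no `Invite` row is created, alongside a passing case for a permitted topic. A short comment above the line would also help, e.g. `# forum-level permission is not enough: the inviter must also be allowed to invite to this topic`. The enclosing action starts and ends outside the hunk, so whether an unresolved `topic_id` (where `find_by` returns nil) should be an error instead of being ignored cannot be judged from here.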


@ -137,7 +137,7 @@ class Invite < ActiveRecord::Base
invite.invited_groups.create!(group_id: group_id)
end
else
if topic && topic.category # && Guardian.new(invited_by).can_invite_to?(topic)
if topic && topic.category && Guardian.new(invited_by).can_invite_to?(topic)
group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
end
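Review bot: The re-enabled `Guardian.new(invited_by).can_invite_to?(topic)` condition fails silently: when the inviter lacks permission the category groups are simply not attached, and nothing in the visible lines logs or reports that. Because this model method is presumably reachable from callers other than the controller, it is the check of last resort and deserves a comment saying so, e.g. `# only grant the category's groups when the inviter may invite to this topic`. Whether the invite is still linked to the topic when the check fails is decided outside the hunk and should be confirmed, since a topic link without the permission check would weaken the fix. As a style point, `topic && topic.category` can be written `topic&.category` if the codebase's Ruby version allows it.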