SECURITY: Confirm new administrator accounts via email

2025-09-06 10:50:21 +08:00 · 2017-04-04 13:59:22 -04:00 · 2017-04-04 13:59:22 -04:00 · 17f2974d0a
commit 17f2974d0a
parent a649014adf
13 changed files with 293 additions and 20 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -3,11 +3,12 @@ require_dependency 'user_name_suggester'
 require_dependency 'rate_limiter'
 require_dependency 'wizard'
 require_dependency 'wizard/builder'
+require_dependency 'admin_confirmation'

 class UsersController < ApplicationController

  skip_before_filter :authorize_mini_profiler, only: [:avatar]
-  skip_before_filter :check_xhr, only: [:show, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login]
+  skip_before_filter :check_xhr, only: [:show, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]

  before_filter :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image,
                                          :pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state]
@ -27,7 +28,8 @@ class UsersController < ApplicationController
                                                            :send_activation_email,
                                                            :password_reset,
                                                            :confirm_email_token,
-                                                            :admin_login]
+                                                            :admin_login,
+                                                            :confirm_admin]

  def index
  end
@ -726,6 +728,21 @@ class UsersController < ApplicationController
    render json: result
  end

+  def confirm_admin
+    @confirmation = AdminConfirmation.find_by_code(params[:token])
+
+    raise Discourse::NotFound unless @confirmation
+    raise Discourse::InvalidAccess.new unless
+      @confirmation.performed_by.id == (current_user&.id || @confirmation.performed_by.id)
+
+    if request.post?
+      @confirmation.email_confirmed!
+      @confirmed = true
+    end
+
+    render layout: 'no_ember'
+  end
+
  private

    def honeypot_value