mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-25 03:18:54 +08:00
746000edc8
Same-IP user lookups now identify the target by user_id and ip_type rather than accepting a raw IP in params, so the IP is resolved server-side and never round-trips through clients that lack permission to see it. Additionally: - Hide the `suspicious_logins` report (list, bulk, show, CSV export and the security dashboard tile) from non-admin staff lacking `can_see_ip?`. - Hide the IP column and CSV export button on the screened emails page from staff lacking `can_see_ip?`. - Omit `ip_address` from `ScreenedUrlSerializer` for staff lacking `can_see_ip?`. - Require `can_see_ip?` (in addition to `can_see_emails?`) to export the `screened_email` entity. - Record the username (not the IP) in the staff-log context for "delete other accounts with same IP" when the acting user lacks `can_see_ip?`. |
||
|---|---|---|
| .. | ||
| list_query.rb | ||
