discourse

History

Isaac Janzen d39bd03d11 DEV: Fix invite-only OAuth signup bypass via non-invite origin routes (#38646 ) Fixes two bugs in `invite_required?` that allowed bypassing invite-only signup during OAuth: - `&&` → `\|\|`: a route like `/t/<invite_key>` (topics#show) had `action == "show"`, making the `&&` false and falling through to the invite key lookup - `Invite.exists?` → `Invite.find_by(...)&.redeemable?`: existence alone isn't enough — expired/redeemed invites should not grant access		2026-03-17 09:19:09 -05:00
..
associate_accounts_controller.rb	DEV: Allow `ServerSession` to store arbitrary data (#34919 )	2025-09-26 10:35:28 +02:00
discourse_id_controller.rb	FIX: Revocation endpoint is blocked when `login_required` is enabled, preventing session invalidation (#37859 )	2026-02-17 09:12:14 -05:00
omniauth_callbacks_controller.rb	DEV: Fix invite-only OAuth signup bypass via non-invite origin routes (#38646 )	2026-03-17 09:19:09 -05:00