Staff-generated invites bypass the must_approve_users requirement

sam · June 3, 2022, 5:39am

Per:

FIX: Approves user when redeeming an invite for invites only sites (#16984)

committed 03:43AM - 03 Jun 22 UTC

When a site has `SiteSetting.invite_only` enabled, we create a `ReviewableUser`…record when activating a user if the user is not approved. Therefore, we need to approve the user when redeeming an invite. There are some uncertainties surrounding why a `ReviewableRecord` is created for a user in an invites only site but this commit does not seek to address that. Follow-up to 7c4e2d33fa4b922354c177ffc880a2f2701a91f9

And

github.com/discourse/discourse

SECURITY: Remove auto approval when redeeming an invite (#16974)

committed 02:10PM - 02 Jun 22 UTC

gschlager

+56 -108

This security fix affects sites which have `SiteSetting.must_approve_users` ena…bled. There are intentional and unintentional cases where invited users can be auto approved and are deemed to have skipped the staff approval process. Instead of trying to reason about when auto-approval should happen, we have decided that enabling the `must_approve_users` setting going forward will just mean that all new users must be explicitly approved by a staff user in the review queue. The only case where users are auto approved is when the `auto_approve_email_domains` site setting is used. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>

We are now done.

@Wall-E feel free to rebuild to get the latest fixes.

Topic		Replies	Views
Allow users invited by staff to skip approval feature invites	21	1759	April 12, 2023
Optional global invite code announcements new-feature , invites	64	18454	December 1, 2023
Use an invite code to bypass new user approval? feature	34	6637	March 15, 2020
New 'accept invitation' prompt feature causing issues with invitation links support invites	13	1822	November 22, 2022
Hide 'email account exists' for invites feature completed , invites	4	1001	May 25, 2022

Staff-generated invites bypass the must_approve_users requirement

Related Topics