From 3da06fecd5967f09f0048fdceaba907f1cf11e67 Mon Sep 17 00:00:00 2001 From: Tim Abbott Date: Thu, 21 Mar 2019 15:37:15 -0700 Subject: [PATCH] invite: Fix validation of referred_by field. Previously, we could 500 if an organization administrator scanned possible PreregistrationUser IDs looking for a valid invitation they can interact with. They couldn't do anything, so no security issue, but this fixes that case to just be a 400 error as it should be. --- zerver/lib/actions.py | 4 ++++ zerver/views/invite.py | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py index 2eabb32eff..fbabafbd02 100644 --- a/zerver/lib/actions.py +++ b/zerver/lib/actions.py @@ -4957,6 +4957,10 @@ def do_revoke_multi_use_invite(multiuse_invite: MultiuseInvite) -> None: notify_invites_changed(multiuse_invite.referred_by) def do_resend_user_invite_email(prereg_user: PreregistrationUser) -> int: + # These are two structurally for the caller's code path. + assert prereg_user.referred_by is not None + assert prereg_user.realm is not None + check_invite_limit(prereg_user.referred_by.realm, 1) prereg_user.invited_at = timezone_now() diff --git a/zerver/views/invite.py b/zerver/views/invite.py index 03a8fad94b..93ec38db5c 100644 --- a/zerver/views/invite.py +++ b/zerver/views/invite.py @@ -109,7 +109,9 @@ def resend_user_invite_email(request: HttpRequest, user_profile: UserProfile, except PreregistrationUser.DoesNotExist: raise JsonableError(_("No such invitation")) - if (prereg_user.referred_by.realm != user_profile.realm): + # Structurally, any invitation the user can actually access should + # have a referred_by set for the user who created it. + if prereg_user.referred_by is None or prereg_user.referred_by.realm != user_profile.realm: raise JsonableError(_("No such invitation")) timestamp = do_resend_user_invite_email(prereg_user)