From d432798ff8269f9ada949b1cc3799238afaec336 Mon Sep 17 00:00:00 2001
From: Chris Hunt <c@chrishunt.co>
Date: Wed, 5 Jun 2013 11:08:21 -0700
Subject: [PATCH] Silently fail if user tries to sneak in

When 'invite only' is enabled, there's no way for a user to create an
account unless they try to sneak in by POSTing to /users/. We will
silently fail if this happens.
---
 app/controllers/users_controller.rb       | 25 ++++++++++++++---------
 spec/controllers/users_controller_spec.rb | 13 ++++++++++++
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 32d13118b..4538c2e2c 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -145,16 +145,7 @@ class UsersController < ApplicationController
   end
 
   def create
-
-    if honeypot_or_challenge_fails?(params)
-      # Don't give any indication that we caught you in the honeypot
-      honey_pot_response = {
-        success: true,
-        active: false,
-        message: I18n.t("login.activate_email", email: params[:email])
-      }
-      return render(json: honey_pot_response)
-    end
+    return fake_success_reponse if suspicious? params
 
     user = User.new_from_params(params)
 
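Review bot: The new early return on the `create` line calls a misspelled helper, `fake_success_reponse`, and the same misspelling is baked into its definition in the second hunk of this file; since both sides agree the code runs, but the name will be mistyped by the next caller. I would rename it on both sides and parenthesize the predicate call to match the file's other calls: `return fake_success_response if suspicious?(params)`. The body of `create` continues past the end of this hunk, so I cannot see whether anything after the early return still assumes the honeypot branch ran.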
@@ -349,6 +340,20 @@ class UsersController < ApplicationController
       '3019774c067cc2b'
     end
 
+    def suspicious?(params)
+      honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
+    end
+
+    def fake_success_reponse
+      render(
+        json: {
+          success: true,
+          active: false,
+          message: I18n.t("login.activate_email", email: params[:email])
+        }
+      )
+    end
+
     def honeypot_or_challenge_fails?(params)
       params[:password_confirmation] != honeypot_value ||
       params[:challenge] != challenge_value.try(:reverse)
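Review bot: Moving the honeypot response into `fake_success_reponse` dropped the only explanation of why a rejected signup is answered with `success: true`, and `suspicious?` now folds in `SiteSetting.invite_only?` without saying that an uninvited user is deliberately given the same answer as a bot. I would put that rationale back as a comment above `fake_success_reponse`, e.g. `# Answer exactly like a real signup so neither bots nor uninvited users learn why they were rejected`, and a one-liner above `suspicious?` noting that the `||` short-circuits, so `invite_only?` is only consulted when the honeypot and challenge pass. A smaller style point: `suspicious?` takes `params` as an argument while `fake_success_reponse` reads the controller's implicit `params`; pick one convention for the pair. These helpers appear to sit in the private section of the controller, but the `private` keyword is outside the hunk so I cannot confirm.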
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 09bc8d064..da948eb8a 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -426,6 +426,19 @@ describe UsersController do
       it_should_behave_like 'honeypot fails'
     end
 
+    context "when 'invite only' setting is enabled" do
+      before { SiteSetting.expects(:invite_only?).returns(true) }
+
+      let(:create_params) {{
+        name: @user.name,
+        username: @user.username,
+        password: 'strongpassword',
+        email: @user.email
+      }}
+
+      it_should_behave_like 'honeypot fails'
+    end
+
     shared_examples_for 'failed signup' do
       it 'should not create a new User' do
         expect { xhr :post, :create, create_params }.to_not change { User.count }
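Review bot: The new invite-only context only reuses the 'honeypot fails' shared examples, which from this hunk appear to check the response shape, so the property that actually matters here, that no user row is written when an uninvited POST arrives, is not asserted unless those shared examples already do so; the 'failed signup' group directly below checks exactly that, so `it_should_behave_like 'failed signup'` would pin it down. A second risk: `SiteSetting.expects(:invite_only?)` demands the stub be hit, but `suspicious?` in the controller evaluates the honeypot check first and short-circuits, and the `create_params` defined here carry no honeypot or challenge fields, so unless an outer `before` supplies valid ones the expectation can fail for a reason unrelated to invite-only; using `stubs` or adding the honeypot fields to `create_params` would decouple the two. The enclosing `describe` and the shared example definitions are outside the hunk, so this is inferred from what is visible.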