discourse/lib/validators/email_validator.rb

# frozen_string_literal: true

class EmailValidator < ActiveModel::EachValidator
  def validate_each(record, attribute, value)
    if value.blank?
      record.errors.add(attribute, I18n.t(:"user.email.blank"))
      invalid = true
    elsif !EmailAddressValidator.valid_value?(value)
      if Invite === record && attribute == :email
        record.errors.add(:base, I18n.t(:"invite.invalid_email", email: CGI.escapeHTML(value)))
      else
        record.errors.add(attribute, I18n.t(:"user.email.invalid"))
      end
      invalid = true
    end

    if !EmailValidator.allowed?(value)
      record.errors.add(attribute, I18n.t(:"user.email.not_allowed"))
      invalid = true
    end

    if !invalid && ScreenedEmail.should_block?(value)
      record.errors.add(attribute, I18n.t(:"user.email.blocked"))
    end
  end

  def self.allowed?(email)
    if (setting = SiteSetting.allowed_email_domains).present?
      return email_in_restriction_setting?(setting, email) || is_developer?(email)
    elsif (setting = SiteSetting.blocked_email_domains).present?
      return !(email_in_restriction_setting?(setting, email) && !is_developer?(email))
    end

    true
  end

  def self.can_auto_approve_user?(email)
    if (setting = SiteSetting.auto_approve_email_domains).present?
      return !!(EmailValidator.allowed?(email) && email_in_restriction_setting?(setting, email))
    end

    false
  end

  def self.email_in_restriction_setting?(setting, value)
    domains = setting.gsub(".", '\.')
    regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
    value =~ regexp
  end

  def self.is_developer?(value)
    Rails.configuration.respond_to?(:developer_emails) &&
      Rails.configuration.developer_emails.include?(value)
  end

  def self.email_regex
    Discourse.deprecate(
      "EmailValidator.email_regex is deprecated. Please use EmailAddressValidator instead.",
      output_in_test: true,
      drop_from: "2.9.0",
    )
    EmailAddressValidator.email_regex
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

Add BlockedEmail, to block signups based on email. Track stats of how many times each email address is blocked, and last time it was blocked. Move email validation out of User model and into EmailValidator. Signup form remembers which email addresses have failed and shows validation error on email field. 2013-07-25 13:01:27 -04:00			`class EmailValidator < ActiveModel::EachValidator`
			`def validate_each(record, attribute, value)`
FIX: skip email if blank while syncing SSO attributes. (#19939) Also, return email blank error in `EmailValidator` when the email is blank. 2023-01-23 22:40:24 -05:00			`if value.blank?`
			`record.errors.add(attribute, I18n.t(:"user.email.blank"))`
			`invalid = true`
			`elsif !EmailAddressValidator.valid_value?(value)`
FIX: Improve error messages for invites (#12714) The error messages used to include an unnecessary 'Validation failed: Email' prefix which was removed. 2021-04-15 07:46:32 -04:00			`if Invite === record && attribute == :email`
FIX: Mark invites flash messages as HTML safe. (#15539) * FIX: Mark invites flash messages as HTML safe. This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client. Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220 * If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend. * Escape user input instead of sanitizing 2022-01-18 07:38:31 -05:00			`record.errors.add(:base, I18n.t(:"invite.invalid_email", email: CGI.escapeHTML(value)))`
FIX: Improve error messages for invites (#12714) The error messages used to include an unnecessary 'Validation failed: Email' prefix which was removed. 2021-04-15 07:46:32 -04:00			`else`
			`record.errors.add(attribute, I18n.t(:"user.email.invalid"))`
			`end`
			`invalid = true`
FIX: `EmailValidator` needs to validate format of email. 2020-06-02 22:13:25 -04:00			`end`

DEV: pull email address validation out to a new EmailAddressValidator We validate the format of email addresses in many places with a match against a regex, often with very slightly different syntax. Adding a separate EmailAddressValidator simplifies the code in a few spots and feels cleaner. Deprecated the old location in case someone is using it in a plugin. No functionality change is in this commit. Note: the regex used at the moment does not support using address literals, e.g.: * localpart@[192.168.0.1] * localpart@[2001:db8::1] 2022-02-17 20:12:51 -05:00			`if !EmailValidator.allowed?(value)`
FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00			`record.errors.add(attribute, I18n.t(:"user.email.not_allowed"))`
FIX: Improve error messages for invites (#12714) The error messages used to include an unnecessary 'Validation failed: Email' prefix which was removed. 2021-04-15 07:46:32 -04:00			`invalid = true`
Add BlockedEmail, to block signups based on email. Track stats of how many times each email address is blocked, and last time it was blocked. Move email validation out of User model and into EmailValidator. Signup form remembers which email addresses have failed and shows validation error on email field. 2013-07-25 13:01:27 -04:00			`end`
FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00
FIX: Improve error messages for invites (#12714) The error messages used to include an unnecessary 'Validation failed: Email' prefix which was removed. 2021-04-15 07:46:32 -04:00			`if !invalid && ScreenedEmail.should_block?(value)`
Add BlockedEmail, to block signups based on email. Track stats of how many times each email address is blocked, and last time it was blocked. Move email validation out of User model and into EmailValidator. Signup form remembers which email addresses have failed and shows validation error on email field. 2013-07-25 13:01:27 -04:00			`record.errors.add(attribute, I18n.t(:"user.email.blocked"))`
			`end`
			`end`

FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00			`def self.allowed?(email)`
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist. 2020-07-26 20:23:54 -04:00			`if (setting = SiteSetting.allowed_email_domains).present?`
FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00			`return email_in_restriction_setting?(setting, email) \|\| is_developer?(email)`
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist. 2020-07-26 20:23:54 -04:00			`elsif (setting = SiteSetting.blocked_email_domains).present?`
FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00			`return !(email_in_restriction_setting?(setting, email) && !is_developer?(email))`
			`end`

			`true`
			`end`

FEATURE: add setting `auto_approve_email_domains` to auto approve users (#9323) * FEATURE: add setting `auto_approve_email_domains` to auto approve users This commit adds a new site setting `auto_approve_email_domains` to auto approve users based on their email address domain. Note that if a domain already exists in `email_domains_whitelist` then `auto_approve_email_domains` needs to be duplicated there as well, since users won’t be able to register with email address that is not allowed in `email_domains_whitelist`. * Update config/locales/server.en.yml Co-Authored-By: Robin Ward <robin.ward@gmail.com> 2020-03-31 14:29:15 -04:00			`def self.can_auto_approve_user?(email)`
			`if (setting = SiteSetting.auto_approve_email_domains).present?`
			`return !!(EmailValidator.allowed?(email) && email_in_restriction_setting?(setting, email))`
			`end`

			`false`
			`end`

FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00			`def self.email_in_restriction_setting?(setting, value)`
Add BlockedEmail, to block signups based on email. Track stats of how many times each email address is blocked, and last time it was blocked. Move email validation out of User model and into EmailValidator. Signup form remembers which email addresses have failed and shows validation error on email field. 2013-07-25 13:01:27 -04:00			`domains = setting.gsub(".", '\.')`
SECURITY: email domain whitelist could be bypassed 2018-01-17 15:45:32 -05:00			`regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)`
Add BlockedEmail, to block signups based on email. Track stats of how many times each email address is blocked, and last time it was blocked. Move email validation out of User model and into EmailValidator. Signup form remembers which email addresses have failed and shows validation error on email field. 2013-07-25 13:01:27 -04:00			`value =~ regexp`
			`end`

FIX: respect email domain whitelist/blacklist when creating staged users 2017-10-03 05:23:18 -04:00			`def self.is_developer?(value)`
FIX: allow developer emails to bypass email blacklist/whitelist restriction 2015-01-29 12:52:59 -05:00			`Rails.configuration.respond_to?(:developer_emails) &&`
			`Rails.configuration.developer_emails.include?(value)`
			`end`

Add ability to run validation on site settings. notification_email and other email address settings are now validated. 2014-06-09 15:17:36 -04:00			`def self.email_regex`
DEV: pull email address validation out to a new EmailAddressValidator We validate the format of email addresses in many places with a match against a regex, often with very slightly different syntax. Adding a separate EmailAddressValidator simplifies the code in a few spots and feels cleaner. Deprecated the old location in case someone is using it in a plugin. No functionality change is in this commit. Note: the regex used at the moment does not support using address literals, e.g.: * localpart@[192.168.0.1] * localpart@[2001:db8::1] 2022-02-17 20:12:51 -05:00			`Discourse.deprecate(`
			`"EmailValidator.email_regex is deprecated. Please use EmailAddressValidator instead.",`
			`output_in_test: true,`
			`drop_from: "2.9.0",`
			`)`
			`EmailAddressValidator.email_regex`
Add ability to run validation on site settings. notification_email and other email address settings are now validated. 2014-06-09 15:17:36 -04:00			`end`
FIX: disposable invite was giving email validation error 2014-10-23 13:25:49 -04:00			`end`