SECURITY: Prevent users from updating to blacklisted email domains

Robin Ward 2017-09-12 10:03:33 -04:00
parent 85ef3696de
commit 171d9e5aed
2 changed files with 13 additions and 2 deletions


@ -619,9 +619,12 @@ class UsersController < ApplicationController
raise Discourse::InvalidAccess.new if current_user.present?
User.transaction do
@user.email = params[:email]
primary_email = @user.primary_email
if @user.save
primary_email.email = params[:email]
primary_email.should_validate_email = true
if primary_email.save
@user.email_tokens.create(email: @user.email)
enqueue_activation_email
render json: success_json
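Review bot: The reason for assigning and saving `@user` before touching `primary_email` is not stated in the code, and the blacklist enforcement this commit relies on is not visible in the hunk itself (it presumably runs through the User model's email validations on `@user.save`), so a later cleanup could collapse the two saves back into one and silently reintroduce the bypass; a comment above `@user.email = params[:email]` such as `# Save the User first so its email validations (including the domain blacklist) reject the address before the primary email record is changed` would pin that intent. Separately, if `@user.save` succeeds and `primary_email.save` then fails, nothing in the visible lines raises or issues `raise ActiveRecord::Rollback`, so the `User.transaction` block would commit the user row with the new address unless the else branch (outside the hunk) does so — worth confirming. The enclosing `update_activation_email` method and the transaction block both begin and end outside the hunk.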


@ -1983,6 +1983,14 @@ describe UsersController do
expect(response).to_not be_success
end
it "raises an error when the email is blacklisted" do
user = Fabricate(:inactive_user)
SiteSetting.email_domains_blacklist = 'example.com'
session[SessionController::ACTIVATE_USER_KEY] = user.id
xhr :put, :update_activation_email, email: 'test@example.com'
expect(response).to_not be_success
end
it "can be updated" do
user = Fabricate(:inactive_user)
token = user.email_tokens.first