From ee59a2b5c8a3b189afe8bfb6c70d02de7523ea00 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 12 Sep 2017 10:03:33 -0400
Subject: [PATCH] SECURITY: Prevent users from updating to blacklisted email domains
---
 app/controllers/users_controller.rb       | 7 +++++--
 spec/controllers/users_controller_spec.rb | 8 ++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 94639c5bd6..fcd6b9ef28 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -612,9 +612,12 @@ class UsersController < ApplicationController
     raise Discourse::InvalidAccess.new if current_user.present?
 
     User.transaction do
-      @user.email = params[:email]
+      primary_email = @user.primary_email
 
-      if @user.save
+      primary_email.email = params[:email]
+      primary_email.should_validate_email = true
+
+      if primary_email.save
         @user.email_tokens.create(email: @user.email)
         enqueue_activation_email
         render json: success_json
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 8b3cfde377..521108e541 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -1983,6 +1983,14 @@ describe UsersController do
       expect(response).to_not be_success
     end
 
+  it "raises an error when the email is blacklisted" do
+    user = Fabricate(:inactive_user)
+    SiteSetting.email_domains_blacklist = 'example.com'
+    session[SessionController::ACTIVATE_USER_KEY] = user.id
+    xhr :put, :update_activation_email, email: 'test@example.com'
+    expect(response).to_not be_success
+  end
+
   it "can be updated" do
     user = Fabricate(:inactive_user)
     token = user.email_tokens.first
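Review bot: The activation token on the unchanged line `@user.email_tokens.create(email: @user.email)` is still built from `@user.email` even though the address was just written and validated through `primary_email`; if `User#email` is not read from that same `primary_email` object (a separate association load or a cached column, say), the token could be issued for the old address while the new one was saved. Creating it from the object the hunk actually saved, `@user.email_tokens.create(email: primary_email.email)`, removes that dependency and keeps the blacklist-validated value and the token in lockstep. The new code also assumes `@user.primary_email` is present; if an inactive user can exist without one, `primary_email.email = params[:email]` raises instead of rendering a failure, so a guard such as `raise Discourse::InvalidParameters.new(:email) if primary_email.nil?` (or whatever error this controller conventionally raises) would be worth adding if that state is reachable. Note that the domain check now lives entirely in the `UserEmail` validation path enabled by `should_validate_email = true`, so any later change to that flag's meaning silently weakens this fix; a one-line comment above it, `# force EmailValidator (domain blacklist/whitelist) on the changed address`, would document why it is set. The `else` branch of `if primary_email.save` lies outside the hunk.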
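Review bot: The new example "raises an error when the email is blacklisted" only asserts `expect(response).to_not be_success`, which would also pass if the request failed for an unrelated reason (missing session key, wrong route, any 4xx), so it does not by itself prove that the blacklisted address was rejected. Asserting the persisted state as well, `expect(user.reload.email).to_not eq('test@example.com')`, pins the property the commit is about: the address must not have been written. If the failure response carries the validation message, asserting on that too would tie the example to the blacklist rather than to a generic failure.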