Prevent a user with a different email from accepting the team invite (#24491)

## Changes
- Fixes the case where a logged-in user can accept an email invitation
even if their email address does not match the address in the invitation.
Jack Hay 2023-05-03 21:21:58 -04:00 committed by GitHub
parent dbb3736785
commit 402df1d6b4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 11 deletions


@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
ctx.Data["Organization"] = org
ctx.Data["Team"] = team
ctx.Data["Inviter"] = inviter
ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email
ctx.HTML(http.StatusOK, tplTeamInvite)
}
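Review bot: The invitee check is an exact string comparison, `ctx.Doer.Email != invite.Email`, here in TeamInvite and again in the TeamInvitePost hunk below, so an invitee whose stored address differs only in letter case is treated as a mismatch and refused. I would compare case-insensitively, e.g. `ctx.Data["EmailMismatch"] = !strings.EqualFold(ctx.Doer.Email, invite.Email)`, and put the test in one small helper that both handlers call so the rendered page and the POST cannot disagree. Nothing in the visible lines shows that the account's address has been confirmed; if an unconfirmed address can sit in `Doer.Email`, matching it proves nothing about ownership of the invited mailbox, so the helper should also require a verified address (to be checked against how the account model tracks activation). In TeamInvitePost, `ctx.NotFound("ErrTeamInviteNotFound", err)` passes an `err` that looks to be nil at that point, since the earlier error branch has already returned. Both function bodies begin outside the hunks shown.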
@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
return
}
// check that the Doer is the invitee
if ctx.Doer.Email != invite.Email {
log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
ctx.NotFound("ErrTeamInviteNotFound", err)
return
}
if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
ctx.ServerError("AddTeamMember", err)
return