sanctureplicum
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prevent a user with a different email from accepting the team invite (#24491) 

## Changes
- Fixes the case where a logged in user can accept an email invitation
even if their email address does not match the address in the invitation
main
Jack Hay 2023-05-03 21:21:58 -04:00 committed by GitHub
parent dbb3736785
commit 402df1d6b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
options/locale/locale_en-US.ini
Unescape Escape View File

@ -2559,6 +2559,7 @@ teams.all_repositories_admin_permission_desc = This team grants <strong>Admin</s
teams.invite.title = You've been invited to join team <strong>%s</strong> in organization <strong>%s</strong>. teams.invite.title = You've been invited to join team <strong>%s</strong> in organization <strong>%s</strong>.
teams.invite.by = Invited by %s teams.invite.by = Invited by %s
teams.invite.description = Please click the button below to join the team. teams.invite.description = Please click the button below to join the team.
teams.invite.email_mismatch = Your email address does not match this invite.
[admin] [admin]
dashboard = Dashboard dashboard = Dashboard

8
routers/web/org/teams.go
Unescape Escape View File

@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
ctx.Data["Organization"] = org ctx.Data["Organization"] = org
ctx.Data["Team"] = team ctx.Data["Team"] = team
ctx.Data["Inviter"] = inviter ctx.Data["Inviter"] = inviter
ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email
ctx.HTML(http.StatusOK, tplTeamInvite) ctx.HTML(http.StatusOK, tplTeamInvite)
} }
@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
return return
} }
// check that the Doer is the invitee
if ctx.Doer.Email != invite.Email {
log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
ctx.NotFound("ErrTeamInviteNotFound", err)
return
}
if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil { if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
ctx.ServerError("AddTeamMember", err) ctx.ServerError("AddTeamMember", err)
return return

28
templates/org/team/invite.tmpl
Unescape Escape View File

@ -6,17 +6,23 @@
<div class="image"> <div class="image">
{{avatar $.Context .Organization 140}} {{avatar $.Context .Organization 140}}
</div> </div>
<div class="content"> {{if .EmailMismatch}}
<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div> <div class="content">
<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div> <div class="header">{{.locale.Tr "org.teams.invite.email_mismatch"}}</div>
<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div> </div>
</div> {{else}}
<div class="extra content"> <div class="content">
<form class="ui form" action="" method="post"> <div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
{{.CsrfTokenHtml}} <div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button> <div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
</form> </div>
</div> <div class="extra content">
<form class="ui form" action="" method="post">
{{.CsrfTokenHtml}}
<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
</form>
</div>
{{end}}
</div> </div>
</div> </div>
</div> </div>