Prevent a user with a different email from accepting the team invite (#24491)
## Changes - Fixes the case where a logged-in user can accept an email invitation even if their email address does not match the address in the invitation.
parent
dbb3736785
commit
402df1d6b4
3 changed files with 26 additions and 11 deletions
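--- a/PATH-NOT-ON-PAGE/locale.ini
+++ b/PATH-NOT-ON-PAGE/locale.ini
@@ -2559,6 +2559,7 @@ teams.all_repositories_admin_permission_desc = This team grants <strong>Admin</s
 teams.invite.title = You've been invited to join team <strong>%s</strong> in organization <strong>%s</strong>.
 teams.invite.by = Invited by %s
 teams.invite.description = Please click the button below to join the team.
+teams.invite.email_mismatch = Your email address does not match this invite.
 
 [admin]
 dashboard = Dashboard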
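--- a/PATH-NOT-ON-PAGE/teams.go
+++ b/PATH-NOT-ON-PAGE/teams.go
@@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
 ctx.Data["Organization"] = org
 ctx.Data["Team"] = team
 ctx.Data["Inviter"] = inviter
+ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email
 
 ctx.HTML(http.StatusOK, tplTeamInvite)
 }
@@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
 return
 }
 
+// check that the Doer is the invitee
+if ctx.Doer.Email != invite.Email {
+log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
+ctx.NotFound("ErrTeamInviteNotFound", err)
+return
+}
+
 if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
 ctx.ServerError("AddTeamMember", err)
 return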
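Review bot: The new invitee check in TeamInvitePost, and the EmailMismatch flag computed in the first hunk of TeamInvite, compare the two addresses with a case-sensitive `!=`; unless both `ctx.Doer.Email` and `invite.Email` are normalized to the same case on write (not visible here), an invitee whose stored address differs from the invite only in case will be shown a mismatch on GET and a 404 on POST for an invite that is genuinely theirs. Using `if !strings.EqualFold(ctx.Doer.Email, invite.Email) {` in the POST check and the same comparison for `ctx.Data["EmailMismatch"]` would tolerate that, and moving it into one small helper would keep the GET and POST checks from drifting apart. The check also binds the invite to the account's primary address only, and it proves ownership of that address only to the extent the instance requires the primary email to be verified, so the comment deserves to say so, e.g. `// check that the Doer is the invitee: only the primary (verified) address of the signed-in user counts`. Note that the `err` handed to `ctx.NotFound` is declared outside the hunk and is presumably nil at this point, which works but reads as if a lookup error were being reported; both enclosing functions start and end outside the hunk.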
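--- a/PATH-NOT-ON-PAGE/invite.tmpl
+++ b/PATH-NOT-ON-PAGE/invite.tmpl
@@ -6,17 +6,23 @@
 <div class="image">
 {{avatar $.Context .Organization 140}}
 </div>
-<div class="content">
-<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
-<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
-<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
-</div>
-<div class="extra content">
-<form class="ui form" action="" method="post">
-{{.CsrfTokenHtml}}
-<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
-</form>
-</div>
+{{if .EmailMismatch}}
+<div class="content">
+<div class="header">{{.locale.Tr "org.teams.invite.email_mismatch"}}</div>
+</div>
+{{else}}
+<div class="content">
+<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
+<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
+<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
+</div>
+<div class="extra content">
+<form class="ui form" action="" method="post">
+{{.CsrfTokenHtml}}
+<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
+</form>
+</div>
+{{end}}
 </div>
 </div>
 </div>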