Commit 1083d987 authored by BAIRE Anthony

fix user email validation when importing webapp


Checking user.email is not ok because allauth allows multiple
addresses per user but grants access if any of them is verified.

-> we need to ensure that the matched address is verified


Thus a (non-admin) user can import a webapp only if the two
conditions are met:
- the user is allowed to create webapps (verified by IsProviderMixin)
- the user has a verified email address that matches the owner
  address of the imported webapp
parent 6b4fa212
Pipeline #44761 failed with stage in 1 minute and 6 seconds
......@@ -400,17 +400,20 @@ class WebappImport(SuccessMessageMixin, LoginRequiredMixin, IsProviderMixin, For
current_user = self.request.user
if not current_user.is_superuser:
# get the user EmailAddress that matches the owner of the imported app
email_addr = EmailAddress.objects.filter(
user=current_user, email=js["user"]).first()
# ensure this app has the same owner
if current_user.email != js["user"]:
if email_addr is None:
return error("""this webapp belongs to another user (if you think
it really belongs to you, then you should contact the
administrators)""")
# ensure the user email is verified
#TODO support gitlab accounts
if not EmailAddress.objects.filter(user=current_user,
email=current_user.email, verified=True).exists():
return error("your e-mail address is not yet verified")
if not email_addr.verified:
email_addr.send_confirmation(request)
return redirect("account_email_verification_sent")
# We can import the webapp !
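Review bot: the new line `email_addr.send_confirmation(request)` uses a bare `request`, while the same method reads the current user through `self.request.user` at the top of the hunk; unless `request` is a parameter of this method (a FormView's `form_valid` receives only `form`), this raises `NameError` exactly on the path that handles an unverified address, which the failed pipeline would be consistent with. Suggest `email_addr.send_confirmation(self.request)`. Two smaller points: the lookup `EmailAddress.objects.filter(user=current_user, email=js["user"])` is an exact string match, so an owner address stored with different letter case will not be found and the import is rejected as belonging to another user; a case-insensitive match (`email__iexact`) avoids that false negative. And the removed `#TODO support gitlab accounts` comment is not addressed by the change, since accounts without an `EmailAddress` row still cannot import; keep the TODO next to the new check if that case is still open.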