Commit 1083d987 authored by BAIRE Anthony

fix user email validation when importing webapp


Checking user.email is not ok because allauth allows multiple
addresses per user but grants access if any of them is verified.

-> we need to ensure that the matched address is verified


Thus a (non-admin) user can import a webapp only if the two
conditions are met:
- the user is allowed to create webapps (verified by IsProviderMixin)
- the user has a verified email address that matches the owner
  address of the imported webapp
parent 6b4fa212
Pipeline #44761 failed in 1 minute and 6 seconds
...@@ -400,17 +400,20 @@ class WebappImport(SuccessMessageMixin, LoginRequiredMixin, IsProviderMixin, For ...@@ -400,17 +400,20 @@ class WebappImport(SuccessMessageMixin, LoginRequiredMixin, IsProviderMixin, For
current_user = self.request.user current_user = self.request.user
if not current_user.is_superuser: if not current_user.is_superuser:
# get the user EmailAddress that matches the owner of the imported app
email_addr = EmailAddress.objects.filter(
user=current_user, email=js["user"]).first()
# ensure this app has the same owner # ensure this app has the same owner
if current_user.email != js["user"]: if email_addr is None:
return error("""this webapp belongs to another user (if you think return error("""this webapp belongs to another user (if you think
it really belongs to you, then you should contact the it really belongs to you, then you should contact the
administrators)""") administrators)""")
# ensure the user email is verified # ensure the user email is verified
#TODO support gitlab accounts if not email_addr.verified:
if not EmailAddress.objects.filter(user=current_user, email_addr.send_confirmation(request)
email=current_user.email, verified=True).exists(): return redirect("account_email_verification_sent")
return error("your e-mail address is not yet verified")
# We can import the webapp ! # We can import the webapp !
......
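Review bot: `email_addr.send_confirmation(request)` in the new unverified-address branch uses a bare `request`, while the surrounding code takes the request from the view instance (`current_user = self.request.user`); unless `request` is a parameter of this method, that name is unbound here and an unverified user will hit a NameError instead of the intended redirect, so it should read `email_addr.send_confirmation(self.request)`. Two smaller points on the same lines: `email=js["user"]` is an exact-case lookup, so an owner address that differs from the stored `EmailAddress` only in letter case lands in the "belongs to another user" branch (an `email__iexact` match would be more robust); and because this branch now sends a confirmation e-mail on every import attempt by a user whose matching address is unverified, it is worth checking that allauth's confirmation sending is rate-limited on this path so repeated imports cannot be used to generate repeated mail.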