letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Prevent email changes if disabled

Browse Source
This commit is contained in:
Quentin Gliech
2024-03-29 14:40:44 +01:00
parent cc457bf257
commit db7bffa484
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
crates/handlers/src/views/account/emails/add.rs
View File

@@ -21,6 +21,7 @@ use mas_axum_utils::{
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_data_model::SiteConfig;
use mas_policy::Policy;
use mas_router::UrlBuilder;
use mas_storage::{
@@ -45,6 +46,7 @@ pub(crate) async fn get(
PreferredLanguage(locale): PreferredLanguage,
State(templates): State<Templates>,
State(url_builder): State<UrlBuilder>,
State(site_config): State<SiteConfig>,
activity_tracker: BoundActivityTracker,
mut repo: BoxRepository,
cookie_jar: CookieJar,
@@ -59,6 +61,15 @@ pub(crate) async fn get(
return Ok((cookie_jar, url_builder.redirect(&login)).into_response());
};
if !site_config.email_change_allowed {
// XXX: this may not be the best error message, it's not translatable
return Err(FancyError::new(
ErrorContext::new()
.with_description("Email change is not allowed".to_owned())
.with_details("The site configuration does not allow email changes".to_owned()),
));
}
activity_tracker
.record_browser_session(&clock, &session)
.await;
@@ -82,6 +93,7 @@ pub(crate) async fn post(
mut policy: Policy,
cookie_jar: CookieJar,
State(url_builder): State<UrlBuilder>,
State(site_config): State<SiteConfig>,
activity_tracker: BoundActivityTracker,
Query(query): Query<OptionalPostAuthAction>,
Form(form): Form<ProtectedForm<EmailForm>>,
@@ -97,6 +109,13 @@ pub(crate) async fn post(
};
// XXX: we really should show human readable errors on the form here
if !site_config.email_change_allowed {
return Err(FancyError::new(
ErrorContext::new()
.with_description("Email change is not allowed".to_owned())
.with_details("The site configuration does not allow email changes".to_owned()),
));
}
// Validate the email address
if form.email.parse::<lettre::Address>().is_err() {