authorJack Hay <jack@allspice.io>2023-05-03 21:21:58 -0400
committerGitHub <noreply@github.com>2023-05-03 21:21:58 -0400
commit402df1d6b461824b197c2b29166df2d66cf9ae1e (patch)
tree403bc891bea5842c8c2e6a65b2ac26e639e73025 /routers/web/org
parentdbb37367854d108ebfffcac27837c0afac199a8e (diff)
downloadgitea-402df1d6b461824b197c2b29166df2d66cf9ae1e.tar.gz
gitea-402df1d6b461824b197c2b29166df2d66cf9ae1e.zip
Prevent a user with a different email from accepting the team invite (#24491)
## Changes - Fixes the case where a logged in user can accept an email invitation even if their email address does not match the address in the invitation
Diffstat (limited to 'routers/web/org')
-rw-r--r--routers/web/org/teams.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 2ce4bf5322..9a0f49b688 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
ctx.Data["Organization"] = org
ctx.Data["Team"] = team
ctx.Data["Inviter"] = inviter
+ ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email
ctx.HTML(http.StatusOK, tplTeamInvite)
}
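Review bot: The expression `ctx.Doer.Email != invite.Email` in TeamInvite is a byte-exact string comparison, and it is written out a second time as the enforcing check in TeamInvitePost in the next hunk. Two copies of an authorization predicate can drift apart, so the page could show "no mismatch" while the POST refuses, or the reverse. It would be safer to move it into one small helper that both handlers call, for example `ctx.Data["EmailMismatch"] = !inviteEmailMatches(ctx.Doer, invite)` (helper name is a suggestion). The helper should document whether case differences count as a mismatch; how invite and account addresses are normalised when stored is not visible in this hunk, so that needs confirming. TeamInvite starts outside the hunk.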
@@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
return
}
+ // check that the Doer is the invitee
+ if ctx.Doer.Email != invite.Email {
+ log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
+ ctx.NotFound("ErrTeamInviteNotFound", err)
+ return
+ }
+
if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
ctx.ServerError("AddTeamMember", err)
return
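Review bot: The new guard in TeamInvitePost proves only that the account's primary address string equals the invited address, not that the signed-in user controls that mailbox. If an account can carry an unconfirmed primary email (not visible here), the check should also require a confirmed address before `models.AddTeamMember` runs, and the comment could say so: `// the invite is bound to an email address; only an account whose confirmed address matches may accept it`. Separately, `err` appears to be nil at this point because the preceding block returns on error, so `ctx.NotFound("ErrTeamInviteNotFound", nil)` would state the intent more honestly than passing a stale variable. Answering with not-found rather than forbidden is a good choice since it does not confirm the invite exists. The function begins and ends outside the hunk, so the origin of `err` and `invite` is inferred.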