Prevent a user with a different email from accepting the team invite (#24491)

jackHay22 · web-flow · commit 402df1d6b461 · 2023-05-03T21:21:58.000-04:00
## Changes
- Fixes the case where a logged in user can accept an email invitation
even if their email address does not match the address in the invitation
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -2559,6 +2559,7 @@ teams.all_repositories_admin_permission_desc = This team grants <strong>Admin</s
 teams.invite.title = You've been invited to join team <strong>%s</strong> in organization <strong>%s</strong>.
 teams.invite.by = Invited by %s
 teams.invite.description = Please click the button below to join the team.
+teams.invite.email_mismatch = Your email address does not match this invite.
 
 [admin]
 dashboard = Dashboard
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
@@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
 	ctx.Data["Organization"] = org
 	ctx.Data["Team"] = team
 	ctx.Data["Inviter"] = inviter
+	ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email
 
 	ctx.HTML(http.StatusOK, tplTeamInvite)
 }
@@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
 		return
 	}
 
+	// check that the Doer is the invitee
+	if ctx.Doer.Email != invite.Email {
+		log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
+		ctx.NotFound("ErrTeamInviteNotFound", err)
+		return
+	}
+
 	if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
 		ctx.ServerError("AddTeamMember", err)
 		return
diff --git a/templates/org/team/invite.tmpl b/templates/org/team/invite.tmpl
@@ -6,17 +6,23 @@
 			<div class="image">
 				{{avatar $.Context .Organization 140}}
 			</div>
-			<div class="content">
-				<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
-				<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
-				<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
-			</div>
-			<div class="extra content">
-				<form class="ui form" action="" method="post">
-					{{.CsrfTokenHtml}}
-					<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
-				</form>
-			</div>
+			{{if .EmailMismatch}}
+				<div class="content">
+					<div class="header">{{.locale.Tr "org.teams.invite.email_mismatch"}}</div>
+				</div>
+			{{else}}
+				<div class="content">
+					<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
+					<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
+					<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
+				</div>
+				<div class="extra content">
+					<form class="ui form" action="" method="post">
+						{{.CsrfTokenHtml}}
+						<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
+					</form>
+				</div>
+			{{end}}
 		</div>
 	</div>
 </div>
