fix: Add additional checks to userInviter (#10226)
@@ -1,8 +1,9 @@
|
||||
import { faker } from "@faker-js/faker";
|
||||
import { UserRole } from "@shared/types";
|
||||
import { buildUser } from "@server/test/factories";
|
||||
import { buildTeam, buildUser } from "@server/test/factories";
|
||||
import userInviter from "./userInviter";
|
||||
import { withAPIContext } from "@server/test/support";
|
||||
import { TeamDomain } from "@server/models";
|
||||
|
||||
describe("userInviter", () => {
|
||||
it("should return sent invites", async () => {
|
||||
@@ -37,6 +38,58 @@ describe("userInviter", () => {
|
||||
expect(response.sent.length).toEqual(0);
|
||||
});
|
||||
|
||||
it("should error on non allowed domains", async () => {
|
||||
const team = await buildTeam();
|
||||
const user = await buildUser({ teamId: team.id });
|
||||
|
||||
await TeamDomain.create({
|
||||
teamId: team.id,
|
||||
name: faker.internet.domainName(),
|
||||
createdById: user.id,
|
||||
});
|
||||
|
||||
await withAPIContext(user, (ctx) =>
|
||||
expect(
|
||||
userInviter(ctx, {
|
||||
invites: [
|
||||
{
|
||||
role: UserRole.Member,
|
||||
email: "test@example.com",
|
||||
name: "Test",
|
||||
},
|
||||
],
|
||||
})
|
||||
).rejects.toThrow("The domain is not allowed for this workspace")
|
||||
);
|
||||
});
|
||||
|
||||
it("should allow invites for allowed domains", async () => {
|
||||
const team = await buildTeam();
|
||||
const user = await buildUser({ teamId: team.id });
|
||||
const allowedDomain = "google.com";
|
||||
|
||||
await TeamDomain.create({
|
||||
teamId: team.id,
|
||||
name: allowedDomain,
|
||||
createdById: user.id,
|
||||
});
|
||||
|
||||
const response = await withAPIContext(user, (ctx) =>
|
||||
userInviter(ctx, {
|
||||
invites: [
|
||||
{
|
||||
role: UserRole.Member,
|
||||
email: `test@${allowedDomain}`,
|
||||
name: "Test User",
|
||||
},
|
||||
],
|
||||
})
|
||||
);
|
||||
|
||||
expect(response.sent.length).toEqual(1);
|
||||
expect(response.sent[0].email).toEqual(`test@${allowedDomain}`);
|
||||
});
|
||||
|
||||
it("should filter obviously bunk emails", async () => {
|
||||
const user = await buildUser();
|
||||
const response = await withAPIContext(user, (ctx) =>
|
||||
|
||||
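Review bot: Both new cases in `describe("userInviter")` send a single invite, so nothing pins what happens when a batch mixes an allowed and a disallowed address. Since the check is an access-control boundary for the workspace, a mixed-batch case should assert that the call rejects rather than sending to the allowed subset. A case-variant of the allowed domain would likewise show whether matching is case-insensitive, which is not visible from this page. The allowed-domain case also uses the live domain `google.com`; a reserved name such as `example.org` is safer if the test mailer is ever not stubbed. The `should filter obviously bunk emails` test continues outside the hunk.

```typescript
it("should reject the whole batch when one domain is not allowed", async () => {
  const team = await buildTeam();
  const user = await buildUser({ teamId: team.id });
  const allowedDomain = "example.org"; // constructed sample value

  await TeamDomain.create({
    teamId: team.id,
    name: allowedDomain,
    createdById: user.id,
  });

  await withAPIContext(user, (ctx) =>
    expect(
      userInviter(ctx, {
        invites: [
          { role: UserRole.Member, email: `ok@${allowedDomain}`, name: "Allowed" },
          { role: UserRole.Member, email: "other@example.com", name: "Blocked" },
        ],
      })
    ).rejects.toThrow("The domain is not allowed for this workspace")
  );
});
```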
@@ -6,6 +6,7 @@ import Logger from "@server/logging/Logger";
|
||||
import { User, Team } from "@server/models";
|
||||
import { UserFlag } from "@server/models/User";
|
||||
import { APIContext } from "@server/types";
|
||||
import { DomainNotAllowedError } from "@server/errors";
|
||||
|
||||
export type Invite = {
|
||||
name: string;
|
||||
@@ -41,6 +42,13 @@ export default async function userInviter(
|
||||
);
|
||||
// filter out any existing users in the system
|
||||
const emails = normalizedInvites.map((invite) => invite.email);
|
||||
|
||||
for (const email of emails) {
|
||||
if (!(await team.isDomainAllowed(email))) {
|
||||
throw DomainNotAllowedError();
|
||||
}
|
||||
}
|
||||
|
||||
const existingUsers = await User.findAll({
|
||||
where: {
|
||||
teamId: user.teamId,
|
||||
|
||||
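Review bot: The domain loop placed between `emails` and `User.findAll` is undocumented, and it separates the existing `// filter out any existing users in the system` comment from the query that comment describes. The loop throws on the first disallowed address, so one bad entry rejects the whole batch, and `DomainNotAllowedError()` carries no hint of which invite failed. A comment such as `// reject the entire batch if any invite is outside the workspace's allowed domains` above the loop would record that intent, with the older comment moved down to `User.findAll`. The checks are also awaited one email at a time, so if `isDomainAllowed` queries the database (not visible here) a large batch repeats the same lookup per address; checking each distinct domain once would avoid that. `userInviter` starts and ends outside the hunk.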