Don't allow updating user's email to blacklisted domain. (#3127)

This commit is contained in:
Arik Fraimovich 2018-11-26 21:22:14 +02:00 committed by GitHub
parent 1cdfcfaa3c
commit bd20ce12ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 0 deletions


@ -184,6 +184,12 @@ class UserResource(BaseResource):
if 'groups' in params and not self.current_user.has_permission('admin'):
abort(403, message="Must be admin to change groups membership.")
if 'email' in params:
_, domain = params['email'].split('@', 1)
if domain.lower() in blacklist or domain.lower() == 'qq.com':
abort(400, message='Bad email address.')
try:
self.update_model(user, params)

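Review bot: A value without an `@` makes the unpack on the `split` line raise ValueError, so a malformed `email` in the update payload surfaces as an unhandled error instead of the 400 the next line intends; using `rpartition` and checking the separator keeps it on the 400 path: `_, sep, domain = params['email'].rpartition('@')` / `if not sep or domain.lower() in blacklist or domain.lower() == 'qq.com':` / `abort(400, message='Bad email address.')`. The check compares the whole domain exactly, so, assuming `blacklist` holds bare domains (it is defined outside this hunk), a subdomain of a listed domain is not caught; comparing the suffix would cover that case. The literal `'qq.com'` next to `blacklist` hard-codes one entry outside the list mechanism and looks like it belongs in whatever populates `blacklist`, with a comment saying why it is treated specially if it must stay inline. The enclosing method continues outside the hunk.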

@ -149,6 +149,17 @@ class TestUserResourcePost(BaseTestCase):
user = models.User.query.get(self.factory.user.id)
self.assertTrue(user.verify_password(new_password))
def test_returns_400_when_using_temporary_email(self):
admin = self.factory.create_admin()
test_user = {'email': 'user@mailinator.com'}
rv = self.make_request('post', '/api/users/{}'.format(self.factory.user.id), data=test_user, user=admin)
self.assertEqual(rv.status_code, 400)
test_user['email'] = 'arik@qq.com'
rv = self.make_request('post', '/api/users', data=test_user, user=admin)
self.assertEqual(rv.status_code, 400)
class TestUserDisable(BaseTestCase):
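Review bot: The second request in `test_returns_400_when_using_temporary_email` posts to `/api/users` rather than `/api/users/{}` like the first, so the `qq.com` case exercises the create endpoint instead of the update path this commit changes; if that is intended, a short comment saying so would help, otherwise the URL should match the first request. The test also never confirms that the rejected update left the stored address untouched, which is the behaviour the commit title promises; a line such as `self.assertNotEqual(models.User.query.get(self.factory.user.id).email, 'user@mailinator.com')` after the first 400 pins that. A companion assertion that an ordinary domain is still accepted would guard against the check rejecting everything.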