diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 18:41:13 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 18:41:13 +0300 |
| commit | 1e61fc763e645038f2da69fc9af6fe166a6b101a (patch) | |
| tree | 76053795a637d056347c1891d98935c0361a331d /app/models | |
| parent | 57b9b49b27a730294ae37d2ac25cab943f4b801d (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'app/models')
| -rw-r--r-- | app/models/notification_setting.rb | 8 | ||||
| -rw-r--r-- | app/models/user.rb | 20 |
2 files changed, 19 insertions, 9 deletions
diff --git a/app/models/notification_setting.rb b/app/models/notification_setting.rb index 38bd95e6a20..c8c1f47c182 100644 --- a/app/models/notification_setting.rb +++ b/app/models/notification_setting.rb @@ -14,6 +14,7 @@ class NotificationSetting < ApplicationRecord validates :user_id, uniqueness: { scope: [:source_type, :source_id], message: "already exists in source", allow_nil: true } + validate :owns_notification_email, if: :notification_email_changed? scope :for_groups, -> { where(source_type: 'Namespace') } @@ -97,6 +98,13 @@ class NotificationSetting < ApplicationRecord def event_enabled?(event) respond_to?(event) && !!public_send(event) # rubocop:disable GitlabSecurity/PublicSend end + + def owns_notification_email + return if user.temp_oauth_email? + return if notification_email.empty? + + errors.add(:notification_email, _("is not an email you own")) unless user.verified_emails.include?(notification_email) + end end NotificationSetting.prepend_if_ee('EE::NotificationSetting') diff --git a/app/models/user.rb b/app/models/user.rb index 81316f81818..927ffa4d12b 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -756,15 +756,15 @@ class User < ApplicationRecord end def owns_notification_email - return if temp_oauth_email? + return if new_record? || temp_oauth_email? - errors.add(:notification_email, _("is not an email you own")) unless all_emails.include?(notification_email) + errors.add(:notification_email, _("is not an email you own")) unless verified_emails.include?(notification_email) end def owns_public_email return if public_email.blank? - errors.add(:public_email, _("is not an email you own")) unless all_emails.include?(public_email) + errors.add(:public_email, _("is not an email you own")) unless verified_emails.include?(public_email) end def owns_commit_email @@ -1212,18 +1212,20 @@ class User < ApplicationRecord all_emails end - def all_public_emails - all_emails(include_private_email: false) - end - - def verified_emails + def verified_emails(include_private_email: true) verified_emails = [] verified_emails << email if primary_email_verified? - verified_emails << private_commit_email + verified_emails << private_commit_email if include_private_email verified_emails.concat(emails.confirmed.pluck(:email)) verified_emails end + def public_verified_emails + emails = verified_emails(include_private_email: false) + emails << email unless temp_oauth_email? + emails.uniq + end + def any_email?(check_email) downcased = check_email.downcase |