FIX: Improve handling when email is obfuscated (#12450)

This commit ensures that email validation is skipped when the email is obfuscated, that the email is no longer send when it is not an invite link and no username is suggested if the email is hidden as it may reveal the first part of the email. Follow up to commit 033d6b6437.
2025-09-08 12:06:51 +08:00 · 2021-03-19 17:15:46 +02:00 · 2021-03-19 17:15:46 +02:00 · 534008ba24
commit 534008ba24
parent c9923a3e3e
2 changed files with 29 additions and 11 deletions
--- a/app/assets/javascripts/discourse/app/controllers/invites-show.js
+++ b/app/assets/javascripts/discourse/app/controllers/invites-show.js
@ -26,6 +26,7 @@ export default Controller.extend(

    invitedBy: readOnly("model.invited_by"),
    email: alias("model.email"),
+    hiddenEmail: alias("model.hidden_email"),
    accountUsername: alias("model.username"),
    passwordRequired: notEmpty("accountPassword"),
    successMessage: null,
@ -122,14 +123,23 @@ export default Controller.extend(
      "email",
      "rejectedEmails.[]",
      "authOptions.email",
-      "authOptions.email_valid"
+      "authOptions.email_valid",
+      "hiddenEmail"
    )
    emailValidation(
      email,
      rejectedEmails,
      externalAuthEmail,
-      externalAuthEmailValid
+      externalAuthEmailValid,
+      hiddenEmail
    ) {
+      if (hiddenEmail) {
+        return EmberObject.create({
+          ok: true,
+          reason: I18n.t("user.email.ok"),
+        });
+      }
+
      // If blank, fail without a reason
      if (isEmpty(email)) {
        return EmberObject.create({
@ -195,17 +205,22 @@ export default Controller.extend(
          });
        }

+        const data = {
+          username: this.accountUsername,
+          name: this.accountName,
+          password: this.accountPassword,
+          user_custom_fields: userCustomFields,
+          timezone: moment.tz.guess(),
+        };
+
+        if (this.isInviteLink) {
+          data.email = this.email;
+        }
+
        ajax({
          url: `/invites/show/${this.get("model.token")}.json`,
          type: "PUT",
-          data: {
-            email: this.email,
-            username: this.accountUsername,
-            name: this.accountName,
-            password: this.accountPassword,
-            user_custom_fields: userCustomFields,
-            timezone: moment.tz.guess(),
-          },
+          data,
        })
          .then((result) => {
            if (result.success) {
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -27,10 +27,13 @@ class InvitesController < ApplicationController
        end
      end

+      hidden_email = email != invite.email
+
      store_preloaded("invite_info", MultiJson.dump(
        invited_by: UserNameSerializer.new(invite.invited_by, scope: guardian, root: false),
        email: email,
-        username: UserNameSuggester.suggest(invite.email),
+        hidden_email: hidden_email,
+        username: hidden_email ? '' : UserNameSuggester.suggest(invite.email),
        is_invite_link: invite.is_invite_link?
      ))