Prevent a user with a different email from accepting the team invite (#24491)

## Changes - Fixes the case where a logged in user can accept an email invitation even if their email address does not match the address in the invitation
2025-07-22 02:08:36 +00:00 · 2023-05-03 21:21:58 -04:00
parent dbb3736785
commit 402df1d6b4
3 changed files with 26 additions and 11 deletions
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
 	ctx.Data["Organization"] = org
 	ctx.Data["Team"] = team
 	ctx.Data["Inviter"] = inviter
+	ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email

 	ctx.HTML(http.StatusOK, tplTeamInvite)
 }
@@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
 		return
 	}

+	// check that the Doer is the invitee
+	if ctx.Doer.Email != invite.Email {
+		log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
+		ctx.NotFound("ErrTeamInviteNotFound", err)
+		return
+	}
+
 	if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
 		ctx.ServerError("AddTeamMember", err)
 		return