Don’t populate invite with users from other orgs

We shouldn’t have a page where someone can look up any other user’s
email address based on their user ID.

We also don’t want a page where a malicious user could send someone a
link which would get them invited to the service.

Restricting the invite to be populated just from users in their own
organisation doesn’t mitigate against this stuff completely, but they
probably have a way of finding out the email address of someone in their
organisation already.
This commit is contained in:
Chris Hill-Scott
2020-06-08 14:39:36 +01:00
parent deaf2059f5
commit 92c6cca6a1
3 changed files with 65 additions and 3 deletions


@@ -70,6 +70,10 @@ def invite_user(service_id, user_id=None):
'views/user-already-invited.html',
user_to_invite=user_to_invite,
)
if not user_to_invite.default_organisation:
abort(403)
if user_to_invite.default_organisation.id != current_service.organisation_id:
abort(403)
form.email_address.data = user_to_invite.email_address
else:
user_to_invite = None
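Review bot: the new organisation checks sit after the `user-already-invited.html` render at the top of the hunk, so a caller who supplies the ID of an already-invited user from another organisation still reaches that render with `user_to_invite` before either `abort(403)` runs; move both checks above the already-invited branch so that no template receives a user outside `current_service.organisation_id`. Consider also aborting with 404 rather than 403 here: a 403 for a real user in another organisation versus whatever the lookup returns for an unknown ID gives a caller a way to confirm which user IDs exist, which is the kind of lookup the commit message says this page should not offer.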