Prevent admin or user from updating user email to an email in blacklisted email domains
Summary
Able to add user email which is in blocked domain list
Steps to reproduce
Pre-Actions: Go to Admin Page > Settings
- Check the box "Sign-up enabled"
- Add a whitelisted domain
- Add a blacklisted domain
Case 1: General User
- Sign up with an email address from a whitelisted domain.
- Go to Profile Settings and change the email address to one that belongs to a blacklisted domain.
- Click on Save. You will be allowed to save the email address.
Case 2: Admin User
- Browse to a user's details.
- Click on edit person details.
- Change the user's email to an email address that belongs to a blacklisted domain.
- Click on Save; the admin user is allowed to modify the email address without any issue.
One more major difference between case 1 and case 2: in case 1, the user was asked to confirm the email, but in case 2 there was no such confirmation.
In my view case 2 is more dangerous than case 1.
Possible fixes
In both cases, an error or informational message has to be shown to the user that the email address domain is not a whitelisted one.
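As an added example (not GitLab's code and not from the reporter), the following Ruby sketch shows the shape of the fix proposed above: one domain policy, with the page's whitelist and blacklist as an allowlist and a denylist, enforced on every email change rather than only at sign-up, so the profile-settings path from Case 1 and the admin edit path from Case 2 get the same rejection. The class and method names (EmailDomainPolicy, Account, rejection_reason), the wildcard "*." handling and the sample domains are assumptions for illustration.

```ruby
# Hypothetical domain-restriction check for email updates (added example, not GitLab code).
# The issue's point: the sign-up-time domain lists must also be consulted when an
# existing user's email is changed, whether by the user or by an admin.
class EmailDomainPolicy
  def initialize(allowlist: [], denylist: [])
    @allowlist = allowlist.map { |d| normalize(d) }   # the page's "whitelist"
    @denylist  = denylist.map { |d| normalize(d) }    # the page's "blacklist"
  end

  # Returns nil when the address is acceptable, otherwise a human-readable reason
  # suitable for showing to the user or admin as the error message the issue asks for.
  def rejection_reason(email)
    domain = domain_of(email)
    return 'email address has no domain part' unless domain
    # Denylist wins over allowlist, so a blocked subdomain of an allowed domain stays blocked.
    return "email domain #{domain} is blocked" if matches_any?(domain, @denylist)
    if @allowlist.any? && !matches_any?(domain, @allowlist)
      return "email domain #{domain} is not in the allowed list"
    end
    nil
  end

  def allowed?(email)
    rejection_reason(email).nil?
  end

  private

  def normalize(domain)
    domain.strip.downcase
  end

  # Extracts and lower-cases the part after the single "@"; nil for malformed input.
  def domain_of(email)
    parts = email.to_s.strip.split('@')
    return nil unless parts.length == 2 && !parts[1].empty?
    normalize(parts[1])
  end

  # Exact match, or a wildcard entry like "*.example.com" matching any subdomain
  # (assumed wildcard syntax for this example).
  def matches_any?(domain, patterns)
    patterns.any? do |pattern|
      if pattern.start_with?('*.')
        suffix = pattern[1..-1] # ".example.com"
        domain.end_with?(suffix) && domain.length > suffix.length
      else
        domain == pattern
      end
    end
  end
end

# Minimal stand-in for a user record: the same check runs at creation (sign-up) and
# on every later email change, regardless of which UI path or which role performs it.
class Account
  attr_reader :email

  def initialize(email, policy)
    @policy = policy
    @email = nil
    update_email!(email)
  end

  def update_email!(new_email)
    reason = @policy.rejection_reason(new_email)
    raise ArgumentError, reason if reason
    @email = new_email
  end
end

# Constructed sample configuration, mirroring the pre-actions in the report.
POLICY = EmailDomainPolicy.new(
  allowlist: ['example.com', '*.corp.example'],
  denylist:  ['mailinator.com', '*.blocked.test']
)

if __FILE__ == $PROGRAM_NAME
  account = Account.new('alice@example.com', POLICY)   # sign-up from a whitelisted domain
  begin
    account.update_email!('alice@mailinator.com')      # the Case 1 / Case 2 edit
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts "current email: #{account.email}"
end
```

Because the policy object is independent of the controller that calls it, the admin edit form and the user's profile form can share it; the admin path in Case 2, which the report notes skips the confirmation email, is the one that most needs the check to run before the record is saved.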