Commit 912285aa authored by Sean Arnold's avatar Sean Arnold

Merge branch '328028-reply-by-email-to-notification-is-attributed-to-wrong-user' into 'master'

Reject reply by email to notification if the from email is not verified

See merge request gitlab-org/gitlab!79932
parents 56b78e45 6c33182c
...@@ -9,11 +9,12 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do ...@@ -9,11 +9,12 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do
stub_incoming_email_setting(enabled: true, address: "reply+%{key}@appmail.adventuretime.ooo") stub_incoming_email_setting(enabled: true, address: "reply+%{key}@appmail.adventuretime.ooo")
stub_config_setting(host: 'localhost') stub_config_setting(host: 'localhost')
stub_licensed_features(epics: true) stub_licensed_features(epics: true)
group.add_developer(user)
end end
let(:email_raw) { fixture_file('emails/valid_reply.eml') } let(:email_raw) { fixture_file('emails/valid_reply.eml') }
let(:group) { create(:group_with_members) } let(:group) { create(:group) }
let(:user) { group.users.first } let(:user) { create(:user, email: 'jake@adventuretime.ooo') }
let(:noteable) { create(:epic, group: group) } let(:noteable) { create(:epic, group: group) }
let(:note) { create(:note, project: nil, noteable: noteable)} let(:note) { create(:note, project: nil, noteable: noteable)}
......
...@@ -24,6 +24,8 @@ module Gitlab ...@@ -24,6 +24,8 @@ module Gitlab
validate_permission!(:create_note) validate_permission!(:create_note)
validate_from_address!
raise NoteableNotFoundError unless noteable raise NoteableNotFoundError unless noteable
raise EmptyEmailError if note_message.blank? raise EmptyEmailError if note_message.blank?
...@@ -56,6 +58,17 @@ module Gitlab ...@@ -56,6 +58,17 @@ module Gitlab
message_with_appended_reply message_with_appended_reply
end end
def from_address
mail.from&.first
end
def validate_from_address!
# Recipieint is always set to Support bot for ServiceDesk issues so we should exclude those.
return if author == User.support_bot
raise UserNotFoundError unless from_address && author.verified_email?(from_address)
end
end end
end end
end end
......
...@@ -5,7 +5,7 @@ require 'spec_helper' ...@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do
include_context :email_shared_context include_context :email_shared_context
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user, email: 'jake@adventuretime.ooo') }
let_it_be(:project) { create(:project, :public, :repository) } let_it_be(:project) { create(:project, :public, :repository) }
let(:noteable) { note.noteable } let(:noteable) { note.noteable }
...@@ -39,6 +39,43 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do ...@@ -39,6 +39,43 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do
end end
end end
context 'when the incoming email is from a different email address' do
before do
SentNotification.find_by(reply_key: mail_key).update!(recipient: original_recipient)
end
context 'when the issue is not a Service Desk issue' do
let(:original_recipient) { create(:user, email: 'john@somethingelse.com') }
context 'with only one email address' do
it 'raises a UserNotFoundError' do
expect { receiver.execute }.to raise_error(Gitlab::Email::UserNotFoundError)
end
end
context 'with a secondary verified email address' do
let(:verified_email) { 'alan@adventuretime.ooo'}
let(:email_raw) { fixture_file('emails/valid_reply.eml').gsub('jake@adventuretime.ooo', verified_email) }
before do
create(:email, :confirmed, user: original_recipient, email: verified_email)
end
it 'does not raise a UserNotFoundError' do
expect { receiver.execute }.not_to raise_error(Gitlab::Email::UserNotFoundError)
end
end
end
context 'when the issue is a Service Desk issue' do
let(:original_recipient) { User.support_bot }
it 'does not raise a UserNotFoundError' do
expect { receiver.execute }.not_to raise_error(Gitlab::Email::UserNotFoundError)
end
end
end
context 'when no sent notification for the mail key could be found' do context 'when no sent notification for the mail key could be found' do
let(:email_raw) { fixture_file('emails/wrong_mail_key.eml') } let(:email_raw) { fixture_file('emails/wrong_mail_key.eml') }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment