FEATURE: Obfuscate emails on invite show page (#12433)

The email should not be ever displayed in clear text, except the case when the user authenticates using another service.
2025-05-28 13:51:18 +08:00 · 2021-03-18 19:09:23 +02:00
parent da1e37d2ce
commit 033d6b6437
3 changed files with 58 additions and 1 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -17,9 +17,19 @@ class InvitesController < ApplicationController

    invite = Invite.find_by(invite_key: params[:id])
    if invite.present? && !invite.expired? && !invite.redeemed?
+      email = Email.obfuscate(invite.email)
+
+      # Show email if the user already authenticated their email
+      if session[:authentication]
+        auth_result = Auth::Result.from_session_data(session[:authentication], user: nil)
+        if invite.email == auth_result.email
+          email = invite.email
+        end
+      end
+
      store_preloaded("invite_info", MultiJson.dump(
        invited_by: UserNameSerializer.new(invite.invited_by, scope: guardian, root: false),
-        email: invite.email,
+        email: email,
        username: UserNameSuggester.suggest(invite.email),
        is_invite_link: invite.is_invite_link?
      ))