github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-06 13:06:56 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: Obfuscate emails on invite show page (#12433)

Browse Source 
The email should not be ever displayed in clear text, except the case
when the user authenticates using another service.
This commit is contained in:
Dan Ungureanu
2021-03-18 19:09:23 +02:00
committed by GitHub
parent da1e37d2ce
commit 033d6b6437
3 changed files with 58 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
app/controllers/invites_controller.rb
View File

@ -17,9 +17,19 @@ class InvitesController < ApplicationController
invite = Invite.find_by(invite_key: params[:id]) invite = Invite.find_by(invite_key: params[:id])
if invite.present? && !invite.expired? && !invite.redeemed? if invite.present? && !invite.expired? && !invite.redeemed?
email = Email.obfuscate(invite.email)
# Show email if the user already authenticated their email
if session[:authentication]
auth_result = Auth::Result.from_session_data(session[:authentication], user: nil)
if invite.email == auth_result.email
email = invite.email
end
end
store_preloaded("invite_info", MultiJson.dump( store_preloaded("invite_info", MultiJson.dump(
invited_by: UserNameSerializer.new(invite.invited_by, scope: guardian, root: false), invited_by: UserNameSerializer.new(invite.invited_by, scope: guardian, root: false),
email: invite.email, email: email,
username: UserNameSuggester.suggest(invite.email), username: UserNameSuggester.suggest(invite.email),
is_invite_link: invite.is_invite_link? is_invite_link: invite.is_invite_link?
)) ))

26
lib/email.rb
View File

@ -16,6 +16,20 @@ module Email
email.downcase email.downcase
end end
def self.obfuscate(email)
return email if !Email.is_valid?(email)
first, _, last = email.rpartition('@')
# Obfuscate each last part, except tld
last = last.split('.')
tld = last.pop
last.map! { |part| obfuscate_part(part) }
last << tld
"#{obfuscate_part(first)}@#{last.join('.')}"
end
def self.cleanup_alias(name) def self.cleanup_alias(name)
name ? name.gsub(/[:<>,"]/, '') : name name ? name.gsub(/[:<>,"]/, '') : name
end end
@ -51,4 +65,16 @@ module Email
return message_id if !(message_id =~ MESSAGE_ID_REGEX) return message_id if !(message_id =~ MESSAGE_ID_REGEX)
message_id.tr("<>", "") message_id.tr("<>", "")
end end
private
def self.obfuscate_part(part)
if part.size < 3
"*" * part.size
elsif part.size < 5
part[0] + "*" * (part.size - 1)
else
part[0] + "*" * (part.size - 2) + part[-1]
end
end
end end

21
spec/components/email/email_spec.rb
View File

@ -44,4 +44,25 @@ describe Email do
end end
describe "obfuscate" do
it 'correctly obfuscates emails' do
expect(Email.obfuscate('a@b.com')).to eq('*@*.com')
expect(Email.obfuscate('test@test.co.uk')).to eq('t***@t***.**.uk')
expect(Email.obfuscate('simple@example.com')).to eq('s****e@e*****e.com')
expect(Email.obfuscate('very.common@example.com')).to eq('v*********n@e*****e.com')
expect(Email.obfuscate('disposable.style.email.with+symbol@example.com')).to eq('d********************************l@e*****e.com')
expect(Email.obfuscate('other.email-with-hyphen@example.com')).to eq('o*********************n@e*****e.com')
expect(Email.obfuscate('fully-qualified-domain@example.com')).to eq('f********************n@e*****e.com')
expect(Email.obfuscate('user.name+tag+sorting@example.com')).to eq('u*******************g@e*****e.com')
expect(Email.obfuscate('x@example.com')).to eq('*@e*****e.com')
expect(Email.obfuscate('example-indeed@strange-example.com')).to eq('e************d@s*************e.com')
expect(Email.obfuscate('example@s.example')).to eq('e*****e@*.example')
expect(Email.obfuscate('mailhost!username@example.org')).to eq('m***************e@e*****e.org')
expect(Email.obfuscate('user%example.com@example.org')).to eq('u**************m@e*****e.org')
expect(Email.obfuscate('user-@example.org')).to eq('u***-@e*****e.org')
end
end
end end