From 171d9e5aedd02129abd48826677100c3a477c8b5 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 12 Sep 2017 10:03:33 -0400
Subject: [PATCH] SECURITY: Prevent users from updating to blacklisted email domains

---
 app/controllers/users_controller.rb | 7 +++++--
 spec/controllers/users_controller_spec.rb | 8 ++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 79a1cfd7682..8c35efe7ab3 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -619,9 +619,12 @@ class UsersController < ApplicationController
     raise Discourse::InvalidAccess.new if current_user.present?
 
     User.transaction do
-      @user.email = params[:email]
+      primary_email = @user.primary_email
 
-      if @user.save
+      primary_email.email = params[:email]
+      primary_email.should_validate_email = true
+
+      if primary_email.save
         @user.email_tokens.create(email: @user.email)
         enqueue_activation_email
         render json: success_json
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 8b3cfde3771..521108e5415 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -1983,6 +1983,14 @@ describe UsersController do
     expect(response).to_not be_success
   end
 
+  it "raises an error when the email is blacklisted" do
+    user = Fabricate(:inactive_user)
+    SiteSetting.email_domains_blacklist = 'example.com'
+    session[SessionController::ACTIVATE_USER_KEY] = user.id
+    xhr :put, :update_activation_email, email: 'test@example.com'
+    expect(response).to_not be_success
+  end
+
   it "can be updated" do
     user = Fabricate(:inactive_user)
     token = user.email_tokens.first
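Review bot: The activation token on the line after `if primary_email.save` is still created from `@user.email`, while the new address was written to the `primary_email` object fetched at the top of the hunk; if `@user.email` does not read through that same in-memory association it will carry the old address, so the unambiguous form is `@user.email_tokens.create(email: primary_email.email)`. The failure branch of this `if` lies outside the hunk; if it still reports `@user.errors`, those will now be empty because the blacklist validation runs on `primary_email`, and a rejected address would come back as an unexplained failure — it should report `primary_email.errors` (or merge them onto `@user`) instead. The enclosing action (presumably `update_activation_email`, going by the spec) starts and ends outside the hunk.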
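Review bot: The new example in users_controller_spec.rb asserts only that the response is not successful; it does not confirm that the stored address was left untouched, which is the property this SECURITY fix is about. Adding `expect(user.reload.email).to_not eq('test@example.com')` after the response check pins that, and `expect(user.email_tokens.where(email: 'test@example.com')).to be_empty` would catch a partial write where a token is issued for the rejected address. The example also leaves `SiteSetting.email_domains_blacklist` set; if the suite does not reset site settings between examples, that value bleeds into the `"can be updated"` example below — hedged, since the surrounding setup is outside the hunk.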