SECURITY: Prevent users from updating to blacklisted email domains

app/controllers/users_controller.rb

@@ -619,9 +619,12 @@ class UsersController < ApplicationController
     raise Discourse::InvalidAccess.new if current_user.present?
 
     User.transaction do
-      @user.email = params[:email]
+      primary_email = @user.primary_email
 
-      if @user.save
+      primary_email.email = params[:email]
+      primary_email.should_validate_email = true
+
+      if primary_email.save
         @user.email_tokens.create(email: @user.email)
         enqueue_activation_email
         render json: success_json

spec/controllers/users_controller_spec.rb

@@ -1983,6 +1983,14 @@ describe UsersController do
         expect(response).to_not be_success
       end
 
+      it "raises an error when the email is blacklisted" do
+        user = Fabricate(:inactive_user)
+        SiteSetting.email_domains_blacklist = 'example.com'
+        session[SessionController::ACTIVATE_USER_KEY] = user.id
+        xhr :put, :update_activation_email, email: 'test@example.com'
+        expect(response).to_not be_success
+      end
+
       it "can be updated" do
         user = Fabricate(:inactive_user)
         token = user.email_tokens.first