mirror of
https://github.com/discourse/discourse.git
synced 2025-05-28 13:51:18 +08:00
UX: Ignore name parameter from IDP when it is equal to email (#8869)
Some auth providers (e.g. Auth0 with default configuration) send the email address in the name field. In Discourse, the name field is made public, so this commit adds a safeguard to prevent emails being made public.
@ -92,6 +92,11 @@ class Auth::ManagedAuthenticator < Auth::Authenticator
info = auth_token[:info]
result.email = info[:email]
result.name = (info[:first_name] && info[:last_name]) ? "#{info[:first_name]} #{info[:last_name]}" : info[:name]
if result.name.present? && result.name == result.email
# Some IDPs send the email address in the name parameter (e.g. Auth0 with default configuration)
# We add some generic protection here, so that users don't accidently make their email addresses public
result.name = nil
end
result.username = info[:nickname]
result.email_valid = primary_email_verified?(auth_token) if result.email
result.extra_data = {
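Review bot: The guard `result.name == result.email` is an exact, case-sensitive string comparison, so a name value that differs from the email only in letter case or surrounding whitespace passes the check and would still be published as the public name. Consider comparing normalized values, for example `result.name.strip.casecmp?(result.email.to_s.strip)`, so the safeguard does not depend on the IDP sending both fields byte-for-byte identical. The check also only covers a name equal to `info[:email]`; if the intent is to keep any email address out of the public name field, that case needs a separate test on the name's format. No spec change is visible in this hunk, so a test with a provider payload where `info[:name]` equals `info[:email]` would help pin the behaviour. Minor: "accidently" in the added comment should be "accidentally".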