Don't bind email unless threepid contains expected fields

This commit is contained in:
Richard van der Hoff 2016-07-19 15:50:01 +01:00
parent 0da0d0a29d
commit 8f6281ab0c

View File

@ -232,19 +232,10 @@ class RegisterRestServlet(RestServlet):
if add_email and result and LoginType.EMAIL_IDENTITY in result: if add_email and result and LoginType.EMAIL_IDENTITY in result:
threepid = result[LoginType.EMAIL_IDENTITY] threepid = result[LoginType.EMAIL_IDENTITY]
reqd = ('medium', 'address', 'validated_at')
if all(x in threepid for x in reqd):
yield self._register_email_threepid( yield self._register_email_threepid(
registered_user_id, threepid, access_token registered_user_id, threepid, access_token,
params.get("bind_email")
) )
# XXX why is bind_email not protected by this?
else:
logger.info("Can't add incomplete 3pid")
if params.get("bind_email"):
logger.info("bind_email specified: binding")
yield self._bind_email(registered_user_id, threepid)
else:
logger.info("bind_email not specified: not binding email")
result = yield self._create_registration_details(registered_user_id, result = yield self._create_registration_details(registered_user_id,
access_token) access_token)
@ -288,19 +279,28 @@ class RegisterRestServlet(RestServlet):
defer.returnValue((yield self._create_registration_details(user_id, token))) defer.returnValue((yield self._create_registration_details(user_id, token)))
@defer.inlineCallbacks @defer.inlineCallbacks
def _register_email_threepid(self, user_id, threepid, token): def _register_email_threepid(self, user_id, threepid, token, bind_email):
"""Add an email address as a 3pid identifier """Add an email address as a 3pid identifier
Also adds an email pusher for the email address, if configured in the Also adds an email pusher for the email address, if configured in the
HS config HS config
Also optionally binds emails to the given user_id on the identity server
Args: Args:
user_id (str): id of user user_id (str): id of user
threepid (object): m.login.email.identity auth response threepid (object): m.login.email.identity auth response
token (str): access_token for the user token (str): access_token for the user
bind_email (bool): true if the client requested the email to be
bound at the identity server
Returns: Returns:
defer.Deferred: defer.Deferred:
""" """
reqd = ('medium', 'address', 'validated_at')
if any(x not in threepid for x in reqd):
logger.info("Can't add incomplete 3pid")
defer.returnValue()
yield self.auth_handler.add_threepid( yield self.auth_handler.add_threepid(
user_id, user_id,
threepid['medium'], threepid['medium'],
@ -334,22 +334,19 @@ class RegisterRestServlet(RestServlet):
lang=None, # We don't know a user's language here lang=None, # We don't know a user's language here
data={}, data={},
) )
defer.returnValue()
def _bind_email(self, user_id, email_threepid): if bind_email:
"""Bind emails to the given user_id on the identity server logger.info("bind_email specified: binding")
Args:
user_id (str): user id to bind the emails to
email_threepid (object): m.login.email.identity auth response
Returns:
defer.Deferred:
"""
threepid_creds = email_threepid['threepid_creds']
logger.debug("Binding emails %s to %s" % ( logger.debug("Binding emails %s to %s" % (
email_threepid, user_id threepid, user_id
)) ))
return self.identity_handler.bind_threepid(threepid_creds, user_id) yield self.identity_handler.bind_threepid(
threepid['threepid_creds'], user_id
)
else:
logger.info("bind_email not specified: not binding email")
defer.returnValue()
@defer.inlineCallbacks @defer.inlineCallbacks
def _create_registration_details(self, user_id, token): def _create_registration_details(self, user_id, token):