Skip to content

security: require verified email to accept invite when logged in #66849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

security: require verified email to accept invite when logged in #66849

wants to merge 4 commits into from

Conversation

mdtro
Copy link
Member

@mdtro mdtro commented Mar 13, 2024

See #64707

Users do not expect to be able to accept an invite with an email that does not align to the original invite's target email when they are already logged in. This PR changes the current behavior to only accept the invite if the logged in account has the email as an existing verified email.

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Mar 13, 2024
@mdtro mdtro changed the title Mdtro/invite flow revamp security: require verified email to accept invite when logged in Mar 13, 2024
@mdtro mdtro linked an issue Mar 13, 2024 that may be closed by this pull request
Use a more secure approach to the invite flow #64707
Open
@mdtro mdtro marked this pull request as draft March 13, 2024 00:27
@codecov Codecov
Copy link

codecov bot commented Mar 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.32%. Comparing base (b898450) to head (e4d3d68).

❗ Current head e4d3d68 differs from pull request most recent head b0494ad. Consider uploading reports for the commit b0494ad to get more accurate results

Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #66849       +/-   ##
===========================================
+ Coverage   48.69%   84.32%   +35.63%     
===========================================
  Files        6455     5306     -1149     
  Lines      287155   237136    -50019     
  Branches    49482    41016     -8466     
===========================================
+ Hits       139823   199966    +60143     
+ Misses     146786    36952   -109834     
+ Partials      546      218      -328
Files Coverage Δ
...sentry/api/endpoints/accept_organization_invite.py 97.97% <100.00%> (+66.40%) ⬆️
src/sentry/api/invite_helper.py 95.52% <ø> (+60.44%) ⬆️

... and 5538 files with indirect coverage changes

@mdtro mdtro force-pushed the mdtro/invite-flow-revamp branch 2 times, most recently from e525517 to 966b563 Compare March 18, 2024 16:38
@mdtro mdtro force-pushed the mdtro/invite-flow-revamp branch from 2360e14 to e4d3d68 Compare March 18, 2024 21:10
@getsantry
Copy link
Contributor

getsantry bot commented Apr 9, 2024

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry bot added the Stale label Apr 9, 2024
@mdtro mdtro added WIP and removed Stale labels Apr 9, 2024
@mdtro mdtro force-pushed the mdtro/invite-flow-revamp branch from e4d3d68 to 1f809c3 Compare April 29, 2024 16:58
@mdtro mdtro force-pushed the mdtro/invite-flow-revamp branch from b0494ad to 1f809c3 Compare April 29, 2024 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components WIP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use a more secure approach to the invite flow
1 participant
@mdtro