Stricter whitelist rules #2213
Could you add a spec showing that blacklist doesn't have the same issue?
Also ... instead of the regex approach here, what if we just extracted the hostname portion of the email and did a (case insensitive?) check that it was in the list?
spec for blacklist: on it.
I tried to ditch the whitelist regexp, but it created an important issue in my opinion: you can't use it as a wildcard to whitelist subdomains. The instance I found this issue on is a big institution using By removing the regexp, the admin has the tedious task of listing every subdomain of the whitelisted domains (and adding them if they're ever created). I added a spec for a specific subdomain blacklist + top domain whitelist. Anyway, tell me what the desired approach is :)
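The two approaches debated above, as an added example that is not part of the PR or of Mastodon's code: an unanchored regexp match that a subdomain-style address slips past, beside a hostname-based check that still treats whitelist entries as wildcards for their subdomains and lets a blacklisted subdomain override a whitelisted parent domain. The list contents and the empty-whitelist rule are assumptions for illustration.

```ruby
# Constructed example lists (not an instance's real settings).
WHITELIST = %w[mastodon.space example.edu].freeze
BLACKLIST = %w[students.example.edu].freeze

# Hostname portion of the address, lower-cased for a case-insensitive
# comparison. Returns nil when there is no local part or no host.
def email_host(email)
  local, _, host = email.rpartition('@')
  return nil if local.empty? || host.empty?
  host.downcase
end

# Naive check: the whitelisted domain is searched for anywhere in the
# address, so 'foo@mastodon.space.evil.test' is accepted.
def naive_allowed?(email, whitelist = WHITELIST)
  whitelist.any? { |d| email =~ /#{Regexp.escape(d)}/i }
end

# True when host is the domain itself or a subdomain of it; the leading
# dot enforces a label boundary, so 'evilmastodon.space' does not match.
def under_domain?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

# Stricter check: blacklist entries win, then the whitelist is applied as
# a wildcard over subdomains. An empty whitelist allows any host that is
# not blacklisted (assumed policy for this example).
def allowed?(email, whitelist: WHITELIST, blacklist: BLACKLIST)
  host = email_host(email)
  return false if host.nil?
  return false if blacklist.any? { |d| under_domain?(host, d) }
  return true if whitelist.empty?
  whitelist.any? { |d| under_domain?(host, d) }
end
```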
spec/models/user_spec.rb
@@ -87,5 +103,20 @@ | |||
user = User.new(email: 'foo@mastodon.space', account: account, password: password) | |||
expect(user.valid?).to be_truthy | |||
end | |||
|
|||
it 'should not allow a smart user to be created unless they are whitelisted' do |
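Review bot: the new example's description, 'should not allow a smart user to be created unless they are whitelisted', does not say what input is being rejected; name the scenario instead, e.g. 'should not allow an email whose host only contains a whitelisted domain as a subdomain'. The case-insensitive hostname match raised in the discussion above is also worth pinning down with its own example rather than leaving it implicit in this one.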
Instead of "smart user" could you just describe what is being tested? This will become unclear in the future.
* Stricter whitelist rules
* Linting
* Added spec for blacklisting
* Test subdomain blacklist on domain whitelist
* No need to split
* Change spec name
…upstream Merge upstream changes
I was browsing an instance where you need a whitelisted email domain, however I figured out you could circumvent the protection by using the whitelisted domain as a subdomain of your email address.