diff --git a/app/dashboard/views/mailbox.py b/app/dashboard/views/mailbox.py
index e7124716e..ee436c52c 100644
--- a/app/dashboard/views/mailbox.py
+++ b/app/dashboard/views/mailbox.py
@@ -121,10 +121,16 @@ def mailbox_route():
 @login_required
 def mailbox_verify():
     mailbox_id = request.args.get("mailbox_id")
+    if not mailbox_id:
+        LOG.i("Missing mailbox_id")
+        flash("You followed an invalid link", "error")
+        return redirect(url_for("dashboard.mailbox_route"))
+
     code = request.args.get("code")
     if not code:
         # Old way
         return verify_with_signed_secret(mailbox_id)
+
     try:
         mailbox = mailbox_utils.verify_mailbox_code(current_user, mailbox_id, code)
     except mailbox_utils.MailboxError as e:
diff --git a/app/mailbox_utils.py b/app/mailbox_utils.py
index 421826717..194995679 100644
--- a/app/mailbox_utils.py
+++ b/app/mailbox_utils.py
@@ -171,17 +171,17 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
             f"User {user} failed to verify mailbox {mailbox_id} because it does not exist"
         )
         raise MailboxError("Invalid mailbox")
+    if mailbox.user_id != user.id:
+        LOG.i(
+            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
+        )
+        raise MailboxError("Invalid mailbox")
     if mailbox.verified:
         LOG.i(
             f"User {user} failed to verify mailbox {mailbox_id} because it's already verified"
         )
         clear_activation_codes_for_mailbox(mailbox)
         return mailbox
-    if mailbox.user_id != user.id:
-        LOG.i(
-            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
-        )
-        raise MailboxError("Invalid mailbox")
 
     activation = (
         MailboxActivation.filter(MailboxActivation.mailbox_id == mailbox_id)
diff --git a/tests/test_mailbox_utils.py b/tests/test_mailbox_utils.py
index 51aabb53b..030bf1301 100644
--- a/tests/test_mailbox_utils.py
+++ b/tests/test_mailbox_utils.py
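Review bot: The new guard in mailbox_verify rejects only an absent or empty `mailbox_id`; the value taken from `request.args` is still a string and is forwarded unchanged both to `verify_with_signed_secret(mailbox_id)` and to `verify_mailbox_code`, whose parameter is annotated `int`, so a non-numeric id reaches the lookup in mailbox_utils, which is outside this hunk, and whether it is rejected cleanly there cannot be seen from here. Tightening the guard to `if not mailbox_id or not mailbox_id.isdecimal():` keeps malformed links on the same flash-and-redirect path instead of relying on the lookup to fail. The log line `LOG.i("Missing mailbox_id")` would then also be worth rewording to cover the malformed case. mailbox_verify continues past the end of the hunk.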
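Review bot: Moving the `if mailbox.user_id != user.id:` check ahead of the already-verified early return is the right order, since that branch returns the mailbox and calls `clear_activation_codes_for_mailbox(mailbox)`, but nothing in the code records why the order matters, and the two `raise MailboxError("Invalid mailbox")` branches share one user-facing message while the log lines differ. A comment above the ownership check such as `# Ownership is checked before any branch that returns or mutates the mailbox; the message deliberately matches the not-found case so callers cannot distinguish the two` would stop a later edit from reordering it again. verify_mailbox_code starts before this hunk, so the `if not mailbox` branch that precedes it is only partly visible here.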
@@ -286,6 +286,15 @@ def test_verify_other_users_mailbox():
         mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")
 
 
+def test_verify_other_users_already_verified_mailbox():
+    other = create_new_user()
+    mailbox = Mailbox.create(
+        user_id=other.id, email=random_email(), verified=True, commit=True
+    )
+    with pytest.raises(mailbox_utils.MailboxError):
+        mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")
+
+
 @mail_sender.store_emails_test_decorator
 def test_verify_fail():
     output = mailbox_utils.create_mailbox(user, random_email())