prevent users from changing email addresses to restricted domains (#7765)

2 files changed, 30 insertions, 0 deletions

diff --git a/app/user.go b/app/user.go
index 999fabbf8..60a6c887b 100644
--- a/app/user.go
+++ b/app/user.go
@@ -984,6 +984,17 @@ func (a *App) sendUpdatedUserEvent(user model.User, asAdmin bool) {
 }
 
 func (a *App) UpdateUser(user *model.User, sendNotifications bool) (*model.User, *model.AppError) {
+	if !CheckUserDomain(user, a.Config().TeamSettings.RestrictCreationToDomains) {
+		result := <-a.Srv.Store.User().Get(user.Id)
+		if result.Err != nil {
+			return nil, result.Err
+		}
+		prev := result.Data.(*model.User)
+		if !prev.IsLDAPUser() && !prev.IsSAMLUser() && user.Email != prev.Email {
+			return nil, model.NewAppError("UpdateUser", "api.user.create_user.accepted_domain.app_error", nil, "", http.StatusBadRequest)
+		}
+	}
+
 	if result := <-a.Srv.Store.User().Update(user, false); result.Err != nil {
 		return nil, result.Err
 	} else {
diff --git a/app/user_test.go b/app/user_test.go
index d9f40a604..3a924dfa7 100644
--- a/app/user_test.go
+++ b/app/user_test.go
@@ -137,6 +137,25 @@ func TestCreateProfileImage(t *testing.T) {
 	}
 }
 
+func TestUpdateUserToRestrictedDomain(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	user := th.CreateUser()
+	defer th.App.PermanentDeleteUser(user)
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		cfg.TeamSettings.RestrictCreationToDomains = "foo.com"
+	})
+
+	_, err := th.App.UpdateUser(user, false)
+	assert.True(t, err == nil)
+
+	user.Email = "asdf@ghjk.l"
+	_, err = th.App.UpdateUser(user, false)
+	assert.False(t, err == nil)
+}
+
 func TestUpdateOAuthUserAttrs(t *testing.T) {
 	th := Setup()
 	defer th.TearDown()