Add setting to identify email block domain (#5377)

* Add setting to identify email block domain ref: #5368 * rename Co-authored-by: Levko Kravets <levko.ne@gmail.com> * rename and add comment Co-authored-by: Levko Kravets <levko.ne@gmail.com> * Update redash/handlers/users.py Co-authored-by: Levko Kravets <levko.ne@gmail.com> * Update redash/handlers/users.py Co-authored-by: Levko Kravets <levko.ne@gmail.com> * Add more comment to settting Co-authored-by: Levko Kravets <levko.ne@gmail.com>
2025-12-25 01:03:20 -05:00 · 2021-03-13 04:06:41 +08:00
parent 9fdf1f341d
commit d4f363854d
2 changed files with 13 additions and 8 deletions
--- a/redash/handlers/users.py
+++ b/redash/handlers/users.py
@@ -64,6 +64,14 @@ def invite_user(org, inviter, user, send_email=True):
    return d


+def require_allowed_email(email):
+    # `example.com` and `example.com.` are equal - last dot stands for DNS root but usually is omitted
+    _, domain = email.lower().rstrip(".").split("@", 1)
+
+    if domain in blacklist or domain in settings.BLOCKED_DOMAINS:
+        abort(400, message="Bad email address.")
+
+
 class UserListResource(BaseResource):
    decorators = BaseResource.decorators + [
        limiter.limit("200/day;50/hour", methods=["POST"])
@@ -140,10 +148,7 @@ class UserListResource(BaseResource):

        if "@" not in req["email"]:
            abort(400, message="Bad email address.")
-        name, domain = req["email"].split("@", 1)
-
-        if domain.lower() in blacklist or domain.lower() == "qq.com":
-            abort(400, message="Bad email address.")
+        require_allowed_email(req["email"])

        user = models.User(
            org=self.current_org,
@@ -258,10 +263,7 @@ class UserResource(BaseResource):
                params.pop("group_ids")

        if "email" in params:
-            _, domain = params["email"].split("@", 1)
-
-            if domain.lower() in blacklist or domain.lower() == "qq.com":
-                abort(400, message="Bad email address.")
+            require_allowed_email(params["email"])

        email_address_changed = "email" in params and params["email"] != user.email
        needs_to_verify_email = (
--- a/redash/settings/init.py
+++ b/redash/settings/init.py
@@ -515,3 +515,6 @@ ENFORCE_CSRF = parse_boolean(
 # Databricks

 CSRF_TIME_LIMIT = int(os.environ.get("REDASH_CSRF_TIME_LIMIT", 3600 * 6))
+
+# Email blocked domains, use delimiter comma to separated multiple domains
+BLOCKED_DOMAINS = set_from_string(os.environ.get("REDASH_BLOCKED_DOMAINS", "qq.com"))