fix: verify email domain in ChangeEmail as well (#175)

hez2010 · web-flow · commit 93c7be77816d · 2023-11-04T01:44:08.000+08:00
diff --git a/src/GZCTF/Controllers/AccountController.cs b/src/GZCTF/Controllers/AccountController.cs
@@ -51,9 +51,7 @@ public async Task<IActionResult> Register([FromBody] RegisterModel model, Cancel
         if (accountPolicy.Value.UseCaptcha && !await captcha.VerifyAsync(model, HttpContext, token))
             return BadRequest(new RequestResponse("验证码校验失败"));
 
-        var mailDomain = model.Email.Split('@')[1];
-        if (!string.IsNullOrWhiteSpace(accountPolicy.Value.EmailDomainList) &&
-            accountPolicy.Value.EmailDomainList.Split(',').All(d => d != mailDomain))
+        if (!VerifyEmailDomain(model.Email.Split('@')[1]))
             return BadRequest(new RequestResponse($"可用邮箱后缀：{accountPolicy.Value.EmailDomainList}"));
 
         var user = new UserInfo { UserName = model.UserName, Email = model.Email, Role = Role.User };
@@ -111,6 +109,14 @@ public async Task<IActionResult> Register([FromBody] RegisterModel model, Cancel
             RegisterStatus.EmailConfirmationRequired, StatusCodes.Status200OK));
     }
 
+    private bool VerifyEmailDomain(string email)
+    {
+        var mailDomain = email.Split('@')[1];
+
+        return string.IsNullOrWhiteSpace(accountPolicy.Value.EmailDomainList)
+            || accountPolicy.Value.EmailDomainList.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries).Any(d => d.Equals(mailDomain, StringComparison.InvariantCulture));
+    }
+
     /// <summary>
     /// 用户找回密码请求接口
     /// </summary>
@@ -374,6 +380,9 @@ public async Task<IActionResult> ChangeEmail([FromBody] MailChangeModel model)
         if (await userManager.FindByEmailAsync(model.NewMail) is not null)
             return BadRequest(new RequestResponse("邮箱已经被占用"));
 
+        if (!VerifyEmailDomain(model.NewMail.Split('@')[1]))
+            return BadRequest(new RequestResponse($"可用邮箱后缀：{accountPolicy.Value.EmailDomainList}"));
+
         UserInfo? user = await userManager.GetUserAsync(User);
 
         if (!accountPolicy.Value.EmailConfirmationRequired)
