registration: Change create_preregistration_user to take realm as arg.

create_preregistration_user is a footgun, because it takes the realm
from the request. The calling code is supposed to validate that
registration for the realm is allowed first, but can sometimes do that
on "realm" taken from something else than the request - and later on
calls create_preregistration_user, thus leading to prereg user creation
on unvalidated request.realm.

It's safer, and makes more sense, for this function to take the intended
realm as argument, instead of taking the entire request. It follows that
the same should be done for prepare_activation_url.
This commit is contained in:
Mateusz Mandera
2022-01-23 20:37:40 +01:00
committed by Alex Vandiver
parent b5c7a79bdf
commit 0c227217b2
4 changed files with 24 additions and 19 deletions

@@ -91,18 +91,14 @@ def get_safe_redirect_to(url: str, redirect_host: str) -> str:
def create_preregistration_user(
email: str,
request: HttpRequest,
realm: Optional[Realm],
realm_creation: bool = False,
password_required: bool = True,
full_name: Optional[str] = None,
full_name_validated: bool = False,
) -> HttpResponse:
realm = None
if not realm_creation:
try:
realm = get_realm(get_subdomain(request))
except Realm.DoesNotExist:
pass
) -> PreregistrationUser:
assert not (realm_creation and realm is not None)
return PreregistrationUser.objects.create(
email=email,
realm_creation=realm_creation,
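Review bot: The assert at the top of create_preregistration_user rejects only realm_creation=True combined with a non-None realm; the opposite case, realm=None with realm_creation=False, still passes, because the parameter is typed Optional[Realm]. If a non-creation prereg user must always be tied to a realm, reject that combination too, and consider raising an explicit exception instead of using assert, since assert statements are dropped when Python runs with -O. A short docstring stating that the caller must already have checked that registration is allowed for the realm it passes would record the contract the commit message describes.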
@@ -202,7 +198,7 @@ def maybe_send_to_registration(
except PreregistrationUser.DoesNotExist:
prereg_user = create_preregistration_user(
email,
request,
realm,
password_required=password_required,
full_name=full_name,
full_name_validated=full_name_validated,
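Review bot: In this call inside maybe_send_to_registration, realm is passed positionally in the slot that request used to occupy, and the hunk does not show where realm is bound. Please confirm it is the same object that went through the registration-allowed check earlier in the function, since that is the mismatch the commit message is meant to close. Passing it as realm=realm would also make the call site self-describing and guard against argument-order mistakes in other callers.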