From 0e38ca1fd72771949d842dcc962cd5aa3ebcfe72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Alby?=
Date: Thu, 16 May 2019 09:24:25 +0200
Subject: [PATCH] Merge pull request #1775 from overleaf/ta-fetch-user-before-confirm
Check User Exists Before Confirming Email
GitOrigin-RevId: 3622044f31f78e8499ccd084ca99297ca297ca97
---
 .../User/UserEmailsConfirmationHandler.coffee | 7 ++++++-
 .../User/UserEmailsConfirmationHandlerTests.coffee | 14 +++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/services/web/app/coffee/Features/User/UserEmailsConfirmationHandler.coffee b/services/web/app/coffee/Features/User/UserEmailsConfirmationHandler.coffee
index dd79a06e4b..ad46922a92 100644
--- a/services/web/app/coffee/Features/User/UserEmailsConfirmationHandler.coffee
+++ b/services/web/app/coffee/Features/User/UserEmailsConfirmationHandler.coffee
@@ -5,6 +5,7 @@ settings = require 'settings-sharelatex'
 Errors = require "../Errors/Errors"
 logger = require "logger-sharelatex"
 UserUpdater = require "./UserUpdater"
+UserGetter = require "./UserGetter"
 ONE_YEAR_IN_S = 365 * 24 * 60 * 60
@@ -34,4 +35,8 @@ module.exports = UserEmailsConfirmationHandler =
 logger.log {data, user_id, email, token_start: token.slice(0,8)}, 'found data for email confirmation'
 if !user_id? or email != EmailHelper.parseEmail(email)
 return callback(new Errors.NotFoundError('invalid data'))
- UserUpdater.confirmEmail user_id, email, callback
+ UserGetter.getUser user_id, {}, (error, user) ->
+ return callback(error) if error?
+ unless user?._id
+ return callback(new Errors.NotFoundError('user not found'))
+ UserUpdater.confirmEmail user_id, email, callback
diff --git a/services/web/test/unit/coffee/User/UserEmailsConfirmationHandlerTests.coffee b/services/web/test/unit/coffee/User/UserEmailsConfirmationHandlerTests.coffee
index 0ab84cda7c..79aba74fe7 100644
--- a/services/web/test/unit/coffee/User/UserEmailsConfirmationHandlerTests.coffee
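Review bot: The new lookup `UserGetter.getUser user_id, {}, ...` in the second hunk of UserEmailsConfirmationHandler.coffee only establishes that an account with that id exists; it does not check that the `email` carried in the token data is still attached to that account before `UserUpdater.confirmEmail` runs. Whether `confirmEmail` enforces that binding is not visible here, so either compare the address against the fetched user before confirming, or add a comment such as `# confirmEmail matches on both user_id and email` if that is the case. The empty second argument also appears to request the whole user record although only `_id` is read; if it is a projection, `{_id: 1}` would keep unrelated account fields out of this path. The body of `confirmEmailFromToken` starts outside the hunk.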
+++ b/services/web/test/unit/coffee/User/UserEmailsConfirmationHandlerTests.coffee
@@ -17,9 +17,12 @@ describe "UserEmailsConfirmationHandler", ->
 "../Security/OneTimeTokenHandler": @OneTimeTokenHandler = {}
 "../Errors/Errors": Errors
 "./UserUpdater": @UserUpdater = {}
+ "./UserGetter": @UserGetter =
+ getUser: sinon.stub().yields(null, @mockUser)
 "../Email/EmailHandler": @EmailHandler = {}
 "../Helpers/EmailHelper": EmailHelper
- @user_id = "mock-user-id"
+ @mockUser = _id: "mock-user-id"
+ @user_id = @mockUser._id
 @email = "mock@example.com"
 @callback = sinon.stub()
@@ -124,3 +127,12 @@ describe "UserEmailsConfirmationHandler", ->
 it "should call the callback with a NotFoundError", ->
 @callback.calledWith(sinon.match.instanceOf(Errors.NotFoundError)).should.equal true
+
+ describe 'with no user found', ->
+ beforeEach ->
+ @UserGetter.getUser.yields(null, null)
+ @UserEmailsConfirmationHandler.confirmEmailFromToken @token = 'mock-token', @callback
+
+ it "should call the callback with a NotFoundError", ->
+ @callback.calledWith(sinon.match.instanceOf(Errors.NotFoundError)).should.equal true
+
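Review bot: In the first test hunk, `getUser: sinon.stub().yields(null, @mockUser)` is evaluated before `@mockUser = _id: "mock-user-id"` is assigned a few lines further down, so on the first run of this setup the stub appears to yield `undefined` as the user. Later runs presumably see a value left over on the shared test context, which would make the success-path tests depend on execution order; run in isolation they could land in the new 'user not found' branch instead. Moving `@mockUser = _id: "mock-user-id"` above the stub map would remove that dependency. The enclosing setup block starts outside the hunk, so the exact ordering should be confirmed against the full file.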
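Review bot: The new 'with no user found' case asserts only that the callback receives a `NotFoundError`; it does not assert that the confirmation was skipped, which is the property the handler change is meant to guarantee. Adding `it "should not confirm the email", -> @UserUpdater.confirmEmail.called.should.equal false` would pin that, assuming `confirmEmail` is stubbed in the enclosing `describe`, which starts outside the hunk. A case where `getUser` yields an error, checking that it reaches the callback and that `confirmEmail` is not called, is also missing.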