Creation of Staged Users with blacklisted mail addresses

(Robert) #1


I put a domain in email domains blacklist but Discourse still creates staged users for its mail addresses. Is this a bug? How can I prevent this?


(Jeff Atwood) #2

Good question, @zogstrip?

(Robert) #3

For me staging accounts is a subset of accounts that should satisfy the mail address restrictions.

So I opt for: Staging accounts should not be created for black listed mail addresses.

(Jeff Atwood) #4

@zogstrip we should make sure accounts are not staged for blacklisted domains.

(Robert) #5

Any news on this topic? Just happened again. :frowning:

(Jeff Atwood) #6

Can you add this to your list @zogstrip

(Régis Hanol) #7

Already on my list. Bumped it near the top :arrow_up:

(Robert) #9

Any progress on this matter? I just ran again into this issue. :confused:

(Stephen Chung) #10

Sorry for bumping this, I can confirm that this issue is still here, although in a lesser form.

Stage user is not created if the email is from a blacklisted email domain. However, if the email is from a valid domain, but one of the To or Cc email addresses is from a blacklisted domain, the staged user still gets created.


  1. Send email from valid domain
  2. Include in the Cc of the email an address that is from a blacklisted domain
  3. Observe that the staged user from the blacklisted domain still gets created

(Jeff Atwood) #11

Hmm @gerhard we should test this.

(Gerhard Schlager) #13

I can’t repro and the following line should forbid the creation of staged users if their domain is not blacklisted/whitelisted.

Are you sure that the domain is on the blacklist and that email_domains_whitelist is empty?
Could you send me a message with the raw email that created staged users and the value of email_domains_blacklist?

Anyway, I added a few more specs, since this wasn’t covered by tests yet.

(Stephen Chung) #14

Let me go back and dig into it some more. I just realize a bunch of new users being staged with zero posts. This used to happen in the bug but we then fixed. I then realize that those users were cited in Cc lists.

Otherwise it cannot be explained why those users are staged with no posts on them.

I’ll grab an email and PM to you.

EDIT: Oops. Sorry, I think since I’ve deleted the unnecessary staged users, I can no longer find out which email created them. Bummer. I’ll observe this pattern further and PM you something once I get a hold of it.

(Kane York) #15

Here’s a fairly straightforward extremely complicated and I can see how this got overlooked route that should result in spurious user creation:


A :reply type destination is recognized (L427)

SiteSetting.find_related_post_with_key && !sent_to_mailinglist_mirror?
→ Cause find_related_post to fail (L129) so process_destination (L141) is called instead

SiteSetting.enable_forwarded_emails: true
has_been_forwarded?: true
→ Call process_forwarded_email (L436)

L524: process_forwarded_email(reply_email_dest, forwarding_user)
L530: embedded_user = find_or_create_user(email, display_name) Creates a staged user.
L534: case destination[:type]
L560: :type is reply, so return false - the staged user from forwarded email processing is lost
L434: process_destination does not early return because forwarded_email returned false
L470: Creating the reply succeeds
L141: No exception raised, so return successfully
L63: No exception raised
L68: delete_staged_users is not run - the staged user survives, the post is created, nothing looks wrong