Restrict email reply-to domains to domains used by current team members #2060
+108
−19
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
whabanks
changed the title
whabanks
commented
Jan 28, 2025
| return | ||
| email_domain = field.data.split("@")[-1] | ||
|
|
||
| if email_domain not in g.team_member_email_domains: |
There was a problem hiding this comment.
Content to be reviewed / reworked.
🧪 Review environmenthttps://ms4xroe5m7jykn2ddkkarxwn3a0rxhek.lambda-url.ca-central-1.on.aws/ |
andrewleith
reviewed
Jan 30, 2025
There was a problem hiding this comment.
Didn't review the code yet but wrote a query to see the state of this right now. There are 55 services whose reply-to's don't match any of their members. If we were to safelist @canada.ca that would get us down to 35.
Safelisting *.gc.ca, gets us down to 21.
WITH service_domains AS (
SELECT
services.id as service_id,
services.name as service_name,
STRING_AGG(DISTINCT SUBSTRING(users.email_address FROM '@(.*)$'), ', ') as user_email_domains,
STRING_AGG(DISTINCT SUBSTRING(service_email_reply_to.email_address FROM '@(.*)$'), ', ') as reply_to_domains,
BOOL_OR(
SUBSTRING(service_email_reply_to.email_address FROM '@(.*)$') =
SUBSTRING(users.email_address FROM '@(.*)$')
) as has_matching_domain
FROM users
JOIN user_to_service ON users.id = user_to_service.user_id
JOIN services ON services.id = user_to_service.service_id
JOIN service_email_reply_to ON services.id = service_email_reply_to.service_id
GROUP BY services.id, services.name
HAVING COUNT(service_email_reply_to.id) > 0
)
SELECT
service_name,
user_email_domains,
reply_to_domains,
CASE
WHEN has_matching_domain THEN 'Yes'
ELSE 'No'
END as domains_match
FROM service_domains
where has_matching_domain = False
ORDER BY domains_match, service_name
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary | Résumé
This PR updates the email reply-to validation, allowing only email domains matching the email domains of current team members.
Test instructions | Instructions pour tester la modification
Add a reply-to with an invalid domain
Add a reply-to with a valid domain
+someStringalias to identify the notificationdeliveredEdit an existing reply-to to an invalid domain
Edit an existing reply-to to a valid domain
+someStringaliasdeliveredin your local DB to complete the verification process