fix: add blacklist email logic in backend (#15270)

* fix: add blacklist email logic in backedn * chore: type err * Update packages/features/bookings/lib/handleNewBooking.ts * Update packages/features/bookings/lib/handleNewBooking.ts --------- Co-authored-by: Keith Williams <[email protected]>
calcom · May 31, 2024 · 54557b4 · 54557b4
1 parent b905de4
commit 54557b4
Showing 1 changed file with 61 additions and 0 deletions.
diff --git a/packages/features/bookings/lib/handleNewBooking.ts b/packages/features/bookings/lib/handleNewBooking.ts
@@ -915,6 +915,65 @@ type BookingDataSchemaGetter =
   | typeof getBookingDataSchema
   | typeof import("@calcom/features/bookings/lib/getBookingDataSchemaForApi").default;
 
+const checkIfBookerEmailIsBlocked = async ({
+  bookerEmail,
+  loggedInUserId,
+}: {
+  bookerEmail: string;
+  loggedInUserId?: number;
+}) => {
+  const baseEmail = extractBaseEmail(bookerEmail);
+  const blacklistedGuestEmails = process.env.BLACKLISTED_GUEST_EMAILS
+    ? process.env.BLACKLISTED_GUEST_EMAILS.split(",")
+    : [];
+
+  const blacklistedEmail = blacklistedGuestEmails.find(
+    (guestEmail: string) => guestEmail.toLowerCase() === baseEmail.toLowerCase()
+  );
+
+  if (!blacklistedEmail) {
+    return false;
+  }
+
+  const user = await prisma.user.findFirst({
+    where: {
+      OR: [
+        {
+          email: baseEmail,
+          emailVerified: {
+            not: null,
+          },
+        },
+        {
+          secondaryEmails: {
+            some: {
+              email: baseEmail,
+              emailVerified: {
+                not: null,
+              },
+            },
+          },
+        },
+      ],
+    },
+    select: {
+      id: true,
+      email: true,
+    },
+  });
+
+  if (!user) {
+    throw new HttpError({ statusCode: 403, message: "Cannot use this email to create the booking." });
+  }
+
+  if (user.id !== loggedInUserId) {
+    throw new HttpError({
+      statusCode: 403,
+      message: `Attendee email has been blocked. Make sure to login as ${bookerEmail} to use this email for creating a booking.`,
+    });
+  }
+};
+
 async function handler(
   req: NextApiRequest & {
     userId?: number | undefined;
@@ -977,6 +1036,8 @@ async function handler(
 
   const loggerWithEventDetails = createLoggerWithEventDetails(eventTypeId, reqBody.user, eventTypeSlug);
 
+  await checkIfBookerEmailIsBlocked({ loggedInUserId: userId, bookerEmail });
+
   if (isEventTypeLoggingEnabled({ eventTypeId, usernameOrTeamName: reqBody.user })) {
     logger.settings.minLevel = 0;
   }