From 54557b4522ae9c7c7f3a31f3c1b2b2242b50397f Mon Sep 17 00:00:00 2001
From: Udit Takkar <53316345+Udit-takkar@users.noreply.github.com>
Date: Fri, 31 May 2024 17:59:26 +0530
Subject: [PATCH] fix: add blacklist email logic in backend (#15270)

* fix: add blacklist email logic in backedn

* chore: type err

* Update packages/features/bookings/lib/handleNewBooking.ts

* Update packages/features/bookings/lib/handleNewBooking.ts

---------

Co-authored-by: Keith Williams
---
 .../features/bookings/lib/handleNewBooking.ts | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/packages/features/bookings/lib/handleNewBooking.ts b/packages/features/bookings/lib/handleNewBooking.ts
index 37751adbce0eae..8236f9dbe4d4a7 100644
--- a/packages/features/bookings/lib/handleNewBooking.ts
+++ b/packages/features/bookings/lib/handleNewBooking.ts
@@ -915,6 +915,65 @@ type BookingDataSchemaGetter =
   | typeof getBookingDataSchema
   | typeof import("@calcom/features/bookings/lib/getBookingDataSchemaForApi").default;
 
+const checkIfBookerEmailIsBlocked = async ({
+  bookerEmail,
+  loggedInUserId,
+}: {
+  bookerEmail: string;
+  loggedInUserId?: number;
+}) => {
+  const baseEmail = extractBaseEmail(bookerEmail);
+  const blacklistedGuestEmails = process.env.BLACKLISTED_GUEST_EMAILS
+    ? process.env.BLACKLISTED_GUEST_EMAILS.split(",")
+    : [];
+
+  const blacklistedEmail = blacklistedGuestEmails.find(
+    (guestEmail: string) => guestEmail.toLowerCase() === baseEmail.toLowerCase()
+  );
+
+  if (!blacklistedEmail) {
+    return false;
+  }
+
+  const user = await prisma.user.findFirst({
+    where: {
+      OR: [
+        {
+          email: baseEmail,
+          emailVerified: {
+            not: null,
+          },
+        },
+        {
+          secondaryEmails: {
+            some: {
+              email: baseEmail,
+              emailVerified: {
+                not: null,
+              },
+            },
+          },
+        },
+      ],
+    },
+    select: {
+      id: true,
+      email: true,
+    },
+  });
+
+  if (!user) {
+    throw new HttpError({ statusCode: 403, message: "Cannot use this email to create the booking." });
+  }
+
+  if (user.id !== loggedInUserId) {
+    throw new HttpError({
+      statusCode: 403,
+      message: `Attendee email has been blocked. Make sure to login as ${bookerEmail} to use this email for creating a booking.`,
+    });
+  }
+};
+
 async function handler(
   req: NextApiRequest & {
     userId?: number | undefined;
@@ -977,6 +1036,8 @@ async function handler(
 
   const loggerWithEventDetails = createLoggerWithEventDetails(eventTypeId, reqBody.user, eventTypeSlug);
 
+  await checkIfBookerEmailIsBlocked({ loggedInUserId: userId, bookerEmail });
+
   if (isEventTypeLoggingEnabled({ eventTypeId, usernameOrTeamName: reqBody.user })) {
     logger.settings.minLevel = 0;
   }
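Review bot: The entries read from `BLACKLISTED_GUEST_EMAILS` are split on `,` but never trimmed, so a value written as `a@x.com, b@y.com` leaves a leading space on every entry after the first and that entry never equals `baseEmail.toLowerCase()` — the check fails open for exactly the addresses an operator meant to block. Normalising the list once up front (trim, lowercase, drop empties) fixes that and removes the per-entry `toLowerCase()` inside `find`. The function also returns `false` on the not-blocked path and falls off the end otherwise, which `noImplicitReturns` would reject; the call site in the second hunk ignores the result, so declare it `Promise<void>` and use a bare `return`. Separately, the blocklist match is case-insensitive while the `prisma.user.findFirst` lookup uses `email: baseEmail` with the request's original casing, so a blocked address typed in a different case than the stored one ends in the `Cannot use this email` 403 even for its verified owner — fail-closed, but worth a case-insensitive filter if the database supports one. A contract comment above the function would help: `// Rejects a booking from a blocklisted email unless the caller is logged in as the verified owner of that email (throws 403).`
```typescript
  const baseEmail = extractBaseEmail(bookerEmail);
  const normalizedBaseEmail = baseEmail.toLowerCase();
  // Entries may be padded around the commas ("a@x.com, b@y.com"); trim and lowercase
  // them so a padded entry still matches instead of silently letting the booking through.
  const blacklistedGuestEmails = (process.env.BLACKLISTED_GUEST_EMAILS ?? "")
    .split(",")
    .map((guestEmail) => guestEmail.trim().toLowerCase())
    .filter((guestEmail) => guestEmail.length > 0);

  if (!blacklistedGuestEmails.includes(normalizedBaseEmail)) {
    return;
  }

  // … unchanged: prisma.user.findFirst lookup and the two 403 HttpError branches …
```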
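Review bot: Only `bookerEmail` is passed to `checkIfBookerEmailIsBlocked`; if `reqBody` also carries additional guest or attendee addresses (not visible in this hunk), they are not checked even though the setting is named `BLACKLISTED_GUEST_EMAILS`, so either extend the call to every supplied address or document that the policy applies to the booker alone. The ownership branch relies on `loggedInUserId: userId` reflecting an authenticated session rather than anything the client can set in the body — presumably it comes from `req.userId`, but `handler`'s body continues outside the hunk, so confirm the source. A one-line comment at the call, `// Reject bookings from blocklisted emails unless the caller owns the address (throws 403).`, would make this early exit visible to readers of the handler.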