From 2296400acdd16bca6dce46376c58b8b91311988b Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 2 May 2023 16:31:40 -0400
Subject: [PATCH 1/2] prevent a user with a different email from accepting the
 team invite

---
 options/locale/locale_en-US.ini |  1 +
 routers/web/org/teams.go        |  8 ++++++++
 templates/org/team/invite.tmpl  | 28 +++++++++++++++++-----------
 3 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index b4d5ba00bcd6..180fd1c18d0e 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2559,6 +2559,7 @@ teams.all_repositories_admin_permission_desc = This team grants <strong>Admin</s
 teams.invite.title = You've been invited to join team <strong>%s</strong> in organization <strong>%s</strong>.
 teams.invite.by = Invited by %s
 teams.invite.description = Please click the button below to join the team.
+teams.invite.email_mismatch = Your email address does not match this invite.
 
 [admin]
 dashboard = Dashboard
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 2ce4bf532271..9a0f49b688ed 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -552,6 +552,7 @@ func TeamInvite(ctx *context.Context) {
 	ctx.Data["Organization"] = org
 	ctx.Data["Team"] = team
 	ctx.Data["Inviter"] = inviter
+	ctx.Data["EmailMismatch"] = ctx.Doer.Email != invite.Email
 
 	ctx.HTML(http.StatusOK, tplTeamInvite)
 }
@@ -568,6 +569,13 @@ func TeamInvitePost(ctx *context.Context) {
 		return
 	}
 
+	// check that the Doer is the invitee
+	if ctx.Doer.Email != invite.Email {
+		log.Info("invite %d does not apply to the current user %d", invite.ID, ctx.Doer.ID)
+		ctx.NotFound("ErrTeamInviteNotFound", err)
+		return
+	}
+
 	if err := models.AddTeamMember(team, ctx.Doer.ID); err != nil {
 		ctx.ServerError("AddTeamMember", err)
 		return
diff --git a/templates/org/team/invite.tmpl b/templates/org/team/invite.tmpl
index 55ecd049b39d..019f143f5b4f 100644
--- a/templates/org/team/invite.tmpl
+++ b/templates/org/team/invite.tmpl
@@ -6,17 +6,23 @@
 			<div class="image">
 				{{avatar $.Context .Organization 140}}
 			</div>
-			<div class="content">
-				<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
-				<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
-				<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
-			</div>
-			<div class="extra content">
-				<form class="ui form" action="" method="post">
-					{{.CsrfTokenHtml}}
-					<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
-				</form>
-			</div>
+			{{if .EmailMismatch}}
+				<div class="content">
+				<div class="header">{{.locale.Tr "org.teams.invite.email_mismatch"}}</div>
+				</div>
+			{{else}}
+				<div class="content">
+					<div class="header">{{.locale.Tr "org.teams.invite.title" .Team.Name .Organization.Name | Str2html}}</div>
+					<div class="meta">{{.locale.Tr "org.teams.invite.by" .Inviter.Name}}</div>
+					<div class="description">{{.locale.Tr "org.teams.invite.description"}}</div>
+				</div>
+				<div class="extra content">
+					<form class="ui form" action="" method="post">
+						{{.CsrfTokenHtml}}
+						<button class="fluid ui green button">{{.locale.Tr "org.teams.join"}}</button>
+					</form>
+				</div>
+			{{end}}
 		</div>
 	</div>
 </div>

From 0427c58afaf860abc284f907f6473d5b5059c7e4 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 2 May 2023 16:36:18 -0400
Subject: [PATCH 2/2] formatting fix

---
 templates/org/team/invite.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/org/team/invite.tmpl b/templates/org/team/invite.tmpl
index 019f143f5b4f..8d1fad014165 100644
--- a/templates/org/team/invite.tmpl
+++ b/templates/org/team/invite.tmpl
@@ -8,7 +8,7 @@
 			</div>
 			{{if .EmailMismatch}}
 				<div class="content">
-				<div class="header">{{.locale.Tr "org.teams.invite.email_mismatch"}}</div>
+					<div class="header">{{.locale.Tr "org.teams.invite.email_mismatch"}}</div>
 				</div>
 			{{else}}
 				<div class="content">