From 82f923c27add4c361ff10d7c03ea8df4aeb209a5 Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Sat, 28 Sep 2019 01:51:36 +0200
Subject: [PATCH] social auth: Validate email in backends without get_verified_emails.

If the social backend doesn't have get_verified_emails emails, and we simply grab kwargs["details"].get("email") for the email, we should still validate it is correct. Needed for SAML. This will get covered by tests in upcoming commits that add SAML support.
---
 zproject/backends.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/zproject/backends.py b/zproject/backends.py
index ac4afc14d5..1330cb1747 100644
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -725,8 +725,12 @@ def social_associate_user_helper(backend: BaseAuth, return_data: Dict[str, Any],
             return None
 
         validated_email = chosen_email
-    else: # nocoverage
-        # This code path isn't used by GitHubAuthBackend
+    else:
+        try:
+            validate_email(kwargs["details"].get("email"))
+        except ValidationError:
+            return_data['invalid_email'] = True
+            return None
         validated_email = kwargs["details"].get("email")
 
     if not validated_email: # nocoverage
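Review bot: The `validate_email` call added in the new `else:` branch checks only that the address is syntactically well-formed, not that the backend verified ownership of it, so for a backend without `get_verified_emails` (the SAML case this prepares for) the address asserted in `kwargs["details"]` is now trusted for account association with nothing in the code saying so; that trust boundary should be stated in a comment in the branch, e.g. `# No get_verified_emails: trust the address the backend/IdP asserted, but at least require it to be a well-formed email.` The branch also reads `kwargs["details"].get("email")` twice — once for validation and again for the assignment on the context line below — so the value should be bound once and the bound name validated, as in the excerpt below. If `validate_email` is Django's validator, it already raises on a missing (`None`) address, so the `if not validated_email:  # nocoverage` check after the hunk is no longer reachable from this branch and its `nocoverage` marker may want revisiting once the SAML tests the message promises land. `social_associate_user_helper` starts and ends outside the hunk.

```python
    else:
        # No get_verified_emails: the address is whatever the backend (e.g. the
        # SAML IdP) asserted; it is trusted as-is, so only its form is checked.
        validated_email = kwargs["details"].get("email")
        try:
            validate_email(validated_email)
        except ValidationError:
            return_data['invalid_email'] = True
            return None
    # … unchanged: blank line and `if not validated_email:` check …
```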