fix: Forbid removing emails if they're required to register

2026-05-26 20:49:55 +00:00 · 2026-04-23 13:17:48 -04:00
parent 8171e3d614
commit 567d809efe
5 changed files with 30 additions and 4 deletions
@@ -53,6 +53,10 @@ pub(crate) async fn request_3pid_management_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
+	if !services.threepid.email_requirement().may_change() {
+		return Err!(Request(Forbidden("You may not change your email address.")));
+	}
+
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
@@ -105,6 +109,10 @@ pub(crate) async fn add_3pid_route(
 ) -> Result<add_3pid::v3::Response> {
 	let sender_user = body.sender_user();

+	if !services.threepid.email_requirement().may_change() {
+		return Err!(Request(Forbidden("You may not change your email address.")));
+	}
+
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
@@ -138,6 +146,10 @@ pub(crate) async fn delete_3pid_route(
 		});
 	}

+	if !services.threepid.email_requirement().may_remove() {
+		return Err!(Request(Forbidden("You may not remove your email address.")));
+	}
+
 	if services
 		.threepid
 		.disassociate_localpart_email(sender_user.localpart())
@@ -32,7 +32,7 @@ pub(crate) async fn get_capabilities_route(

 	// Only allow 3pid changes if SMTP is configured
 	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
-		enabled: services.mailer.mailer().is_some(),
+		enabled: services.threepid.email_requirement().may_change(),
 	};

 	capabilities.get_login_token = GetLoginTokenCapability {