Merge commit from fork

* Allauth: don't extract secondary emails from GitHub Ref GHSA-h73w-m588-h9r6 * Use custom adapter instead * Update
readthedocs · Jan 23, 2025 · 04dd0e6 · 04dd0e6
1 parent 97bbb9e
commit 04dd0e6
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 10 deletions.
diff --git a/readthedocs/core/adapters.py b/readthedocs/core/adapters.py
@@ -2,6 +2,7 @@
 
 import structlog
 from allauth.account.adapter import DefaultAccountAdapter
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from django.utils.encoding import force_str
 
 from readthedocs.core.utils import send_email_from_object
@@ -11,7 +12,6 @@
 
 
 class AccountAdapter(DefaultAccountAdapter):
-
     """Customize Allauth emails to match our current patterns."""
 
     def format_email_subject(self, subject):
@@ -50,3 +50,18 @@ def save_user(self, request, user, form, commit=True):
                 invitation.delete()
             else:
                 log.info("Invitation not found", invitation_pk=invitation_pk)
+
+
+class SocialAccountAdapter(DefaultSocialAccountAdapter):
+    def pre_social_login(self, request, sociallogin):
+        """
+        Remove all email addresses except the primary one.
+
+        We don't want to populate all email addresses from the social account,
+        it also makes it easy to mark only the primary email address as verified
+        for providers that don't return information about email verification
+        even if the email is verified (like GitLab).
+        """
+        sociallogin.email_addresses = [
+            email for email in sociallogin.email_addresses if email.primary
+        ]
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
@@ -2,19 +2,17 @@
 
 import os
 import re
-import subprocess
 import socket
+import subprocess
 
 import structlog
-
 from celery.schedules import crontab
+from corsheaders.defaults import default_headers
+from django.conf.global_settings import PASSWORD_HASHERS
 
+from readthedocs.builds import constants_docker
 from readthedocs.core.logs import shared_processors
-from corsheaders.defaults import default_headers
 from readthedocs.core.settings import Settings
-from readthedocs.builds import constants_docker
-
-from django.conf.global_settings import PASSWORD_HASHERS
 
 try:
     import readthedocsext.cdn  # noqa
@@ -36,7 +34,6 @@
 
 
 class CommunityBaseSettings(Settings):
-
     """Community base settings, don't use this directly."""
 
     # Django settings
@@ -76,7 +73,7 @@ def _show_debug_toolbar(request):
                 # It's a "known issue/bug" and there is no solution as far as we can tell.
                 "debug_toolbar.panels.sql.SQLPanel",
                 "debug_toolbar.panels.templates.TemplatesPanel",
-            ]
+            ],
         }
 
     @property
@@ -682,6 +679,7 @@ def DOCKER_LIMITS(self):
 
     # Allauth
     ACCOUNT_ADAPTER = "readthedocs.core.adapters.AccountAdapter"
+    SOCIALACCOUNT_ADAPTER = 'readthedocs.core.adapters.SocialAccountAdapter'
     ACCOUNT_EMAIL_REQUIRED = True
     # By preventing enumeration, we will always send an email,
     # even if the email is not registered, that's hurting
@@ -704,7 +702,6 @@ def DOCKER_LIMITS(self):
             "APPS": [
                 {"client_id": "123", "secret": "456", "key": ""},
             ],
-            "VERIFIED_EMAIL": True,
             "SCOPE": [
                 "user:email",
                 "read:org",
@@ -716,6 +713,7 @@ def DOCKER_LIMITS(self):
             "APPS": [
                 {"client_id": "123", "secret": "456", "key": ""},
             ],
+            # GitLab returns the primary email only, we can trust it's verified.
             "VERIFIED_EMAIL": True,
             "SCOPE": [
                 "api",