always use a validated userId for alerts configs

If a user were to put some arbitrary value in the userId field of their invitation, we should not use it, but rather the userId of the user making the request, which has been validated already. Thanks again to Brian for finding this edge case. BACK-2500
tidepool-org · Jan 23, 2024 · 84043db · 84043db
1 parent 09e04e3
commit 84043db
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/api/invite.go b/api/invite.go
@@ -240,11 +240,8 @@ func (a *Api) AcceptInvite(res http.ResponseWriter, req *http.Request, vars map[
 			a.sendError(ctx, res, http.StatusBadRequest, STATUS_ERR_DECODING_CONTEXT)
 			return
 		}
-		// In the event that the invitee didn't have a user account when they
-		// were invited, this could be empty. Since they're accepting the
-		// invite now, they clearly have a userID, so we can populate that
-		// field now.
-		if ctc.AlertsConfig != nil && ctc.AlertsConfig.UserID == "" {
+
+		if ctc.AlertsConfig != nil {
 			ctc.AlertsConfig.UserID = inviteeID
 		}