From 84043dbb43db7a9c01a0ffdd845ba4da3bbcf253 Mon Sep 17 00:00:00 2001
From: Eric Wollesen
Date: Thu, 18 Jan 2024 19:16:36 -0700
Subject: [PATCH] always use a validated userId for alerts configs

If a user were to put some arbitrary value in the userId field of their invitation, we should not use it, but rather the userId of the user making the request, which has been validated already.

Thanks again to Brian for finding this edge case.

BACK-2500
---
 api/invite.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/api/invite.go b/api/invite.go
index 04e60dd9..43330800 100644
--- a/api/invite.go
+++ b/api/invite.go
@@ -240,11 +240,8 @@ func (a *Api) AcceptInvite(res http.ResponseWriter, req *http.Request, vars map[
 		a.sendError(ctx, res, http.StatusBadRequest, STATUS_ERR_DECODING_CONTEXT)
 		return
 	}
-	// In the event that the invitee didn't have a user account when they
-	// were invited, this could be empty. Since they're accepting the
-	// invite now, they clearly have a userID, so we can populate that
-	// field now.
-	if ctc.AlertsConfig != nil && ctc.AlertsConfig.UserID == "" {
+
+	if ctc.AlertsConfig != nil {
 		ctc.AlertsConfig.UserID = inviteeID
 	}
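Review bot: The removed comment should be replaced rather than dropped — the now-unconditional assignment is a security control (the `UserID` decoded from the request body is client-controlled), and with only a blank line above it a later "optimization" could reintroduce the `UserID == ""` guard that let a caller-supplied value through; suggest `// UserID from the request body is untrusted; always bind the alerts config to the authenticated invitee.` in place of the added blank line. Whether `inviteeID` is indeed the validated requester rather than a path or body value cannot be confirmed from this hunk, since it is assigned earlier in AcceptInvite outside the visible lines. A regression test that accepts an invite whose alerts config carries a foreign `UserID` and asserts the stored value equals the invitee's ID would pin this fix against that regression. The enclosing method AcceptInvite starts and ends outside the hunk.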