From e3225e5816befb0d60cfab3211278fe8b5937a37 Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Thu, 12 Oct 2017 15:58:58 +0200 Subject: [PATCH 1/2] Detect existing email/user on frontend and backend Prevent creating users using an email that already exists on the backend. The frontend now discards the guest creation entry if there is at least one exact match for the search terms, which could refer to the user id or email address (the latter being handled by the autocomplete backend) --- controller/userscontroller.php | 7 +++++++ js/guestshare.js | 21 +++++++------------ .../guests_features/Guests.feature | 11 ++++++++++ 3 files changed, 26 insertions(+), 13 deletions(-) diff --git a/controller/userscontroller.php b/controller/userscontroller.php index 004f66de..4bef926a 100644 --- a/controller/userscontroller.php +++ b/controller/userscontroller.php @@ -117,6 +117,13 @@ public function create($email, $displayName) { ); } + $users = $this->userManager->getByEmail($email); + if (!empty($users)) { + $errorMessages['email'] = (string)$this->l10n->t( + 'A username with that email already exists.' + ); + } + if (!empty($errorMessages)) { return new DataResponse( [ diff --git a/js/guestshare.js b/js/guestshare.js index 78059d04..ff71068f 100644 --- a/js/guestshare.js +++ b/js/guestshare.js @@ -86,7 +86,7 @@ OC.Plugins.register('OC.Share.ShareDialogView', { var oldHandler = obj.autocompleteHandler; obj.autocompleteHandler = function(search, response) { - return oldHandler.call(obj, search, function(result) { + return oldHandler.call(obj, search, function(result, xhrResult) { var searchTerm = search.term.trim(); // Add potential guests to the suggestions 
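Review bot: The `$errorMessages['email']` assignment added after the `getByEmail` lookup overwrites whatever an earlier validation stored under the same key, and the lookup runs even when `$email` was already rejected — the `);` and `}` that open the hunk look like the tail of such a check, so guarding with `if (empty($errorMessages['email']) && !empty($users))` keeps the more specific message. Two things deserve a comment on the new block: the lookup and the later creation are not atomic, so two concurrent requests with the same address can both pass it unless the user backend enforces uniqueness itself (not visible here), and the 422 body confirms to the caller that an account with that address exists, which is fine for the admin-only use the feature file exercises but should be stated so the endpoint is not exposed more widely without reconsidering it. `'A username with that email already exists.'` also reads oddly; `'A user with that email address already exists.'` says what is meant. `create()` continues outside the hunk.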
@@ -101,16 +101,11 @@ OC.Plugins.register('OC.Share.ShareDialogView', { result = []; } - // only add guest entry suggestion if there isn't another matching user share entry already - var lowerSearchTerm = searchTerm.toLowerCase(); - if (!_.find(result, function(entry) { - if (entry && entry.value - && entry.value.shareType === OC.Share.SHARE_TYPE_USER - && entry.value.shareWith.toLowerCase() === lowerSearchTerm) { - return true; - } - return false; - })) { + // only allow guest creation entry if there is no exact match (by user id or email, decided by the server) + if (xhrResult + && xhrResult.ocs.meta.statuscode === 100 + && xhrResult.ocs.data.exact.users.length === 0 + ) { result.push({ label: t('core', 'Add {unknown} (guest)', {unknown: searchTerm}), value: { @@ -119,9 +114,9 @@ OC.Plugins.register('OC.Share.ShareDialogView', { } }); } - response(result); + response(result, xhrResult); } - response(result); + response(result, xhrResult); }); }; diff --git a/tests/integration/guests_features/Guests.feature b/tests/integration/guests_features/Guests.feature index 515610f2..fc417363 100644 --- a/tests/integration/guests_features/Guests.feature +++ b/tests/integration/guests_features/Guests.feature @@ -10,6 +10,17 @@ Scenario: Creating a guest user works fine Then the HTTP status code should be "201" And check that user "guest" is a guest +Scenario: Cannot create a guest if a user with the same email address exists + Given as an "admin" + And user "existing-user" exists + When sending "PUT" to "/cloud/users/existing-user" with + | key | email | + | value | guest@example.com | + When user "admin" creates guest user "guest" with email "guest@example.com" + Then the HTTP status code should be "422" + # TODO: missing appropriate step in core / Provisioning + #And check that user "guest" does not exist + Scenario: A guest user cannot upload files Given as an "admin" And user "admin" creates guest user "guest" with email "guest@example.com" 
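Review bot: The new condition in the `@@ -101` hunk dereferences `xhrResult.ocs.meta.statuscode` and `xhrResult.ocs.data.exact.users.length` with no guard beyond `xhrResult` being truthy, so a response without that shape (an error body, or a caller passing a different second argument) throws inside the autocomplete callback instead of degrading. A non-100 status also means the guest entry is silently never offered, with nothing logged to explain why. Resolving the list once, `var exactUsers = xhrResult && xhrResult.ocs && xhrResult.ocs.data && xhrResult.ocs.data.exact ? xhrResult.ocs.data.exact.users : null;`, and testing `exactUsers && exactUsers.length === 0` together with the status code keeps the intent without the exception path. The callback that receives `xhrResult` is declared in the preceding `@@ -86` hunk and its body continues into the `@@ -119` hunk.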
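Review bot: The new scenario in `Guests.feature` asserts only the 422 status; with the `check that user "guest" does not exist` step commented out, it would still pass if the request failed after partially creating the guest, so the TODO should be tracked (or a guest-specific step added in this app) rather than left as a comment. A second scenario using a differently-cased address, e.g. `Guest@Example.com`, would pin whether the email comparison is case-insensitive, which the backend hunk leaves to `getByEmail` and this file does not exercise.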
From 6194f404d0330fe1b0c9dc3a602d2cf612beec46 Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Mon, 23 Oct 2017 11:01:01 +0200 Subject: [PATCH 2/2] Add 10.0.3 compatibility --- js/guestshare.js | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/js/guestshare.js b/js/guestshare.js index ff71068f..a415781d 100644 --- a/js/guestshare.js +++ b/js/guestshare.js @@ -102,10 +102,34 @@ OC.Plugins.register('OC.Share.ShareDialogView', { } // only allow guest creation entry if there is no exact match (by user id or email, decided by the server) + var provideGuestEntry = false; + if (xhrResult && xhrResult.ocs.meta.statuscode === 100 && xhrResult.ocs.data.exact.users.length === 0 ) { + provideGuestEntry = true; + } + + // compatibility with OC <= 10.0.3 where xhrResult is not available + // here we always show the entry as we don't know about exact matches, + // and the backend might block the request if the guest is referring + // to an existing email address + if (!xhrResult) { + var lowerSearchTerm = searchTerm.toLowerCase(); + if (!_.find(result, function(entry) { + if (entry && entry.value + && entry.value.shareType === OC.Share.SHARE_TYPE_USER + && entry.value.shareWith.toLowerCase() === lowerSearchTerm) { + return true; + } + return false; + })) { + provideGuestEntry = true; + } + } + + if (provideGuestEntry) { result.push({ label: t('core', 'Add {unknown} (guest)', {unknown: searchTerm}), value: {
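Review bot: The compatibility comment says the entry is always shown when `xhrResult` is absent, but the branch under it still suppresses the entry when `_.find` locates a matching user share, so comment and code disagree; reword it to `// compatibility with OC <= 10.0.3 where xhrResult is not available: fall back to the client-side check for an existing user entry; the backend still rejects guests that refer to an existing email`. The `xhrResult` branch above it still reaches into `xhrResult.ocs.meta` and `xhrResult.ocs.data.exact.users` unguarded, so a truthy but differently shaped response throws rather than taking the fallback; deriving `exact` once and keying the fallback on its absence covers both cases. The enclosing autocomplete callback continues outside the hunk.
```javascript
// only allow guest creation entry if there is no exact match (by user id or email, decided by the server)
var exact = xhrResult && xhrResult.ocs && xhrResult.ocs.data && xhrResult.ocs.data.exact;
var provideGuestEntry = false;
if (exact && xhrResult.ocs.meta && xhrResult.ocs.meta.statuscode === 100 && exact.users.length === 0) {
	provideGuestEntry = true;
}

// compatibility with OC <= 10.0.3 where xhrResult is not available (or has an
// unexpected shape): fall back to the client-side check for an existing user
// entry; the backend still rejects guests that refer to an existing email
if (!exact) {
	// … unchanged: _.find over result setting provideGuestEntry …
}
// … unchanged: if (provideGuestEntry) { result.push(...) } …
```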