From 266a79a02195a506a3e0770a178ffddd10bba4bb Mon Sep 17 00:00:00 2001
From: Arthur Schiwon <blizzz@arthur-schiwon.de>
Date: Tue, 19 Mar 2024 21:43:47 +0100
Subject: [PATCH] fix(ProvisioningApi): only return verified additional mails
 per user

It would not per se be bad to return all of them, however the meta data
about the verified state is missing. Since the information may go out to
connected clients, those may have wrong trust the returned email
addresses.

Email verification still works with this change.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
---
 apps/provisioning_api/lib/Controller/AUserData.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/provisioning_api/lib/Controller/AUserData.php b/apps/provisioning_api/lib/Controller/AUserData.php
index 77d7f31c6daf5..2b5f48ce729a9 100644
--- a/apps/provisioning_api/lib/Controller/AUserData.php
+++ b/apps/provisioning_api/lib/Controller/AUserData.php
@@ -173,6 +173,9 @@ protected function getUserData(string $userId, bool $includeScopes = false): ?ar
 			$additionalEmails = $additionalEmailScopes = [];
 			$emailCollection = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL);
 			foreach ($emailCollection->getProperties() as $property) {
+				if ($property->getLocallyVerified() !== IAccountManager::VERIFIED) {
+					continue;
+				}
 				$additionalEmails[] = $property->getValue();
 				if ($includeScopes) {
 					$additionalEmailScopes[] = $property->getScope();