From 4b30a4e7ef0a6251c3f5ce8d18b6e190f84da62b Mon Sep 17 00:00:00 2001
From: Rory Powell
Date: Tue, 28 Sep 2021 15:49:03 +0100
Subject: [PATCH] Prevent duplicate internal budibase users across tenants
---
 .../src/api/controllers/global/users.js | 25 ++++++++++++++++---
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/packages/worker/src/api/controllers/global/users.js b/packages/worker/src/api/controllers/global/users.js
index 9d2d27a05c..7753370f09 100644
--- a/packages/worker/src/api/controllers/global/users.js
+++ b/packages/worker/src/api/controllers/global/users.js
@@ -56,6 +56,14 @@ async function saveUser(
 throw "Email address already in use."
 }
+ // check budibase users in other tenants
+ if (env.MULTI_TENANCY) {
+ dbUser = await getTenantUser(email)
+ if (dbUser != null) {
+ throw "Email address already in use."
+ }
+ }
+
 // check root account users in account portal
 if (!env.SELF_HOSTED) {
 const account = await accounts.getAccount(email)
@@ -277,13 +285,22 @@ exports.find = async ctx => {
 ctx.body = user
 }
-exports.tenantUserLookup = async ctx => {
- const id = ctx.params.id
- // lookup, could be email or userId, either will return a doc
+// lookup, could be email or userId, either will return a doc
+const getTenantUser = async identifier => {
 const db = new CouchDB(PLATFORM_INFO_DB)
 try {
- ctx.body = await db.get(id)
+ return await db.get(identifier)
 } catch (err) {
+ return null
+ }
+}
+
+exports.tenantUserLookup = async ctx => {
+ const id = ctx.params.id
+ const user = await getTenantUser(id)
+ if (user) {
+ ctx.body = user
+ } else {
 ctx.throw(400, "No tenant user found.")
 }
 }
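Review bot: The new `env.MULTI_TENANCY` block in `saveUser` rejects on any hit from `getTenantUser(email)` without checking whether the returned document belongs to the tenant or user being saved. If `saveUser` also serves updates (its body starts and continues outside this hunk), an existing user would match their own platform record and be refused with "Email address already in use." The block also overwrites the outer `dbUser`, so any later code that reads it would see `null` instead of the in-tenant user; a separate binding such as `const tenantUser = await getTenantUser(email)` avoids that. The rejection should then apply only when the returned document's tenant differs from the current one, using whichever tenant field the platform document actually carries.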
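Review bot: `getTenantUser` returns `null` for every error thrown by `db.get`, not only a missing document, so the duplicate-email check this commit adds in `saveUser` fails open. A connection error, timeout or permission failure on the platform database would be read as "no such user" and the save would go ahead. Treat only not-found as absence and let other errors propagate; if the client exposes the HTTP status on the error (PouchDB-style errors carry `status`), the catch body can be `if (err.status === 404) return null` followed by `throw err`. `tenantUserLookup` would then return a 5xx instead of a misleading 400 "No tenant user found." on backend failures, which is also easier to alert on.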