From 96698f7e0788ad377dfe5e118df37e6afede6b27 Mon Sep 17 00:00:00 2001
From: Rory Powell
Date: Tue, 28 Sep 2021 15:22:19 +0100
Subject: [PATCH 1/2] Prevent root account users being re-created as internal budibase users

---
 packages/auth/accounts.js                           |  1 +
 packages/worker/src/api/controllers/global/users.js | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 packages/auth/accounts.js

diff --git a/packages/auth/accounts.js b/packages/auth/accounts.js
new file mode 100644
index 0000000000..47ad03456a
--- /dev/null
+++ b/packages/auth/accounts.js
@@ -0,0 +1 @@
+module.exports = require("./src/cloud/accounts")
diff --git a/packages/worker/src/api/controllers/global/users.js b/packages/worker/src/api/controllers/global/users.js
index 1d3f38698b..9d2d27a05c 100644
--- a/packages/worker/src/api/controllers/global/users.js
+++ b/packages/worker/src/api/controllers/global/users.js
@@ -11,6 +11,7 @@ const { sendEmail } = require("../../../utilities/email")
 const { user: userCache } = require("@budibase/auth/cache")
 const { invalidateSessions } = require("@budibase/auth/sessions")
 const CouchDB = require("../../../db")
+const accounts = require("@budibase/auth/accounts")
 const {
   getGlobalDB,
   getTenantId,
@@ -49,10 +50,19 @@ async function saveUser(
   // make sure another user isn't using the same email
   let dbUser
   if (email) {
+    // check budibase users inside the tenant
     dbUser = await getGlobalUserByEmail(email)
     if (dbUser != null && (dbUser._id !== _id || Array.isArray(dbUser))) {
       throw "Email address already in use."
     }
+
+    // check root account users in account portal
+    if (!env.SELF_HOSTED) {
+      const account = await accounts.getAccount(email)
+      if (account) {
+        throw "Email address already in use."
+      }
+    }
   } else {
     dbUser = await db.get(_id)
   }
From 5e286d8de2db97d75b20ad69cce588768c9de3bb Mon Sep 17 00:00:00 2001
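Review bot: The new account-portal check in the `@@ -49,10 +50,19 @@` hunk runs on every save that carries an email, including updates of an existing user, because the `dbUser._id !== _id` exemption two lines above applies only to the in-tenant lookup; once this lands, an existing internal user whose email also matches a root account can no longer be saved at all. After the in-tenant check has passed, a non-null `dbUser` can only be the document being updated, so the outbound lookup can be limited to genuinely new addresses with `if (!env.SELF_HOSTED && dbUser == null) {` — or, if rejecting such updates is intended, the comment should say so. The `env.MULTI_TENANCY` block added by the second patch has the same gap. A short comment on `accounts.getAccount(email)` noting that its failures are deliberately left to propagate (the save is rejected rather than allowed through) would keep a later maintainer from wrapping it in a silent catch. saveUser's signature and the remainder of its body are outside the hunk.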
From: Rory Powell
Date: Tue, 28 Sep 2021 15:49:03 +0100
Subject: [PATCH 2/2] Prevent duplicate internal budibase users across tenants

---
 .../src/api/controllers/global/users.js | 25 ++++++++++++++++---
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/packages/worker/src/api/controllers/global/users.js b/packages/worker/src/api/controllers/global/users.js
index 9d2d27a05c..7753370f09 100644
--- a/packages/worker/src/api/controllers/global/users.js
+++ b/packages/worker/src/api/controllers/global/users.js
@@ -56,6 +56,14 @@ async function saveUser(
       throw "Email address already in use."
     }
 
+    // check budibase users in other tenants
+    if (env.MULTI_TENANCY) {
+      dbUser = await getTenantUser(email)
+      if (dbUser != null) {
+        throw "Email address already in use."
+      }
+    }
+
     // check root account users in account portal
     if (!env.SELF_HOSTED) {
       const account = await accounts.getAccount(email)
@@ -277,13 +285,22 @@ exports.find = async ctx => {
   ctx.body = user
 }
 
-exports.tenantUserLookup = async ctx => {
-  const id = ctx.params.id
-  // lookup, could be email or userId, either will return a doc
+// lookup, could be email or userId, either will return a doc
+const getTenantUser = async identifier => {
   const db = new CouchDB(PLATFORM_INFO_DB)
   try {
-    ctx.body = await db.get(id)
+    return await db.get(identifier)
   } catch (err) {
+    return null
+  }
+}
+
+exports.tenantUserLookup = async ctx => {
+  const id = ctx.params.id
+  const user = await getTenantUser(id)
+  if (user) {
+    ctx.body = user
+  } else {
     ctx.throw(400, "No tenant user found.")
   }
 }
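Review bot: The cross-tenant lookup in the `@@ -56,6 +56,14 @@` hunk reuses `dbUser` for its result, so when `getTenantUser(email)` returns null it overwrites whatever `getGlobalUserByEmail(email)` found above — on the update path (`dbUser._id === _id`, which the earlier check lets through) the existing document is replaced by null before the rest of saveUser runs. Keep the lookup in its own local: `const tenantUser = await getTenantUser(email)` and `if (tenantUser != null) {`. saveUser continues outside the hunk, so I cannot see from here whether `dbUser` is read later; if it is not, a one-line comment saying the variable is dead past this point would still help.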
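Review bot: `getTenantUser` returns null for every error, so in the new `catch (err)` a platform-DB connection or permission failure is indistinguishable from a missing document — and because saveUser now relies on this helper as its duplicate-email guard, an outage on that database makes the cross-tenant check fail open and lets the duplicate through. Return null only for the client's not-found error and rethrow everything else, e.g. `if (err.status !== 404) throw err` (the exact status field depends on the CouchDB client wrapper in use — confirm before relying on it). tenantUserLookup would then report such failures as server errors rather than the misleading 400 "No tenant user found.", which is the more accurate answer for a caller.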