This commit is contained in:
@@ -140,6 +140,12 @@ export function isPublicEmailDomain(domain: string): boolean {
|
||||
* Look up active tenant_requests whose contact_email shares the given domain.
|
||||
* Active = status NOT IN ('rejected', 'deleted').
|
||||
*
|
||||
* Slice 4: personal-account rows (is_personal = TRUE) are excluded. A
|
||||
* person's personal account doesn't claim the domain on behalf of a
|
||||
* company — alice@acme.ch registering as a personal account must not
|
||||
* block the actual Acme GmbH from registering later. The personal flag
|
||||
* lives on the row itself, set by /api/register at creation time.
|
||||
*
|
||||
* Uses LOWER() on both sides to handle any historical case inconsistency in
|
||||
* stored emails. The pattern '%@<domain>' is anchored so 'acme.ch' does not
|
||||
* match 'notacme.ch' or 'acme.ch.evil.com'.
|
||||
@@ -151,7 +157,8 @@ async function findDuplicateInDb(
|
||||
const result = await pool.query<{ count: string }>(
|
||||
`SELECT COUNT(*) AS count FROM tenant_requests
|
||||
WHERE LOWER(contact_email) LIKE $1
|
||||
AND status NOT IN ('rejected', 'deleted')`,
|
||||
AND status NOT IN ('rejected', 'deleted')
|
||||
AND is_personal = FALSE`,
|
||||
[`%@${domain.toLowerCase()}`]
|
||||
);
|
||||
return Number(result.rows[0]?.count ?? 0) > 0;
|
||||
|
||||
Reference in New Issue
Block a user