Page MenuHomePhabricator

Email Address Blocklist could lead to unexpected behavior
Open, Needs TriagePublic


The AddDonation use case currently has a functionality to ask the AddDonationPolicyValidator if donation data violates policy and should be blocked (a stronger case than just "needs moderation"). AddDonationPolicyValidator checks the donor e-mail against a list of regular expressions and if one of them matches, causes the AddDonation use case to create the donation in a deleted state. This behavior is problematic, because it will lead to the following behavior:

  • The system creates a donation in the database, but marks it as deleted
  • The system will send a confirmation email to the blocked email address (there is no check for deletion state before mailing)
  • The user will see an "access denied" page instead of the donation confirmation page because the confirmation page prevents showing deleted donations.

The history of this feature can be found here:

The current configuration of the Fundraising Application has no entries in the email blocklist, so it's not clear if this feature ever was active and what happened when it was active. We should define a new behavior or delete the check and related code all together.