Prevent accepting another user invitation

src/api/core/organizations.rs

@@ -1131,11 +1131,13 @@ async fn accept_invite(
     org_id: OrganizationId,
     member_id: MembershipId,
     data: Json<AcceptData>,
+    headers: Headers,
     mut conn: DbConn,
 ) -> EmptyResult {
     // The web-vault passes org_id and member_id in the URL, but we are just reading them from the JWT instead
     let data: AcceptData = data.into_inner();
     let claims = decode_invite(&data.token)?;
+    let user = headers.user;
 
     // If a claim does not have a member_id or it does not match the one in from the URI, something is wrong.
     match &claims.member_id {
@@ -1143,8 +1145,10 @@ async fn accept_invite(
         _ => err!("Error accepting the invitation", "Claim does not match the member_id"),
     }
 
-    match User::find_by_mail(&claims.email, &mut conn).await {
-        Some(user) => {
+    if user.email != claims.email {
+        err!("Invitation claim does not match the user")
+    }
+
     Invitation::take(&claims.email, &mut conn).await;
 
     if let (Some(member), Some(org)) = (&claims.member_id, &claims.org_id) {
@@ -1187,9 +1191,6 @@ async fn accept_invite(
 
         member.save(&mut conn).await?;
     }
-        }
-        None => err!("Invited user not found"),
-    }
 
     if CONFIG.mail_enabled() {
         let mut org_name = CONFIG.invitation_org_name();