Security

I'm trying to validate the sponsor email field on our guest self-registration page using the isValidEmail validator argument. Through testing, I've found that I can only match domains, not full emails.

My current validator argument:

array (
'allow' =>
array (
0 => 'asdf123@contoso.net',
1 => 'contoso.com',
),
)

This should allow asdf123@contoso.net and any address from the contoso.com domain (while denying anything else), but only emails from contoso.com are validated. I have tried this a couple of different ways to no avail. It always denies the email unless the domain is allowed (in which case any email in that domain is allowed). Ultimately I just want a list of emails allowed, no domains. I could also not get isValidEmailList to work.

The knowledgebase says "When using the IsValidEmail validator, the validator argument may be specified with a whitelist/blacklist of domain names, or with a whitelist/blacklist of email addresses."

Any help would be greatly appreciated.

So it seems the documentation is a little incorrect.  The only times full emails kick in are in deny lists.  That scenario covers allowing 'contoso.com', but then denying a list of certain specific emails that you never want spammed.  We do not support a mix of a full domain and then a few extra specific addresses.  If they were all fixed addresses they can be listed out with a different validator (IsInOptionsList), but your example is not supported.

An alternative, if possible on your backend, is doing sponsor lookups against LDAP/AD and using LDAP filter syntax to cover what you need.