From e55a11407324027f510a1cd563d997f2bf7a6f72 Mon Sep 17 00:00:00 2001
From: Leendert de Borst <ldeborst@xivisoft.com>
Date: Fri, 15 May 2026 07:06:47 +0200
Subject: [PATCH] Add email claim disabled check to email retrieval (#2014)

---
 .../AliasVault.Api/Controllers/Email/EmailBoxController.cs    | 4 ++--
 .../AliasVault.Api/Controllers/Email/EmailController.cs       | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/server/AliasVault.Api/Controllers/Email/EmailBoxController.cs b/apps/server/AliasVault.Api/Controllers/Email/EmailBoxController.cs
index c36d93fe1..39ab33f64 100644
--- a/apps/server/AliasVault.Api/Controllers/Email/EmailBoxController.cs
+++ b/apps/server/AliasVault.Api/Controllers/Email/EmailBoxController.cs
@@ -47,7 +47,7 @@ public class EmailBoxController(IAliasServerDbContextFactory dbContextFactory, U
         var emailClaim = await context.UserEmailClaims
             .FirstOrDefaultAsync(x => x.Address == sanitizedEmail);
 
-        if (emailClaim is null)
+        if (emailClaim is null || emailClaim.Disabled)
         {
             return BadRequest(new ApiErrorResponse
             {
@@ -126,7 +126,7 @@ public class EmailBoxController(IAliasServerDbContextFactory dbContextFactory, U
 
         // Load all email addresses that the user has a claim to where the address is in the list.
         var validAddresses = await context.UserEmailClaims
-            .Where(claim => claim.UserId == user.Id && model.Addresses.Contains(claim.Address))
+            .Where(claim => claim.UserId == user.Id && model.Addresses.Contains(claim.Address) && !claim.Disabled)
             .Select(claim => claim.Address)
             .ToListAsync();
 
diff --git a/apps/server/AliasVault.Api/Controllers/Email/EmailController.cs b/apps/server/AliasVault.Api/Controllers/Email/EmailController.cs
index ea5d5ff51..16a0085d8 100644
--- a/apps/server/AliasVault.Api/Controllers/Email/EmailController.cs
+++ b/apps/server/AliasVault.Api/Controllers/Email/EmailController.cs
@@ -161,7 +161,7 @@ public class EmailController(ILogger<VaultController> logger, IAliasServerDbCont
 
         // See if this user has a valid claim to the email address.
         var normalizedEmailAddress = email.To.Trim().ToLower();
-        var emailClaim = await context.UserEmailClaims.FirstOrDefaultAsync(x => x.UserId == user.Id && x.Address == normalizedEmailAddress);
+        var emailClaim = await context.UserEmailClaims.FirstOrDefaultAsync(x => x.UserId == user.Id && x.Address == normalizedEmailAddress && !x.Disabled);
 
         if (emailClaim is null)
         {