Default blocked domains list not enforced when custom blocked domains list is empty #40029
Description:
When Use Default Blocked Domains List is enabled but Blocked Domains List
is empty, the default blocklist is silently never checked. Users can register
with disposable email addresses from domains that should be blocked.
Steps to reproduce:
- Click Register a new account
- Enter the email hello@yopmail.com, or any other email whose domain appears in apps/meteor/app/lib/server/lib/defaultBlockedDomainsList.ts, and fill in the other fields
- Click Register
Expected behavior:
Registration to be blocked and no new account to be created
Actual behavior:
Registration succeeds and the account is created, even though yopmail.com (or any other domain in the default blocked domains list) is used.
Root cause:
File: apps/meteor/app/lib/server/lib/validateEmailDomain.js
The default blocklist check is nested inside emailDomainBlackList.length &&:

```js
if (
	emailDomainBlackList.length &&
	(emailDomainBlackList.indexOf(emailDomain) !== -1 ||
		(settings.get('Accounts_UseDefaultBlockedDomainsList') &&
			emailDomainDefaultBlackList.indexOf(emailDomain) !== -1))
) {
```

When Blocked Domains List is empty, emailDomainBlackList.length is 0 (falsy), so the entire condition short-circuits. The default list check on line 56 is never reached even when Accounts_UseDefaultBlockedDomainsList is true.
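The short-circuit described above next to a predicate that consults each list on its own, as an added JavaScript example that is not Rocket.Chat's code; the function names, the domainOf helper and the contents of the default list are constructed (yopmail.com is the domain used in this report):

```javascript
// Added example (not Rocket.Chat's code): reproduces the short-circuit from the
// issue and shows a corrected predicate. All names here are hypothetical.

// Constructed stand-in for defaultBlockedDomainsList.ts; yopmail.com is the
// domain the report uses, the second entry is made up.
const emailDomainDefaultBlackList = ['yopmail.com', 'disposable.example'];

// Mirrors the condition quoted in the issue: the default-list branch is only
// reachable when the custom list is non-empty.
function isBlockedBuggy(emailDomain, emailDomainBlackList, useDefaultList) {
  return Boolean(
    emailDomainBlackList.length &&
      (emailDomainBlackList.indexOf(emailDomain) !== -1 ||
        (useDefaultList && emailDomainDefaultBlackList.indexOf(emailDomain) !== -1)),
  );
}

// Corrected predicate: each list is checked independently, so an empty custom
// list no longer disables the default list.
function isBlockedFixed(emailDomain, emailDomainBlackList, useDefaultList) {
  const inCustomList = emailDomainBlackList.includes(emailDomain);
  const inDefaultList = useDefaultList && emailDomainDefaultBlackList.includes(emailDomain);
  return inCustomList || inDefaultList;
}

// Extract the domain part of an address (lower-casing is an assumption here).
function domainOf(email) {
  return email.slice(email.lastIndexOf('@') + 1).toLowerCase();
}

// The report's scenario: toggle enabled, custom Blocked Domains List empty.
function reproduce() {
  const domain = domainOf('hello@yopmail.com');
  return {
    buggy: isBlockedBuggy(domain, [], true), // false: registration goes through
    fixed: isBlockedFixed(domain, [], true), // true: registration is blocked
    // Same buggy code, but the custom list is non-empty: now the default list is consulted.
    buggyWithCustom: isBlockedBuggy(domain, ['other.example'], true), // true
  };
}
```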
Related files:
- Bug: apps/meteor/app/lib/server/lib/validateEmailDomain.js, line 52
- Default list: apps/meteor/app/lib/server/lib/defaultBlockedDomainsList.ts
- Setting registered: apps/meteor/server/settings/accounts.ts, line 354
Server Setup Information:
- Version of Rocket.Chat Server: develop branch
- Deployment Method: local development
Additional context:
Any workspace relying solely on the default blocked domains list without
also configuring a custom list has zero protection against disposable
email registrations. The toggle appears to work in the UI but silently
does nothing.