fix(ProvisioningApi): only return verified additional mails per user

It would not per se be bad to return all of them, however the meta data
about the verified state is missing. Since the information may go out to
connected clients, those may have wrong trust the returned email
addresses.

Email verification still works with this change.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

Author: blizzz

apps/provisioning_api/lib/Controller/AUserData.php

@@ -173,6 +173,9 @@ protected function getUserData(string $userId, bool $includeScopes = false): ?ar
 			$additionalEmails = $additionalEmailScopes = [];
 			$emailCollection = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL);
 			foreach ($emailCollection->getProperties() as $property) {
+				if ($property->getLocallyVerified() !== IAccountManager::VERIFIED) {
+					continue;
+				}
 				$additionalEmails[] = $property->getValue();
 				if ($includeScopes) {
 					$additionalEmailScopes[] = $property->getScope();