prevent users from different organizations

app/models/decidim/action_delegator/participant.rb

@@ -25,6 +25,8 @@ class Participant < ApplicationRecord
       validates :email, uniqueness: { scope: :setting }, if: -> { email.present? }
       validates :phone, uniqueness: { scope: :setting }, if: -> { phone.present? }
 
+      validate :user_belongs_to_organization
+
       # sets the decidim user if found
       before_save :set_decidim_user
 
@@ -36,7 +38,7 @@ def user
       end
 
       def user_from_metadata
-        @user_from_metadata ||= if setting.email_required?
+        @user_from_metadata ||= if setting&.email_required?
                                   Decidim::User.find_by(email: email, organization: setting.organization)
                                 else
                                   Decidim::Authorization.find_by(unique_id: uniq_ids)&.user
@@ -96,6 +98,13 @@ def voted?
       def set_decidim_user
         self.decidim_user = user_from_metadata if decidim_user.blank?
       end
+
+      def user_belongs_to_organization
+        return unless decidim_user && setting && setting.consultation
+        return if decidim_user.organization == organization
+
+        errors.add(:decidim_user, :invalid)
+      end
     end
   end
 end

spec/models/decidim/action_delegator/participant_spec.rb

@@ -19,6 +19,12 @@ module ActionDelegator
       it { is_expected.to be_valid }
       it { is_expected.to belong_to(:setting) }
 
+      context "when user belongs to a different organization" do
+        let(:decidim_user) { create(:user) }
+
+        it { is_expected.not_to be_valid }
+      end
+
       it "belong_to a ponderation" do
         expect(subject.ponderation).to eq(ponderation)
       end