summaryrefslogtreecommitdiffstats
path: root/routers
diff options
context:
space:
mode:
author6543 <6543@obermui.de>2020-11-28 23:41:06 +0100
committerGitHub <noreply@github.com>2020-11-28 17:41:06 -0500
commit0f14f69e6070c9aca09f57c419e7d6007d0e520b (patch)
tree4bf05d1a4e98d6aabc1b36da644628954d0805da /routers
parente82150d41b74304dc332fbd0c077ec99c72a5c76 (diff)
downloadgitea-0f14f69e6070c9aca09f57c419e7d6007d0e520b.tar.gz
gitea-0f14f69e6070c9aca09f57c419e7d6007d0e520b.zip
Verify password for local-account activation (#13631)
* Verify passwords for activation This is to prevent 3rd party activation * Fix function comment * only veify password on local-account aktivation * fix lint * Update templates/user/auth/activate.tmpl Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Andreas Shimokawa <shimokawa@fsfe.org> Co-authored-by: Lauris BH <lauris@nix.lv> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'routers')
-rw-r--r--routers/user/auth.go72
1 files changed, 45 insertions, 27 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go
index ba6420967f..d347962ca7 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
// Activate render activate user page
func Activate(ctx *context.Context) {
code := ctx.Query("code")
+ password := ctx.Query("password")
+
if len(code) == 0 {
ctx.Data["IsActivatePage"] = true
if ctx.User.IsActive {
@@ -1228,42 +1230,58 @@ func Activate(ctx *context.Context) {
return
}
- // Verify code.
- if user := models.VerifyUserActiveCode(code); user != nil {
- user.IsActive = true
- var err error
- if user.Rands, err = models.GetUserSalt(); err != nil {
- ctx.ServerError("UpdateUser", err)
+ user := models.VerifyUserActiveCode(code)
+ // if code is wrong
+ if user == nil {
+ ctx.Data["IsActivateFailed"] = true
+ ctx.HTML(200, TplActivate)
+ return
+ }
+
+ // if account is local account, verify password
+ if user.LoginSource == 0 {
+ if len(password) == 0 {
+ ctx.Data["Code"] = code
+ ctx.Data["NeedsPassword"] = true
+ ctx.HTML(200, TplActivate)
return
}
- if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil {
- if models.IsErrUserNotExist(err) {
- ctx.Error(404)
- } else {
- ctx.ServerError("UpdateUser", err)
- }
+ if !user.ValidatePassword(password) {
+ ctx.Data["IsActivateFailed"] = true
+ ctx.HTML(200, TplActivate)
return
}
+ }
- log.Trace("User activated: %s", user.Name)
-
- if err := ctx.Session.Set("uid", user.ID); err != nil {
- log.Error(fmt.Sprintf("Error setting uid in session: %v", err))
- }
- if err := ctx.Session.Set("uname", user.Name); err != nil {
- log.Error(fmt.Sprintf("Error setting uname in session: %v", err))
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
+ user.IsActive = true
+ var err error
+ if user.Rands, err = models.GetUserSalt(); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+ if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil {
+ if models.IsErrUserNotExist(err) {
+ ctx.Error(404)
+ } else {
+ ctx.ServerError("UpdateUser", err)
}
-
- ctx.Flash.Success(ctx.Tr("auth.account_activated"))
- ctx.Redirect(setting.AppSubURL + "/")
return
}
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(200, TplActivate)
+ log.Trace("User activated: %s", user.Name)
+
+ if err := ctx.Session.Set("uid", user.ID); err != nil {
+ log.Error(fmt.Sprintf("Error setting uid in session: %v", err))
+ }
+ if err := ctx.Session.Set("uname", user.Name); err != nil {
+ log.Error(fmt.Sprintf("Error setting uname in session: %v", err))
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Error storing session: %v", err)
+ }
+
+ ctx.Flash.Success(ctx.Tr("auth.account_activated"))
+ ctx.Redirect(setting.AppSubURL + "/")
}
// ActivateEmail render the activate email page