diff options
author | 6543 <6543@obermui.de> | 2020-11-28 23:41:06 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-28 17:41:06 -0500 |
commit | 0f14f69e6070c9aca09f57c419e7d6007d0e520b (patch) | |
tree | 4bf05d1a4e98d6aabc1b36da644628954d0805da /routers | |
parent | e82150d41b74304dc332fbd0c077ec99c72a5c76 (diff) | |
download | gitea-0f14f69e6070c9aca09f57c419e7d6007d0e520b.tar.gz gitea-0f14f69e6070c9aca09f57c419e7d6007d0e520b.zip |
Verify password for local-account activation (#13631)
* Verify passwords for activation
This is to prevent 3rd party activation
* Fix function comment
* only veify password on local-account aktivation
* fix lint
* Update templates/user/auth/activate.tmpl
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Andreas Shimokawa <shimokawa@fsfe.org>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'routers')
-rw-r--r-- | routers/user/auth.go | 72 |
1 files changed, 45 insertions, 27 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go index ba6420967f..d347962ca7 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo // Activate render activate user page func Activate(ctx *context.Context) { code := ctx.Query("code") + password := ctx.Query("password") + if len(code) == 0 { ctx.Data["IsActivatePage"] = true if ctx.User.IsActive { @@ -1228,42 +1230,58 @@ func Activate(ctx *context.Context) { return } - // Verify code. - if user := models.VerifyUserActiveCode(code); user != nil { - user.IsActive = true - var err error - if user.Rands, err = models.GetUserSalt(); err != nil { - ctx.ServerError("UpdateUser", err) + user := models.VerifyUserActiveCode(code) + // if code is wrong + if user == nil { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) + return + } + + // if account is local account, verify password + if user.LoginSource == 0 { + if len(password) == 0 { + ctx.Data["Code"] = code + ctx.Data["NeedsPassword"] = true + ctx.HTML(200, TplActivate) return } - if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { - if models.IsErrUserNotExist(err) { - ctx.Error(404) - } else { - ctx.ServerError("UpdateUser", err) - } + if !user.ValidatePassword(password) { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) return } + } - log.Trace("User activated: %s", user.Name) - - if err := ctx.Session.Set("uid", user.ID); err != nil { - log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) - } - if err := ctx.Session.Set("uname", user.Name); err != nil { - log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) - } - if err := ctx.Session.Release(); err != nil { - log.Error("Error storing session: %v", err) + user.IsActive = true + var err error + if user.Rands, err = models.GetUserSalt(); err != nil { + ctx.ServerError("UpdateUser", err) + return + } + if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { + if models.IsErrUserNotExist(err) { + ctx.Error(404) + } else { + ctx.ServerError("UpdateUser", err) } - - ctx.Flash.Success(ctx.Tr("auth.account_activated")) - ctx.Redirect(setting.AppSubURL + "/") return } - ctx.Data["IsActivateFailed"] = true - ctx.HTML(200, TplActivate) + log.Trace("User activated: %s", user.Name) + + if err := ctx.Session.Set("uid", user.ID); err != nil { + log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) + } + if err := ctx.Session.Set("uname", user.Name); err != nil { + log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) + } + if err := ctx.Session.Release(); err != nil { + log.Error("Error storing session: %v", err) + } + + ctx.Flash.Success(ctx.Tr("auth.account_activated")) + ctx.Redirect(setting.AppSubURL + "/") } // ActivateEmail render the activate email page |