From 0f14f69e6070c9aca09f57c419e7d6007d0e520b Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Sat, 28 Nov 2020 23:41:06 +0100 Subject: Verify password for local-account activation (#13631) * Verify passwords for activation This is to prevent 3rd party activation * Fix function comment * only veify password on local-account aktivation * fix lint * Update templates/user/auth/activate.tmpl Co-authored-by: silverwind Co-authored-by: Andreas Shimokawa Co-authored-by: Lauris BH Co-authored-by: silverwind Co-authored-by: zeripath Co-authored-by: techknowlogick --- routers/user/auth.go | 72 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 45 insertions(+), 27 deletions(-) (limited to 'routers/user') diff --git a/routers/user/auth.go b/routers/user/auth.go index ba6420967f..d347962ca7 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo // Activate render activate user page func Activate(ctx *context.Context) { code := ctx.Query("code") + password := ctx.Query("password") + if len(code) == 0 { ctx.Data["IsActivatePage"] = true if ctx.User.IsActive { @@ -1228,42 +1230,58 @@ func Activate(ctx *context.Context) { return } - // Verify code. - if user := models.VerifyUserActiveCode(code); user != nil { - user.IsActive = true - var err error - if user.Rands, err = models.GetUserSalt(); err != nil { - ctx.ServerError("UpdateUser", err) + user := models.VerifyUserActiveCode(code) + // if code is wrong + if user == nil { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) + return + } + + // if account is local account, verify password + if user.LoginSource == 0 { + if len(password) == 0 { + ctx.Data["Code"] = code + ctx.Data["NeedsPassword"] = true + ctx.HTML(200, TplActivate) return } - if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { - if models.IsErrUserNotExist(err) { - ctx.Error(404) - } else { - ctx.ServerError("UpdateUser", err) - } + if !user.ValidatePassword(password) { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) return } + } - log.Trace("User activated: %s", user.Name) - - if err := ctx.Session.Set("uid", user.ID); err != nil { - log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) - } - if err := ctx.Session.Set("uname", user.Name); err != nil { - log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) - } - if err := ctx.Session.Release(); err != nil { - log.Error("Error storing session: %v", err) + user.IsActive = true + var err error + if user.Rands, err = models.GetUserSalt(); err != nil { + ctx.ServerError("UpdateUser", err) + return + } + if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { + if models.IsErrUserNotExist(err) { + ctx.Error(404) + } else { + ctx.ServerError("UpdateUser", err) } - - ctx.Flash.Success(ctx.Tr("auth.account_activated")) - ctx.Redirect(setting.AppSubURL + "/") return } - ctx.Data["IsActivateFailed"] = true - ctx.HTML(200, TplActivate) + log.Trace("User activated: %s", user.Name) + + if err := ctx.Session.Set("uid", user.ID); err != nil { + log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) + } + if err := ctx.Session.Set("uname", user.Name); err != nil { + log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) + } + if err := ctx.Session.Release(); err != nil { + log.Error("Error storing session: %v", err) + } + + ctx.Flash.Success(ctx.Tr("auth.account_activated")) + ctx.Redirect(setting.AppSubURL + "/") } // ActivateEmail render the activate email page -- cgit v1.2.3