	Verify password for local-account activation (#13631)
* Verify passwords for activation This is to prevent 3rd party activation * Fix function comment * only verify password on local-account activation * fix lint * Update templates/user/auth/activate.tmpl Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Andreas Shimokawa <shimokawa@fsfe.org> Co-authored-by: Lauris BH <lauris@nix.lv> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
		
							parent
							
								
									e82150d41b
								
							
						
					
					
						commit
						0f14f69e60
					
				| @ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo | |||||||
| // Activate render activate user page | // Activate render activate user page | ||||||
| func Activate(ctx *context.Context) { | func Activate(ctx *context.Context) { | ||||||
| 	code := ctx.Query("code") | 	code := ctx.Query("code") | ||||||
|  | 	password := ctx.Query("password") | ||||||
|  | 
 | ||||||
| 	if len(code) == 0 { | 	if len(code) == 0 { | ||||||
| 		ctx.Data["IsActivatePage"] = true | 		ctx.Data["IsActivatePage"] = true | ||||||
| 		if ctx.User.IsActive { | 		if ctx.User.IsActive { | ||||||
| @ -1228,8 +1230,29 @@ func Activate(ctx *context.Context) { | |||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	// Verify code. | 	user := models.VerifyUserActiveCode(code) | ||||||
| 	if user := models.VerifyUserActiveCode(code); user != nil { | 	// if code is wrong | ||||||
|  | 	if user == nil { | ||||||
|  | 		ctx.Data["IsActivateFailed"] = true | ||||||
|  | 		ctx.HTML(200, TplActivate) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// if account is local account, verify password | ||||||
|  | 	if user.LoginSource == 0 { | ||||||
|  | 		if len(password) == 0 { | ||||||
|  | 			ctx.Data["Code"] = code | ||||||
|  | 			ctx.Data["NeedsPassword"] = true | ||||||
|  | 			ctx.HTML(200, TplActivate) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  | 		if !user.ValidatePassword(password) { | ||||||
|  | 			ctx.Data["IsActivateFailed"] = true | ||||||
|  | 			ctx.HTML(200, TplActivate) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	user.IsActive = true | 	user.IsActive = true | ||||||
| 	var err error | 	var err error | ||||||
| 	if user.Rands, err = models.GetUserSalt(); err != nil { | 	if user.Rands, err = models.GetUserSalt(); err != nil { | ||||||
| @ -1259,11 +1282,6 @@ func Activate(ctx *context.Context) { | |||||||
| 
 | 
 | ||||||
| 	ctx.Flash.Success(ctx.Tr("auth.account_activated")) | 	ctx.Flash.Success(ctx.Tr("auth.account_activated")) | ||||||
| 	ctx.Redirect(setting.AppSubURL + "/") | 	ctx.Redirect(setting.AppSubURL + "/") | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	ctx.Data["IsActivateFailed"] = true |  | ||||||
| 	ctx.HTML(200, TplActivate) |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| // ActivateEmail render the activate email page | // ActivateEmail render the activate email page | ||||||
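Review bot: The password is read with `ctx.Query("password")`, the same accessor that reads `code` from the mailed GET link, so if that accessor merges URL parameters with the form body (as its use for `code` suggests) a user who hits `/user/activate?code=…&password=…` puts their password into browser history, referrer headers and server or proxy access logs. Reading it from the POST body only, e.g. `password := ctx.Req.PostFormValue("password")` if the wrapped request exposes it, keeps the secret out of URLs and confines this branch to the form the commit adds. Nothing in the hunk bounds the number of attempts, so anyone holding an activation link can now guess the account password against this endpoint; consider sending failures through whatever throttling or lockout the sign-in path applies, if one exists. The failure branch at least renders the same `IsActivateFailed` page for a wrong password as for a wrong code, which avoids confirming that the code itself was valid. Activate's body spans three hunks, so the stretches between them are not visible here.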
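--- a/templates/user/auth/activate.tmpl
+++ b/templates/user/auth/activate.tmpl
@@ -18,7 +18,19 @@
 							<p>{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.SignedUser.Email|Escape) .ActiveCodeLives | Str2html}}</p>
 						{{end}}
 					{{else}}
-						{{if .IsSendRegisterMail}}
+						{{if .NeedsPassword}}
+							<form class="ui form" action="/user/activate" method="post">
+								<div class="required inline field">
+									<label for="password">{{.i18n.Tr "password"}}</label>
+									<input id="password" name="password" type="password" autocomplete="off" required>
+								</div>
+								<div class="inline field">
+									<label></label>
+									<button class="ui green button">{{.i18n.Tr "install.confirm_password"}}</button>
+								</div>
+								<input id="code" name="code" type="hidden" value="{{.Code}}">
+							</form>
+						{{else if .IsSendRegisterMail}}
 							<p>{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.Email|Escape) .ActiveCodeLives | Str2html}}</p>
 						{{else if .IsActivateFailed}}
 							<p>{{.i18n.Tr "auth.invalid_code"}}</p>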
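Review bot: The new form posts to the literal path `action="/user/activate"`, while the Go side of this commit builds its redirect from `setting.AppSubURL`, so on an instance served under a sub-path the password form would post to a route that does not exist; the action should be built from the same sub-URL, e.g. `action="{{AppSubUrl}}/user/activate"` if that helper is available to this template. The form also carries no hidden `_csrf` input; if the new POST route is CSRF-validated like other form posts the submission will be rejected, and if it is exempt that should be a deliberate choice recorded next to the route. I cannot see the route registration from here, so that part is inferred. Echoing `{{.Code}}` into the hidden field is covered by template escaping and looks fine.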