From 0f14f69e6070c9aca09f57c419e7d6007d0e520b Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Sat, 28 Nov 2020 23:41:06 +0100 Subject: [PATCH] Verify password for local-account activation (#13631) * Verify passwords for activation This is to prevent 3rd party activation * Fix function comment * only veify password on local-account aktivation * fix lint * Update templates/user/auth/activate.tmpl Co-authored-by: silverwind Co-authored-by: Andreas Shimokawa Co-authored-by: Lauris BH Co-authored-by: silverwind Co-authored-by: zeripath Co-authored-by: techknowlogick --- routers/user/auth.go | 84 +++++++++++++++++++------------ templates/user/auth/activate.tmpl | 14 +++++- 2 files changed, 64 insertions(+), 34 deletions(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index ba6420967f..d347962ca7 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo // Activate render activate user page func Activate(ctx *context.Context) { code := ctx.Query("code") + password := ctx.Query("password") + if len(code) == 0 { ctx.Data["IsActivatePage"] = true if ctx.User.IsActive { @@ -1228,42 +1230,58 @@ func Activate(ctx *context.Context) { return } - // Verify code. - if user := models.VerifyUserActiveCode(code); user != nil { - user.IsActive = true - var err error - if user.Rands, err = models.GetUserSalt(); err != nil { - ctx.ServerError("UpdateUser", err) - return - } - if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { - if models.IsErrUserNotExist(err) { - ctx.Error(404) - } else { - ctx.ServerError("UpdateUser", err) - } - return - } - - log.Trace("User activated: %s", user.Name) - - if err := ctx.Session.Set("uid", user.ID); err != nil { - log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) - } - if err := ctx.Session.Set("uname", user.Name); err != nil { - log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) - } - if err := ctx.Session.Release(); err != nil { - log.Error("Error storing session: %v", err) - } - - ctx.Flash.Success(ctx.Tr("auth.account_activated")) - ctx.Redirect(setting.AppSubURL + "/") + user := models.VerifyUserActiveCode(code) + // if code is wrong + if user == nil { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) return } - ctx.Data["IsActivateFailed"] = true - ctx.HTML(200, TplActivate) + // if account is local account, verify password + if user.LoginSource == 0 { + if len(password) == 0 { + ctx.Data["Code"] = code + ctx.Data["NeedsPassword"] = true + ctx.HTML(200, TplActivate) + return + } + if !user.ValidatePassword(password) { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) + return + } + } + + user.IsActive = true + var err error + if user.Rands, err = models.GetUserSalt(); err != nil { + ctx.ServerError("UpdateUser", err) + return + } + if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { + if models.IsErrUserNotExist(err) { + ctx.Error(404) + } else { + ctx.ServerError("UpdateUser", err) + } + return + } + + log.Trace("User activated: %s", user.Name) + + if err := ctx.Session.Set("uid", user.ID); err != nil { + log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) + } + if err := ctx.Session.Set("uname", user.Name); err != nil { + log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) + } + if err := ctx.Session.Release(); err != nil { + log.Error("Error storing session: %v", err) + } + + ctx.Flash.Success(ctx.Tr("auth.account_activated")) + ctx.Redirect(setting.AppSubURL + "/") } // ActivateEmail render the activate email page diff --git a/templates/user/auth/activate.tmpl b/templates/user/auth/activate.tmpl index c24362bb8c..c3f136add4 100644 --- a/templates/user/auth/activate.tmpl +++ b/templates/user/auth/activate.tmpl @@ -18,7 +18,19 @@

{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.SignedUser.Email|Escape) .ActiveCodeLives | Str2html}}

{{end}} {{else}} - {{if .IsSendRegisterMail}} + {{if .NeedsPassword}} +
+
+ + +
+
+ + +
+ +
+ {{else if .IsSendRegisterMail}}

{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.Email|Escape) .ActiveCodeLives | Str2html}}

{{else if .IsActivateFailed}}

{{.i18n.Tr "auth.invalid_code"}}