No description
Find a file
Gergely Nagy 3a80534d4d
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.

They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.

To remedy this issue, lets allow changing the email address for logged
in, but not activated users.

This fixes gitea#17785.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4)
(cherry picked from commit 639dafabec)
(cherry picked from commit d699c12ceb)

[GITEA] Allow changing the email address before activation (squash) cache is always active

This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.

See e7cb8da2a8 * Always enable caches (#28527)

(cherry picked from commit 43ded8ee30)

Rate limit pre-activation email change separately

Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.

With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.

The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.

The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.

Fixes #2040.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e5)
(cherry picked from commit 03989418a7)
(cherry picked from commit f50e0dfe5e)
(cherry picked from commit cad9184a36)
(cherry picked from commit e2da5d7fe1)
2024-01-28 10:54:59 +01:00
.devcontainer
.forgejo
.gitea [WORKFLOW] issues & pr templates (squash) fix link to CONTRIBUTING.md 2024-01-28 08:54:31 +01:00
assets [GITEA] Use maintained gziphandler 2024-01-28 10:53:42 +01:00
build [I18n] tooling and process 2024-01-28 08:54:31 +01:00
cmd
contrib [GITEA] fix VSCode settings 2024-01-28 10:54:59 +01:00
custom/conf [GITEA] notifies admins on new user registration 2024-01-28 10:47:53 +01:00
docker
docs [GITEA] notifies admins on new user registration 2024-01-28 10:47:53 +01:00
models [GITEA] Allow changing the email address before activation 2024-01-28 10:54:59 +01:00
modules [GITEA] test markdown CleanValue to prevent regression 2024-01-28 10:54:59 +01:00
options [I18N] add [common] as first line 2024-01-28 08:54:31 +01:00
public [API] Forgejo API /api/forgejo/v1 2024-01-28 08:13:13 +01:00
releases/images [DOCS] RELEASE-NOTES.md 2024-01-28 08:13:13 +01:00
routers [GITEA] Allow changing the email address before activation 2024-01-28 10:54:59 +01:00
services [GITEA] new doctor check: fix-push-mirrors-without-git-remote (#1853) 2024-01-28 10:54:59 +01:00
snap
templates [GITEA] Allow changing the email address before activation 2024-01-28 10:54:59 +01:00
tests [GITEA] Allow changing the email address before activation 2024-01-28 10:54:59 +01:00
web_src [GITEA] Use vertical tabs on issue filters 2024-01-28 09:22:15 +01:00
.air.toml
.changelog.yml
.deadcode-out [GITEA] Enable mocked HTTP responses for GitLab migration test 2024-01-28 10:54:58 +01:00
.dockerignore
.editorconfig
.eslintrc.yaml
.gitattributes [META] Use correct language for .tmpl 2024-01-28 08:13:13 +01:00
.gitignore [DEVELOPMENT] added /local/ to .gitignore 2024-01-28 08:19:26 +01:00
.gitpod.yml
.golangci.yml
.ignore
.markdownlint.yaml
.npmrc
.spectral.yaml
.stylelintrc.yaml
.yamllint.yaml
BSDmakefile
build.go
CHANGELOG.md
CODEOWNERS [META] Add CODEOWNERS files 2024-01-28 08:19:26 +01:00
CONTRIBUTING.md
DCO
Dockerfile
Dockerfile.rootless
go.mod [GITEA] Use existing error functionality 2024-01-28 10:54:48 +01:00
go.sum [GITEA] Use maintained gziphandler 2024-01-28 10:53:42 +01:00
LICENSE [DOCS] LICENSE: add Forgejo Authors 2024-01-28 08:13:13 +01:00
main.go [SEMVER] store SemVer in ForgejoSemVer after a database upgrade 2024-01-28 08:19:25 +01:00
MAINTAINERS
Makefile [SEMVER] 7.0.0+0-gitea-1.22.0 2024-01-28 08:54:31 +01:00
package-lock.json
package.json
playwright.config.js
poetry.lock
poetry.toml
pyproject.toml
README.md
RELEASE-NOTES.md [DOCS] RELEASE-NOTES.md (squash) v1.21.4-0 security 2024-01-28 08:54:31 +01:00
vitest.config.js
webpack.config.js [API] Forgejo API /api/forgejo/v1 2024-01-28 08:13:13 +01:00

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.