
Deactivated administrators are not deactivated? #6151

Closed
michelvosje opened this issue Feb 21, 2019 · 7 comments
Labels
issue/stale type/question Issue needs no code to be fixed, only a description on how to fix it yourself.

Comments

@michelvosje

  • Gitea version (or commit ref): 3b612ce built with go1.11.5 : bindata, sqlite, sqlite_unlock_notify
  • Git version: 2.18.1
  • Operating system: Docker
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Log gist:

Description

A week ago we deactivated a user account which was marked as an administrator account. The person assigned to the user account has left the organisation. We assumed that the user would not be able to log in to Gitea again.

Today we found out he was able to create a new non-administrator account for somebody else (no worries, it's contract related). I just tried it out and I see that deactivated administrator accounts still have administrator rights. For us this is unexpected behaviour of Gitea which I wanted to report.

Screenshots: [image]

@jolheiser
Member

jolheiser commented Feb 21, 2019

One thing to note, Activated is referring to email activation when you have enabled REGISTER_EMAIL_CONFIRM in settings.
To stop someone from signing in, you would need to check Disable Sign-In when editing them.

@lunny
Member

lunny commented Feb 23, 2019

@michelvosje @jolheiser I think #6115, which I have sent and which was merged in v1.7.3, should fix this problem. An unactivated user should also be denied login unless he has clicked the activation link in the confirmation email.

@lunny lunny added the type/question Issue needs no code to be fixed, only a description on how to fix it yourself. label Feb 23, 2019
@michelvosje
Author

So am I correct that it is not possible to see from the overview of User Accounts which account is marked as enabled/disabled? I'd have to manually click all accounts one by one to see which one is and is not disabled?

From a security perspective I don't think that is correct. As an administrator I don't care who has and who has not clicked the email activation link.
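As an added example (not Gitea's own code; struct and function names are hypothetical), the two login gates this thread describes, modelled in Go: the reported behaviour, where only "Disable Sign-In" blocks authentication, beside the gate lunny describes for #6115, plus the audit an administrator would want, listing the administrator accounts that only the fixed gate denies.

```go
package main

import "fmt"

// Account holds the three flags discussed in this issue. Hypothetical
// struct for illustration, not Gitea's user model.
type Account struct {
	Name          string
	IsAdmin       bool
	IsActive      bool // activation link clicked (REGISTER_EMAIL_CONFIRM)
	ProhibitLogin bool // "Disable Sign-In" ticked by an administrator
}

// CanLoginOld models the behaviour reported here: only the explicit
// "Disable Sign-In" flag blocks authentication, so an unactivated admin still gets in.
func CanLoginOld(a Account) bool {
	return !a.ProhibitLogin
}

// CanLoginFixed models the gate described for the #6115 fix: the account
// must be activated AND must not have sign-in disabled.
func CanLoginFixed(a Account) bool {
	return a.IsActive && !a.ProhibitLogin
}

// AdminsOnlyBlockedByFix lists administrators the old gate admits but the
// fixed gate denies: the accounts an audit of an older instance should surface.
func AdminsOnlyBlockedByFix(accts []Account) []string {
	var out []string
	for _, a := range accts {
		if a.IsAdmin && CanLoginOld(a) && !CanLoginFixed(a) {
			out = append(out, a.Name)
		}
	}
	return out
}

// SampleAccounts is constructed test data, not taken from any real instance.
func SampleAccounts() []Account {
	return []Account{
		{Name: "alice", IsAdmin: true, IsActive: true},
		{Name: "bob", IsAdmin: true, IsActive: false}, // the "deactivated" admin from the report
		{Name: "carol", IsAdmin: true, IsActive: true, ProhibitLogin: true},
		{Name: "dave", IsAdmin: false, IsActive: false},
	}
}

func main() {
	for _, a := range SampleAccounts() {
		fmt.Printf("%-6s admin=%-5v old=%-5v fixed=%v\n", a.Name, a.IsAdmin, CanLoginOld(a), CanLoginFixed(a))
	}
	fmt.Println("admins admitted only by the old gate:", AdminsOnlyBlockedByFix(SampleAccounts()))
}
```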

@lafriks
Member

lafriks commented Feb 25, 2019

Most probably both options would be nice to see

@adelowo
Member

adelowo commented Mar 3, 2019

Might be a little confusing if both options are there. I think Activated can be swapped out for @michelvosje's suggestion.

@stale

stale bot commented May 2, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label May 2, 2019
@stale

stale bot commented May 16, 2019

This issue has been automatically closed because of inactivity. You can re-open it if needed.

@stale stale bot closed this as completed May 16, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020