From 15886ce0483a616d3aa67bc1c7f9279cec5e305c Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Sat, 1 May 2021 02:14:36 +0200
Subject: [PATCH] Fixed several activation bugs (#15473) (#15685)
* Removed unneeded form tag.
* Fixed typo.
* Fixed NPE.
* Use better error page.
* Splitted GET and POST.
Co-authored-by: KN4CK3R
---
 routers/routes/web.go | 3 ++-
 routers/user/auth.go | 39 +++++++++++++++++++++++++++----
 templates/user/auth/activate.tmpl | 20 +++++++---------
 3 files changed, 46 insertions(+), 16 deletions(-)
diff --git a/routers/routes/web.go b/routers/routes/web.go
index 0aa4d4fe4..e4ec3aa52 100644
--- a/routers/routes/web.go
+++ b/routers/routes/web.go
@@ -470,7 +470,8 @@ func RegisterRoutes(m *web.Route) {
 m.Group("/user", func() {
 // r.Get("/feeds", binding.Bind(auth.FeedsForm{}), user.Feeds)
- m.Any("/activate", user.Activate, reqSignIn)
+ m.Get("/activate", user.Activate, reqSignIn)
+ m.Post("/activate", user.ActivatePost, reqSignIn)
 m.Any("/activate_email", user.ActivateEmail)
 m.Get("/avatar/{username}/{size}", user.Avatar)
 m.Get("/email2user", user.Email2User)
diff --git a/routers/user/auth.go b/routers/user/auth.go
index 37181c68e..f7e60d5f3 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -1233,12 +1233,11 @@ func SignUpPost(ctx *context.Context) {
 // Activate render activate user page
 func Activate(ctx *context.Context) {
 code := ctx.Query("code")
- password := ctx.Query("password")
 if len(code) == 0 {
 ctx.Data["IsActivatePage"] = true
- if ctx.User.IsActive {
- ctx.Error(404)
+ if ctx.User == nil || ctx.User.IsActive {
+ ctx.NotFound("invalid user", nil)
 return
 }
 // Resend confirmation email.
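Review bot: Both new routes keep `reqSignIn` after the handler in the argument list (`m.Get("/activate", user.Activate, reqSignIn)`), so this hunk does not show whether the sign-in check runs before `user.Activate` and `user.ActivatePost`, or at all. The `ctx.User == nil` guard this same commit adds in `Activate` suggests that requests without a session do reach the handler. If activation links are meant to work without a session, dropping `reqSignIn` from both lines would make that explicit; if a session is required, the check belongs where the router evaluates it first. Either way a comment such as `// activation links may arrive without a session; handlers must tolerate ctx.User == nil` would document the contract.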
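Review bot: The doc comment `// Activate render activate user page` no longer matches the function: the next hunk shows that a valid code activates accounts with a non-zero `LoginSource` directly on GET and renders the password form only for local accounts. I would reword it to `// Activate renders the activation page; a valid code activates non-local accounts directly, local accounts are asked for their password.` Since that path is a state change on a GET that carries the code in the URL, it is worth confirming that mail scanners or prefetchers following the link are an accepted trigger. The body of Activate continues beyond this hunk.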
@@ -1270,6 +1269,34 @@ func Activate(ctx *context.Context) {
 // if account is local account, verify password
 if user.LoginSource == 0 {
+ ctx.Data["Code"] = code
+ ctx.Data["NeedsPassword"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+
+ handleAccountActivation(ctx, user)
+}
+
+// ActivatePost handles account activation with password check
+func ActivatePost(ctx *context.Context) {
+ code := ctx.Query("code")
+ if len(code) == 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/activate")
+ return
+ }
+
+ user := models.VerifyUserActiveCode(code)
+ // if code is wrong
+ if user == nil {
+ ctx.Data["IsActivateFailed"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+
+ // if account is local account, verify password
+ if user.LoginSource == 0 {
+ password := ctx.Query("password")
 if len(password) == 0 {
 ctx.Data["Code"] = code
 ctx.Data["NeedsPassword"] = true
@@ -1283,6 +1310,10 @@ func Activate(ctx *context.Context) {
 }
 }
+ handleAccountActivation(ctx, user)
+}
+
+func handleAccountActivation(ctx *context.Context, user *models.User) {
 user.IsActive = true
 var err error
 if user.Rands, err = models.GetUserSalt(); err != nil {
@@ -1291,7 +1322,7 @@ func Activate(ctx *context.Context) {
 }
 if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil {
 if models.IsErrUserNotExist(err) {
- ctx.Error(404)
+ ctx.NotFound("UpdateUserCols", err)
 } else {
 ctx.ServerError("UpdateUser", err)
 }
diff --git a/templates/user/auth/activate.tmpl b/templates/user/auth/activate.tmpl
index cc6f52b57..8d75c1d92 100644
--- a/templates/user/auth/activate.tmpl
+++ b/templates/user/auth/activate.tmpl
@@ -19,17 +19,15 @@
 {{end}}
 {{else}}
 {{if .NeedsPassword}}
-
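Review bot: In `ActivatePost` the password is still fetched with `ctx.Query("password")`, the same accessor used for the `code` URL parameter. If that accessor also reads the URL query string (its implementation is not visible here), a POST that carries the password in the URL is accepted and the value can end up in access and proxy logs, which the GET/POST split was presumably meant to prevent. Reading the field from the request body only would close that, for example `password := ctx.Req.PostFormValue("password")` if the context exposes the underlying `*http.Request`. The password comparison itself lies between this hunk and the next and is not shown. A wrong code is answered with `http.StatusOK`, so failed attempts are distinguishable only by the rendered page, not by status code.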
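Review bot: `handleAccountActivation` is added without a doc comment, although it is the step that sets `user.IsActive`, replaces `user.Rands` and performs no verification of its own. A comment stating the precondition would help the next caller: `// handleAccountActivation marks user as active, replaces user.Rands and stores both columns. Callers must already have verified the activation code and, for local accounts, the password.` The function body continues beyond this hunk and into the next one.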
-
- - -
-
- - -
- -
+
+ + +
+
+ + +
+ {{else if .IsSendRegisterMail}}

{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.Email|Escape) .ActiveCodeLives | Str2html}}

{{else if .IsActivateFailed}}