From 321015195538b292ec1738669a743c260914ccb1 Mon Sep 17 00:00:00 2001
From: forgejo-backport-action
Date: Sat, 30 Aug 2025 18:43:22 +0200
Subject: [PATCH] [v12.0/forgejo] fix: ensure GetUserByEmail only considers validated emails (#9085)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9075

Only validated emails can be used to:
- assert if a signature can be trusted or,
- to assign comments, issues to an existing user during a migration

The emails that were not yet validated could previously used as if they were validated, incorrectly showing commits as trusted or assigning comments, issues to the user associated with this email during migrations.

Existing migrations are not modified when they were incorrectly assigned to an email that is not validated.

The trust status of all commit signatures will now show differently depending on the validation status of an email.

## Release notes
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9075): ensure GetUserByEmail only considers validated emails

Co-authored-by: Gusted
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9085
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action
Co-committed-by: forgejo-backport-action
---
 models/user/user.go      |  4 ++--
 models/user/user_test.go | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/models/user/user.go b/models/user/user.go
index 6b54776adf..bfd7e6063f 100644
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -1163,8 +1163,8 @@ func GetUserByEmail(ctx context.Context, email string) (*User, error) {
 	email = strings.ToLower(email)
 
 	// Otherwise, check in alternative list for activated email addresses
-	emailAddress := &EmailAddress{LowerEmail: email, IsActivated: true}
-	has, err := db.GetEngine(ctx).Get(emailAddress)
+	emailAddress := &EmailAddress{}
+	has, err := db.GetEngine(ctx).Where("lower_email = ? AND is_activated = ?", email, true).Get(emailAddress)
 	if err != nil {
 		return nil, err
 	}
diff --git a/models/user/user_test.go b/models/user/user_test.go
index fd9d05653f..288a45105b 100644
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@@ -835,3 +835,25 @@ func TestPronounsPrivacy(t *testing.T) {
 		assert.Equal(t, "any", user.GetPronouns(true))
 	})
 }
+
+func TestGetUserByEmail(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("Normal", func(t *testing.T) {
+		u, err := user_model.GetUserByEmail(t.Context(), "user2@example.com")
+		require.NoError(t, err)
+		assert.EqualValues(t, 2, u.ID)
+	})
+
+	t.Run("Not activated", func(t *testing.T) {
+		u, err := user_model.GetUserByEmail(t.Context(), "user11@example.com")
+		require.ErrorIs(t, err, user_model.ErrUserNotExist{Name: "user11@example.com"})
+		assert.Nil(t, u)
+	})
+
+	t.Run("Not primary", func(t *testing.T) {
+		u, err := user_model.GetUserByEmail(t.Context(), "user1-3@example.com")
+		require.NoError(t, err)
+		assert.EqualValues(t, 1, u.ID)
+	})
+}
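Review bot: The new `Where("lower_email = ? AND is_activated = ?", email, true)` line does not record why the struct-condition form it replaces was unsafe, so a later tidy-up could fold the filter back into the `&EmailAddress{...}` literal and silently reintroduce the trust bypass this commit fixes. As far as I can tell, xorm omits bool fields when deriving conditions from a struct unless UseBool is requested, which matches the commit message's account of unactivated addresses being matched; a comment directly above the Where such as `// Explicit Where on purpose: xorm does not turn bool struct fields (IsActivated) into conditions, so the struct-literal form matched unactivated addresses.` would pin that down for the next maintainer. GetUserByEmail begins and ends outside the hunk, so the primary-email lookup that the "Otherwise" comment refers to cannot be checked here for the same activation requirement; the new "Not activated" subtest suggests it is covered, but that is worth confirming rather than assuming.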
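Review bot: TestGetUserByEmail never exercises the case-folding that GetUserByEmail performs with strings.ToLower before the lookup, so a regression there (for example an address stored or queried with mixed case) would pass these three subtests unnoticed. The "Not activated" subtest also depends on fixture data outside this diff: it only covers the fixed query if user11@example.com is present as an unactivated row in the email_address table rather than being rejected earlier by the primary-email path, so a one-line comment naming that dependency, e.g. `// user11@example.com must be an unactivated email_address fixture row (regression test for #9075)`, would keep the test meaningful if the fixtures change. A fourth subtest along the lines below would cover the case-folding path.
```go
	// … unchanged: Normal / Not activated / Not primary subtests …

	t.Run("Mixed case", func(t *testing.T) {
		u, err := user_model.GetUserByEmail(t.Context(), "USER2@Example.com")
		require.NoError(t, err)
		assert.EqualValues(t, 2, u.ID)
	})
```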