fix: ensure GetUserByEmail only considers validated emails (#9075)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9075 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2025-08-30 13:16:03 +02:00 · 2025-08-30 13:16:03 +02:00 · 48e29ff861
commit 48e29ff861
parent 1b13fda06b 7287495064
2 changed files with 24 additions and 2 deletions
--- a/models/user/user.go
+++ b/models/user/user.go
@ -1202,8 +1202,8 @@ func GetUserByEmail(ctx context.Context, email string) (*User, error) {

 	email = strings.ToLower(email)
 	// Otherwise, check in alternative list for activated email addresses
-	emailAddress := &EmailAddress{LowerEmail: email, IsActivated: true}
-	has, err := db.GetEngine(ctx).Get(emailAddress)
+	emailAddress := &EmailAddress{}
+	has, err := db.GetEngine(ctx).Where("lower_email = ? AND is_activated = ?", email, true).Get(emailAddress)
 	if err != nil {
 		return nil, err
 	}
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@ -996,3 +996,25 @@ func TestPronounsPrivacy(t *testing.T) {
 		assert.Equal(t, "any", user.GetPronouns(true))
 	})
 }
+
+func TestGetUserByEmail(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("Normal", func(t *testing.T) {
+		u, err := user_model.GetUserByEmail(t.Context(), "user2@example.com")
+		require.NoError(t, err)
+		assert.EqualValues(t, 2, u.ID)
+	})
+
+	t.Run("Not activated", func(t *testing.T) {
+		u, err := user_model.GetUserByEmail(t.Context(), "user11@example.com")
+		require.ErrorIs(t, err, user_model.ErrUserNotExist{Name: "user11@example.com"})
+		assert.Nil(t, u)
+	})
+
+	t.Run("Not primary", func(t *testing.T) {
+		u, err := user_model.GetUserByEmail(t.Context(), "user1-3@example.com")
+		require.NoError(t, err)
+		assert.EqualValues(t, 1, u.ID)
+	})
+}