From ad39c50f380c5de75a9fc84f86f54acf71bc3468 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 12 Nov 2020 09:53:37 +0800 Subject: [PATCH 1/4] prevent git operations for inactive users --- routers/private/serv.go | 6 ++++++ routers/repo/http.go | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/routers/private/serv.go b/routers/private/serv.go index 79683c2826de..cb386ba9ec7d 100644 --- a/routers/private/serv.go +++ b/routers/private/serv.go @@ -61,6 +61,12 @@ func ServNoCommand(ctx *macaron.Context) { }) return } + if !user.IsActive { + ctx.JSON(http.StatusForbidden, map[string]interface{}{ + "err": fmt.Sprintf("Your account is unactived."), + }) + return + } results.Owner = user } ctx.JSON(http.StatusOK, &results) diff --git a/routers/repo/http.go b/routers/repo/http.go index c7523c7932a6..5b6038b98be8 100644 --- a/routers/repo/http.go +++ b/routers/repo/http.go @@ -244,6 +244,11 @@ func HTTP(ctx *context.Context) { } } + if !authUser.IsActive { + ctx.HandleText(http.StatusForbidden, "Your account is unactived.") + return + } + if repoExist { perm, err := models.GetUserRepoPermission(repo, authUser) if err != nil { From 461ef8b5afffcbf6d3994301982990370e08c7e7 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 12 Nov 2020 15:33:54 +0800 Subject: [PATCH 2/4] Some fixes --- routers/private/serv.go | 2 +- routers/repo/http.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/routers/private/serv.go b/routers/private/serv.go index cb386ba9ec7d..425c552096ff 100644 --- a/routers/private/serv.go +++ b/routers/private/serv.go @@ -63,7 +63,7 @@ func ServNoCommand(ctx *macaron.Context) { } if !user.IsActive { ctx.JSON(http.StatusForbidden, map[string]interface{}{ - "err": fmt.Sprintf("Your account is unactived."), + "err": "Your account is disabled.", }) return } diff --git a/routers/repo/http.go b/routers/repo/http.go index 5b6038b98be8..b14ce106292a 100644 --- a/routers/repo/http.go +++ b/routers/repo/http.go 
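Review bot: The 403 body added in ServNoCommand carries only an `err` key, whereas the error responses ServCommand emits in this same file (the owner lookup added in patch 3, for instance) also set `results` and `type`, so a serv client that classifies failures by `type` cannot tell this refusal apart from anything else; add `"type": "ForbiddenError",` next to `err`. The later patches in the series reword the message and extend the condition but keep the single-key body. A why-comment would also help a reader who knows the web sign-in already rejects inactive accounts, e.g. `// SSH access authenticates by key, not by sign-in, so the inactive-account check has to be repeated here (assumption: confirm the sign-in path does not cover this)`. ServNoCommand begins above the hunk.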
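Review bot: The `authUser.IsActive` refusal answers with a distinct 403 only after the credential handling above it (outside the hunk) has accepted the request, so a caller holding a disabled account's password learns that the password is still valid, while a wrong password presumably gets the usual authentication failure. If that distinction is not intended, fail with the same response the credential check uses; if it is intended, a one-line comment such as `// deliberately distinct from an auth failure: the credentials were valid, the account is not` would stop a later reader from "fixing" it. Note also that this check only executes on the authenticated path, so anonymous reads are unaffected — presumably by design, but worth stating in the same comment. The enclosing `HTTP` handler starts and ends outside the hunk.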
@@ -245,7 +245,7 @@ func HTTP(ctx *context.Context) { } if !authUser.IsActive { - ctx.HandleText(http.StatusForbidden, "Your account is unactived.") + ctx.HandleText(http.StatusForbidden, "Your account is disabled.") return } From ed512bf4193b828dd257b88b027afd4c36a7a32c Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 12 Nov 2020 16:30:38 +0800 Subject: [PATCH 3/4] Deny push to the repositories which's owner is inactive --- routers/private/serv.go | 39 +++++++++++++++++++++++++++++---------- routers/repo/http.go | 4 ++++ 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/routers/private/serv.go b/routers/private/serv.go index 425c552096ff..1bab55d14a35 100644 --- a/routers/private/serv.go +++ b/routers/private/serv.go @@ -104,9 +104,28 @@ func ServCommand(ctx *macaron.Context) { results.RepoName = repoName[:len(repoName)-5] } + owner, err := models.GetUserByName(results.OwnerName) + if err != nil { + log.Error("Unable to get repository owner: %s/%s Error: %v", results.OwnerName, results.RepoName, err) + ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ + "results": results, + "type": "InternalServerError", + "err": fmt.Sprintf("Unable to get repository owner: %s/%s %v", results.OwnerName, results.RepoName, err), + }) + return + } + if !owner.IsActive { + ctx.JSON(http.StatusForbidden, map[string]interface{}{ + "results": results, + "type": "ForbiddenError", + "err": "Repository cannot be accessed, you could retry it later", + }) + return + } + // Now get the Repository and set the results section repoExist := true - repo, err := models.GetRepositoryByOwnerAndName(results.OwnerName, results.RepoName) + repo, err := models.GetRepositoryByName(owner.ID, results.RepoName) if err != nil { if models.IsErrRepoNotExist(err) { repoExist = false @@ -133,6 +152,7 @@ func ServCommand(ctx *macaron.Context) { } if repoExist { + repo.Owner = owner repo.OwnerName = ownerName results.RepoID = repo.ID 
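Review bot: The new `GetUserByName` error branch turns every lookup failure, including `models.IsErrUserNotExist`, into a 500 `InternalServerError` that echoes the owner name; before this hunk a missing owner presumably surfaced from `GetRepositoryByOwnerAndName` as `ErrRepoNotExist` and took the `repoExist = false` path that is still visible below, so `git push` to an unknown owner now reports a server error instead of not-found. Handle the not-exist case separately and answer 404 with whatever `type` the repository-not-found branch further down reports (I assume `NotFoundError`; confirm). Two smaller points: whether an owner that is an organization carries `IsActive` needs confirming — if organization accounts do not, this check locks every organization repository and `!owner.IsOrganization() && !owner.IsActive` would be the guard — and `you could retry it later` suggests a transient condition, which an inactive account is not; `Repository owner's account is inactive` states it plainly. ServCommand starts above and continues past the hunk.
```go
owner, err := models.GetUserByName(results.OwnerName)
if err != nil {
	if models.IsErrUserNotExist(err) {
		ctx.JSON(http.StatusNotFound, map[string]interface{}{
			"results": results,
			"type":    "NotFoundError",
			"err":     fmt.Sprintf("Repository owner not found: %s", results.OwnerName),
		})
		return
	}
	// … unchanged: InternalServerError response …
}
// … unchanged: inactive-owner check and repository lookup …
```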
@@ -223,15 +243,6 @@ func ServCommand(ctx *macaron.Context) { // so for now use the owner of the repository results.UserName = results.OwnerName results.UserID = repo.OwnerID - if err = repo.GetOwner(); err != nil { - log.Error("Unable to get owner for repo %-v. Error: %v", repo, err) - ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ - "results": results, - "type": "InternalServerError", - "err": fmt.Sprintf("Unable to get owner for repo: %s/%s.", results.OwnerName, results.RepoName), - }) - return - } if !repo.Owner.KeepEmailPrivate { results.UserEmail = repo.Owner.Email } @@ -256,6 +267,14 @@ func ServCommand(ctx *macaron.Context) { }) return } + + if !user.IsActive { + ctx.JSON(http.StatusForbidden, map[string]interface{}{ + "err": "Your account is disabled.", + }) + return + } + results.UserName = user.Name if !user.KeepEmailPrivate { results.UserEmail = user.Email diff --git a/routers/repo/http.go b/routers/repo/http.go index b14ce106292a..39dd5006b53e 100644 --- a/routers/repo/http.go +++ b/routers/repo/http.go @@ -105,6 +105,10 @@ func HTTP(ctx *context.Context) { ctx.NotFoundOrServerError("GetUserByName", models.IsErrUserNotExist, err) return } + if !owner.IsActive { + ctx.HandleText(http.StatusForbidden, "Repository cannot be accessed. You cannot push or open issues/pull-requests.") + return + } repoExist := true repo, err := models.GetRepositoryByName(owner.ID, reponame) From 403a4b972dc8e07977568c68860922b801a34013 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 12 Nov 2020 18:57:16 +0800 Subject: [PATCH 4/4] deny operations also when user is ProhibitLogin --- routers/private/serv.go | 4 ++-- routers/repo/http.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/routers/private/serv.go b/routers/private/serv.go index 1bab55d14a35..2697666b87fa 100644 --- a/routers/private/serv.go +++ b/routers/private/serv.go 
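Review bot: The 403 body added after the key-owner lookup in ServCommand has only an `err` key, whereas the inactive-owner refusal added earlier in the same function returns `results` and `"type": "ForbiddenError"` as well, so a client that reads `type` would treat the two refusals differently; add `"results": results, "type": "ForbiddenError",` here for consistency. Patch 4 extends the condition to `ProhibitLogin` but keeps the shorter body. ServCommand continues past the hunk.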
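Review bot: The inactive-owner check is placed directly after the owner lookup, which sits above the authentication block (the `authUser` check from patch 1 lands around line 244), so it runs for unauthenticated requests too: an anonymous client gets 404 via `NotFoundOrServerError` for an unknown username and 403 for an inactive one, which confirms both the existence and the activation state of accounts. If that is acceptable, record it in a comment above the check; otherwise answer with the same not-found response. As in serv.go, confirm that an organization owner reports `IsActive` as expected, or guard with `!owner.IsOrganization() &&`. The message `You cannot push or open issues/pull-requests` also does not fit a git smart-HTTP endpoint; `Repository owner's account is inactive` would do. The `HTTP` handler starts and ends outside the hunk.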
@@ -61,7 +61,7 @@ func ServNoCommand(ctx *macaron.Context) { }) return } - if !user.IsActive { + if !user.IsActive || user.ProhibitLogin { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "err": "Your account is disabled.", }) @@ -268,7 +268,7 @@ func ServCommand(ctx *macaron.Context) { return } - if !user.IsActive { + if !user.IsActive || user.ProhibitLogin { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "err": "Your account is disabled.", }) diff --git a/routers/repo/http.go b/routers/repo/http.go index 39dd5006b53e..9e94d28eab12 100644 --- a/routers/repo/http.go +++ b/routers/repo/http.go @@ -248,7 +248,7 @@ func HTTP(ctx *context.Context) { } } - if !authUser.IsActive { + if !authUser.IsActive || authUser.ProhibitLogin { ctx.HandleText(http.StatusForbidden, "Your account is disabled.") return }
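Review bot: The condition `!user.IsActive || user.ProhibitLogin` now appears verbatim in three handlers across two packages, while the owner check introduced in patch 3 still tests `IsActive` alone, so the rule for "this account may use git" is already diverging; a single predicate on the user type, something like `func (u *User) CanUseGit() bool { return u.IsActive && !u.ProhibitLogin }` (outside this diff), would keep the three call sites aligned. Whether a repository owned by a `ProhibitLogin` user should stay reachable is not stated anywhere in the series; a comment on the owner check recording that decision, e.g. `// ProhibitLogin only blocks the owner's own sessions; their repositories stay reachable`, would save the next reader from guessing — phrase it as an assumption if that is not the intended rule. ServNoCommand starts above the hunk.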