follow HEAD

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6034
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>

.forgejo/workflows/publish-release.yml

@@ -84,20 +84,3 @@ jobs:
           ref_name: '${{ github.ref_name }}'
           image: 'codeberg.org/forgejo-experimental/forgejo'
           tag_suffix: '-rootless'
-
-      - name: set up go for the DNS update below
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
-        uses: https://code.forgejo.org/actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-      - name: update the _release.experimental DNS record
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
-        uses: https://code.forgejo.org/actions/ovh-dns-update@v1
-        with:
-          subdomain: _release.experimental
-          domain: forgejo.com # there is a CNAME from .org to .com (for security reasons)
-          record-id: 5283602601
-          value: v=${{ github.ref_name }}
-          ovh-app-key: ${{ secrets.OVH_APP_KEY }}
-          ovh-app-secret: ${{ secrets.OVH_APP_SECRET }}
-          ovh-consumer-key: ${{ secrets.OVH_CON_KEY }}

models/user/email_address.go

@@ -139,6 +139,38 @@ func GetPrimaryEmailAddressOfUser(ctx context.Context, uid int64) (*EmailAddress
 	return ea, nil
 }
 
+// Deletes the primary email address of the user
+// This is only allowed if the user is a organization
+func DeletePrimaryEmailAddressOfUser(ctx context.Context, uid int64) error {
+	user, err := GetUserByID(ctx, uid)
+	if err != nil {
+		return err
+	}
+
+	if user.Type != UserTypeOrganization {
+		return fmt.Errorf("%s is not a organization", user.Name)
+	}
+
+	ctx, committer, err := db.TxContext(ctx)
+	if err != nil {
+		return err
+	}
+	defer committer.Close()
+
+	_, err = db.GetEngine(ctx).Exec("DELETE FROM email_address WHERE uid = ? AND is_primary = true", uid)
+	if err != nil {
+		return err
+	}
+
+	user.Email = ""
+	err = UpdateUserCols(ctx, user, "email")
+	if err != nil {
+		return err
+	}
+
+	return committer.Commit()
+}
+
 // GetEmailAddresses returns all email addresses belongs to given user.
 func GetEmailAddresses(ctx context.Context, uid int64) ([]*EmailAddress, error) {
 	emails := make([]*EmailAddress, 0, 5)

models/user/email_address_test.go

@@ -129,6 +129,7 @@ func TestListEmails(t *testing.T) {
 	assert.Len(t, emails, 5)
 	assert.Greater(t, count, int64(len(emails)))
 }
+
 func TestGetActivatedEmailAddresses(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 
@@ -162,3 +163,21 @@ func TestGetActivatedEmailAddresses(t *testing.T) {
 		})
 	}
 }
+
+func TestDeletePrimaryEmailAddressOfUser(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	user, err := user_model.GetUserByName(db.DefaultContext, "org3")
+	require.NoError(t, err)
+	assert.Equal(t, "org3@example.com", user.Email)
+
+	require.NoError(t, user_model.DeletePrimaryEmailAddressOfUser(db.DefaultContext, user.ID))
+
+	user, err = user_model.GetUserByName(db.DefaultContext, "org3")
+	require.NoError(t, err)
+	assert.Empty(t, user.Email)
+
+	email, err := user_model.GetPrimaryEmailAddressOfUser(db.DefaultContext, user.ID)
+	assert.True(t, user_model.IsErrEmailAddressNotExist(err))
+	assert.Nil(t, email)
+}

models/user/user_test.go

@@ -324,7 +324,6 @@ func TestCreateUserInvalidEmail(t *testing.T) {
 
 	err := user_model.CreateUser(db.DefaultContext, user)
 	require.Error(t, err)
-
 	assert.True(t, validation.IsErrEmailCharIsNotSupported(err))
 }
 
@@ -607,69 +606,6 @@ func Test_ValidateUser(t *testing.T) {
 	}
 }
 
-func TestGenerateEmailAuthorizationCode(t *testing.T) {
-	defer test.MockVariableValue(&setting.Service.ActiveCodeLives, 2)()
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-
-	code, err := user.GenerateEmailAuthorizationCode(db.DefaultContext, auth.UserActivation)
-	require.NoError(t, err)
-
-	lookupKey, validator, ok := strings.Cut(code, ":")
-	assert.True(t, ok)
-
-	rawValidator, err := hex.DecodeString(validator)
-	require.NoError(t, err)
-
-	authToken, err := auth.FindAuthToken(db.DefaultContext, lookupKey, auth.UserActivation)
-	require.NoError(t, err)
-	assert.False(t, authToken.IsExpired())
-	assert.EqualValues(t, authToken.HashedValidator, auth.HashValidator(rawValidator))
-
-	authToken.Expiry = authToken.Expiry.Add(-int64(setting.Service.ActiveCodeLives) * 60)
-	assert.True(t, authToken.IsExpired())
-}
-
-func TestVerifyUserAuthorizationToken(t *testing.T) {
-	defer test.MockVariableValue(&setting.Service.ActiveCodeLives, 2)()
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-
-	code, err := user.GenerateEmailAuthorizationCode(db.DefaultContext, auth.UserActivation)
-	require.NoError(t, err)
-
-	lookupKey, _, ok := strings.Cut(code, ":")
-	assert.True(t, ok)
-
-	t.Run("Wrong purpose", func(t *testing.T) {
-		u, err := user_model.VerifyUserAuthorizationToken(db.DefaultContext, code, auth.PasswordReset, false)
-		require.NoError(t, err)
-		assert.Nil(t, u)
-	})
-
-	t.Run("No delete", func(t *testing.T) {
-		u, err := user_model.VerifyUserAuthorizationToken(db.DefaultContext, code, auth.UserActivation, false)
-		require.NoError(t, err)
-		assert.EqualValues(t, user.ID, u.ID)
-
-		authToken, err := auth.FindAuthToken(db.DefaultContext, lookupKey, auth.UserActivation)
-		require.NoError(t, err)
-		assert.NotNil(t, authToken)
-	})
-
-	t.Run("Delete", func(t *testing.T) {
-		u, err := user_model.VerifyUserAuthorizationToken(db.DefaultContext, code, auth.UserActivation, true)
-		require.NoError(t, err)
-		assert.EqualValues(t, user.ID, u.ID)
-
-		authToken, err := auth.FindAuthToken(db.DefaultContext, lookupKey, auth.UserActivation)
-		require.ErrorIs(t, err, util.ErrNotExist)
-		assert.Nil(t, authToken)
-	})
-}
-
 func Test_NormalizeUserFromEmail(t *testing.T) {
 	oldSetting := setting.Service.AllowDotsInUsernames
 	defer func() {
@@ -767,3 +703,66 @@ func TestDisabledUserFeatures(t *testing.T) {
 		assert.True(t, user_model.IsFeatureDisabledWithLoginType(user, f))
 	}
 }
+
+func TestGenerateEmailAuthorizationCode(t *testing.T) {
+	defer test.MockVariableValue(&setting.Service.ActiveCodeLives, 2)()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	code, err := user.GenerateEmailAuthorizationCode(db.DefaultContext, auth.UserActivation)
+	require.NoError(t, err)
+
+	lookupKey, validator, ok := strings.Cut(code, ":")
+	assert.True(t, ok)
+
+	rawValidator, err := hex.DecodeString(validator)
+	require.NoError(t, err)
+
+	authToken, err := auth.FindAuthToken(db.DefaultContext, lookupKey, auth.UserActivation)
+	require.NoError(t, err)
+	assert.False(t, authToken.IsExpired())
+	assert.EqualValues(t, authToken.HashedValidator, auth.HashValidator(rawValidator))
+
+	authToken.Expiry = authToken.Expiry.Add(-int64(setting.Service.ActiveCodeLives) * 60)
+	assert.True(t, authToken.IsExpired())
+}
+
+func TestVerifyUserAuthorizationToken(t *testing.T) {
+	defer test.MockVariableValue(&setting.Service.ActiveCodeLives, 2)()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	code, err := user.GenerateEmailAuthorizationCode(db.DefaultContext, auth.UserActivation)
+	require.NoError(t, err)
+
+	lookupKey, _, ok := strings.Cut(code, ":")
+	assert.True(t, ok)
+
+	t.Run("Wrong purpose", func(t *testing.T) {
+		u, err := user_model.VerifyUserAuthorizationToken(db.DefaultContext, code, auth.PasswordReset, false)
+		require.NoError(t, err)
+		assert.Nil(t, u)
+	})
+
+	t.Run("No delete", func(t *testing.T) {
+		u, err := user_model.VerifyUserAuthorizationToken(db.DefaultContext, code, auth.UserActivation, false)
+		require.NoError(t, err)
+		assert.EqualValues(t, user.ID, u.ID)
+
+		authToken, err := auth.FindAuthToken(db.DefaultContext, lookupKey, auth.UserActivation)
+		require.NoError(t, err)
+		assert.NotNil(t, authToken)
+	})
+
+	t.Run("Delete", func(t *testing.T) {
+		u, err := user_model.VerifyUserAuthorizationToken(db.DefaultContext, code, auth.UserActivation, true)
+		require.NoError(t, err)
+		assert.EqualValues(t, user.ID, u.ID)
+
+		authToken, err := auth.FindAuthToken(db.DefaultContext, lookupKey, auth.UserActivation)
+		require.ErrorIs(t, err, util.ErrNotExist)
+		assert.Nil(t, authToken)
+	})
+}

modules/structs/org.go

@@ -48,7 +48,7 @@ type CreateOrgOption struct {
 // EditOrgOption options for editing an organization
 type EditOrgOption struct {
 	FullName    string  `json:"full_name" binding:"MaxSize(100)"`
-	Email       string `json:"email" binding:"MaxSize(255)"`
+	Email       *string `json:"email" binding:"MaxSize(255)"`
 	Description string  `json:"description" binding:"MaxSize(255)"`
 	Website     string  `json:"website" binding:"ValidUrl;MaxSize(255)"`
 	Location    string  `json:"location" binding:"MaxSize(50)"`

modules/validation/email.go

@@ -1,5 +1,6 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package validation

modules/validation/email_test.go

@@ -1,4 +1,5 @@
 // Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package validation

routers/api/v1/org/org.go

@@ -15,6 +15,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/optional"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/validation"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/api/v1/utils"
@@ -340,14 +341,29 @@ func Edit(ctx *context.APIContext) {
 	//     "$ref": "#/responses/Organization"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/error"
 
 	form := web.GetForm(ctx).(*api.EditOrgOption)
 
-	if form.Email != "" {
+	if form.Email != nil {
-		if err := user_service.ReplacePrimaryEmailAddress(ctx, ctx.Org.Organization.AsUser(), form.Email); err != nil {
+		if *form.Email == "" {
-			ctx.Error(http.StatusInternalServerError, "ReplacePrimaryEmailAddress", err)
+			err := user_model.DeletePrimaryEmailAddressOfUser(ctx, ctx.Org.Organization.ID)
+			if err != nil {
+				ctx.Error(http.StatusInternalServerError, "DeletePrimaryEmailAddressOfUser", err)
 				return
 			}
+			ctx.Org.Organization.Email = ""
+		} else {
+			if err := user_service.ReplacePrimaryEmailAddress(ctx, ctx.Org.Organization.AsUser(), *form.Email); err != nil {
+				if validation.IsErrEmailInvalid(err) || validation.IsErrEmailCharIsNotSupported(err) {
+					ctx.Error(http.StatusUnprocessableEntity, "ReplacePrimaryEmailAddress", err)
+				} else {
+					ctx.Error(http.StatusInternalServerError, "ReplacePrimaryEmailAddress", err)
+				}
+				return
+			}
+		}
 	}
 
 	opts := &user_service.UpdateOptions{

routers/web/org/setting.go

@@ -93,7 +93,13 @@ func SettingsPost(ctx *context.Context) {
 		ctx.Org.OrgLink = setting.AppSubURL + "/org/" + url.PathEscape(org.Name)
 	}
 
-	if form.Email != "" {
+	if form.Email == "" {
+		err := user_model.DeletePrimaryEmailAddressOfUser(ctx, org.ID)
+		if err != nil {
+			ctx.ServerError("DeletePrimaryEmailAddressOfUser", err)
+			return
+		}
+	} else {
 		if err := user_service.ReplacePrimaryEmailAddress(ctx, org.AsUser(), form.Email); err != nil {
 			ctx.Data["Err_Email"] = true
 			ctx.RenderWithErr(ctx.Tr("form.email_invalid"), tplSettingsOptions, &form)

templates/swagger/v1_json.tmpl

@@ -2263,6 +2263,9 @@
           },
           "404": {
             "$ref": "#/responses/notFound"
+          },
+          "422": {
+            "$ref": "#/responses/error"
           }
         }
       }

tests/integration/api_org_test.go

@@ -218,3 +218,57 @@ func TestAPIOrgSearchEmptyTeam(t *testing.T) {
 		assert.EqualValues(t, "Empty", data.Data[0].Name)
 	}
 }
+
+func TestAPIOrgChangeEmail(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	session := loginUser(t, "user1")
+	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
+
+	t.Run("Invalid", func(t *testing.T) {
+		newMail := "invalid"
+		settings := api.EditOrgOption{Email: &newMail}
+
+		resp := MakeRequest(t, NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3", &settings).AddTokenAuth(token), http.StatusUnprocessableEntity)
+
+		var org *api.Organization
+		DecodeJSON(t, resp, &org)
+
+		assert.Empty(t, org.Email)
+	})
+
+	t.Run("Valid", func(t *testing.T) {
+		newMail := "example@example.com"
+		settings := api.EditOrgOption{Email: &newMail}
+
+		resp := MakeRequest(t, NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3", &settings).AddTokenAuth(token), http.StatusOK)
+
+		var org *api.Organization
+		DecodeJSON(t, resp, &org)
+
+		assert.Equal(t, "example@example.com", org.Email)
+	})
+
+	t.Run("NoChange", func(t *testing.T) {
+		settings := api.EditOrgOption{}
+
+		resp := MakeRequest(t, NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3", &settings).AddTokenAuth(token), http.StatusOK)
+
+		var org *api.Organization
+		DecodeJSON(t, resp, &org)
+
+		assert.Equal(t, "example@example.com", org.Email)
+	})
+
+	t.Run("Empty", func(t *testing.T) {
+		newMail := ""
+		settings := api.EditOrgOption{Email: &newMail}
+
+		resp := MakeRequest(t, NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3", &settings).AddTokenAuth(token), http.StatusOK)
+
+		var org *api.Organization
+		DecodeJSON(t, resp, &org)
+
+		assert.Empty(t, org.Email)
+	})
+}

tests/integration/org_settings_test.go

@@ -0,0 +1,89 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func getOrgSettingsFormData(t *testing.T, session *TestSession, orgName string) map[string]string {
+	return map[string]string{
+		"_csrf":                         GetCSRF(t, session, fmt.Sprintf("/org/%s/settings", orgName)),
+		"name":                          orgName,
+		"full_name":                     "",
+		"email":                         "",
+		"description":                   "",
+		"website":                       "",
+		"location":                      "",
+		"visibility":                    "0",
+		"repo_admin_change_team_access": "on",
+		"max_repo_creation":             "-1",
+	}
+}
+
+func getOrgSettings(t *testing.T, token, orgName string) *api.Organization {
+	t.Helper()
+
+	req := NewRequestf(t, "GET", "/api/v1/orgs/%s", orgName).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var org *api.Organization
+	DecodeJSON(t, resp, &org)
+
+	return org
+}
+
+func TestOrgSettingsChangeEmail(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	const orgName = "org3"
+	settingsURL := fmt.Sprintf("/org/%s/settings", orgName)
+
+	session := loginUser(t, "user1")
+	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
+
+	t.Run("Invalid", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		settings := getOrgSettingsFormData(t, session, orgName)
+
+		settings["email"] = "invalid"
+		session.MakeRequest(t, NewRequestWithValues(t, "POST", settingsURL, settings), http.StatusOK)
+
+		org := getOrgSettings(t, token, orgName)
+		assert.Equal(t, "org3@example.com", org.Email)
+	})
+
+	t.Run("Valid", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		settings := getOrgSettingsFormData(t, session, orgName)
+
+		settings["email"] = "example@example.com"
+		session.MakeRequest(t, NewRequestWithValues(t, "POST", settingsURL, settings), http.StatusSeeOther)
+
+		org := getOrgSettings(t, token, orgName)
+		assert.Equal(t, "example@example.com", org.Email)
+	})
+
+	t.Run("Empty", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		settings := getOrgSettingsFormData(t, session, orgName)
+
+		settings["email"] = ""
+		session.MakeRequest(t, NewRequestWithValues(t, "POST", settingsURL, settings), http.StatusSeeOther)
+
+		org := getOrgSettings(t, token, orgName)
+		assert.Empty(t, org.Email)
+	})
+}