Deactivated administrators are not deactivated?

[michelvosje]

• Gitea version (or commit ref): 3b612ce built with go1.11.5 : bindata, sqlite, sqlite_unlock_notify
• Git version: 2.18.1
• Operating system: Docker
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Log gist:

Description

A week ago we deactivated a user account which was marked as an administrator account. The person assigned to the user account has left the organisation. We assumed that the user would not be able to login again into Gitea.

Today we found out he was able to create a new non-administrator account for somebody else (no worries it's contract related). I just tried it out and i see that deactivated administrator accounts still administrator rights. For us this is unexpected behaviour of Gitea which i wanted to report.
...

Screenshots

[jolheiser]

One thing to note, Activated is referring to email activation when you have enabled REGISTER_EMAIL_CONFIRM in settings.
To stop someone from signing in, you would need to check Disable Sign-In when editing them.

[lunny]

@michelvosje @jolheiser I think I have sent #6115 merged in v1.7.3 should fix this problem. An unactived user should also be deny login except he clicked the activation link on the confirm email.

[michelvosje]

So am i correct that it is not possible to see from the overview of User Accounts which account is marked as enabled/disabled? I'd have to manually click all accounts 1 by 1 to see which one is and is not disabled?

From a security perspective i don't think that is correct. As an administrator i don't care who has and who has not clicked the email activation link.

[lafriks]

Most probably both options would be nice to see

[adelowo]

Might be a little confusing if both options are there. I think Activated can be swapped out for @michelvosje 's suggestion

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[stale]

This issue has been automatically closed because of inactivity. You can re-open it if needed.