Admin user registration and EMAIL_DOMAIN_ALLOWLIST

[TineHorvat]

Description

Hello,
we have a local installation of Gitea and have recently upgraded to 1.20.4 and experienced a feature or functionality that was not present before on in the versions before. I can see there was a security enchantment (https://github.com/go-gitea/gitea/releases/tag/v1.20.4) about checking the blocklist.

The issue:
After the upgrade to 1.20.4 we are not able (through administrator dashboard) to add users that have emails on domains that are not listed on the ALLOWLIST. If you use the any other domain, we get the error message: "The email address is invalid."

We have user registration enabled, and set EMAIL_DOMAIN_ALLOWLIST for our organization and some business partners domains, which is working fine and they can register trough the form. For any other domains, only Gitea administrators added new users, so we can avoid spam users as much as possible. This was working for any domains, also those that are not on the ALLOWLIST in the previous version of Gitea.

We want to keep the "open" registration for the domains that are allowed, but also allow the administrators to add users with emails from any other domains. The main reason is we don't want to disable the registration for "our" domains because those users are under our organization policy and they can register by themself, but still be able that admins can add users with any domain if needed.

Is there a new configuration combination that allows this settings or is this a "feature/bug", that checks only the ALLOWLIST also when an administrator is adding a new user?

Can you please look into in?

Thanks,
Tine

Gitea Version

1.20.4

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

We are running on Windows Server, its running as a windows service.

Database

None

[Zettat123]

Since #26812 is a security enhancement, I think this is not a bug but an expected behavior. As for your requirement, maybe we can add an option/configuration to allow administrators to manually add users whose emails are not in the ALLOWLIST. But I'm not sure if we should provide such a feature.

[TineHorvat]

Hey Zettat123,
I saw that it was added as a security enhancement, but I was not sure if this was also intended for the administration of Gitea users or just the registration process. That's why I marked it as a kinda bug.

I am also not sure what could be the issue for the administrators to be still able to add users with emails which are not on EMAIL_DOMAIN_ALLOWLIST as they are manually adding them by hand. Since this was working for years and never had a single issue with this process.

This is more of a bypass or workaround, but what could happen if we add users with a "bogus" e-mails with a domain on allowlist and then change the records in the database? This is the worst scenario which we don't want to use, but still, this could work without issues?

[f403]

@Zettat123 , I would consider this a bug.

According to the documentation:
EMAIL_DOMAIN_ALLOWLIST: If non-empty, comma separated list of domain names that can only be used to register on this instance, wildcard is supported.

It has been designed for providing self-registration for some users and manual (by admins) registration for others.
Forbidding administrators to create user will either limit usability of the instance, or create security breaches if admins will try to edit the database.

@TineHorvat , please be aware:

1. there are two table you might want to modify (user and email_address)
2. if you update email directly in the database, you won't be able to modify/restrict/disable this user via admin GUI

[stdmr]

@Zettat123 , I would consider this a bug.
It has been designed for providing self-registration for some users and manual (by admins) registration for others. Forbidding administrators to create user will either limit usability of the instance, or create security breaches if admins will try to edit the database.

Exactly! Thank you! I think the main use-case for EMAIL_ALLOW_LIST is to restrict user self registration.

Maybe just show a warning for admins, when registering an email which is not in the EMAIL_ALLOW_LIST.

[Zettat123]

Thanks for all your comments. After discussion I think admins should be able to create any user manually regardless of whether the user's email address is in the EMAIL_DOMAIN_ALLOWLIST or not. This should be a bug.

[gilbertoca]

@lunny @Zettat123
I'm here as well because of this problem. In my case, our users come from some smtp servers and I have to change the "Maximum Number of Repositories" to ZERO - every time a new user comes in - see the print-screen #19582

[Zettat123]

Hi @gilbertoca . I've seen the print-screen. I think your problem is that you get a "The email address is invalid" error when you change the "Maximum Number of Repositories".

Is the EMAIL_DOMAIN_ALLOWLIST configuration of your Gitea instance is empty? Could you add your email domain (like ibrowser.net.br) to the allowlist and then check if you can successfully change the "Maximum Number of Repositories"?

After testing, we will be able to know if the error is caused by the EMAIL_DOMAIN_ALLOWLIST configuration.

[f403]

Admin is not able to change any settings of a user, if the user's email host is not in EMAIL_DOMAIN_ALLOWLIST.
This also includes "Maximum Number of Repositories" and other important properties like "Disable Sign-In".
Checked on 1.21.5.
Changing user's avatar works :)