go-gitea · 6543 · Feb 14, 2021 · Feb 12, 2021 · Feb 12, 2021 · Feb 13, 2021
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -617,6 +617,8 @@ REGISTER_MANUAL_CONFIRM = false
 ; List of domain names that are allowed to be used to register on a Gitea instance
 ; gitea.io,example.com
 EMAIL_DOMAIN_WHITELIST =
+; Comma-separated list of domain names that are not allowed to be used to register on a Gitea instance
+EMAIL_DOMAIN_BLACKLIST =
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION = false
 ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -466,6 +466,7 @@ relation to port exhaustion.
 - `DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME`: **true**: Only allow users with write permissions to track time.
 - `EMAIL_DOMAIN_WHITELIST`: **\<empty\>**: If non-empty, list of domain names that can only be used to register
   on this instance.
+- `EMAIL_DOMAIN_BLACKLIST`: **\<empty\>**: If non-empty, list of domain names that cannot be used to register on this instance
 - `SHOW_REGISTRATION_BUTTON`: **! DISABLE\_REGISTRATION**: Show Registration Button
 - `SHOW_MILESTONES_DASHBOARD_PAGE`: **true** Enable this to show the milestones dashboard page - a view of all the user's milestones
 - `AUTO_WATCH_NEW_REPOS`: **true**: Enable this to let all organisation users watch new repos when they are created

diff --git a/docs/content/doc/help/faq.en-us.md b/docs/content/doc/help/faq.en-us.md
@@ -120,13 +120,14 @@ For more information, refer to Gitea's [API docs]({{< relref "doc/developers/api
 
 There are multiple things you can combine to prevent spammers.
 
-1. By only whitelisting certain domains with OpenID (see below)
-2. Setting `ENABLE_CAPTCHA` to `true` in your `app.ini` and properly configuring `RECAPTCHA_SECRET` and `RECAPTCHA_SITEKEY`
-3. Settings `DISABLE_REGISTRATION` to `true` and creating new users via the [CLI]({{< relref "doc/usage/command-line.en-us.md" >}}), [API]({{< relref "doc/developers/api-usage.en-us.md" >}}), or Gitea's Admin UI
+1. By whitelisting or blacklisting certain email domains
+2. By only whitelisting certain domains with OpenID (see below)
+3. Setting `ENABLE_CAPTCHA` to `true` in your `app.ini` and properly configuring `RECAPTCHA_SECRET` and `RECAPTCHA_SITEKEY`
+4. Settings `DISABLE_REGISTRATION` to `true` and creating new users via the [CLI]({{< relref "doc/usage/command-line.en-us.md" >}}), [API]({{< relref "doc/developers/api-usage.en-us.md" >}}), or Gitea's Admin UI
 
-### Only allow certain email domains
+### Only allow/block certain email domains
 
-You can configure `EMAIL_DOMAIN_WHITELIST` in your app.ini under `[service]`
+You can configure `EMAIL_DOMAIN_WHITELIST` and/or `EMAIL_DOMAIN_BLACKLIST` in your app.ini under `[service]`
 
 ### Only allow/block certain OpenID providers
 

diff --git a/modules/forms/user_form.go b/modules/forms/user_form.go
@@ -120,6 +120,30 @@ func (f RegisterForm) IsEmailDomainWhitelisted() bool {
 	return false
 }
 
+// IsEmailDomainBlacklisted validates that the email address
+// does not come from a domain that has been blacklisted.
+// In the absence of a blacklist, all addresses are accepted.
+func (f RegisterForm) IsEmailDomainBlacklisted() bool {
+	if len(setting.Service.EmailDomainBlacklist) == 0 {
+		return false
+	}
+
+	n := strings.LastIndex(f.Email, "@")
+	if n <= 0 {
+		return false
+	}
+
+	domain := strings.ToLower(f.Email[n+1:])
+
+	for _, v := range setting.Service.EmailDomainBlacklist {
+		if strings.ToLower(v) == domain {
+			return true
+		}
+	}
+
+	return false
+}
+
 // MustChangePasswordForm form for updating your password after account creation
 // by an admin
 type MustChangePasswordForm struct {

diff --git a/modules/setting/service.go b/modules/setting/service.go
@@ -20,6 +20,7 @@ var Service struct {
 	RegisterEmailConfirm                    bool
 	RegisterManualConfirm                   bool
 	EmailDomainWhitelist                    []string
+	EmailDomainBlacklist                    []string
 	DisableRegistration                     bool
 	AllowOnlyExternalRegistration           bool
 	ShowRegistrationButton                  bool
@@ -72,6 +73,7 @@ func newService() {
 		Service.RegisterManualConfirm = false
 	}
 	Service.EmailDomainWhitelist = sec.Key("EMAIL_DOMAIN_WHITELIST").Strings(",")
+	Service.EmailDomainBlacklist = sec.Key("EMAIL_DOMAIN_BLACKLIST").Strings(",")
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration))
 	Service.ShowMilestonesDashboardPage = sec.Key("SHOW_MILESTONES_DASHBOARD_PAGE").MustBool(true)
 	Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool()

diff --git a/routers/user/auth.go b/routers/user/auth.go
@@ -1129,7 +1129,7 @@ func SignUpPost(ctx *context.Context) {
 		}
 	}
 
-	if !form.IsEmailDomainWhitelisted() {
+	if !form.IsEmailDomainWhitelisted() || form.IsEmailDomainBlacklisted() {
 		ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form)
 		return
 	}
-Original file line number
+Diff line change
@@ Expand Up / @@ -1129,7 +1129,7 @@ func SignUpPost(ctx *context.Context) { @@
     		}
     	}
-    	if !form.IsEmailDomainWhitelisted() {
+    	if !form.IsEmailDomainWhitelisted() || form.IsEmailDomainBlacklisted() {
     		ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form)
     		return
     	}
@@ Expand Down @@