初始提交: Gitea 项目代码

models/user/avatar.go

@@ -0,0 +1,111 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+	"image/png"
+	"io"
+
+	"gitea.dev/models/avatars"
+	"gitea.dev/models/db"
+	"gitea.dev/modules/avatar"
+	"gitea.dev/modules/httplib"
+	"gitea.dev/modules/log"
+	"gitea.dev/modules/setting"
+	"gitea.dev/modules/storage"
+)
+
+// CustomAvatarRelativePath returns user custom avatar relative path.
+func (u *User) CustomAvatarRelativePath() string {
+	return u.Avatar
+}
+
+// GenerateRandomAvatar generates a random avatar for user.
+func GenerateRandomAvatar(ctx context.Context, u *User) error {
+	seed := u.Email
+	if len(seed) == 0 {
+		seed = u.Name
+	}
+
+	img := avatar.RandomImageDefaultSize([]byte(seed))
+
+	u.Avatar = avatars.HashEmail(seed)
+
+	_, err := storage.Avatars.Stat(u.CustomAvatarRelativePath())
+	if err != nil {
+		// If unable to Stat the avatar file (usually it means non-existing), then try to save a new one
+		// Don't share the images so that we can delete them easily
+		if err := storage.SaveFrom(storage.Avatars, u.CustomAvatarRelativePath(), func(w io.Writer) error {
+			return png.Encode(w, img)
+		}); err != nil {
+			return fmt.Errorf("failed to save avatar %s: %w", u.CustomAvatarRelativePath(), err)
+		}
+	}
+
+	if _, err := db.GetEngine(ctx).ID(u.ID).Cols("avatar").Update(u); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// AvatarLinkWithSize returns a link to the user's avatar with size. size <= 0 means default size
+func (u *User) AvatarLinkWithSize(ctx context.Context, size int) string {
+	// ghost user was deleted, Gitea actions is a bot user, 0 means the user should be a virtual user
+	// which comes from git configure information
+	if u.IsGhost() || u.IsGiteaActions() || u.ID <= 0 {
+		return avatars.DefaultAvatarLink()
+	}
+
+	useLocalAvatar := false
+	autoGenerateAvatar := false
+
+	disableGravatar := setting.Config().Picture.DisableGravatar.Value(ctx)
+
+	switch {
+	case u.UseCustomAvatar:
+		useLocalAvatar = true
+	case disableGravatar:
+		useLocalAvatar = true
+		autoGenerateAvatar = true
+	}
+
+	if useLocalAvatar {
+		if u.Avatar == "" && autoGenerateAvatar {
+			if err := GenerateRandomAvatar(ctx, u); err != nil {
+				log.Error("GenerateRandomAvatar: %v", err)
+			}
+		}
+		if u.Avatar == "" {
+			return avatars.DefaultAvatarLink()
+		}
+		return avatars.GenerateUserAvatarImageLink(u.Avatar, size)
+	}
+	return avatars.GenerateEmailAvatarFastLink(ctx, u.AvatarEmail, size)
+}
+
+// AvatarLink returns the full avatar url with http host.
+// TODO: refactor it to a relative URL, but it is still used in API response at the moment
+func (u *User) AvatarLink(ctx context.Context) string {
+	relLink := u.AvatarLinkWithSize(ctx, 0) // it can't be empty
+	return httplib.MakeAbsoluteURL(ctx, relLink)
+}
+
+// IsUploadAvatarChanged returns true if the current user's avatar would be changed with the provided data
+func (u *User) IsUploadAvatarChanged(data []byte) bool {
+	if !u.UseCustomAvatar || len(u.Avatar) == 0 {
+		return true
+	}
+	avatarID := avatar.HashAvatar(u.ID, data)
+	return u.Avatar != avatarID
+}
+
+// ExistsWithAvatarAtStoragePath returns true if there is a user with this Avatar
+func ExistsWithAvatarAtStoragePath(ctx context.Context, storagePath string) (bool, error) {
+	// See func (u *User) CustomAvatarRelativePath()
+	// u.Avatar is used directly as the storage path - therefore we can check for existence directly using the path
+	return db.GetEngine(ctx).Where("`avatar`=?", storagePath).Exist(new(User))
+}

models/user/avatar_test.go

@@ -0,0 +1,66 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"io"
+	"strings"
+	"testing"
+
+	"gitea.dev/models/unittest"
+	"gitea.dev/modules/setting"
+	"gitea.dev/modules/storage"
+	"gitea.dev/modules/test"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserAvatarLink(t *testing.T) {
+	defer test.MockVariableValue(&setting.AppURL, "https://localhost/")()
+	defer test.MockVariableValue(&setting.AppSubURL, "")()
+
+	u := &User{ID: 1, Avatar: "avatar.png"}
+	link := u.AvatarLink(t.Context())
+	assert.Equal(t, "https://localhost/avatars/avatar.png", link)
+
+	setting.AppURL = "https://localhost/sub-path/"
+	setting.AppSubURL = "/sub-path"
+	link = u.AvatarLink(t.Context())
+	assert.Equal(t, "https://localhost/sub-path/avatars/avatar.png", link)
+}
+
+func TestUserAvatarGenerate(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	var err error
+	tmpDir := t.TempDir()
+	storage.Avatars, err = storage.NewLocalStorage(t.Context(), &setting.Storage{Path: tmpDir})
+	require.NoError(t, err)
+
+	u := unittest.AssertExistsAndLoadBean(t, &User{ID: 2})
+
+	// there was no avatar, generate a new one
+	assert.Empty(t, u.Avatar)
+	err = GenerateRandomAvatar(t.Context(), u)
+	require.NoError(t, err)
+	assert.NotEmpty(t, u.Avatar)
+
+	// make sure the generated one exists
+	oldAvatarPath := u.CustomAvatarRelativePath()
+	_, err = storage.Avatars.Stat(u.CustomAvatarRelativePath())
+	require.NoError(t, err)
+	// and try to change its content
+	_, err = storage.Avatars.Save(u.CustomAvatarRelativePath(), strings.NewReader("abcd"), 4)
+	require.NoError(t, err)
+
+	// try to generate again
+	err = GenerateRandomAvatar(t.Context(), u)
+	require.NoError(t, err)
+	assert.Equal(t, oldAvatarPath, u.CustomAvatarRelativePath())
+	f, err := storage.Avatars.Open(u.CustomAvatarRelativePath())
+	require.NoError(t, err)
+	defer f.Close()
+	content, _ := io.ReadAll(f)
+	assert.Equal(t, "abcd", string(content))
+}

models/user/badge.go

@@ -0,0 +1,254 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/util"
+
+	"xorm.io/builder"
+	"xorm.io/xorm/schemas"
+)
+
+// Badge represents a user badge
+type Badge struct {
+	ID          int64  `xorm:"pk autoincr"`
+	Slug        string `xorm:"UNIQUE"`
+	Description string
+	ImageURL    string
+}
+
+// UserBadge represents a user badge
+type UserBadge struct { //nolint:revive // export stutter
+	ID      int64 `xorm:"pk autoincr"`
+	BadgeID int64
+	UserID  int64
+}
+
+// TableIndices implements xorm's TableIndices interface
+func (n *UserBadge) TableIndices() []*schemas.Index {
+	indices := make([]*schemas.Index, 0, 1)
+	ubUnique := schemas.NewIndex("unique_user_badge", schemas.UniqueType)
+	ubUnique.AddColumn("user_id", "badge_id")
+	indices = append(indices, ubUnique)
+	return indices
+}
+
+func init() {
+	db.RegisterModel(new(Badge))
+	db.RegisterModel(new(UserBadge))
+}
+
+// GetUserBadges returns the user's badges.
+func GetUserBadges(ctx context.Context, u *User) ([]*Badge, int64, error) {
+	sess := db.GetEngine(ctx).
+		Select("`badge`.*").
+		Join("INNER", "user_badge", "`user_badge`.badge_id=badge.id").
+		Where("user_badge.user_id=?", u.ID)
+
+	badges := make([]*Badge, 0, 8)
+	count, err := sess.FindAndCount(&badges)
+	return badges, count, err
+}
+
+// GetBadgeUsersOptions contains options for getting users with a specific badge
+type GetBadgeUsersOptions struct {
+	db.ListOptions
+	BadgeSlug string
+}
+
+// GetBadgeUsers returns the users that have a specific badge with pagination support.
+func GetBadgeUsers(ctx context.Context, opts *GetBadgeUsersOptions) ([]*User, int64, error) {
+	sess := db.GetEngine(ctx).
+		Select("`user`.*").
+		Join("INNER", "user_badge", "`user_badge`.user_id=`user`.id").
+		Join("INNER", "badge", "`user_badge`.badge_id=badge.id").
+		Where("badge.slug=?", opts.BadgeSlug)
+
+	if opts.Page > 0 {
+		db.SetSessionPagination(sess, opts)
+	}
+
+	users := make([]*User, 0, opts.PageSize)
+	count, err := sess.FindAndCount(&users)
+	return users, count, err
+}
+
+// CreateBadge creates a new badge.
+func CreateBadge(ctx context.Context, badge *Badge) error {
+	exists, err := db.GetEngine(ctx).Where("slug = ?", badge.Slug).Exist(new(Badge))
+	if err != nil {
+		return err
+	}
+	if exists {
+		return util.NewAlreadyExistErrorf("badge already exists [slug: %s]", badge.Slug)
+	}
+
+	if _, err := db.GetEngine(ctx).Insert(badge); err != nil {
+		// Handle race between existence check and insert.
+		exists, existErr := db.GetEngine(ctx).Where("slug = ?", badge.Slug).Exist(new(Badge))
+		if existErr == nil && exists {
+			return util.NewAlreadyExistErrorf("badge already exists [slug: %s]", badge.Slug)
+		}
+		return err
+	}
+	return nil
+}
+
+// GetBadge returns a specific badge
+func GetBadge(ctx context.Context, slug string) (*Badge, error) {
+	badge := new(Badge)
+	has, err := db.GetEngine(ctx).Where("slug=?", slug).Get(badge)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, util.NewNotExistErrorf("badge does not exist [slug: %s]", slug)
+	}
+	return badge, nil
+}
+
+// UpdateBadge updates a badge based on its slug.
+func UpdateBadge(ctx context.Context, badge *Badge) error {
+	_, err := db.GetEngine(ctx).Where("slug=?", badge.Slug).Cols("description", "image_url").Update(badge)
+	return err
+}
+
+// DeleteBadge deletes a badge and all associated user_badge entries.
+func DeleteBadge(ctx context.Context, badge *Badge) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		// First delete all user_badge entries for this badge
+		if _, err := db.GetEngine(ctx).
+			Where("badge_id = ?", badge.ID).
+			Delete(&UserBadge{}); err != nil {
+			return err
+		}
+
+		// Then delete the badge itself
+		if _, err := db.GetEngine(ctx).Where("slug=?", badge.Slug).Delete(badge); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// AddUserBadge adds a badge to a user.
+func AddUserBadge(ctx context.Context, u *User, badge *Badge) error {
+	return AddUserBadges(ctx, u, []*Badge{badge})
+}
+
+// AddUserBadges adds badges to a user.
+func AddUserBadges(ctx context.Context, u *User, badges []*Badge) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		for _, badge := range badges {
+			// hydrate badge and check if it exists
+			has, err := db.GetEngine(ctx).Where("slug=?", badge.Slug).Get(badge)
+			if err != nil {
+				return err
+			} else if !has {
+				return util.NewNotExistErrorf("badge does not exist [slug: %s]", badge.Slug)
+			}
+
+			exists, err := db.GetEngine(ctx).Where("badge_id = ? AND user_id = ?", badge.ID, u.ID).Exist(new(UserBadge))
+			if err != nil {
+				return err
+			}
+			if exists {
+				return util.NewAlreadyExistErrorf("user badge already exists [user_id: %d, badge_id: %d]", u.ID, badge.ID)
+			}
+
+			if err := db.Insert(ctx, &UserBadge{
+				BadgeID: badge.ID,
+				UserID:  u.ID,
+			}); err != nil {
+				exists, existErr := db.GetEngine(ctx).Where("badge_id = ? AND user_id = ?", badge.ID, u.ID).Exist(new(UserBadge))
+				if existErr == nil && exists {
+					return util.NewAlreadyExistErrorf("user badge already exists [user_id: %d, badge_id: %d]", u.ID, badge.ID)
+				}
+				return err
+			}
+		}
+		return nil
+	})
+}
+
+// RemoveUserBadge removes a badge from a user.
+func RemoveUserBadge(ctx context.Context, u *User, badge *Badge) error {
+	return RemoveUserBadges(ctx, u, []*Badge{badge})
+}
+
+// RemoveUserBadges removes specific badges from a user.
+func RemoveUserBadges(ctx context.Context, u *User, badges []*Badge) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if len(badges) == 0 {
+			return nil
+		}
+
+		badgeSlugs := make([]string, 0, len(badges))
+		for _, badge := range badges {
+			badgeSlugs = append(badgeSlugs, badge.Slug)
+		}
+		var userBadges []UserBadge
+		if err := db.GetEngine(ctx).Table("user_badge").
+			Join("INNER", "badge", "badge.id = `user_badge`.badge_id").
+			Where("`user_badge`.user_id = ?", u.ID).In("`badge`.slug", badgeSlugs).
+			Find(&userBadges); err != nil {
+			return err
+		}
+		userBadgeIDs := make([]int64, 0, len(userBadges))
+		for _, ub := range userBadges {
+			userBadgeIDs = append(userBadgeIDs, ub.ID)
+		}
+		if len(userBadgeIDs) == 0 {
+			return nil
+		}
+		if _, err := db.GetEngine(ctx).Table("user_badge").In("id", userBadgeIDs).Delete(); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// SearchBadgeOptions represents the options when finding badges
+type SearchBadgeOptions struct {
+	db.ListOptions
+
+	Keyword string
+	Slug    string
+	ID      int64
+	OrderBy db.SearchOrderBy
+}
+
+func (opts *SearchBadgeOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+
+	if opts.Keyword != "" {
+		keywordCond := builder.Or(
+			db.BuildCaseInsensitiveLike("badge.slug", opts.Keyword),
+			db.BuildCaseInsensitiveLike("badge.description", opts.Keyword),
+		)
+		cond = cond.And(keywordCond)
+	}
+
+	if opts.ID > 0 {
+		cond = cond.And(builder.Eq{"badge.id": opts.ID})
+	}
+
+	if len(opts.Slug) > 0 {
+		cond = cond.And(builder.Eq{"badge.slug": opts.Slug})
+	}
+
+	return cond
+}
+
+func (opts *SearchBadgeOptions) ToOrders() string {
+	return opts.OrderBy.String()
+}
+
+// SearchBadges returns badges based on the provided SearchBadgeOptions options
+func SearchBadges(ctx context.Context, opts *SearchBadgeOptions) ([]*Badge, int64, error) {
+	return db.FindAndCount[Badge](ctx, opts)
+}

models/user/badge_test.go

@@ -0,0 +1,185 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"testing"
+
+	"gitea.dev/models/db"
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+	"gitea.dev/modules/util"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBadge(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("GetBadgeNotExist", testGetBadgeNotExist)
+	t.Run("CreateBadgeAlreadyExists", testCreateBadgeAlreadyExists)
+	t.Run("GetBadgeUsers", testGetBadgeUsers)
+	t.Run("AddAndRemoveUserBadges", testAddAndRemoveUserBadges)
+	t.Run("SearchBadgesOrderingAndKeyword", testSearchBadgesOrderingAndKeyword)
+}
+
+func testGetBadgeNotExist(t *testing.T) {
+	badge, err := user_model.GetBadge(t.Context(), "does-not-exist")
+	assert.Nil(t, badge)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrNotExist)
+}
+
+func testCreateBadgeAlreadyExists(t *testing.T) {
+	badge := &user_model.Badge{
+		Slug:        "duplicate-badge-slug",
+		Description: "First",
+	}
+	assert.NoError(t, user_model.CreateBadge(t.Context(), badge))
+
+	err := user_model.CreateBadge(t.Context(), &user_model.Badge{
+		Slug:        "duplicate-badge-slug",
+		Description: "Second",
+	})
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrAlreadyExist)
+}
+
+func testGetBadgeUsers(t *testing.T) {
+	// Create a test badge
+	badge := &user_model.Badge{
+		Slug:        "test-badge-users",
+		Description: "Test Badge",
+		ImageURL:    "test.png",
+	}
+	assert.NoError(t, user_model.CreateBadge(t.Context(), badge))
+
+	// Create test users and assign badges
+	user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	assert.NoError(t, user_model.AddUserBadge(t.Context(), user1, badge))
+	assert.NoError(t, user_model.AddUserBadge(t.Context(), user2, badge))
+	defer func() {
+		assert.NoError(t, user_model.RemoveUserBadge(t.Context(), user1, badge))
+		assert.NoError(t, user_model.RemoveUserBadge(t.Context(), user2, badge))
+	}()
+
+	// Test getting users with pagination
+	opts := &user_model.GetBadgeUsersOptions{
+		BadgeSlug: badge.Slug,
+		ListOptions: db.ListOptions{
+			Page:     1,
+			PageSize: 1,
+		},
+	}
+
+	users, count, err := user_model.GetBadgeUsers(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 2, count)
+	assert.Len(t, users, 1)
+
+	// Test second page
+	opts.Page = 2
+	users, count, err = user_model.GetBadgeUsers(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 2, count)
+	assert.Len(t, users, 1)
+
+	// Test with non-existent badge
+	opts.BadgeSlug = "non-existent"
+	users, count, err = user_model.GetBadgeUsers(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 0, count)
+	assert.Empty(t, users)
+}
+
+func testAddAndRemoveUserBadges(t *testing.T) {
+	badge1 := unittest.AssertExistsAndLoadBean(t, &user_model.Badge{ID: 1})
+	user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+	// Add a badge to user and verify that it is returned in the list
+	assert.NoError(t, user_model.AddUserBadge(t.Context(), user1, badge1))
+	badges, count, err := user_model.GetUserBadges(t.Context(), user1)
+	assert.Equal(t, int64(1), count)
+	assert.Equal(t, badge1.Slug, badges[0].Slug)
+	assert.NoError(t, err)
+
+	// Confirm that it is impossible to duplicate the same badge
+	err = user_model.AddUserBadge(t.Context(), user1, badge1)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrAlreadyExist)
+
+	// Nothing happened to the existing badge
+	badges, count, err = user_model.GetUserBadges(t.Context(), user1)
+	assert.Equal(t, int64(1), count)
+	assert.Equal(t, badge1.Slug, badges[0].Slug)
+	assert.NoError(t, err)
+
+	// Remove a badge from user and verify that it is no longer in the list
+	assert.NoError(t, user_model.RemoveUserBadge(t.Context(), user1, badge1))
+	_, count, err = user_model.GetUserBadges(t.Context(), user1)
+	assert.Equal(t, int64(0), count)
+	assert.NoError(t, err)
+
+	// Removing empty or missing badge selections should be a no-op.
+	assert.NoError(t, user_model.RemoveUserBadges(t.Context(), user1, nil))
+	assert.NoError(t, user_model.RemoveUserBadges(t.Context(), user1, []*user_model.Badge{{Slug: "does-not-exist"}}))
+}
+
+func testSearchBadgesOrderingAndKeyword(t *testing.T) {
+	createdBadges := []*user_model.Badge{
+		{Slug: "badge-sort-b", Description: "Badge Sort B"},
+		{Slug: "badge-sort-c", Description: "Badge Sort C"},
+		{Slug: "badge-sort-a", Description: "Badge Sort A"},
+		{Slug: "badge-sort-case", Description: "MiXeDCaSeKeyword"},
+	}
+	for _, badge := range createdBadges {
+		assert.NoError(t, user_model.CreateBadge(t.Context(), badge))
+	}
+
+	opts := &user_model.SearchBadgeOptions{
+		ListOptions: db.ListOptions{ListAll: true},
+		Keyword:     "badge-sort-",
+		OrderBy:     db.SearchOrderBy("`badge`.id ASC"),
+	}
+
+	oldestFirst, count, err := user_model.SearchBadges(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 4, count)
+	assert.Equal(t, []string{"badge-sort-b", "badge-sort-c", "badge-sort-a", "badge-sort-case"}, collectBadgeSlugs(oldestFirst))
+
+	opts.OrderBy = db.SearchOrderBy("`badge`.id DESC")
+	newestFirst, count, err := user_model.SearchBadges(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 4, count)
+	assert.Equal(t, []string{"badge-sort-case", "badge-sort-a", "badge-sort-c", "badge-sort-b"}, collectBadgeSlugs(newestFirst))
+
+	opts.OrderBy = db.SearchOrderBy("`badge`.slug ASC")
+	alpha, count, err := user_model.SearchBadges(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 4, count)
+	assert.Equal(t, []string{"badge-sort-a", "badge-sort-b", "badge-sort-c", "badge-sort-case"}, collectBadgeSlugs(alpha))
+
+	opts.OrderBy = db.SearchOrderBy("`badge`.slug DESC")
+	reverseAlpha, count, err := user_model.SearchBadges(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 4, count)
+	assert.Equal(t, []string{"badge-sort-case", "badge-sort-c", "badge-sort-b", "badge-sort-a"}, collectBadgeSlugs(reverseAlpha))
+
+	opts.Keyword = "mixedcasekeyword"
+	opts.OrderBy = db.SearchOrderBy("`badge`.slug ASC")
+	caseInsensitive, count, err := user_model.SearchBadges(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 1, count)
+	assert.Equal(t, []string{"badge-sort-case"}, collectBadgeSlugs(caseInsensitive))
+}
+
+func collectBadgeSlugs(badges []*user_model.Badge) []string {
+	slugs := make([]string, 0, len(badges))
+	for _, badge := range badges {
+		slugs = append(slugs, badge.Slug)
+	}
+	return slugs
+}

models/user/block.go

@@ -0,0 +1,123 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/container"
+	"gitea.dev/modules/timeutil"
+	"gitea.dev/modules/util"
+
+	"xorm.io/builder"
+)
+
+var (
+	ErrBlockOrganization = util.NewInvalidArgumentErrorf("cannot block an organization")
+	ErrCanNotBlock       = util.NewInvalidArgumentErrorf("cannot block the user")
+	ErrCanNotUnblock     = util.NewInvalidArgumentErrorf("cannot unblock the user")
+	ErrBlockedUser       = util.NewPermissionDeniedErrorf("user is blocked")
+)
+
+type Blocking struct {
+	ID          int64 `xorm:"pk autoincr"`
+	BlockerID   int64 `xorm:"UNIQUE(block)"`
+	Blocker     *User `xorm:"-"`
+	BlockeeID   int64 `xorm:"UNIQUE(block)"`
+	Blockee     *User `xorm:"-"`
+	Note        string
+	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+}
+
+func (*Blocking) TableName() string {
+	return "user_blocking"
+}
+
+func init() {
+	db.RegisterModel(new(Blocking))
+}
+
+func UpdateBlockingNote(ctx context.Context, id int64, note string) error {
+	_, err := db.GetEngine(ctx).ID(id).Cols("note").Update(&Blocking{Note: note})
+	return err
+}
+
+func IsUserBlockedBy(ctx context.Context, blockee *User, blockerIDs ...int64) bool {
+	if len(blockerIDs) == 0 {
+		return false
+	}
+
+	if blockee.IsAdmin {
+		return false
+	}
+
+	cond := builder.Eq{"user_blocking.blockee_id": blockee.ID}.
+		And(builder.In("user_blocking.blocker_id", blockerIDs))
+
+	has, _ := db.GetEngine(ctx).Where(cond).Exist(&Blocking{})
+	return has
+}
+
+type FindBlockingOptions struct {
+	db.ListOptions
+	BlockerID int64
+	BlockeeID int64
+}
+
+func (opts *FindBlockingOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.BlockerID != 0 {
+		cond = cond.And(builder.Eq{"user_blocking.blocker_id": opts.BlockerID})
+	}
+	if opts.BlockeeID != 0 {
+		cond = cond.And(builder.Eq{"user_blocking.blockee_id": opts.BlockeeID})
+	}
+	return cond
+}
+
+func FindBlockings(ctx context.Context, opts *FindBlockingOptions) ([]*Blocking, int64, error) {
+	return db.FindAndCount[Blocking](ctx, opts)
+}
+
+func GetBlocking(ctx context.Context, blockerID, blockeeID int64) (*Blocking, error) {
+	blocks, _, err := FindBlockings(ctx, &FindBlockingOptions{
+		BlockerID: blockerID,
+		BlockeeID: blockeeID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if len(blocks) == 0 {
+		return nil, util.NewNotExistErrorf("blocking record doesn't exist")
+	}
+	return blocks[0], nil
+}
+
+type BlockingList []*Blocking
+
+func (blocks BlockingList) LoadAttributes(ctx context.Context) error {
+	ids := make(container.Set[int64], len(blocks)*2)
+	for _, b := range blocks {
+		ids.Add(b.BlockerID)
+		ids.Add(b.BlockeeID)
+	}
+
+	userList, err := GetUsersByIDs(ctx, ids.Values())
+	if err != nil {
+		return err
+	}
+
+	userMap := make(map[int64]*User, len(userList))
+	for _, u := range userList {
+		userMap[u.ID] = u
+	}
+
+	for _, b := range blocks {
+		b.Blocker = userMap[b.BlockerID]
+		b.Blockee = userMap[b.BlockeeID]
+	}
+
+	return nil
+}

models/user/email_address.go

@@ -0,0 +1,540 @@
+// Copyright 2016 The Gogs Authors. All rights reserved.
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+	"net/mail"
+	"strings"
+	"time"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/base"
+	"gitea.dev/modules/log"
+	"gitea.dev/modules/optional"
+	"gitea.dev/modules/setting"
+	"gitea.dev/modules/util"
+	"gitea.dev/modules/validation"
+
+	"xorm.io/builder"
+)
+
+// ErrEmailCharIsNotSupported e-mail address contains unsupported character
+type ErrEmailCharIsNotSupported struct {
+	Email string
+}
+
+// IsErrEmailCharIsNotSupported checks if an error is an ErrEmailCharIsNotSupported
+func IsErrEmailCharIsNotSupported(err error) bool {
+	_, ok := err.(ErrEmailCharIsNotSupported)
+	return ok
+}
+
+func (err ErrEmailCharIsNotSupported) Error() string {
+	return fmt.Sprintf("e-mail address contains unsupported character [email: %s]", err.Email)
+}
+
+func (err ErrEmailCharIsNotSupported) Unwrap() error {
+	return util.ErrInvalidArgument
+}
+
+// ErrEmailInvalid represents an error where the email address does not comply with RFC 5322
+// or has a leading '-' character
+type ErrEmailInvalid struct {
+	Email string
+}
+
+// IsErrEmailInvalid checks if an error is an ErrEmailInvalid
+func IsErrEmailInvalid(err error) bool {
+	_, ok := err.(ErrEmailInvalid)
+	return ok
+}
+
+func (err ErrEmailInvalid) Error() string {
+	return fmt.Sprintf("e-mail invalid [email: %s]", err.Email)
+}
+
+func (err ErrEmailInvalid) Unwrap() error {
+	return util.ErrInvalidArgument
+}
+
+// ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error.
+type ErrEmailAlreadyUsed struct {
+	Email string
+}
+
+// IsErrEmailAlreadyUsed checks if an error is a ErrEmailAlreadyUsed.
+func IsErrEmailAlreadyUsed(err error) bool {
+	_, ok := err.(ErrEmailAlreadyUsed)
+	return ok
+}
+
+func (err ErrEmailAlreadyUsed) Error() string {
+	return fmt.Sprintf("e-mail already in use [email: %s]", err.Email)
+}
+
+func (err ErrEmailAlreadyUsed) Unwrap() error {
+	return util.ErrAlreadyExist
+}
+
+// ErrEmailAddressNotExist email address not exist
+type ErrEmailAddressNotExist struct {
+	Email string
+}
+
+// IsErrEmailAddressNotExist checks if an error is an ErrEmailAddressNotExist
+func IsErrEmailAddressNotExist(err error) bool {
+	_, ok := err.(ErrEmailAddressNotExist)
+	return ok
+}
+
+func (err ErrEmailAddressNotExist) Error() string {
+	return fmt.Sprintf("Email address does not exist [email: %s]", err.Email)
+}
+
+func (err ErrEmailAddressNotExist) Unwrap() error {
+	return util.ErrNotExist
+}
+
+// ErrPrimaryEmailCannotDelete primary email address cannot be deleted
+type ErrPrimaryEmailCannotDelete struct {
+	Email string
+}
+
+// IsErrPrimaryEmailCannotDelete checks if an error is an ErrPrimaryEmailCannotDelete
+func IsErrPrimaryEmailCannotDelete(err error) bool {
+	_, ok := err.(ErrPrimaryEmailCannotDelete)
+	return ok
+}
+
+func (err ErrPrimaryEmailCannotDelete) Error() string {
+	return fmt.Sprintf("Primary email address cannot be deleted [email: %s]", err.Email)
+}
+
+func (err ErrPrimaryEmailCannotDelete) Unwrap() error {
+	return util.ErrInvalidArgument
+}
+
+// EmailAddress is the list of all email addresses of a user. It also contains the
+// primary email address which is saved in user table.
+type EmailAddress struct {
+	ID          int64  `xorm:"pk autoincr"`
+	UID         int64  `xorm:"INDEX NOT NULL"`
+	Email       string `xorm:"UNIQUE NOT NULL"`
+	LowerEmail  string `xorm:"UNIQUE NOT NULL"`
+	IsActivated bool
+	IsPrimary   bool `xorm:"DEFAULT(false) NOT NULL"`
+}
+
+func init() {
+	db.RegisterModel(new(EmailAddress))
+}
+
+// BeforeInsert will be invoked by XORM before inserting a record
+func (email *EmailAddress) BeforeInsert() {
+	if email.LowerEmail == "" {
+		email.LowerEmail = strings.ToLower(email.Email)
+	}
+}
+
+func InsertEmailAddress(ctx context.Context, email *EmailAddress) (*EmailAddress, error) {
+	if err := db.Insert(ctx, email); err != nil {
+		return nil, err
+	}
+	return email, nil
+}
+
+// ValidateEmail check if email is a valid & allowed address
+func ValidateEmail(email string) error {
+	if err := validateEmailBasic(email); err != nil {
+		return err
+	}
+	return validateEmailDomain(email)
+}
+
+// ValidateEmailForAdmin check if email is a valid address when admins manually add or edit users
+func ValidateEmailForAdmin(email string) error {
+	return validateEmailBasic(email)
+	// In this case we do not need to check the email domain
+}
+
+func GetEmailAddressByEmail(ctx context.Context, email string) (*EmailAddress, error) {
+	ea := &EmailAddress{}
+	if has, err := db.GetEngine(ctx).Where("lower_email=?", strings.ToLower(email)).Get(ea); err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrEmailAddressNotExist{email}
+	}
+	return ea, nil
+}
+
+func GetEmailAddressOfUser(ctx context.Context, email string, uid int64) (*EmailAddress, error) {
+	ea := &EmailAddress{}
+	if has, err := db.GetEngine(ctx).Where("lower_email=? AND uid=?", strings.ToLower(email), uid).Get(ea); err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrEmailAddressNotExist{email}
+	}
+	return ea, nil
+}
+
+func GetPrimaryEmailAddressOfUser(ctx context.Context, uid int64) (*EmailAddress, error) {
+	ea := &EmailAddress{}
+	if has, err := db.GetEngine(ctx).Where("uid=? AND is_primary=?", uid, true).Get(ea); err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrEmailAddressNotExist{}
+	}
+	return ea, nil
+}
+
+// GetEmailAddresses returns all email addresses belongs to given user.
+func GetEmailAddresses(ctx context.Context, uid int64) ([]*EmailAddress, error) {
+	emails := make([]*EmailAddress, 0, 5)
+	if err := db.GetEngine(ctx).
+		Where("uid=?", uid).
+		Asc("id").
+		Find(&emails); err != nil {
+		return nil, err
+	}
+	return emails, nil
+}
+
+// GetEmailAddressByID gets a user's email address by ID
+func GetEmailAddressByID(ctx context.Context, uid, id int64) (*EmailAddress, error) {
+	// User ID is required for security reasons
+	email := &EmailAddress{UID: uid}
+	if has, err := db.GetEngine(ctx).ID(id).Get(email); err != nil {
+		return nil, err
+	} else if !has {
+		return nil, nil //nolint:nilnil // return nil to indicate that the object does not exist
+	}
+	return email, nil
+}
+
+// IsEmailActive check if email is activated with a different emailID
+func IsEmailActive(ctx context.Context, email string, excludeEmailID int64) (bool, error) {
+	if len(email) == 0 {
+		return true, nil
+	}
+
+	// Can't filter by boolean field unless it's explicit
+	cond := builder.NewCond()
+	cond = cond.And(builder.Eq{"lower_email": strings.ToLower(email)}, builder.Neq{"id": excludeEmailID})
+	if setting.Service.RegisterEmailConfirm {
+		// Inactive (unvalidated) addresses don't count as active if email validation is required
+		cond = cond.And(builder.Eq{"is_activated": true})
+	}
+
+	var em EmailAddress
+	if has, err := db.GetEngine(ctx).Where(cond).Get(&em); has || err != nil {
+		if has {
+			log.Info("isEmailActive(%q, %d) found duplicate in email ID %d", email, excludeEmailID, em.ID)
+		}
+		return has, err
+	}
+
+	return false, nil
+}
+
+// IsEmailUsed returns true if the email has been used.
+func IsEmailUsed(ctx context.Context, email string) (bool, error) {
+	if len(email) == 0 {
+		return true, nil
+	}
+
+	return db.GetEngine(ctx).Where("lower_email=?", strings.ToLower(email)).Get(&EmailAddress{})
+}
+
+// ActivateEmail activates the email address to given user.
+func ActivateEmail(ctx context.Context, email *EmailAddress) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		return updateActivation(ctx, email, true)
+	})
+}
+
+func updateActivation(ctx context.Context, email *EmailAddress, activate bool) error {
+	user, err := GetUserByID(ctx, email.UID)
+	if err != nil {
+		return err
+	}
+	if user.Rands, err = GetUserSalt(); err != nil {
+		return err
+	}
+	email.IsActivated = activate
+	if _, err := db.GetEngine(ctx).ID(email.ID).Cols("is_activated").Update(email); err != nil {
+		return err
+	}
+	return UpdateUserCols(ctx, user, "rands")
+}
+
+func MakeActiveEmailPrimary(ctx context.Context, ownerID, emailID int64) error {
+	return makeEmailPrimaryInternal(ctx, ownerID, emailID, true)
+}
+
+func MakeInactiveEmailPrimary(ctx context.Context, ownerID, emailID int64) error {
+	return makeEmailPrimaryInternal(ctx, ownerID, emailID, false)
+}
+
+func makeEmailPrimaryInternal(ctx context.Context, ownerID, emailID int64, isActive bool) error {
+	email := &EmailAddress{}
+	if has, err := db.GetEngine(ctx).ID(emailID).
+		Where(builder.Eq{
+			"uid":          ownerID,
+			"is_activated": isActive,
+		}).
+		Get(email); err != nil {
+		return err
+	} else if !has {
+		return ErrEmailAddressNotExist{}
+	}
+
+	user := &User{}
+	if has, err := db.GetEngine(ctx).ID(email.UID).Get(user); err != nil {
+		return err
+	} else if !has {
+		return ErrUserNotExist{UID: email.UID}
+	}
+
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		sess := db.GetEngine(ctx)
+
+		// 1. Update user table
+		user.Email = email.Email
+		if _, err := sess.ID(user.ID).Cols("email").Update(user); err != nil {
+			return err
+		}
+
+		// 2. Update old primary email
+		if _, err := sess.Where("uid=? AND is_primary=?", email.UID, true).Cols("is_primary").Update(&EmailAddress{
+			IsPrimary: false,
+		}); err != nil {
+			return err
+		}
+
+		// 3. update new primary email
+		email.IsPrimary = true
+		if _, err := sess.ID(email.ID).Cols("is_primary").Update(email); err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+// ChangeInactivePrimaryEmail replaces the inactive primary email of a given user
+func ChangeInactivePrimaryEmail(ctx context.Context, uid int64, oldEmailAddr, newEmailAddr string) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		_, err := db.GetEngine(ctx).Where(builder.Eq{"uid": uid, "lower_email": strings.ToLower(oldEmailAddr)}).Delete(&EmailAddress{})
+		if err != nil {
+			return err
+		}
+		newEmail, err := InsertEmailAddress(ctx, &EmailAddress{UID: uid, Email: newEmailAddr})
+		if err != nil {
+			return err
+		}
+		return MakeInactiveEmailPrimary(ctx, uid, newEmail.ID)
+	})
+}
+
+// VerifyActiveEmailCode verifies active email code when active account
+func VerifyActiveEmailCode(ctx context.Context, code, email string) *EmailAddress {
+	if user := GetVerifyUser(ctx, code); user != nil {
+		// time limit code
+		prefix := code[:base.TimeLimitCodeLength]
+		opts := &TimeLimitCodeOptions{Purpose: TimeLimitCodeActivateEmail, NewEmail: email}
+		data := makeTimeLimitCodeHashData(opts, user)
+		if base.VerifyTimeLimitCode(time.Now(), data, setting.Service.ActiveCodeLives, prefix) {
+			emailAddress := &EmailAddress{UID: user.ID, Email: email}
+			if has, _ := db.GetEngine(ctx).Get(emailAddress); has {
+				return emailAddress
+			}
+		}
+	}
+	return nil
+}
+
+// SearchEmailOrderBy is used to sort the results from SearchEmails()
+type SearchEmailOrderBy string
+
+func (s SearchEmailOrderBy) String() string {
+	return string(s)
+}
+
+// Strings for sorting result
+const (
+	SearchEmailOrderByEmail        SearchEmailOrderBy = "email_address.lower_email ASC, email_address.is_primary DESC, email_address.id ASC"
+	SearchEmailOrderByEmailReverse SearchEmailOrderBy = "email_address.lower_email DESC, email_address.is_primary ASC, email_address.id DESC"
+	SearchEmailOrderByName         SearchEmailOrderBy = "`user`.lower_name ASC, email_address.is_primary DESC, email_address.id ASC"
+	SearchEmailOrderByNameReverse  SearchEmailOrderBy = "`user`.lower_name DESC, email_address.is_primary ASC, email_address.id DESC"
+)
+
+// SearchEmailOptions are options to search e-mail addresses for the admin panel
+type SearchEmailOptions struct {
+	db.ListOptions
+	Keyword     string
+	SortType    SearchEmailOrderBy
+	IsPrimary   optional.Option[bool]
+	IsActivated optional.Option[bool]
+}
+
+// SearchEmailResult is an e-mail address found in the user or email_address table
+type SearchEmailResult struct {
+	ID          int64
+	UID         int64
+	Email       string
+	IsActivated bool
+	IsPrimary   bool
+	// From User
+	Name     string
+	FullName string
+}
+
+// SearchEmails takes options i.e. keyword and part of email name to search,
+// it returns results in given range and number of total results.
+func SearchEmails(ctx context.Context, opts *SearchEmailOptions) ([]*SearchEmailResult, int64, error) {
+	var cond builder.Cond = builder.Eq{"`user`.`type`": UserTypeIndividual}
+	if len(opts.Keyword) > 0 {
+		likeStr := "%" + strings.ToLower(opts.Keyword) + "%"
+		cond = cond.And(builder.Or(
+			builder.Like{"lower(`user`.full_name)", likeStr},
+			builder.Like{"`user`.lower_name", likeStr},
+			builder.Like{"email_address.lower_email", likeStr},
+		))
+	}
+
+	if opts.IsPrimary.Has() {
+		cond = cond.And(builder.Eq{"email_address.is_primary": opts.IsPrimary.Value()})
+	}
+
+	if opts.IsActivated.Has() {
+		cond = cond.And(builder.Eq{"email_address.is_activated": opts.IsActivated.Value()})
+	}
+
+	count, err := db.GetEngine(ctx).Join("INNER", "`user`", "`user`.id = email_address.uid").
+		Where(cond).Count(new(EmailAddress))
+	if err != nil {
+		return nil, 0, fmt.Errorf("Count: %w", err)
+	}
+
+	orderby := opts.SortType.String()
+	if orderby == "" {
+		orderby = SearchEmailOrderByEmail.String()
+	}
+
+	opts.SetDefaultValues()
+
+	emails := make([]*SearchEmailResult, 0, opts.PageSize)
+	err = db.GetEngine(ctx).Table("email_address").
+		Select("email_address.*, `user`.name, `user`.full_name").
+		Join("INNER", "`user`", "`user`.id = email_address.uid").
+		Where(cond).
+		OrderBy(orderby).
+		Limit(opts.PageSize, (opts.Page-1)*opts.PageSize).
+		Find(&emails)
+
+	return emails, count, err
+}
+
+// ActivateUserEmail will change the activated state of an email address,
+// either primary or secondary (all in the email_address table)
+func ActivateUserEmail(ctx context.Context, userID int64, email string, activate bool) (err error) {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		// Activate/deactivate a user's secondary email address
+		// First check if there's another user active with the same address
+		addr, exist, err := db.Get[EmailAddress](ctx, builder.Eq{"uid": userID, "lower_email": strings.ToLower(email)})
+		if err != nil {
+			return err
+		} else if !exist {
+			return fmt.Errorf("no such email: %d (%s)", userID, email)
+		}
+
+		if addr.IsActivated == activate {
+			// Already in the desired state; no action
+			return nil
+		}
+		if activate {
+			if used, err := IsEmailActive(ctx, email, addr.ID); err != nil {
+				return fmt.Errorf("unable to check isEmailActive() for %s: %w", email, err)
+			} else if used {
+				return ErrEmailAlreadyUsed{Email: email}
+			}
+		}
+		if err = updateActivation(ctx, addr, activate); err != nil {
+			return fmt.Errorf("unable to updateActivation() for %d:%s: %w", addr.ID, addr.Email, err)
+		}
+
+		// Activate/deactivate a user's primary email address and account
+		if addr.IsPrimary {
+			user, exist, err := db.Get[User](ctx, builder.Eq{"id": userID})
+			if err != nil {
+				return err
+			} else if !exist || !strings.EqualFold(user.Email, email) {
+				return fmt.Errorf("no user with ID: %d and Email: %s", userID, email)
+			}
+
+			// The user's activation state should be synchronized with the primary email
+			if user.IsActive != activate {
+				user.IsActive = activate
+				if user.Rands, err = GetUserSalt(); err != nil {
+					return fmt.Errorf("unable to generate salt: %w", err)
+				}
+				if err = UpdateUserCols(ctx, user, "is_active", "rands"); err != nil {
+					return fmt.Errorf("unable to updateUserCols() for user ID: %d: %w", userID, err)
+				}
+			}
+		}
+		return nil
+	})
+}
+
+// validateEmailBasic checks whether the email complies with the rules
+func validateEmailBasic(email string) error {
+	if len(email) == 0 {
+		return ErrEmailInvalid{email}
+	}
+
+	if !globalVars().emailRegexp.MatchString(email) {
+		return ErrEmailCharIsNotSupported{email}
+	}
+
+	if email[0] == '-' {
+		return ErrEmailInvalid{email}
+	}
+
+	if _, err := mail.ParseAddress(email); err != nil {
+		return ErrEmailInvalid{email}
+	}
+
+	return nil
+}
+
+// validateEmailDomain checks whether the email domain is allowed or blocked
+func validateEmailDomain(email string) error {
+	if !IsEmailDomainAllowed(email) {
+		return ErrEmailInvalid{email}
+	}
+
+	return nil
+}
+
+func IsEmailDomainAllowed(email string) bool {
+	if len(setting.Service.EmailDomainAllowList) == 0 {
+		return !validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, email)
+	}
+
+	return validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email)
+}
+
+func GetActivatedEmailAddresses(ctx context.Context, uid int64) ([]string, error) {
+	emails := make([]string, 0, 2)
+	if err := db.GetEngine(ctx).Table("email_address").Select("email").
+		Where("uid=? AND is_activated=?", uid, true).Asc("id").
+		Find(&emails); err != nil {
+		return nil, err
+	}
+	return emails, nil
+}

models/user/email_address_test.go

@@ -0,0 +1,207 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"slices"
+	"testing"
+
+	"gitea.dev/models/db"
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+	"gitea.dev/modules/optional"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetEmailAddresses(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	emails, _ := user_model.GetEmailAddresses(t.Context(), int64(1))
+	if assert.Len(t, emails, 3) {
+		assert.True(t, emails[0].IsPrimary)
+		assert.True(t, emails[2].IsActivated)
+		assert.False(t, emails[2].IsPrimary)
+	}
+
+	emails, _ = user_model.GetEmailAddresses(t.Context(), int64(2))
+	if assert.Len(t, emails, 2) {
+		assert.True(t, emails[0].IsPrimary)
+		assert.True(t, emails[0].IsActivated)
+	}
+}
+
+func TestIsEmailUsed(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	isExist, _ := user_model.IsEmailUsed(t.Context(), "")
+	assert.True(t, isExist)
+	isExist, _ = user_model.IsEmailUsed(t.Context(), "user11@example.com")
+	assert.True(t, isExist)
+	isExist, _ = user_model.IsEmailUsed(t.Context(), "user1234567890@example.com")
+	assert.False(t, isExist)
+}
+
+func TestMakeEmailPrimary(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	err := user_model.MakeActiveEmailPrimary(t.Context(), 1, 9999999)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, user_model.ErrEmailAddressNotExist{})
+
+	email := unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{Email: "user11@example.com"})
+	err = user_model.MakeActiveEmailPrimary(t.Context(), email.UID, email.ID)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, user_model.ErrEmailAddressNotExist{}) // inactive email is considered as not exist for "MakeActiveEmailPrimary"
+
+	email = unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{Email: "user9999999@example.com"})
+	err = user_model.MakeActiveEmailPrimary(t.Context(), email.UID, email.ID)
+	assert.Error(t, err)
+	assert.True(t, user_model.IsErrUserNotExist(err))
+
+	email = unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{Email: "user101@example.com"})
+	err = user_model.MakeActiveEmailPrimary(t.Context(), email.UID, email.ID)
+	assert.NoError(t, err)
+
+	user, _ := user_model.GetUserByID(t.Context(), int64(10))
+	assert.Equal(t, "user101@example.com", user.Email)
+}
+
+func TestActivate(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	email := &user_model.EmailAddress{
+		ID:    int64(1),
+		UID:   int64(1),
+		Email: "user11@example.com",
+	}
+	assert.NoError(t, user_model.ActivateEmail(t.Context(), email))
+
+	emails, _ := user_model.GetEmailAddresses(t.Context(), int64(1))
+	assert.Len(t, emails, 3)
+	assert.True(t, emails[0].IsActivated)
+	assert.True(t, emails[0].IsPrimary)
+	assert.False(t, emails[1].IsPrimary)
+	assert.True(t, emails[2].IsActivated)
+	assert.False(t, emails[2].IsPrimary)
+}
+
+func TestListEmails(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	// Must find all users and their emails
+	opts := &user_model.SearchEmailOptions{
+		ListOptions: db.ListOptions{
+			PageSize: 10000,
+		},
+	}
+	emails, count, err := user_model.SearchEmails(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.Greater(t, count, int64(5))
+
+	contains := func(match func(s *user_model.SearchEmailResult) bool) bool {
+		return slices.ContainsFunc(emails, match)
+	}
+
+	assert.True(t, contains(func(s *user_model.SearchEmailResult) bool { return s.UID == 18 }))
+	// 'org3' is an organization
+	assert.False(t, contains(func(s *user_model.SearchEmailResult) bool { return s.UID == 3 }))
+
+	// Must find no records
+	opts = &user_model.SearchEmailOptions{Keyword: "NOTFOUND"}
+	emails, count, err = user_model.SearchEmails(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.Equal(t, int64(0), count)
+
+	// Must find users 'user2', 'user28', etc.
+	opts = &user_model.SearchEmailOptions{Keyword: "user2"}
+	emails, count, err = user_model.SearchEmails(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.NotEqual(t, int64(0), count)
+	assert.True(t, contains(func(s *user_model.SearchEmailResult) bool { return s.UID == 2 }))
+	assert.True(t, contains(func(s *user_model.SearchEmailResult) bool { return s.UID == 27 }))
+
+	// Must find only primary addresses (i.e. from the `user` table)
+	opts = &user_model.SearchEmailOptions{IsPrimary: optional.Some(true)}
+	emails, _, err = user_model.SearchEmails(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.True(t, contains(func(s *user_model.SearchEmailResult) bool { return s.IsPrimary }))
+	assert.False(t, contains(func(s *user_model.SearchEmailResult) bool { return !s.IsPrimary }))
+
+	// Must find only inactive addresses (i.e. not validated)
+	opts = &user_model.SearchEmailOptions{IsActivated: optional.Some(false)}
+	emails, _, err = user_model.SearchEmails(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.True(t, contains(func(s *user_model.SearchEmailResult) bool { return !s.IsActivated }))
+	assert.False(t, contains(func(s *user_model.SearchEmailResult) bool { return s.IsActivated }))
+
+	// Must find more than one page, but retrieve only one
+	opts = &user_model.SearchEmailOptions{
+		ListOptions: db.ListOptions{
+			PageSize: 5,
+			Page:     1,
+		},
+	}
+	emails, count, err = user_model.SearchEmails(t.Context(), opts)
+	assert.NoError(t, err)
+	assert.Len(t, emails, 5)
+	assert.Greater(t, count, int64(len(emails)))
+}
+
+func TestEmailAddressValidate(t *testing.T) {
+	kases := map[string]error{
+		"abc@gmail.com":                  nil,
+		"132@hotmail.com":                nil,
+		"1-3-2@test.org":                 nil,
+		"1.3.2@test.org":                 nil,
+		"a_123@test.org.cn":              nil,
+		`first.last@iana.org`:            nil,
+		`first!last@iana.org`:            nil,
+		`first#last@iana.org`:            nil,
+		`first$last@iana.org`:            nil,
+		`first%last@iana.org`:            nil,
+		`first&last@iana.org`:            nil,
+		`first'last@iana.org`:            nil,
+		`first*last@iana.org`:            nil,
+		`first+last@iana.org`:            nil,
+		`first/last@iana.org`:            nil,
+		`first=last@iana.org`:            nil,
+		`first?last@iana.org`:            nil,
+		`first^last@iana.org`:            nil,
+		"first`last@iana.org":            nil,
+		`first{last@iana.org`:            nil,
+		`first|last@iana.org`:            nil,
+		`first}last@iana.org`:            nil,
+		`first~last@iana.org`:            nil,
+		`first;last@iana.org`:            user_model.ErrEmailCharIsNotSupported{`first;last@iana.org`},
+		".233@qq.com":                    user_model.ErrEmailInvalid{".233@qq.com"},
+		"!233@qq.com":                    nil,
+		"#233@qq.com":                    nil,
+		"$233@qq.com":                    nil,
+		"%233@qq.com":                    nil,
+		"&233@qq.com":                    nil,
+		"'233@qq.com":                    nil,
+		"*233@qq.com":                    nil,
+		"+233@qq.com":                    nil,
+		"-233@qq.com":                    user_model.ErrEmailInvalid{"-233@qq.com"},
+		"/233@qq.com":                    nil,
+		"=233@qq.com":                    nil,
+		"?233@qq.com":                    nil,
+		"^233@qq.com":                    nil,
+		"_233@qq.com":                    nil,
+		"`233@qq.com":                    nil,
+		"{233@qq.com":                    nil,
+		"|233@qq.com":                    nil,
+		"}233@qq.com":                    nil,
+		"~233@qq.com":                    nil,
+		";233@qq.com":                    user_model.ErrEmailCharIsNotSupported{";233@qq.com"},
+		"Foo <foo@bar.com>":              user_model.ErrEmailCharIsNotSupported{"Foo <foo@bar.com>"},
+		string([]byte{0xE2, 0x84, 0xAA}): user_model.ErrEmailCharIsNotSupported{string([]byte{0xE2, 0x84, 0xAA})},
+	}
+	for kase, err := range kases {
+		t.Run(kase, func(t *testing.T) {
+			assert.Equal(t, err, user_model.ValidateEmail(kase))
+		})
+	}
+}

models/user/error.go

@@ -0,0 +1,88 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"fmt"
+
+	"gitea.dev/modules/util"
+)
+
+// ErrUserAlreadyExist represents a "user already exists" error.
+type ErrUserAlreadyExist struct {
+	Name string
+}
+
+// IsErrUserAlreadyExist checks if an error is a ErrUserAlreadyExists.
+func IsErrUserAlreadyExist(err error) bool {
+	_, ok := err.(ErrUserAlreadyExist)
+	return ok
+}
+
+func (err ErrUserAlreadyExist) Error() string {
+	return fmt.Sprintf("user already exists [name: %s]", err.Name)
+}
+
+// Unwrap unwraps this error as a ErrExist error
+func (err ErrUserAlreadyExist) Unwrap() error {
+	return util.ErrAlreadyExist
+}
+
+// ErrUserNotExist represents a "UserNotExist" kind of error.
+type ErrUserNotExist struct {
+	UID  int64
+	Name string
+}
+
+// IsErrUserNotExist checks if an error is a ErrUserNotExist.
+func IsErrUserNotExist(err error) bool {
+	_, ok := err.(ErrUserNotExist)
+	return ok
+}
+
+func (err ErrUserNotExist) Error() string {
+	return fmt.Sprintf("user does not exist [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// Unwrap unwraps this error as a ErrNotExist error
+func (err ErrUserNotExist) Unwrap() error {
+	return util.ErrNotExist
+}
+
+// ErrUserProhibitLogin represents a "ErrUserProhibitLogin" kind of error.
+type ErrUserProhibitLogin struct {
+	UID  int64
+	Name string
+}
+
+// IsErrUserProhibitLogin checks if an error is a ErrUserProhibitLogin
+func IsErrUserProhibitLogin(err error) bool {
+	_, ok := err.(ErrUserProhibitLogin)
+	return ok
+}
+
+func (err ErrUserProhibitLogin) Error() string {
+	return fmt.Sprintf("user is not allowed login [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// Unwrap unwraps this error as a ErrPermission error
+func (err ErrUserProhibitLogin) Unwrap() error {
+	return util.ErrPermissionDenied
+}
+
+// ErrUserIsNotLocal represents a "ErrUserIsNotLocal" kind of error.
+type ErrUserIsNotLocal struct {
+	UID  int64
+	Name string
+}
+
+func (err ErrUserIsNotLocal) Error() string {
+	return fmt.Sprintf("user is not local type [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// IsErrUserIsNotLocal
+func IsErrUserIsNotLocal(err error) bool {
+	_, ok := err.(ErrUserIsNotLocal)
+	return ok
+}

models/user/external_login_user.go

@@ -0,0 +1,207 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/util"
+
+	"xorm.io/builder"
+)
+
+// ErrExternalLoginUserAlreadyExist represents a "ExternalLoginUserAlreadyExist" kind of error.
+type ErrExternalLoginUserAlreadyExist struct {
+	ExternalID    string
+	UserID        int64
+	LoginSourceID int64
+}
+
+func (err ErrExternalLoginUserAlreadyExist) Error() string {
+	return fmt.Sprintf("external login user already exists [externalID: %s, userID: %d, loginSourceID: %d]", err.ExternalID, err.UserID, err.LoginSourceID)
+}
+
+func (err ErrExternalLoginUserAlreadyExist) Unwrap() error {
+	return util.ErrAlreadyExist
+}
+
+// ErrExternalLoginUserNotExist represents a "ExternalLoginUserNotExist" kind of error.
+type ErrExternalLoginUserNotExist struct {
+	UserID        int64
+	LoginSourceID int64
+}
+
+func (err ErrExternalLoginUserNotExist) Error() string {
+	return fmt.Sprintf("external login user link does not exists [userID: %d, loginSourceID: %d]", err.UserID, err.LoginSourceID)
+}
+
+func (err ErrExternalLoginUserNotExist) Unwrap() error {
+	return util.ErrNotExist
+}
+
+// ExternalLoginUser makes the connecting between some existing user and additional external login sources
+type ExternalLoginUser struct {
+	ExternalID        string         `xorm:"pk NOT NULL"`
+	UserID            int64          `xorm:"INDEX NOT NULL"`
+	LoginSourceID     int64          `xorm:"pk NOT NULL"`
+	RawData           map[string]any `xorm:"TEXT JSON"`
+	Provider          string         `xorm:"index VARCHAR(25)"`
+	Email             string
+	Name              string
+	FirstName         string
+	LastName          string
+	NickName          string
+	Description       string
+	AvatarURL         string `xorm:"TEXT"`
+	Location          string
+	AccessToken       string `xorm:"TEXT"`
+	AccessTokenSecret string `xorm:"TEXT"`
+	RefreshToken      string `xorm:"TEXT"`
+	ExpiresAt         time.Time
+}
+
+type ExternalUserMigrated interface {
+	GetExternalName() string
+	GetExternalID() int64
+}
+
+type ExternalUserRemappable interface {
+	GetUserID() int64
+	RemapExternalUser(externalName string, externalID, userID int64) error
+	ExternalUserMigrated
+}
+
+func init() {
+	db.RegisterModel(new(ExternalLoginUser))
+}
+
+// GetExternalLogin checks if a externalID in loginSourceID scope already exists
+func GetExternalLogin(ctx context.Context, externalLoginUser *ExternalLoginUser) (bool, error) {
+	return db.GetEngine(ctx).Get(externalLoginUser)
+}
+
+// LinkExternalToUser link the external user to the user
+func LinkExternalToUser(ctx context.Context, user *User, externalLoginUser *ExternalLoginUser) error {
+	has, err := db.Exist[ExternalLoginUser](ctx, builder.Eq{
+		"external_id":     externalLoginUser.ExternalID,
+		"login_source_id": externalLoginUser.LoginSourceID,
+	})
+	if err != nil {
+		return err
+	} else if has {
+		return ErrExternalLoginUserAlreadyExist{externalLoginUser.ExternalID, user.ID, externalLoginUser.LoginSourceID}
+	}
+
+	_, err = db.GetEngine(ctx).Insert(externalLoginUser)
+	return err
+}
+
+// RemoveAccountLink will remove all external login sources for the given user
+func RemoveAccountLink(ctx context.Context, user *User, loginSourceID int64) (int64, error) {
+	deleted, err := db.GetEngine(ctx).Delete(&ExternalLoginUser{UserID: user.ID, LoginSourceID: loginSourceID})
+	if err != nil {
+		return deleted, err
+	}
+	if deleted < 1 {
+		return deleted, ErrExternalLoginUserNotExist{user.ID, loginSourceID}
+	}
+	return deleted, err
+}
+
+// RemoveAllAccountLinks will remove all external login sources for the given user
+func RemoveAllAccountLinks(ctx context.Context, user *User) error {
+	_, err := db.GetEngine(ctx).Delete(&ExternalLoginUser{UserID: user.ID})
+	return err
+}
+
+// GetUserIDByExternalUserID get user id according to provider and userID
+func GetUserIDByExternalUserID(ctx context.Context, provider, userID string) (int64, error) {
+	var id int64
+	_, err := db.GetEngine(ctx).Table("external_login_user").
+		Select("user_id").
+		Where("provider=?", provider).
+		And("external_id=?", userID).
+		Get(&id)
+	if err != nil {
+		return 0, err
+	}
+	return id, nil
+}
+
+// UpdateExternalUserByExternalID updates an external user's information
+func UpdateExternalUserByExternalID(ctx context.Context, external *ExternalLoginUser) error {
+	has, err := db.Exist[ExternalLoginUser](ctx, builder.Eq{
+		"external_id":     external.ExternalID,
+		"login_source_id": external.LoginSourceID,
+	})
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrExternalLoginUserNotExist{external.UserID, external.LoginSourceID}
+	}
+
+	_, err = db.GetEngine(ctx).Where("external_id=? AND login_source_id=?", external.ExternalID, external.LoginSourceID).AllCols().Update(external)
+	return err
+}
+
+// EnsureLinkExternalToUser link the external user to the user
+func EnsureLinkExternalToUser(ctx context.Context, external *ExternalLoginUser) error {
+	has, err := db.Exist[ExternalLoginUser](ctx, builder.Eq{
+		"external_id":     external.ExternalID,
+		"login_source_id": external.LoginSourceID,
+	})
+	if err != nil {
+		return err
+	}
+
+	if has {
+		_, err = db.GetEngine(ctx).Where("external_id=? AND login_source_id=?", external.ExternalID, external.LoginSourceID).AllCols().Update(external)
+		return err
+	}
+
+	_, err = db.GetEngine(ctx).Insert(external)
+	return err
+}
+
+// FindExternalUserOptions represents an options to find external users
+type FindExternalUserOptions struct {
+	db.ListOptions
+	Provider        string
+	UserID          int64
+	LoginSourceID   int64
+	HasRefreshToken bool
+	Expired         bool
+	OrderBy         string
+}
+
+func (opts FindExternalUserOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if len(opts.Provider) > 0 {
+		cond = cond.And(builder.Eq{"provider": opts.Provider})
+	}
+	if opts.UserID > 0 {
+		cond = cond.And(builder.Eq{"user_id": opts.UserID})
+	}
+	if opts.Expired {
+		cond = cond.And(builder.Lt{"expires_at": time.Now()})
+	}
+	if opts.HasRefreshToken {
+		cond = cond.And(builder.Neq{"refresh_token": ""})
+	}
+	if opts.LoginSourceID != 0 {
+		cond = cond.And(builder.Eq{"login_source_id": opts.LoginSourceID})
+	}
+	return cond
+}
+
+func (opts FindExternalUserOptions) ToOrders() string {
+	return opts.OrderBy
+}
+
+func IterateExternalLogin(ctx context.Context, opts FindExternalUserOptions, f func(ctx context.Context, u *ExternalLoginUser) error) error {
+	return db.Iterate(ctx, opts.ToConds(), f)
+}

models/user/follow.go

@@ -0,0 +1,77 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/timeutil"
+)
+
+// Follow represents relations of user and their followers.
+type Follow struct {
+	ID          int64              `xorm:"pk autoincr"`
+	UserID      int64              `xorm:"UNIQUE(follow)"`
+	FollowID    int64              `xorm:"UNIQUE(follow)"`
+	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+}
+
+func init() {
+	db.RegisterModel(new(Follow))
+}
+
+// IsFollowing returns true if user is following followID.
+func IsFollowing(ctx context.Context, userID, followID int64) bool {
+	has, _ := db.GetEngine(ctx).Get(&Follow{UserID: userID, FollowID: followID})
+	return has
+}
+
+// FollowUser marks someone be another's follower.
+func FollowUser(ctx context.Context, user, follow *User) (err error) {
+	if user.ID == follow.ID || IsFollowing(ctx, user.ID, follow.ID) {
+		return nil
+	}
+
+	if IsUserBlockedBy(ctx, user, follow.ID) || IsUserBlockedBy(ctx, follow, user.ID) {
+		return ErrBlockedUser
+	}
+
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if err = db.Insert(ctx, &Follow{UserID: user.ID, FollowID: follow.ID}); err != nil {
+			return err
+		}
+
+		if _, err = db.Exec(ctx, "UPDATE `user` SET num_followers = num_followers + 1 WHERE id = ?", follow.ID); err != nil {
+			return err
+		}
+
+		if _, err = db.Exec(ctx, "UPDATE `user` SET num_following = num_following + 1 WHERE id = ?", user.ID); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// UnfollowUser unmarks someone as another's follower.
+func UnfollowUser(ctx context.Context, userID, followID int64) (err error) {
+	if userID == followID || !IsFollowing(ctx, userID, followID) {
+		return nil
+	}
+
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if _, err = db.DeleteByBean(ctx, &Follow{UserID: userID, FollowID: followID}); err != nil {
+			return err
+		}
+
+		if _, err = db.Exec(ctx, "UPDATE `user` SET num_followers = num_followers - 1 WHERE id = ?", followID); err != nil {
+			return err
+		}
+
+		if _, err = db.Exec(ctx, "UPDATE `user` SET num_following = num_following - 1 WHERE id = ?", userID); err != nil {
+			return err
+		}
+		return nil
+	})
+}

models/user/follow_test.go

@@ -0,0 +1,22 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"testing"
+
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsFollowing(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	assert.True(t, user_model.IsFollowing(t.Context(), 4, 2))
+	assert.False(t, user_model.IsFollowing(t.Context(), 2, 4))
+	assert.False(t, user_model.IsFollowing(t.Context(), 5, unittest.NonexistentID))
+	assert.False(t, user_model.IsFollowing(t.Context(), unittest.NonexistentID, 5))
+	assert.False(t, user_model.IsFollowing(t.Context(), unittest.NonexistentID, unittest.NonexistentID))
+}

models/user/list.go

@@ -0,0 +1,83 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+
+	"gitea.dev/models/auth"
+	"gitea.dev/models/db"
+)
+
+// UserList is a list of user.
+// This type provide valuable methods to retrieve information for a group of users efficiently.
+type UserList []*User //revive:disable-line:exported
+
+// GetUserIDs returns a slice of user's id
+func (users UserList) GetUserIDs() []int64 {
+	userIDs := make([]int64, 0, len(users))
+	for _, user := range users {
+		userIDs = append(userIDs, user.ID) // Considering that user id are unique in the list
+	}
+	return userIDs
+}
+
+// GetTwoFaStatus return state of 2FA enrollment
+func (users UserList) GetTwoFaStatus(ctx context.Context) map[int64]bool {
+	results := make(map[int64]bool, len(users))
+	for _, user := range users {
+		results[user.ID] = false // Set default to false
+	}
+
+	if tokenMaps, err := users.loadTwoFactorStatus(ctx); err == nil {
+		for _, token := range tokenMaps {
+			results[token.UID] = true
+		}
+	}
+
+	if ids, err := users.userIDsWithWebAuthn(ctx); err == nil {
+		for _, id := range ids {
+			results[id] = true
+		}
+	}
+
+	return results
+}
+
+func (users UserList) loadTwoFactorStatus(ctx context.Context) (map[int64]*auth.TwoFactor, error) {
+	if len(users) == 0 {
+		return nil, nil //nolint:nilnil // returns nil when there are no users
+	}
+
+	userIDs := users.GetUserIDs()
+	tokenMaps := make(map[int64]*auth.TwoFactor, len(userIDs))
+	if err := db.GetEngine(ctx).In("uid", userIDs).Find(&tokenMaps); err != nil {
+		return nil, fmt.Errorf("find two factor: %w", err)
+	}
+	return tokenMaps, nil
+}
+
+func (users UserList) userIDsWithWebAuthn(ctx context.Context) ([]int64, error) {
+	if len(users) == 0 {
+		return nil, nil
+	}
+	ids := make([]int64, 0, len(users))
+	if err := db.GetEngine(ctx).Table(new(auth.WebAuthnCredential)).In("user_id", users.GetUserIDs()).Select("user_id").Distinct("user_id").Find(&ids); err != nil {
+		return nil, fmt.Errorf("find two factor: %w", err)
+	}
+	return ids, nil
+}
+
+// GetUsersByIDs returns all resolved users from a list of Ids.
+func GetUsersByIDs(ctx context.Context, ids []int64) (UserList, error) {
+	ous := make([]*User, 0, len(ids))
+	if len(ids) == 0 {
+		return ous, nil
+	}
+	err := db.GetEngine(ctx).In("id", ids).
+		Asc("name").
+		Find(&ous)
+	return ous, err
+}

models/user/main_test.go

@@ -0,0 +1,19 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"testing"
+
+	"gitea.dev/models/unittest"
+
+	_ "gitea.dev/models"
+	_ "gitea.dev/models/actions"
+	_ "gitea.dev/models/activities"
+	_ "gitea.dev/models/user"
+)
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m)
+}

models/user/must_change_password.go

@@ -0,0 +1,49 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"strings"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/util"
+
+	"xorm.io/builder"
+)
+
+func SetMustChangePassword(ctx context.Context, all, mustChangePassword bool, include, exclude []string) (int64, error) {
+	sliceTrimSpaceDropEmpty := func(input []string) []string {
+		output := make([]string, 0, len(input))
+		for _, in := range input {
+			in = strings.ToLower(strings.TrimSpace(in))
+			if in == "" {
+				continue
+			}
+			output = append(output, in)
+		}
+		return output
+	}
+
+	var cond builder.Cond
+
+	// Only include the users where something changes to get an accurate count
+	cond = builder.Neq{"must_change_password": mustChangePassword}
+
+	if !all {
+		include = sliceTrimSpaceDropEmpty(include)
+		if len(include) == 0 {
+			return 0, util.ErrorWrap(util.ErrInvalidArgument, "no users to include provided")
+		}
+
+		cond = cond.And(builder.In("lower_name", include))
+	}
+
+	exclude = sliceTrimSpaceDropEmpty(exclude)
+	if len(exclude) > 0 {
+		cond = cond.And(builder.NotIn("lower_name", exclude))
+	}
+
+	return db.GetEngine(ctx).Where(cond).MustCols("must_change_password").Update(&User{MustChangePassword: mustChangePassword})
+}

models/user/openid.go

@@ -0,0 +1,114 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/util"
+)
+
+// UserOpenID is the list of all OpenID identities of a user.
+// Since this is a middle table, name it OpenID is not suitable, so we ignore the lint here
+type UserOpenID struct { //revive:disable-line:exported
+	ID   int64  `xorm:"pk autoincr"`
+	UID  int64  `xorm:"INDEX NOT NULL"`
+	URI  string `xorm:"UNIQUE NOT NULL"`
+	Show bool   `xorm:"DEFAULT false"`
+}
+
+func init() {
+	db.RegisterModel(new(UserOpenID))
+}
+
+// GetUserOpenIDs returns all openid addresses that belongs to given user.
+func GetUserOpenIDs(ctx context.Context, uid int64) ([]*UserOpenID, error) {
+	openids := make([]*UserOpenID, 0, 5)
+	if err := db.GetEngine(ctx).
+		Where("uid=?", uid).
+		Asc("id").
+		Find(&openids); err != nil {
+		return nil, err
+	}
+
+	return openids, nil
+}
+
+// isOpenIDUsed returns true if the openid has been used.
+func isOpenIDUsed(ctx context.Context, uri string) (bool, error) {
+	if len(uri) == 0 {
+		return true, nil
+	}
+
+	return db.GetEngine(ctx).Get(&UserOpenID{URI: uri})
+}
+
+// ErrOpenIDAlreadyUsed represents a "OpenIDAlreadyUsed" kind of error.
+type ErrOpenIDAlreadyUsed struct {
+	OpenID string
+}
+
+// IsErrOpenIDAlreadyUsed checks if an error is a ErrOpenIDAlreadyUsed.
+func IsErrOpenIDAlreadyUsed(err error) bool {
+	_, ok := err.(ErrOpenIDAlreadyUsed)
+	return ok
+}
+
+func (err ErrOpenIDAlreadyUsed) Error() string {
+	return fmt.Sprintf("OpenID already in use [oid: %s]", err.OpenID)
+}
+
+func (err ErrOpenIDAlreadyUsed) Unwrap() error {
+	return util.ErrAlreadyExist
+}
+
+// AddUserOpenID adds an pre-verified/normalized OpenID URI to given user.
+// NOTE: make sure openid.URI is normalized already
+func AddUserOpenID(ctx context.Context, openid *UserOpenID) error {
+	used, err := isOpenIDUsed(ctx, openid.URI)
+	if err != nil {
+		return err
+	} else if used {
+		return ErrOpenIDAlreadyUsed{openid.URI}
+	}
+
+	return db.Insert(ctx, openid)
+}
+
+// DeleteUserOpenID deletes an openid address of given user.
+func DeleteUserOpenID(ctx context.Context, openid *UserOpenID) (err error) {
+	var deleted int64
+	// ask to check UID
+	address := UserOpenID{
+		UID: openid.UID,
+	}
+	if openid.ID > 0 {
+		deleted, err = db.GetEngine(ctx).ID(openid.ID).Delete(&address)
+	} else {
+		deleted, err = db.GetEngine(ctx).
+			Where("openid=?", openid.URI).
+			Delete(&address)
+	}
+
+	if err != nil {
+		return err
+	} else if deleted != 1 {
+		return util.NewNotExistErrorf("OpenID is unknown")
+	}
+	return nil
+}
+
+// ToggleUserOpenIDVisibility toggles visibility of an openid address of given user.
+func ToggleUserOpenIDVisibility(ctx context.Context, id int64, user *User) error {
+	affected, err := db.GetEngine(ctx).Exec("update `user_open_id` set `show` = not `show` where `id` = ? AND uid = ?", id, user.ID)
+	if err != nil {
+		return err
+	}
+	if n, _ := affected.RowsAffected(); n != 1 {
+		return util.NewNotExistErrorf("OpenID is unknown")
+	}
+	return nil
+}

models/user/openid_test.go

@@ -0,0 +1,70 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"testing"
+
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+	"gitea.dev/modules/util"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetUserOpenIDs(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	oids, err := user_model.GetUserOpenIDs(t.Context(), int64(1))
+	if assert.NoError(t, err) && assert.Len(t, oids, 2) {
+		assert.Equal(t, "https://user1.domain1.tld/", oids[0].URI)
+		assert.False(t, oids[0].Show)
+		assert.Equal(t, "http://user1.domain2.tld/", oids[1].URI)
+		assert.True(t, oids[1].Show)
+	}
+
+	oids, err = user_model.GetUserOpenIDs(t.Context(), int64(2))
+	if assert.NoError(t, err) && assert.Len(t, oids, 1) {
+		assert.Equal(t, "https://domain1.tld/user2/", oids[0].URI)
+		assert.True(t, oids[0].Show)
+	}
+}
+
+func TestToggleUserOpenIDVisibility(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	user, err := user_model.GetUserByID(t.Context(), int64(2))
+	require.NoError(t, err)
+	oids, err := user_model.GetUserOpenIDs(t.Context(), int64(2))
+	require.NoError(t, err)
+	require.Len(t, oids, 1)
+	assert.True(t, oids[0].Show)
+
+	err = user_model.ToggleUserOpenIDVisibility(t.Context(), oids[0].ID, user)
+	require.NoError(t, err)
+
+	oids, err = user_model.GetUserOpenIDs(t.Context(), int64(2))
+	require.NoError(t, err)
+	require.Len(t, oids, 1)
+
+	assert.False(t, oids[0].Show)
+	err = user_model.ToggleUserOpenIDVisibility(t.Context(), oids[0].ID, user)
+	require.NoError(t, err)
+
+	oids, err = user_model.GetUserOpenIDs(t.Context(), int64(2))
+	require.NoError(t, err)
+	if assert.Len(t, oids, 1) {
+		assert.True(t, oids[0].Show)
+	}
+}
+
+func TestToggleUserOpenIDVisibilityRequiresOwnership(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	unauthorizedUser, err := user_model.GetUserByID(t.Context(), int64(2))
+	require.NoError(t, err)
+
+	err = user_model.ToggleUserOpenIDVisibility(t.Context(), int64(1), unauthorizedUser)
+	require.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrNotExist)
+}

models/user/redirect.go

@@ -0,0 +1,87 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/util"
+)
+
+// ErrUserRedirectNotExist represents a "UserRedirectNotExist" kind of error.
+type ErrUserRedirectNotExist struct {
+	Name string
+}
+
+// IsErrUserRedirectNotExist check if an error is an ErrUserRedirectNotExist.
+func IsErrUserRedirectNotExist(err error) bool {
+	_, ok := err.(ErrUserRedirectNotExist)
+	return ok
+}
+
+func (err ErrUserRedirectNotExist) Error() string {
+	return fmt.Sprintf("user redirect does not exist [name: %s]", err.Name)
+}
+
+func (err ErrUserRedirectNotExist) Unwrap() error {
+	return util.ErrNotExist
+}
+
+// Redirect represents that a user name should be redirected to another
+type Redirect struct {
+	ID             int64  `xorm:"pk autoincr"`
+	LowerName      string `xorm:"UNIQUE(s) INDEX NOT NULL"`
+	RedirectUserID int64  // userID to redirect to
+}
+
+// TableName provides the real table name
+func (Redirect) TableName() string {
+	return "user_redirect"
+}
+
+func init() {
+	db.RegisterModel(new(Redirect))
+}
+
+// LookupUserRedirect look up userID if a user has a redirect name
+func LookupUserRedirect(ctx context.Context, userName string) (int64, error) {
+	userName = strings.ToLower(userName)
+	redirect := &Redirect{LowerName: userName}
+	if has, err := db.GetEngine(ctx).Get(redirect); err != nil {
+		return 0, err
+	} else if !has {
+		return 0, ErrUserRedirectNotExist{Name: userName}
+	}
+	return redirect.RedirectUserID, nil
+}
+
+// NewUserRedirect create a new user redirect
+func NewUserRedirect(ctx context.Context, ID int64, oldUserName, newUserName string) error {
+	oldUserName = strings.ToLower(oldUserName)
+	newUserName = strings.ToLower(newUserName)
+
+	if err := DeleteUserRedirect(ctx, oldUserName); err != nil {
+		return err
+	}
+
+	if err := DeleteUserRedirect(ctx, newUserName); err != nil {
+		return err
+	}
+
+	return db.Insert(ctx, &Redirect{
+		LowerName:      oldUserName,
+		RedirectUserID: ID,
+	})
+}
+
+// DeleteUserRedirect delete any redirect from the specified user name to
+// anything else
+func DeleteUserRedirect(ctx context.Context, userName string) error {
+	userName = strings.ToLower(userName)
+	_, err := db.GetEngine(ctx).Delete(&Redirect{LowerName: userName})
+	return err
+}

models/user/redirect_test.go

@@ -0,0 +1,24 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"testing"
+
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLookupUserRedirect(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	userID, err := user_model.LookupUserRedirect(t.Context(), "olduser1")
+	assert.NoError(t, err)
+	assert.EqualValues(t, 1, userID)
+
+	_, err = user_model.LookupUserRedirect(t.Context(), "doesnotexist")
+	assert.True(t, user_model.IsErrUserRedirectNotExist(err))
+}

models/user/search.go

@@ -0,0 +1,209 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"strings"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/container"
+	"gitea.dev/modules/optional"
+	"gitea.dev/modules/structs"
+
+	"xorm.io/builder"
+)
+
+// AdminUserOrderByMap represents all possible admin user search orders
+// This should only be used for admin API endpoints as we should not expose "updated" ordering which could expose recent user activity including logins.
+var AdminUserOrderByMap = map[string]map[string]db.SearchOrderBy{
+	"asc": {
+		"name":    db.SearchOrderByAlphabetically,
+		"created": db.SearchOrderByOldest,
+		"updated": db.SearchOrderByLeastUpdated,
+		"id":      db.SearchOrderByID,
+	},
+	"desc": {
+		"name":    db.SearchOrderByAlphabeticallyReverse,
+		"created": db.SearchOrderByNewest,
+		"updated": db.SearchOrderByRecentUpdated,
+		"id":      db.SearchOrderByIDReverse,
+	},
+}
+
+// SearchUserOptions contains the options for searching
+type SearchUserOptions struct {
+	db.ListOptions
+
+	Keyword       string
+	Types         []UserType
+	UID           int64
+	LoginName     string // this option should be used only for admin user
+	SourceID      int64  // this option should be used only for admin user
+	OrderBy       db.SearchOrderBy
+	Visible       []structs.VisibleType
+	Actor         *User // The user doing the search
+	SearchByEmail bool  // Search by email as well as username/full name
+
+	SupportedSortOrders container.Set[string] // if not nil, only allow to use the sort orders in this set
+
+	IsActive           optional.Option[bool]
+	IsAdmin            optional.Option[bool]
+	IsRestricted       optional.Option[bool]
+	IsTwoFactorEnabled optional.Option[bool]
+	IsProhibitLogin    optional.Option[bool]
+	IncludeReserved    bool
+}
+
+func (opts *SearchUserOptions) ApplyPublicOnly(publicOnly bool) {
+	if publicOnly {
+		opts.Visible = []structs.VisibleType{structs.VisibleTypePublic}
+	}
+}
+
+func (opts *SearchUserOptions) toSearchQueryBase(ctx context.Context) db.Session {
+	var cond builder.Cond
+	cond = builder.In("type", opts.Types)
+	if opts.IncludeReserved {
+		switch {
+		case slices.Contains(opts.Types, UserTypeIndividual):
+			cond = cond.Or(builder.Eq{"type": UserTypeUserReserved}).Or(
+				builder.Eq{"type": UserTypeBot},
+			).Or(
+				builder.Eq{"type": UserTypeRemoteUser},
+			)
+		case slices.Contains(opts.Types, UserTypeOrganization):
+			cond = cond.Or(builder.Eq{"type": UserTypeOrganizationReserved})
+		}
+	}
+
+	if len(opts.Keyword) > 0 {
+		lowerKeyword := strings.ToLower(opts.Keyword)
+		keywordCond := builder.Or(
+			builder.Like{"lower_name", lowerKeyword},
+			builder.Like{"LOWER(full_name)", lowerKeyword},
+		)
+		if opts.SearchByEmail {
+			var emailCond builder.Cond
+			emailCond = builder.Like{"LOWER(email)", lowerKeyword}
+			if opts.Actor == nil {
+				emailCond = emailCond.And(builder.Eq{"keep_email_private": false})
+			} else if !opts.Actor.IsAdmin {
+				emailCond = emailCond.And(
+					builder.Or(
+						builder.Eq{"keep_email_private": false},
+						builder.Eq{"id": opts.Actor.ID},
+					),
+				)
+			}
+			keywordCond = keywordCond.Or(emailCond)
+		}
+
+		cond = cond.And(keywordCond)
+	}
+
+	// If visibility filtered
+	if len(opts.Visible) > 0 {
+		cond = cond.And(builder.In("visibility", opts.Visible))
+	}
+
+	cond = cond.And(BuildCanSeeUserCondition(opts.Actor))
+
+	if opts.UID > 0 {
+		cond = cond.And(builder.Eq{"id": opts.UID})
+	}
+
+	if opts.SourceID > 0 {
+		cond = cond.And(builder.Eq{"login_source": opts.SourceID})
+	}
+	if opts.LoginName != "" {
+		cond = cond.And(builder.Eq{"login_name": opts.LoginName})
+	}
+
+	if opts.IsActive.Has() {
+		cond = cond.And(builder.Eq{"is_active": opts.IsActive.Value()})
+	}
+
+	if opts.IsAdmin.Has() {
+		cond = cond.And(builder.Eq{"is_admin": opts.IsAdmin.Value()})
+	}
+
+	if opts.IsRestricted.Has() {
+		cond = cond.And(builder.Eq{"is_restricted": opts.IsRestricted.Value()})
+	}
+
+	if opts.IsProhibitLogin.Has() {
+		cond = cond.And(builder.Eq{"prohibit_login": opts.IsProhibitLogin.Value()})
+	}
+
+	e := db.GetEngine(ctx)
+	if !opts.IsTwoFactorEnabled.Has() {
+		return e.Where(cond)
+	}
+
+	// 2fa filter uses LEFT JOIN to check whether a user has a 2fa record
+	// While using LEFT JOIN, sometimes the performance might not be good, but it won't be a problem now, such SQL is seldom executed.
+	// There are some possible methods to refactor this SQL in future when we really need to optimize the performance (but not now):
+	// (1) add a column in user table (2) add a setting value in user_setting table (3) use search engines (bleve/elasticsearch)
+	if opts.IsTwoFactorEnabled.Value() {
+		cond = cond.And(builder.Expr("two_factor.uid IS NOT NULL"))
+	} else {
+		cond = cond.And(builder.Expr("two_factor.uid IS NULL"))
+	}
+
+	return e.Join("LEFT OUTER", "two_factor", "two_factor.uid = `user`.id").
+		Where(cond)
+}
+
+// SearchUsers takes options i.e. keyword and part of user name to search,
+// it returns results in given range and number of total results.
+func SearchUsers(ctx context.Context, opts SearchUserOptions) (users []*User, _ int64, _ error) {
+	sessCount := opts.toSearchQueryBase(ctx)
+	defer sessCount.Close()
+	count, err := sessCount.Count(new(User))
+	if err != nil {
+		return nil, 0, fmt.Errorf("count: %w", err)
+	}
+
+	if len(opts.OrderBy) == 0 {
+		opts.OrderBy = db.SearchOrderByAlphabetically
+	}
+
+	sessQuery := opts.toSearchQueryBase(ctx)
+	defer sessQuery.Close()
+	sessQuery.OrderBy(opts.OrderBy.String())
+	if opts.Page > 0 {
+		db.SetSessionPagination(sessQuery, &opts)
+	}
+
+	// the sql may contain JOIN, so we must only select User related columns
+	sessQuery.Select("`user`.*")
+	users = make([]*User, 0, opts.PageSize)
+	return users, count, sessQuery.Find(&users)
+}
+
+// BuildCanSeeUserCondition creates a condition which can be used to restrict results to users/orgs the actor can see
+func BuildCanSeeUserCondition(actor *User) builder.Cond {
+	if actor != nil {
+		// If Admin - they see all users!
+		if !actor.IsAdmin {
+			// Users can see an organization they are a member of
+			cond := builder.In("`user`.id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": actor.ID}))
+			if !actor.IsRestricted {
+				// Not-Restricted users can see public and limited users/organizations
+				cond = cond.Or(builder.In("`user`.visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
+			}
+			// Don't forget about self
+			return cond.Or(builder.Eq{"`user`.id": actor.ID})
+		}
+
+		return nil
+	}
+
+	// Force visibility for privacy
+	// Not logged in - only public users
+	return builder.In("`user`.visibility", structs.VisibleTypePublic)
+}

models/user/setting.go

@@ -0,0 +1,250 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"gitea.dev/models/db"
+	"gitea.dev/modules/cache"
+	"gitea.dev/modules/json"
+	setting_module "gitea.dev/modules/setting"
+	"gitea.dev/modules/util"
+
+	"xorm.io/builder"
+	"xorm.io/xorm/convert"
+)
+
+// Setting is a key value store of user settings
+type Setting struct {
+	ID           int64  `xorm:"pk autoincr"`
+	UserID       int64  `xorm:"index unique(key_userid)"`              // to load all of someone's settings
+	SettingKey   string `xorm:"varchar(255) index unique(key_userid)"` // ensure key is always lowercase
+	SettingValue string `xorm:"text"`
+}
+
+// TableName sets the table name for the settings struct
+func (s *Setting) TableName() string {
+	return "user_setting"
+}
+
+func init() {
+	db.RegisterModel(new(Setting))
+}
+
+// ErrUserSettingIsNotExist represents an error that a setting is not exist with special key
+type ErrUserSettingIsNotExist struct {
+	Key string
+}
+
+// Error implements error
+func (err ErrUserSettingIsNotExist) Error() string {
+	return fmt.Sprintf("Setting[%s] is not exist", err.Key)
+}
+
+func (err ErrUserSettingIsNotExist) Unwrap() error {
+	return util.ErrNotExist
+}
+
+// genSettingCacheKey returns the cache key for some configuration
+func genSettingCacheKey(userID int64, key string) string {
+	return fmt.Sprintf("user_%d.setting.%s", userID, key)
+}
+
+// GetSetting returns the setting value via the key
+func GetSetting(ctx context.Context, uid int64, key string) (string, error) {
+	return cache.GetString(genSettingCacheKey(uid, key), func() (string, error) {
+		res, err := GetSettingNoCache(ctx, uid, key)
+		if err != nil {
+			return "", err
+		}
+		return res.SettingValue, nil
+	})
+}
+
+// GetSettingNoCache returns specific setting without using the cache
+func GetSettingNoCache(ctx context.Context, uid int64, key string) (*Setting, error) {
+	v, err := GetSettings(ctx, uid, []string{key})
+	if err != nil {
+		return nil, err
+	}
+	if len(v) == 0 {
+		return nil, ErrUserSettingIsNotExist{key}
+	}
+	return v[key], nil
+}
+
+// GetSettings returns specific settings from user
+func GetSettings(ctx context.Context, uid int64, keys []string) (map[string]*Setting, error) {
+	settings := make([]*Setting, 0, len(keys))
+	if err := db.GetEngine(ctx).
+		Where("user_id=?", uid).
+		And(builder.In("setting_key", keys)).
+		Find(&settings); err != nil {
+		return nil, err
+	}
+	settingsMap := make(map[string]*Setting)
+	for _, s := range settings {
+		settingsMap[s.SettingKey] = s
+	}
+	return settingsMap, nil
+}
+
+// GetUserAllSettings returns all settings from user
+func GetUserAllSettings(ctx context.Context, uid int64) (map[string]*Setting, error) {
+	settings := make([]*Setting, 0, 5)
+	if err := db.GetEngine(ctx).
+		Where("user_id=?", uid).
+		Find(&settings); err != nil {
+		return nil, err
+	}
+	settingsMap := make(map[string]*Setting)
+	for _, s := range settings {
+		settingsMap[s.SettingKey] = s
+	}
+	return settingsMap, nil
+}
+
+func validateUserSettingKey(key string) error {
+	if len(key) == 0 {
+		return errors.New("setting key must be set")
+	}
+	if strings.ToLower(key) != key {
+		return errors.New("setting key should be lowercase")
+	}
+	return nil
+}
+
+// GetUserSetting gets a specific setting for a user
+func GetUserSetting(ctx context.Context, userID int64, key string, def ...string) (string, error) {
+	if err := validateUserSettingKey(key); err != nil {
+		return "", err
+	}
+
+	setting := &Setting{UserID: userID, SettingKey: key}
+	has, err := db.GetEngine(ctx).Get(setting)
+	if err != nil {
+		return "", err
+	}
+	if !has {
+		if len(def) == 1 {
+			return def[0], nil
+		}
+		return "", nil
+	}
+	return setting.SettingValue, nil
+}
+
+// DeleteUserSetting deletes a specific setting for a user
+func DeleteUserSetting(ctx context.Context, userID int64, key string) error {
+	if err := validateUserSettingKey(key); err != nil {
+		return err
+	}
+
+	cache.Remove(genSettingCacheKey(userID, key))
+	_, err := db.GetEngine(ctx).Delete(&Setting{UserID: userID, SettingKey: key})
+
+	return err
+}
+
+// SetUserSetting updates a users' setting for a specific key
+func SetUserSetting(ctx context.Context, userID int64, key, value string) error {
+	if err := validateUserSettingKey(key); err != nil {
+		return err
+	}
+
+	if err := upsertUserSettingValue(ctx, userID, key, value); err != nil {
+		return err
+	}
+
+	cc := cache.GetCache()
+	if cc != nil {
+		return cc.Put(genSettingCacheKey(userID, key), value, setting_module.CacheService.TTLSeconds())
+	}
+
+	return nil
+}
+
+func upsertUserSettingValue(ctx context.Context, userID int64, key, value string) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		e := db.GetEngine(ctx)
+
+		// here we use a general method to do a safe upsert for different databases (and most transaction levels)
+		// 1. try to UPDATE the record and acquire the transaction write lock
+		//    if UPDATE returns non-zero rows are changed, OK, the setting is saved correctly
+		//    if UPDATE returns "0 rows changed", two possibilities: (a) record doesn't exist  (b) value is not changed
+		// 2. do a SELECT to check if the row exists or not (we already have the transaction lock)
+		// 3. if the row doesn't exist, do an INSERT (we are still protected by the transaction lock, so it's safe)
+		//
+		// to optimize the SELECT in step 2, we can use an extra column like `revision=revision+1`
+		//    to make sure the UPDATE always returns a non-zero value for existing (unchanged) records.
+
+		res, err := e.Exec("UPDATE user_setting SET setting_value=? WHERE setting_key=? AND user_id=?", value, key, userID)
+		if err != nil {
+			return err
+		}
+		rows, _ := res.RowsAffected()
+		if rows > 0 {
+			// the existing row is updated, so we can return
+			return nil
+		}
+
+		// in case the value isn't changed, update would return 0 rows changed, so we need this check
+		has, err := e.Exist(&Setting{UserID: userID, SettingKey: key})
+		if err != nil {
+			return err
+		}
+		if has {
+			return nil
+		}
+
+		// if no existing row, insert a new row
+		_, err = e.Insert(&Setting{UserID: userID, SettingKey: key, SettingValue: value})
+		return err
+	})
+}
+
+func GetUserSettingJSON[T any](ctx context.Context, userID int64, key string, def T) (ret T, _ error) {
+	ret = def
+	str, err := GetUserSetting(ctx, userID, key)
+	if err != nil {
+		return ret, err
+	}
+
+	conv, ok := any(&ret).(convert.ConversionFrom)
+	if !ok {
+		conv, ok = any(ret).(convert.ConversionFrom)
+	}
+	if ok {
+		if err := conv.FromDB(util.UnsafeStringToBytes(str)); err != nil {
+			return ret, err
+		}
+	} else {
+		if str == "" {
+			return ret, nil
+		}
+		err = json.Unmarshal(util.UnsafeStringToBytes(str), &ret)
+	}
+	return ret, err
+}
+
+func SetUserSettingJSON[T any](ctx context.Context, userID int64, key string, val T) (err error) {
+	conv, ok := any(&val).(convert.ConversionTo)
+	if !ok {
+		conv, ok = any(val).(convert.ConversionTo)
+	}
+	var bs []byte
+	if ok {
+		bs, err = conv.ToDB()
+	} else {
+		bs, err = json.Marshal(val)
+	}
+	if err != nil {
+		return err
+	}
+	return SetUserSetting(ctx, userID, key, util.UnsafeBytesToString(bs))
+}

models/user/setting_options.go

@@ -0,0 +1,27 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+const (
+	// SettingsKeyHiddenCommentTypes is the setting key for hidden comment types
+	SettingsKeyHiddenCommentTypes = "issue.hidden_comment_types"
+	// SettingsKeyDiffWhitespaceBehavior is the setting key for whitespace behavior of diff
+	SettingsKeyDiffWhitespaceBehavior = "diff.whitespace_behaviour"
+	// SettingsKeyShowOutdatedComments is the setting key whether or not to show outdated comments in PRs
+	SettingsKeyShowOutdatedComments = "comment_code.show_outdated"
+
+	// SignupIP is the IP address that the user signed up with
+	SignupIP = "signup.ip"
+	// SignupUserAgent is the user agent that the user signed up with
+	SignupUserAgent = "signup.user_agent"
+
+	SettingsKeyCodeViewShowFileTree = "code_view.show_file_tree"
+
+	SettingsKeyEmailNotificationGiteaActions        = "email_notification.gitea_actions"
+	SettingEmailNotificationGiteaActionsAll         = "all"
+	SettingEmailNotificationGiteaActionsFailureOnly = "failure-only" // Default for actions email preference
+	SettingEmailNotificationGiteaActionsDisabled    = "disabled"
+
+	SettingsKeyActionsConfig = "actions.config"
+)

models/user/setting_test.go

@@ -0,0 +1,59 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"testing"
+
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSettings(t *testing.T) {
+	keyName := "test_user_setting"
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	newSetting := &user_model.Setting{UserID: 99, SettingKey: keyName, SettingValue: "Gitea User Setting Test"}
+
+	// create setting
+	err := user_model.SetUserSetting(t.Context(), newSetting.UserID, newSetting.SettingKey, newSetting.SettingValue)
+	assert.NoError(t, err)
+	// test about saving unchanged values
+	err = user_model.SetUserSetting(t.Context(), newSetting.UserID, newSetting.SettingKey, newSetting.SettingValue)
+	assert.NoError(t, err)
+
+	// get specific setting
+	settings, err := user_model.GetSettings(t.Context(), 99, []string{keyName})
+	assert.NoError(t, err)
+	assert.Len(t, settings, 1)
+	assert.Equal(t, newSetting.SettingValue, settings[keyName].SettingValue)
+
+	settingValue, err := user_model.GetUserSetting(t.Context(), 99, keyName)
+	assert.NoError(t, err)
+	assert.Equal(t, newSetting.SettingValue, settingValue)
+
+	settingValue, err = user_model.GetUserSetting(t.Context(), 99, "no_such")
+	assert.NoError(t, err)
+	assert.Empty(t, settingValue)
+
+	// updated setting
+	updatedSetting := &user_model.Setting{UserID: 99, SettingKey: keyName, SettingValue: "Updated"}
+	err = user_model.SetUserSetting(t.Context(), updatedSetting.UserID, updatedSetting.SettingKey, updatedSetting.SettingValue)
+	assert.NoError(t, err)
+
+	// get all settings
+	settings, err = user_model.GetUserAllSettings(t.Context(), 99)
+	assert.NoError(t, err)
+	assert.Len(t, settings, 1)
+	assert.Equal(t, updatedSetting.SettingValue, settings[updatedSetting.SettingKey].SettingValue)
+
+	// delete setting
+	err = user_model.DeleteUserSetting(t.Context(), 99, keyName)
+	assert.NoError(t, err)
+	settings, err = user_model.GetUserAllSettings(t.Context(), 99)
+	assert.NoError(t, err)
+	assert.Empty(t, settings)
+}

models/user/user_list.go

@@ -0,0 +1,48 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+
+	"gitea.dev/models/db"
+)
+
+func GetUsersMapByIDs(ctx context.Context, userIDs []int64) (map[int64]*User, error) {
+	userMaps := make(map[int64]*User, len(userIDs))
+	if len(userIDs) == 0 {
+		return userMaps, nil
+	}
+
+	left := len(userIDs)
+	for left > 0 {
+		limit := min(left, db.DefaultMaxInSize)
+		err := db.GetEngine(ctx).
+			In("id", userIDs[:limit]).
+			Find(&userMaps)
+		if err != nil {
+			return nil, err
+		}
+		left -= limit
+		userIDs = userIDs[limit:]
+	}
+	return userMaps, nil
+}
+
+func GetPossibleUserFromMap(userID int64, usererMaps map[int64]*User) *User {
+	switch userID {
+	case GhostUserID:
+		return NewGhostUser()
+	case ActionsUserID:
+		return NewActionsUser()
+	case 0:
+		return nil
+	default:
+		user, ok := usererMaps[userID]
+		if !ok {
+			return NewGhostUser()
+		}
+		return user
+	}
+}

models/user/user_system.go

@@ -0,0 +1,90 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"strconv"
+	"strings"
+
+	"gitea.dev/modules/structs"
+)
+
+const (
+	GhostUserID   int64 = -1
+	GhostUserName       = "Ghost"
+)
+
+// NewGhostUser creates and returns a fake user for someone has deleted their account.
+func NewGhostUser() *User {
+	return &User{
+		ID:        GhostUserID,
+		Name:      GhostUserName,
+		LowerName: strings.ToLower(GhostUserName),
+	}
+}
+
+// IsGhost check if user is fake user for a deleted account
+func (u *User) IsGhost() bool {
+	if u == nil {
+		return false
+	}
+	return u.ID == GhostUserID && u.Name == GhostUserName
+}
+
+const (
+	ActionsUserID    int64 = -2
+	ActionsUserName        = "gitea-actions"
+	ActionsUserEmail       = "teabot@gitea.io"
+)
+
+// NewActionsUser creates and returns a fake user for running the actions.
+func NewActionsUser() *User {
+	return &User{
+		ID:               ActionsUserID,
+		Name:             ActionsUserName,
+		LowerName:        ActionsUserName,
+		IsActive:         true,
+		FullName:         "Gitea Actions",
+		Email:            ActionsUserEmail,
+		KeepEmailPrivate: true,
+		LoginName:        ActionsUserName,
+		Type:             UserTypeBot,
+		Visibility:       structs.VisibleTypePublic,
+	}
+}
+
+func NewActionsUserWithTaskID(id int64) *User {
+	u := NewActionsUser()
+	// LoginName is for only internal usage in this case, so it can be moved to other fields in the future
+	u.LoginSource = -1
+	u.LoginName = "@" + ActionsUserName + "/" + strconv.FormatInt(id, 10)
+	return u
+}
+
+func GetActionsUserTaskID(u *User) (int64, bool) {
+	if u == nil || u.ID != ActionsUserID {
+		return 0, false
+	}
+	prefix, payload, _ := strings.Cut(u.LoginName, "/")
+	if prefix != "@"+ActionsUserName {
+		return 0, false
+	} else if taskID, err := strconv.ParseInt(payload, 10, 64); err == nil {
+		return taskID, true
+	}
+	return 0, false
+}
+
+func (u *User) IsGiteaActions() bool {
+	return u != nil && u.ID == ActionsUserID
+}
+
+func GetSystemUserByName(name string) *User {
+	if strings.EqualFold(name, GhostUserName) {
+		return NewGhostUser()
+	}
+	if strings.EqualFold(name, ActionsUserName) {
+		return NewActionsUser()
+	}
+	return nil
+}

models/user/user_system_test.go

@@ -0,0 +1,40 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSystemUser(t *testing.T) {
+	uid, u, err := GetPossibleUserByID(t.Context(), -1)
+	require.NoError(t, err)
+	assert.Equal(t, int64(-1), uid)
+	assert.Equal(t, "Ghost", u.Name)
+	assert.Equal(t, "ghost", u.LowerName)
+	assert.True(t, u.IsGhost())
+
+	u = GetSystemUserByName("gHost")
+	require.NotNil(t, u)
+	assert.Equal(t, "Ghost", u.Name)
+
+	uid, u, err = GetPossibleUserByID(t.Context(), -2)
+	require.NoError(t, err)
+	assert.Equal(t, int64(-2), uid)
+	assert.Equal(t, "gitea-actions", u.Name)
+	assert.Equal(t, "gitea-actions", u.LowerName)
+	assert.True(t, u.IsGiteaActions())
+
+	u = GetSystemUserByName("Gitea-actionS")
+	require.NotNil(t, u)
+	assert.Equal(t, "Gitea Actions", u.FullName)
+
+	uid, u, err = GetPossibleUserByID(t.Context(), 999999)
+	require.NoError(t, err)
+	assert.Equal(t, int64(-1), uid)
+	assert.Equal(t, "Ghost", u.Name)
+}

models/user/user_test.go

@@ -0,0 +1,746 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user_test
+
+import (
+	"crypto/rand"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"gitea.dev/models/auth"
+	"gitea.dev/models/db"
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+	"gitea.dev/modules/auth/password/hash"
+	"gitea.dev/modules/container"
+	"gitea.dev/modules/optional"
+	"gitea.dev/modules/setting"
+	"gitea.dev/modules/structs"
+	"gitea.dev/modules/test"
+	"gitea.dev/modules/timeutil"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsUsableUsername(t *testing.T) {
+	assert.NoError(t, user_model.IsUsableUsername("a"))
+	assert.NoError(t, user_model.IsUsableUsername("foo.wiki"))
+	assert.NoError(t, user_model.IsUsableUsername("foo.git"))
+
+	assert.Error(t, user_model.IsUsableUsername("a--b"))
+	assert.Error(t, user_model.IsUsableUsername("-1_."))
+	assert.Error(t, user_model.IsUsableUsername(".profile"))
+	assert.Error(t, user_model.IsUsableUsername("-"))
+	assert.Error(t, user_model.IsUsableUsername("🌞"))
+	assert.Error(t, user_model.IsUsableUsername("the..repo"))
+	assert.Error(t, user_model.IsUsableUsername("foo.RSS"))
+	assert.Error(t, user_model.IsUsableUsername("foo.PnG"))
+}
+
+func TestOAuth2Application_LoadUser(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	app := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: 1})
+	user, err := user_model.GetUserByID(t.Context(), app.UID)
+	assert.NoError(t, err)
+	assert.NotNil(t, user)
+}
+
+func TestUserEmails(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	defer test.MockVariableValue(&setting.Service.NoReplyAddress, "NoReply.gitea.internal")()
+	t.Run("GetUserEmailsByNames", func(t *testing.T) {
+		// ignore not active user email
+		assert.ElementsMatch(t, []string{"user8@example.com"}, user_model.GetUserEmailsByNames(t.Context(), []string{"user8", "user9"}))
+		assert.ElementsMatch(t, []string{"user8@example.com", "user5@example.com"}, user_model.GetUserEmailsByNames(t.Context(), []string{"user8", "user5"}))
+		assert.ElementsMatch(t, []string{"user8@example.com"}, user_model.GetUserEmailsByNames(t.Context(), []string{"user8", "org7"}))
+	})
+
+	cases := []struct {
+		Email string
+		UID   int64
+	}{
+		{"UseR1@example.com", 1},
+		{"user1-2@example.COM", 1},
+		{"USER2@" + setting.Service.NoReplyAddress, 2},
+		{"2+user2@" + setting.Service.NoReplyAddress, 2},
+		{"2+oldUser2UsernameWhichDoesNotMatterForQuery@" + setting.Service.NoReplyAddress, 2},
+		{"99999+badUser@" + setting.Service.NoReplyAddress, 0},
+		{"user4@example.com", 4},
+		{"no-such", 0},
+	}
+	t.Run("GetUsersByEmails", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Service.NoReplyAddress, "NoReply.gitea.internal")()
+		testGetUserByEmail := func(t *testing.T, email string, uid int64) {
+			m, err := user_model.GetUsersByEmails(t.Context(), []string{email})
+			require.NoError(t, err)
+			user := m.GetByEmail(email)
+			if uid == 0 {
+				require.Nil(t, user)
+				return
+			}
+			require.NotNil(t, user)
+			assert.Equal(t, uid, user.ID)
+		}
+		for _, c := range cases {
+			t.Run(c.Email, func(t *testing.T) {
+				testGetUserByEmail(t, c.Email, c.UID)
+			})
+		}
+
+		t.Run("NoReplyConflict", func(t *testing.T) {
+			setting.Service.NoReplyAddress = "example.com"
+			testGetUserByEmail(t, "user1-2@example.COM", 1)
+		})
+	})
+	t.Run("GetUserByEmail", func(t *testing.T) {
+		testGetUserByEmail := func(t *testing.T, email string, uid int64) {
+			user, err := user_model.GetUserByEmail(t.Context(), email)
+			if uid == 0 {
+				require.Error(t, err)
+				assert.Nil(t, user)
+			} else {
+				require.NotNil(t, user)
+				assert.Equal(t, uid, user.ID)
+			}
+		}
+		for _, c := range cases {
+			t.Run(c.Email, func(t *testing.T) {
+				testGetUserByEmail(t, c.Email, c.UID)
+			})
+		}
+
+		t.Run("NoReplyConflict", func(t *testing.T) {
+			setting.Service.NoReplyAddress = "example.com"
+			testGetUserByEmail(t, "user1-2@example.COM", 1)
+		})
+	})
+}
+
+func TestCanCreateOrganization(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	assert.True(t, admin.CanCreateOrganization())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	assert.True(t, user.CanCreateOrganization())
+	// Disable user create organization permission.
+	user.AllowCreateOrganization = false
+	assert.False(t, user.CanCreateOrganization())
+
+	setting.Admin.DisableRegularOrgCreation = true
+	user.AllowCreateOrganization = true
+	assert.True(t, admin.CanCreateOrganization())
+	assert.False(t, user.CanCreateOrganization())
+}
+
+func TestSearchUsers(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	testSuccess := func(opts user_model.SearchUserOptions, expectedUserOrOrgIDs []int64) {
+		users, _, err := user_model.SearchUsers(t.Context(), opts)
+		assert.NoError(t, err)
+		cassText := fmt.Sprintf("ids: %v, opts: %v", expectedUserOrOrgIDs, opts)
+		if assert.Len(t, users, len(expectedUserOrOrgIDs), "case: %s", cassText) {
+			for i, expectedID := range expectedUserOrOrgIDs {
+				assert.Equal(t, expectedID, users[i].ID, "case: %s", cassText)
+			}
+		}
+	}
+
+	// test orgs
+	testOrgSuccess := func(opts user_model.SearchUserOptions, expectedOrgIDs []int64) {
+		opts.Types = []user_model.UserType{user_model.UserTypeOrganization}
+		testSuccess(opts, expectedOrgIDs)
+	}
+
+	testOrgSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1, PageSize: 2}},
+		[]int64{3, 6})
+
+	testOrgSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 2, PageSize: 2}},
+		[]int64{7, 17})
+
+	testOrgSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 3, PageSize: 2}},
+		[]int64{19, 25})
+
+	testOrgSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 4, PageSize: 2}},
+		[]int64{26, 41})
+
+	testOrgSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 5, PageSize: 2}},
+		[]int64{42})
+
+	testOrgSuccess(user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 6, PageSize: 2}},
+		[]int64{})
+
+	// test users
+	testUserSuccess := func(opts user_model.SearchUserOptions, expectedUserIDs []int64) {
+		opts.Types = []user_model.UserType{user_model.UserTypeIndividual}
+		testSuccess(opts, expectedUserIDs)
+	}
+
+	testUserSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1}},
+		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32, 34, 37, 38, 39, 40})
+
+	testUserSuccess(user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(false)},
+		[]int64{9})
+
+	testUserSuccess(user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(true)},
+		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32, 34, 37, 38, 39, 40})
+
+	testUserSuccess(user_model.SearchUserOptions{Keyword: "user1", OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(true)},
+		[]int64{1, 10, 11, 12, 13, 14, 15, 16, 18})
+
+	// order by name asc default
+	testUserSuccess(user_model.SearchUserOptions{Keyword: "user1", ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(true)},
+		[]int64{1, 10, 11, 12, 13, 14, 15, 16, 18})
+
+	testUserSuccess(user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsAdmin: optional.Some(true)},
+		[]int64{1})
+
+	testUserSuccess(user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsRestricted: optional.Some(true)},
+		[]int64{29})
+
+	testUserSuccess(user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsProhibitLogin: optional.Some(true)},
+		[]int64{37})
+
+	testUserSuccess(user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsTwoFactorEnabled: optional.Some(true)},
+		[]int64{24})
+}
+
+func TestEmailNotificationPreferences(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	for _, test := range []struct {
+		expected string
+		userID   int64
+	}{
+		{user_model.EmailNotificationsEnabled, 1},
+		{user_model.EmailNotificationsEnabled, 2},
+		{user_model.EmailNotificationsOnMention, 3},
+		{user_model.EmailNotificationsOnMention, 4},
+		{user_model.EmailNotificationsEnabled, 5},
+		{user_model.EmailNotificationsEnabled, 6},
+		{user_model.EmailNotificationsDisabled, 7},
+		{user_model.EmailNotificationsEnabled, 8},
+		{user_model.EmailNotificationsOnMention, 9},
+	} {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: test.userID})
+		assert.Equal(t, test.expected, user.EmailNotificationsPreference)
+	}
+}
+
+func TestHashPasswordDeterministic(t *testing.T) {
+	b := make([]byte, 16)
+	u := &user_model.User{}
+	algos := hash.RecommendedHashAlgorithms
+	for j := range algos {
+		u.PasswdHashAlgo = algos[j]
+		for range 50 {
+			// generate a random password
+			rand.Read(b)
+			pass := string(b)
+
+			// save the current password in the user - hash it and store the result
+			u.SetPassword(pass)
+			r1 := u.Passwd
+
+			// run again
+			u.SetPassword(pass)
+			r2 := u.Passwd
+
+			assert.NotEqual(t, r1, r2)
+			assert.True(t, u.ValidatePassword(pass))
+		}
+	}
+}
+
+func BenchmarkHashPassword(b *testing.B) {
+	// BenchmarkHashPassword ensures that it takes a reasonable amount of time
+	// to hash a password - in order to protect from brute-force attacks.
+	pass := "password1337"
+	u := &user_model.User{Passwd: pass}
+	b.ResetTimer()
+	for b.Loop() {
+		u.SetPassword(pass)
+	}
+}
+
+func TestNewGitSig(t *testing.T) {
+	users := make([]*user_model.User, 0, 20)
+	err := db.GetEngine(t.Context()).Find(&users)
+	assert.NoError(t, err)
+
+	for _, user := range users {
+		sig := user.NewGitSig()
+		assert.NotContains(t, sig.Name, "<")
+		assert.NotContains(t, sig.Name, ">")
+		assert.NotContains(t, sig.Name, "\n")
+		assert.NotEmpty(t, strings.TrimSpace(sig.Name))
+	}
+}
+
+func TestDisplayName(t *testing.T) {
+	users := make([]*user_model.User, 0, 20)
+	err := db.GetEngine(t.Context()).Find(&users)
+	assert.NoError(t, err)
+
+	for _, user := range users {
+		displayName := user.DisplayName()
+		assert.Equal(t, strings.TrimSpace(displayName), displayName)
+		if len(strings.TrimSpace(user.FullName)) == 0 {
+			assert.Equal(t, user.Name, displayName)
+		}
+		assert.NotEmpty(t, strings.TrimSpace(displayName))
+	}
+}
+
+func TestCreateUserInvalidEmail(t *testing.T) {
+	user := &user_model.User{
+		Name:               "GiteaBot",
+		Email:              "GiteaBot@gitea.io\r\n",
+		Passwd:             ";p['////..-++']",
+		IsAdmin:            false,
+		Theme:              setting.UI.DefaultTheme,
+		MustChangePassword: false,
+	}
+
+	err := user_model.CreateUser(t.Context(), user, &user_model.Meta{})
+	assert.Error(t, err)
+	assert.True(t, user_model.IsErrEmailCharIsNotSupported(err))
+}
+
+func TestCreateUserEmailAlreadyUsed(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	// add new user with user2's email
+	user.Name = "testuser"
+	user.LowerName = strings.ToLower(user.Name)
+	user.ID = 0
+	err := user_model.CreateUser(t.Context(), user, &user_model.Meta{})
+	assert.Error(t, err)
+	assert.True(t, user_model.IsErrEmailAlreadyUsed(err))
+}
+
+func TestCreateUserCustomTimestamps(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	// Add new user with a custom creation timestamp.
+	var creationTimestamp timeutil.TimeStamp = 12345
+	user.Name = "testuser"
+	user.LowerName = strings.ToLower(user.Name)
+	user.ID = 0
+	user.Email = "unique@example.com"
+	user.CreatedUnix = creationTimestamp
+	err := user_model.CreateUser(t.Context(), user, &user_model.Meta{})
+	assert.NoError(t, err)
+
+	fetched, err := user_model.GetUserByID(t.Context(), user.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, creationTimestamp, fetched.CreatedUnix)
+	assert.Equal(t, creationTimestamp, fetched.UpdatedUnix)
+}
+
+func TestCreateUserWithoutCustomTimestamps(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	// There is no way to use a mocked time for the XORM auto-time functionality,
+	// so use the real clock to approximate the expected timestamp.
+	timestampStart := time.Now().Unix()
+
+	// Add new user without a custom creation timestamp.
+	user.Name = "Testuser"
+	user.LowerName = strings.ToLower(user.Name)
+	user.ID = 0
+	user.Email = "unique@example.com"
+	user.CreatedUnix = 0
+	user.UpdatedUnix = 0
+	err := user_model.CreateUser(t.Context(), user, &user_model.Meta{})
+	assert.NoError(t, err)
+
+	timestampEnd := time.Now().Unix()
+
+	fetched, err := user_model.GetUserByID(t.Context(), user.ID)
+	assert.NoError(t, err)
+
+	assert.LessOrEqual(t, timestampStart, fetched.CreatedUnix)
+	assert.LessOrEqual(t, fetched.CreatedUnix, timestampEnd)
+
+	assert.LessOrEqual(t, timestampStart, fetched.UpdatedUnix)
+	assert.LessOrEqual(t, fetched.UpdatedUnix, timestampEnd)
+}
+
+func TestGetUserIDsByNames(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	// ignore non existing
+	IDs, err := user_model.GetUserIDsByNames(t.Context(), []string{"user1", "user2", "none_existing_user"}, true)
+	assert.NoError(t, err)
+	assert.Equal(t, []int64{1, 2}, IDs)
+
+	// ignore non existing
+	IDs, err = user_model.GetUserIDsByNames(t.Context(), []string{"user1", "do_not_exist"}, false)
+	assert.Error(t, err)
+	assert.Equal(t, []int64(nil), IDs)
+}
+
+func TestGetMaileableUsersByIDs(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	results, err := user_model.GetMailableUsersByIDs(t.Context(), []int64{1, 4}, false)
+	assert.NoError(t, err)
+	assert.Len(t, results, 1)
+	if len(results) > 1 {
+		assert.Equal(t, 1, results[0].ID)
+	}
+
+	results, err = user_model.GetMailableUsersByIDs(t.Context(), []int64{1, 4}, true)
+	assert.NoError(t, err)
+	assert.Len(t, results, 2)
+	if len(results) > 2 {
+		assert.Equal(t, 1, results[0].ID)
+		assert.Equal(t, 4, results[1].ID)
+	}
+}
+
+func TestNewUserRedirect(t *testing.T) {
+	// redirect to a completely new name
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	assert.NoError(t, user_model.NewUserRedirect(t.Context(), user.ID, user.Name, "newusername"))
+
+	unittest.AssertExistsAndLoadBean(t, &user_model.Redirect{
+		LowerName:      user.LowerName,
+		RedirectUserID: user.ID,
+	})
+	unittest.AssertExistsAndLoadBean(t, &user_model.Redirect{
+		LowerName:      "olduser1",
+		RedirectUserID: user.ID,
+	})
+}
+
+func TestNewUserRedirect2(t *testing.T) {
+	// redirect to previously used name
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	assert.NoError(t, user_model.NewUserRedirect(t.Context(), user.ID, user.Name, "olduser1"))
+
+	unittest.AssertExistsAndLoadBean(t, &user_model.Redirect{
+		LowerName:      user.LowerName,
+		RedirectUserID: user.ID,
+	})
+	unittest.AssertNotExistsBean(t, &user_model.Redirect{
+		LowerName:      "olduser1",
+		RedirectUserID: user.ID,
+	})
+}
+
+func TestNewUserRedirect3(t *testing.T) {
+	// redirect for a previously-unredirected user
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	assert.NoError(t, user_model.NewUserRedirect(t.Context(), user.ID, user.Name, "newusername"))
+
+	unittest.AssertExistsAndLoadBean(t, &user_model.Redirect{
+		LowerName:      user.LowerName,
+		RedirectUserID: user.ID,
+	})
+}
+
+func TestGetUserByOpenID(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	_, err := user_model.GetUserByOpenID(t.Context(), "https://unknown")
+	if assert.Error(t, err) {
+		assert.True(t, user_model.IsErrUserNotExist(err))
+	}
+
+	user, err := user_model.GetUserByOpenID(t.Context(), "https://user1.domain1.tld")
+	if assert.NoError(t, err) {
+		assert.Equal(t, int64(1), user.ID)
+	}
+
+	user, err = user_model.GetUserByOpenID(t.Context(), "https://domain1.tld/user2/")
+	if assert.NoError(t, err) {
+		assert.Equal(t, int64(2), user.ID)
+	}
+}
+
+func TestFollowUser(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	testSuccess := func(follower, followed *user_model.User) {
+		assert.NoError(t, user_model.FollowUser(t.Context(), follower, followed))
+		unittest.AssertExistsAndLoadBean(t, &user_model.Follow{UserID: follower.ID, FollowID: followed.ID})
+	}
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	testSuccess(user4, user2)
+	testSuccess(user5, user2)
+
+	assert.NoError(t, user_model.FollowUser(t.Context(), user2, user2))
+
+	unittest.CheckConsistencyFor(t, &user_model.User{})
+}
+
+func TestUnfollowUser(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	testSuccess := func(followerID, followedID int64) {
+		assert.NoError(t, user_model.UnfollowUser(t.Context(), followerID, followedID))
+		unittest.AssertNotExistsBean(t, &user_model.Follow{UserID: followerID, FollowID: followedID})
+	}
+	testSuccess(4, 2)
+	testSuccess(5, 2)
+	testSuccess(2, 2)
+
+	unittest.CheckConsistencyFor(t, &user_model.User{})
+}
+
+func TestIsUserVisibleToViewer(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})   // admin, public
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})   // normal, public
+	user20 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20}) // public, same team as user31
+	user29 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) // public, is restricted
+	user31 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 31}) // private, same team as user20
+	user33 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 33}) // limited, follows 31
+
+	test := func(u, viewer *user_model.User, expected bool) {
+		name := func(u *user_model.User) string {
+			if u == nil {
+				return "<nil>"
+			}
+			return u.Name
+		}
+		assert.Equal(t, expected, user_model.IsUserVisibleToViewer(t.Context(), u, viewer), "user %v should be visible to viewer %v: %v", name(u), name(viewer), expected)
+	}
+
+	// admin viewer
+	test(user1, user1, true)
+	test(user20, user1, true)
+	test(user31, user1, true)
+	test(user33, user1, true)
+
+	// non admin viewer
+	test(user4, user4, true)
+	test(user20, user4, true)
+	test(user31, user4, false)
+	test(user33, user4, true)
+	test(user4, nil, true)
+
+	// public user
+	test(user4, user20, true)
+	test(user4, user31, true)
+	test(user4, user33, true)
+
+	// limited user
+	test(user33, user33, true)
+	test(user33, user4, true)
+	test(user33, user29, false)
+	test(user33, nil, false)
+
+	// private user
+	test(user31, user31, true)
+	test(user31, user4, false)
+	test(user31, user20, true)
+	test(user31, user29, false)
+	test(user31, user33, true)
+	test(user31, nil, false)
+}
+
+func Test_ValidateUser(t *testing.T) {
+	defer test.MockVariableValue(&setting.Service.AllowedUserVisibilityModesSlice, []bool{true, false, true})()
+
+	kases := map[*user_model.User]bool{
+		{ID: 1, Visibility: structs.VisibleTypePublic}:  true,
+		{ID: 2, Visibility: structs.VisibleTypeLimited}: false,
+		{ID: 2, Visibility: structs.VisibleTypePrivate}: true,
+	}
+	for kase, expected := range kases {
+		assert.Equal(t, expected, nil == user_model.ValidateUser(kase), "case: %+v", kase)
+	}
+}
+
+func Test_NormalizeUserFromEmail(t *testing.T) {
+	testCases := []struct {
+		Input             string
+		Expected          string
+		IsNormalizedValid bool
+	}{
+		{"name@example.com", "name", true},
+		{"test'`´name", "testname", true},
+		{"Sinéad.O'Connor", "Sinead.OConnor", true},
+		{"Æsir", "AEsir", true},
+		{"éé", "ee", true}, // \u00e9\u0065\u0301
+		{"Awareness Hub", "Awareness-Hub", true},
+		{"double__underscore", "double__underscore", false}, // We should consider squashing double non-alpha characters
+		{".bad.", ".bad.", false},
+		{"new😀user", "new😀user", false}, // No plans to support
+		{`"quoted"`, `"quoted"`, false}, // No plans to support
+	}
+	for _, testCase := range testCases {
+		normalizedName, err := user_model.NormalizeUserName(testCase.Input)
+		assert.NoError(t, err)
+		assert.Equal(t, testCase.Expected, normalizedName)
+		if testCase.IsNormalizedValid {
+			assert.NoError(t, user_model.IsUsableUsername(normalizedName))
+		} else {
+			assert.Error(t, user_model.IsUsableUsername(normalizedName))
+		}
+	}
+}
+
+func TestEmailTo(t *testing.T) {
+	testCases := []struct {
+		fullName string
+		mail     string
+		result   string
+	}{
+		{"Awareness Hub", "awareness@hub.net", "Awareness Hub <awareness@hub.net>"},
+		{"name@example.com", "name@example.com", "name@example.com"},
+		{"Hi Its <Mee>", "ee@mail.box", "Hi Its Mee <ee@mail.box>"},
+		{"Sinéad.O'Connor", "sinead.oconnor@gmail.com", "=?utf-8?q?Sin=C3=A9ad.O'Connor?= <sinead.oconnor@gmail.com>"},
+		{"Æsir", "aesir@gmx.de", "=?utf-8?q?=C3=86sir?= <aesir@gmx.de>"},
+		{"new😀user", "new.user@alo.com", "=?utf-8?q?new=F0=9F=98=80user?= <new.user@alo.com>"},
+		{`"quoted"`, "quoted@test.com", "quoted <quoted@test.com>"},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.result, func(t *testing.T) {
+			testUser := &user_model.User{FullName: testCase.fullName, Email: testCase.mail}
+			assert.Equal(t, testCase.result, testUser.EmailTo())
+		})
+	}
+}
+
+func TestDisabledUserFeatures(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	testValues := container.SetOf(setting.UserFeatureDeletion,
+		setting.UserFeatureManageSSHKeys,
+		setting.UserFeatureManageGPGKeys)
+	defer test.MockVariableValue(&setting.Admin.ExternalUserDisableFeatures, testValues)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+	assert.Empty(t, setting.Admin.UserDisabledFeatures.Values())
+
+	// no features should be disabled with a plain login type
+	assert.LessOrEqual(t, user.LoginType, auth.Plain)
+	assert.Empty(t, user_model.DisabledFeaturesWithLoginType(user).Values())
+	for _, f := range testValues.Values() {
+		assert.False(t, user_model.IsFeatureDisabledWithLoginType(user, f))
+	}
+
+	// check disabled features with external login type
+	user.LoginType = auth.OAuth2
+
+	// all features should be disabled
+	assert.NotEmpty(t, user_model.DisabledFeaturesWithLoginType(user).Values())
+	for _, f := range testValues.Values() {
+		assert.True(t, user_model.IsFeatureDisabledWithLoginType(user, f))
+	}
+}
+
+func TestGetInactiveUsers(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	// all inactive users
+	// user1's createdunix is 1730468968
+	users, err := user_model.GetInactiveUsers(t.Context(), 0)
+	assert.NoError(t, err)
+	assert.Len(t, users, 1)
+	interval := time.Now().Unix() - 1730468968 + 3600*24
+	users, err = user_model.GetInactiveUsers(t.Context(), time.Duration(interval*int64(time.Second)))
+	assert.NoError(t, err)
+	assert.Empty(t, users)
+}
+
+func TestCanCreateRepo(t *testing.T) {
+	defer test.MockVariableValue(&setting.Repository.MaxCreationLimit)()
+	defer test.MockVariableValue(&setting.Repository.UserMaxCreationLimit)()
+	defer test.MockVariableValue(&setting.Repository.OrgMaxCreationLimit)()
+	const noLimit = -1
+	doerActions := user_model.NewActionsUser()
+	doerNormal := &user_model.User{ID: 2}
+	doerAdmin := &user_model.User{ID: 1, IsAdmin: true}
+	orgOwner := func(numRepos, maxRepoCreation int) *user_model.User {
+		return &user_model.User{ID: 3, Type: user_model.UserTypeOrganization, NumRepos: numRepos, MaxRepoCreation: maxRepoCreation}
+	}
+	t.Run("NoGlobalLimit", func(t *testing.T) {
+		setting.Repository.UserMaxCreationLimit = noLimit
+		setting.Repository.OrgMaxCreationLimit = noLimit
+
+		assert.False(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 0}))
+		assert.True(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 100}))
+		assert.True(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: noLimit}))
+
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 0}))
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 100}))
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: noLimit}))
+		assert.False(t, doerActions.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: noLimit}))
+		assert.False(t, doerAdmin.CanCreateRepoIn(doerActions))
+	})
+
+	t.Run("GlobalLimit50", func(t *testing.T) {
+		setting.Repository.UserMaxCreationLimit = 50
+		setting.Repository.OrgMaxCreationLimit = 50
+
+		assert.True(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: noLimit}))
+		assert.False(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 60, MaxRepoCreation: noLimit})) // limited by global limit
+		assert.False(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 0}))
+		assert.True(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 100}))
+		assert.True(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 60, MaxRepoCreation: 100}))
+
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: noLimit}))
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 60, MaxRepoCreation: noLimit}))
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 0}))
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 10, MaxRepoCreation: 100}))
+		assert.True(t, doerAdmin.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 60, MaxRepoCreation: 100}))
+	})
+
+	t.Run("UserBlockedOrgsUnlimited", func(t *testing.T) {
+		// User and org limits are independent: a deployment can block personal repos while leaving orgs unrestricted.
+		setting.Repository.UserMaxCreationLimit = 0
+		setting.Repository.OrgMaxCreationLimit = noLimit
+
+		// regular user is blocked
+		assert.False(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 0, MaxRepoCreation: noLimit}))
+		// per-user override grants individual exceptions even when the global user limit is 0
+		assert.True(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 3, MaxRepoCreation: 5}))
+		assert.False(t, doerNormal.CanCreateRepoIn(&user_model.User{ID: 2, NumRepos: 5, MaxRepoCreation: 5}))
+
+		// organization can create unlimited repos
+		assert.True(t, doerNormal.CanCreateRepoIn(orgOwner(10, noLimit)))
+		assert.True(t, doerNormal.CanCreateRepoIn(orgOwner(999, noLimit)))
+		// per-org override still wins over the global org limit
+		assert.False(t, doerNormal.CanCreateRepoIn(orgOwner(5, 5)))
+	})
+
+	t.Run("OrgGlobalLimitWithPerOrgOverride", func(t *testing.T) {
+		setting.Repository.UserMaxCreationLimit = noLimit
+		setting.Repository.OrgMaxCreationLimit = 10
+
+		assert.True(t, doerNormal.CanCreateRepoIn(orgOwner(5, noLimit)))
+		assert.False(t, doerNormal.CanCreateRepoIn(orgOwner(10, noLimit)))
+
+		// per-org override bypasses the global org limit
+		assert.True(t, doerNormal.CanCreateRepoIn(orgOwner(10, 100)))
+	})
+}

models/user/user_update.go

@@ -0,0 +1,15 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+
+	"gitea.dev/models/db"
+)
+
+func IncrUserRepoNum(ctx context.Context, userID int64) error {
+	_, err := db.GetEngine(ctx).Incr("num_repos").ID(userID).Update(new(User))
+	return err
+}