From 7d255a353f2dd0348e7e2df6193f0b672b46ba14 Mon Sep 17 00:00:00 2001
From: Dustin Ingram <di@users.noreply.github.com>
Date: Thu, 28 Mar 2024 07:21:29 -0400
Subject: [PATCH] Add email domain blocklist (#15672)

---
 tests/unit/accounts/test_forms.py             |  55 ++++-
 tests/unit/admin/test_routes.py               |   7 +
 tests/unit/admin/views/test_users.py          |  60 +++++
 tests/unit/manage/test_forms.py               |  24 +-
 tests/unit/manage/test_views.py               |   2 +-
 warehouse/accounts/forms.py                   |  23 +-
 warehouse/accounts/models.py                  |  20 ++
 warehouse/accounts/views.py                   |   1 +
 warehouse/admin/routes.py                     |   7 +
 .../admin/templates/admin/users/detail.html   |  46 +++-
 warehouse/admin/views/users.py                |  42 +++-
 warehouse/locale/messages.pot                 | 210 +++++++++---------
 warehouse/manage/views/__init__.py            |   4 +-
 .../1fdecaf73541_add_prohibitedemaildomain.py |  60 +++++
 14 files changed, 439 insertions(+), 122 deletions(-)
 create mode 100644 warehouse/migrations/versions/1fdecaf73541_add_prohibitedemaildomain.py

diff --git a/tests/unit/accounts/test_forms.py b/tests/unit/accounts/test_forms.py
index 718a22c8409b..7cecb64ebb07 100644
--- a/tests/unit/accounts/test_forms.py
+++ b/tests/unit/accounts/test_forms.py
@@ -28,7 +28,7 @@
     NoRecoveryCodes,
     TooManyFailedLogins,
 )
-from warehouse.accounts.models import DisableReason
+from warehouse.accounts.models import DisableReason, ProhibitedEmailDomain
 from warehouse.captcha import recaptcha
 from warehouse.events.tags import EventTag
 from warehouse.utils.webauthn import AuthenticationRejectedError
@@ -399,6 +399,9 @@ def test_validate(self):
         )
 
         form = forms.RegistrationForm(
+            request=pretend.stub(
+                db=pretend.stub(query=lambda *a: pretend.stub(scalar=lambda: False))
+            ),
             formdata=MultiDict(
                 {
                     "username": "myusername",
@@ -419,6 +422,7 @@ def test_validate(self):
 
     def test_password_confirm_required_error(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"password_confirm": ""}),
             user_service=pretend.stub(
                 find_userid_by_email=pretend.call_recorder(lambda _: pretend.stub())
@@ -435,6 +439,7 @@ def test_passwords_mismatch_error(self, pyramid_config):
             find_userid_by_email=pretend.call_recorder(lambda _: pretend.stub())
         )
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict(
                 {"new_password": "password", "password_confirm": "mismatch"}
             ),
@@ -454,6 +459,7 @@ def test_passwords_match_success(self):
             find_userid_by_email=pretend.call_recorder(lambda _: pretend.stub())
         )
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict(
                 {
                     "new_password": "MyStr0ng!shPassword",
@@ -471,6 +477,7 @@ def test_passwords_match_success(self):
 
     def test_email_required_error(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"email": ""}),
             user_service=pretend.stub(
                 find_userid_by_email=pretend.call_recorder(lambda _: pretend.stub())
@@ -483,8 +490,9 @@ def test_email_required_error(self):
         assert form.email.errors.pop() == "This field is required."
 
     @pytest.mark.parametrize("email", ["bad", "foo]bar@example.com", "</body></html>"])
-    def test_invalid_email_error(self, pyramid_config, email):
+    def test_invalid_email_error(self, pyramid_request, email):
         form = forms.RegistrationForm(
+            request=pyramid_request,
             formdata=MultiDict({"email": email}),
             user_service=pretend.stub(
                 find_userid_by_email=pretend.call_recorder(lambda _: None)
@@ -500,6 +508,9 @@ def test_invalid_email_error(self, pyramid_config, email):
 
     def test_exotic_email_success(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(
+                db=pretend.stub(query=lambda *a: pretend.stub(scalar=lambda: False))
+            ),
             formdata=MultiDict({"email": "foo@n--tree.net"}),
             user_service=pretend.stub(
                 find_userid_by_email=pretend.call_recorder(lambda _: None)
@@ -511,8 +522,12 @@ def test_exotic_email_success(self):
         form.validate()
         assert len(form.email.errors) == 0
 
-    def test_email_exists_error(self, pyramid_config):
+    def test_email_exists_error(self, pyramid_request):
+        pyramid_request.db = pretend.stub(
+            query=lambda *a: pretend.stub(scalar=lambda: False)
+        )
         form = forms.RegistrationForm(
+            request=pyramid_request,
             formdata=MultiDict({"email": "foo@bar.com"}),
             user_service=pretend.stub(
                 find_userid_by_email=pretend.call_recorder(lambda _: pretend.stub())
@@ -528,8 +543,9 @@ def test_email_exists_error(self, pyramid_config):
             "Use a different email."
         )
 
-    def test_prohibited_email_error(self, pyramid_config):
+    def test_disposable_email_error(self, pyramid_request):
         form = forms.RegistrationForm(
+            request=pyramid_request,
             formdata=MultiDict({"email": "foo@bearsarefuzzy.com"}),
             user_service=pretend.stub(
                 find_userid_by_email=pretend.call_recorder(lambda _: None)
@@ -545,8 +561,30 @@ def test_prohibited_email_error(self, pyramid_config):
             "different email."
         )
 
+    def test_prohibited_email_error(self, db_request):
+        domain = ProhibitedEmailDomain(domain="wutang.net")
+        db_request.db.add(domain)
+
+        form = forms.RegistrationForm(
+            request=db_request,
+            formdata=MultiDict({"email": "foo@wutang.net"}),
+            user_service=pretend.stub(
+                find_userid_by_email=pretend.call_recorder(lambda _: None)
+            ),
+            captcha_service=pretend.stub(enabled=True),
+            breach_service=pretend.stub(check_password=lambda pw, tags=None: False),
+        )
+
+        assert not form.validate()
+        assert (
+            str(form.email.errors.pop())
+            == "You can't use an email address from this domain. Use a "
+            "different email."
+        )
+
     def test_recaptcha_disabled(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"g_recpatcha_response": ""}),
             user_service=pretend.stub(),
             captcha_service=pretend.stub(
@@ -562,6 +600,7 @@ def test_recaptcha_disabled(self):
 
     def test_recaptcha_required_error(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"g_recaptcha_response": ""}),
             user_service=pretend.stub(),
             captcha_service=pretend.stub(
@@ -575,6 +614,7 @@ def test_recaptcha_required_error(self):
 
     def test_recaptcha_error(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"g_recaptcha_response": "asd"}),
             user_service=pretend.stub(),
             captcha_service=pretend.stub(
@@ -588,6 +628,7 @@ def test_recaptcha_error(self):
 
     def test_username_exists(self, pyramid_config):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"username": "foo"}),
             user_service=pretend.stub(
                 find_userid=pretend.call_recorder(lambda name: 1),
@@ -608,6 +649,7 @@ def test_username_exists(self, pyramid_config):
 
     def test_username_prohibted(self, pyramid_config):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"username": "foo"}),
             user_service=pretend.stub(
                 username_is_prohibited=lambda a: True,
@@ -628,6 +670,7 @@ def test_username_prohibted(self, pyramid_config):
     @pytest.mark.parametrize("username", ["_foo", "bar_", "foo^bar", "boo\0far"])
     def test_username_is_valid(self, username, pyramid_config):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"username": username}),
             user_service=pretend.stub(
                 find_userid=pretend.call_recorder(lambda _: None),
@@ -656,6 +699,7 @@ def test_password_strength(self):
         )
         for pwd, valid in cases:
             form = forms.RegistrationForm(
+                request=pretend.stub(),
                 formdata=MultiDict({"new_password": pwd, "password_confirm": pwd}),
                 user_service=pretend.stub(),
                 captcha_service=pretend.stub(
@@ -669,6 +713,7 @@ def test_password_strength(self):
 
     def test_password_breached(self):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"new_password": "password"}),
             user_service=pretend.stub(
                 find_userid=pretend.call_recorder(lambda _: None)
@@ -693,6 +738,7 @@ def test_password_breached(self):
 
     def test_name_too_long(self, pyramid_config):
         form = forms.RegistrationForm(
+            request=pretend.stub(),
             formdata=MultiDict({"full_name": "hello " * 50}),
             user_service=pretend.stub(
                 find_userid=pretend.call_recorder(lambda _: None)
@@ -720,6 +766,7 @@ class TestRequestPasswordResetForm:
     )
     def test_validate(self, form_input):
         form = forms.RequestPasswordResetForm(
+            request=pretend.stub(),
             formdata=MultiDict({"username_or_email": form_input}),
         )
         assert form.validate()
diff --git a/tests/unit/admin/test_routes.py b/tests/unit/admin/test_routes.py
index 5c2066452dfa..09cba574612f 100644
--- a/tests/unit/admin/test_routes.py
+++ b/tests/unit/admin/test_routes.py
@@ -76,6 +76,13 @@ def test_includeme():
             factory="warehouse.accounts.models:UserFactory",
             traverse="/{username}",
         ),
+        pretend.call(
+            "admin.user.freeze",
+            "/admin/users/{username}/freeze/",
+            domain=warehouse,
+            factory="warehouse.accounts.models:UserFactory",
+            traverse="/{username}",
+        ),
         pretend.call(
             "admin.user.reset_password",
             "/admin/users/{username}/reset_password/",
diff --git a/tests/unit/admin/views/test_users.py b/tests/unit/admin/views/test_users.py
index 82a964ed46d4..c94f99753dcb 100644
--- a/tests/unit/admin/views/test_users.py
+++ b/tests/unit/admin/views/test_users.py
@@ -20,6 +20,7 @@
 from warehouse.accounts.interfaces import IEmailBreachedService, IUserService
 from warehouse.accounts.models import (
     DisableReason,
+    ProhibitedEmailDomain,
     ProhibitedUserName,
     RecoveryCode,
     WebAuthn,
@@ -396,6 +397,65 @@ def test_user_delete_redirects_actual_name(self, db_request):
         ]
 
 
+class TestUserFreeze:
+    def test_freezes_user(self, db_request, monkeypatch):
+        user = UserFactory.create()
+        verified_email = EmailFactory.create(user=user, verified=True, primary=True)
+        EmailFactory.create(user=user, verified=False, primary=False)
+
+        db_request.matchdict["username"] = str(user.username)
+        db_request.params = {"username": user.username}
+        db_request.route_path = pretend.call_recorder(lambda a: "/foobar")
+        db_request.user = UserFactory.create()
+
+        result = views.user_freeze(user, db_request)
+
+        db_request.db.flush()
+
+        assert db_request.db.get(User, user.id).is_frozen
+        prohibition = db_request.db.query(ProhibitedEmailDomain).one()
+        assert prohibition.domain == verified_email.domain
+
+        assert db_request.route_path.calls == [pretend.call("admin.user.list")]
+        assert result.status_code == 303
+        assert result.location == "/foobar"
+
+    def test_freezes_user_bad_confirm(self, db_request, monkeypatch):
+        user = UserFactory.create(is_frozen=False)
+        EmailFactory.create(user=user, verified=True, primary=True)
+
+        db_request.matchdict["username"] = str(user.username)
+        db_request.params = {"username": "wrong"}
+        db_request.route_path = pretend.call_recorder(lambda a, **k: "/foobar")
+
+        result = views.user_freeze(user, db_request)
+
+        db_request.db.flush()
+
+        assert not db_request.db.get(User, user.id).is_frozen
+        assert not db_request.db.query(ProhibitedEmailDomain).all()
+        assert db_request.route_path.calls == [
+            pretend.call("admin.user.detail", username=user.username)
+        ]
+        assert result.status_code == 303
+        assert result.location == "/foobar"
+
+    def test_user_freeze_redirects_actual_name(self, db_request):
+        user = UserFactory.create(username="wu-tang")
+        db_request.matchdict["username"] = "Wu-Tang"
+        db_request.current_route_path = pretend.call_recorder(
+            lambda username: "/user/the-redirect/"
+        )
+
+        result = views.user_freeze(user, db_request)
+
+        assert isinstance(result, HTTPMovedPermanently)
+        assert result.headers["Location"] == "/user/the-redirect/"
+        assert db_request.current_route_path.calls == [
+            pretend.call(username=user.username)
+        ]
+
+
 class TestUserResetPassword:
     def test_resets_password(self, db_request, monkeypatch):
         user = UserFactory.create()
diff --git a/tests/unit/manage/test_forms.py b/tests/unit/manage/test_forms.py
index 9939ca379b2d..f58bb61754bc 100644
--- a/tests/unit/manage/test_forms.py
+++ b/tests/unit/manage/test_forms.py
@@ -173,6 +173,9 @@ def test_validate(self):
         user_id = pretend.stub()
         user_service = pretend.stub(find_userid_by_email=lambda _: None)
         form = forms.AddEmailForm(
+            request=pretend.stub(
+                db=pretend.stub(query=lambda *a: pretend.stub(scalar=lambda: False))
+            ),
             formdata=MultiDict({"email": "foo@bar.com"}),
             user_id=user_id,
             user_service=user_service,
@@ -182,9 +185,13 @@ def test_validate(self):
         assert form.user_service is user_service
         assert form.validate(), str(form.errors)
 
-    def test_email_exists_error(self, pyramid_config):
+    def test_email_exists_error(self, pyramid_request):
+        pyramid_request.db = pretend.stub(
+            query=lambda *a: pretend.stub(scalar=lambda: False)
+        )
         user_id = pretend.stub()
         form = forms.AddEmailForm(
+            request=pyramid_request,
             formdata=MultiDict({"email": "foo@bar.com"}),
             user_id=user_id,
             user_service=pretend.stub(find_userid_by_email=lambda _: user_id),
@@ -197,8 +204,12 @@ def test_email_exists_error(self, pyramid_config):
             "Use a different email."
         )
 
-    def test_email_exists_other_account_error(self, pyramid_config):
+    def test_email_exists_other_account_error(self, pyramid_request):
+        pyramid_request.db = pretend.stub(
+            query=lambda *a: pretend.stub(scalar=lambda: False)
+        )
         form = forms.AddEmailForm(
+            request=pyramid_request,
             formdata=MultiDict({"email": "foo@bar.com"}),
             user_id=pretend.stub(),
             user_service=pretend.stub(find_userid_by_email=lambda _: pretend.stub()),
@@ -211,8 +222,12 @@ def test_email_exists_other_account_error(self, pyramid_config):
             "Use a different email."
         )
 
-    def test_prohibited_email_error(self, pyramid_config):
+    def test_prohibited_email_error(self, pyramid_request):
+        pyramid_request.db = pretend.stub(
+            query=lambda *a: pretend.stub(scalar=lambda: False)
+        )
         form = forms.AddEmailForm(
+            request=pyramid_request,
             formdata=MultiDict({"email": "foo@bearsarefuzzy.com"}),
             user_service=pretend.stub(find_userid_by_email=lambda _: None),
             user_id=pretend.stub(),
@@ -227,6 +242,9 @@ def test_prohibited_email_error(self, pyramid_config):
 
     def test_email_too_long_error(self, pyramid_config):
         form = forms.AddEmailForm(
+            request=pretend.stub(
+                db=pretend.stub(query=lambda *a: pretend.stub(scalar=lambda: False))
+            ),
             formdata=MultiDict({"email": f"{'x' * 300}@bar.com"}),
             user_service=pretend.stub(find_userid_by_email=lambda _: None),
             user_id=pretend.stub(),
diff --git a/tests/unit/manage/test_views.py b/tests/unit/manage/test_views.py
index 39c50e033f54..830d1b9b4a18 100644
--- a/tests/unit/manage/test_views.py
+++ b/tests/unit/manage/test_views.py
@@ -147,7 +147,7 @@ def test_default_response(self, monkeypatch, public_email, expected_public_email
             )
         ]
         assert add_email_cls.calls == [
-            pretend.call(user_id=user_id, user_service=user_service)
+            pretend.call(request=request, user_id=user_id, user_service=user_service)
         ]
         assert change_pass_cls.calls == [
             pretend.call(
diff --git a/warehouse/accounts/forms.py b/warehouse/accounts/forms.py
index 4dfb22d39707..016e37a5f495 100644
--- a/warehouse/accounts/forms.py
+++ b/warehouse/accounts/forms.py
@@ -22,6 +22,8 @@
 import wtforms
 import wtforms.fields
 
+from sqlalchemy import exists
+
 import warehouse.utils.otp as otp
 import warehouse.utils.webauthn as webauthn
 
@@ -32,7 +34,7 @@
     NoRecoveryCodes,
     TooManyFailedLogins,
 )
-from warehouse.accounts.models import DisableReason
+from warehouse.accounts.models import DisableReason, ProhibitedEmailDomain
 from warehouse.accounts.services import RECOVERY_CODE_BYTES
 from warehouse.captcha import recaptcha
 from warehouse.email import (
@@ -269,21 +271,30 @@ class NewEmailMixin:
         ]
     )
 
+    def __init__(self, *args, request, **kwargs):
+        self.request = request
+        super().__init__(*args, **kwargs)
+
     def validate_email(self, field):
         # Additional checks for the validity of the address
         try:
             Address(addr_spec=field.data)
         except (ValueError, HeaderParseError):
             raise wtforms.validators.ValidationError(
-                _("The email address isn't valid. Try again.")
+                self.request._("The email address isn't valid. Try again.")
             )
 
         # Check if the domain is valid
         domain = field.data.split("@")[-1]
 
-        if domain in disposable_email_domains.blocklist:
+        if (
+            domain in disposable_email_domains.blocklist
+            or self.request.db.query(
+                exists().where(ProhibitedEmailDomain.domain == domain)
+            ).scalar()
+        ):
             raise wtforms.validators.ValidationError(
-                _(
+                self.request._(
                     "You can't use an email address from this domain. Use a "
                     "different email."
                 )
@@ -294,14 +305,14 @@ def validate_email(self, field):
 
         if userid and userid == self.user_id:
             raise wtforms.validators.ValidationError(
-                _(
+                self.request._(
                     "This email address is already being used by this account. "
                     "Use a different email."
                 )
             )
         if userid:
             raise wtforms.validators.ValidationError(
-                _(
+                self.request._(
                     "This email address is already being used "
                     "by another account. Use a different email."
                 )
diff --git a/warehouse/accounts/models.py b/warehouse/accounts/models.py
index b9dcf2ded4ed..9618347ba49b 100644
--- a/warehouse/accounts/models.py
+++ b/warehouse/accounts/models.py
@@ -346,6 +346,26 @@ class Email(db.ModelBase):
     unverify_reason: Mapped[UnverifyReasons | None]
     transient_bounces: Mapped[int] = mapped_column(server_default=sql.text("0"))
 
+    @property
+    def domain(self):
+        return self.email.split("@")[-1].lower()
+
+
+class ProhibitedEmailDomain(db.Model):
+    __tablename__ = "prohibited_email_domains"
+    __repr__ = make_repr("domain")
+
+    created: Mapped[datetime_now]
+    domain: Mapped[str] = mapped_column(unique=True)
+    _prohibited_by: Mapped[UUID | None] = mapped_column(
+        "prohibited_by",
+        PG_UUID(as_uuid=True),
+        ForeignKey("users.id"),
+        index=True,
+    )
+    prohibited_by: Mapped[User] = orm.relationship(User)
+    comment: Mapped[str] = mapped_column(server_default="")
+
 
 class ProhibitedUserName(db.Model):
     __tablename__ = "prohibited_user_names"
diff --git a/warehouse/accounts/views.py b/warehouse/accounts/views.py
index 8a3ad8086b10..139976739111 100644
--- a/warehouse/accounts/views.py
+++ b/warehouse/accounts/views.py
@@ -679,6 +679,7 @@ def register(request, _form_class=RegistrationForm):
     )
 
     form = _form_class(
+        request=request,
         formdata=post_body,
         user_service=user_service,
         captcha_service=captcha_service,
diff --git a/warehouse/admin/routes.py b/warehouse/admin/routes.py
index 440e7d0d2bfc..abcce14cdfc2 100644
--- a/warehouse/admin/routes.py
+++ b/warehouse/admin/routes.py
@@ -74,6 +74,13 @@ def includeme(config):
         factory="warehouse.accounts.models:UserFactory",
         traverse="/{username}",
     )
+    config.add_route(
+        "admin.user.freeze",
+        "/admin/users/{username}/freeze/",
+        domain=warehouse,
+        factory="warehouse.accounts.models:UserFactory",
+        traverse="/{username}",
+    )
     config.add_route(
         "admin.user.reset_password",
         "/admin/users/{username}/reset_password/",
diff --git a/warehouse/admin/templates/admin/users/detail.html b/warehouse/admin/templates/admin/users/detail.html
index 87298c20ce66..b96afac62481 100644
--- a/warehouse/admin/templates/admin/users/detail.html
+++ b/warehouse/admin/templates/admin/users/detail.html
@@ -103,6 +103,9 @@ <h2 class="card-title">Actions</h2>
         </div>
         <div class="card-body">
           <div class="form-group">
+            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#freezeModal" {{ "disabled" if not perms_admin_users_write }}>
+              <i class="icon fa fa-snowman"></i> Freeze user & block domain
+            </button>
             <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#nukeModal" {{ "disabled" if not perms_admin_users_write }}>
               <i class="icon fa fa-bomb"></i> Nuke user
             </button>
@@ -112,7 +115,48 @@ <h2 class="card-title">Actions</h2>
             <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#wipeFactorsModal" {{ "disabled" if not perms_admin_users_write }}>
               <i class="fa-solid fa-toilet-paper"></i> Wipe 2FA and recovery codes
             </button>
-            <div class="modal fade" id="nukeModal" tabindex="-1" role="dialog">
+            <div class="modal fade" id="freezeModal" tabindex="-1" role="dialog">
+              <form method="POST" action="{{ request.route_path('admin.user.freeze', username=user.username) }}">
+                <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
+                <div class="modal-dialog" role="document">
+                  <div class="modal-content">
+                    <div class="modal-header">
+                      <h4 class="modal-title" id="nukeModalLabel">Freeze user {{ user.username }} and prohibit domain?</h4>
+                      <button type="button" class="close" data-dismiss="modal">
+                        <span>&times;</span>
+                      </button>
+                    </div>
+                    <div class="modal-body">
+                      <p>
+                        This is totally reversible.
+                      </p>
+                      <p>
+                        This will also prohibit the following domains:
+                      </p>
+                      <ul>
+                      {% for email in user.emails if email.verified %}
+                        <li>
+                          {{ email.domain }}
+                        </li>
+                      {% else %}
+                        <li><i>None</i></li>
+                      {% endfor %}
+                      </ul>
+                      <hr>
+                      <p>
+                        Type the username '{{ user.username }}' to confirm:
+                      </p>
+                      <input type="text" name="username" placeholder="{{ user.username }}">
+                    </div>
+                    <div class="modal-footer">
+                        <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
+                        <button type="submit" class="btn btn-danger">Freeze 'em</button>
+                      </div>
+                  </div>
+                </div>
+              </form>
+            </div>
+<div class="modal fade" id="nukeModal" tabindex="-1" role="dialog">
               <form method="POST" action="{{ request.route_path('admin.user.delete', username=user.username) }}">
                 <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
                 <div class="modal-dialog" role="document">
diff --git a/warehouse/admin/views/users.py b/warehouse/admin/views/users.py
index 9f3c95622ac6..f58a0b3d784e 100644
--- a/warehouse/admin/views/users.py
+++ b/warehouse/admin/views/users.py
@@ -24,7 +24,13 @@
 
 from warehouse import forms
 from warehouse.accounts.interfaces import IEmailBreachedService, IUserService
-from warehouse.accounts.models import DisableReason, Email, ProhibitedUserName, User
+from warehouse.accounts.models import (
+    DisableReason,
+    Email,
+    ProhibitedEmailDomain,
+    ProhibitedUserName,
+    User,
+)
 from warehouse.authnz import Permissions
 from warehouse.email import send_password_compromised_email
 from warehouse.packaging.models import JournalEntry, Project, Role
@@ -268,6 +274,40 @@ def user_delete(user, request):
     return HTTPSeeOther(request.route_path("admin.user.list"))
 
 
+@view_config(
+    route_name="admin.user.freeze",
+    require_methods=["POST"],
+    permission=Permissions.AdminUsersWrite,
+    uses_session=True,
+    require_csrf=True,
+    context=User,
+)
+def user_freeze(user, request):
+    if user.username != request.matchdict.get("username", user.username):
+        return HTTPMovedPermanently(request.current_route_path(username=user.username))
+
+    if user.username != request.params.get("username"):
+        request.session.flash("Wrong confirmation input", queue="error")
+        return HTTPSeeOther(
+            request.route_path("admin.user.detail", username=user.username)
+        )
+
+    user.is_frozen = True
+
+    for email in user.emails:
+        if email.verified:
+            request.db.add(
+                ProhibitedEmailDomain(
+                    domain=email.domain,
+                    comment="frozen",
+                    prohibited_by=request.user,
+                )
+            )
+
+    request.session.flash(f"Froze user {user.username!r}", queue="success")
+    return HTTPSeeOther(request.route_path("admin.user.list"))
+
+
 def _user_reset_password(user, request):
     login_service = request.find_service(IUserService, context=None)
     send_password_compromised_email(request, user)
diff --git a/warehouse/locale/messages.pot b/warehouse/locale/messages.pot
index c37a2e4d1b0c..011255305afe 100644
--- a/warehouse/locale/messages.pot
+++ b/warehouse/locale/messages.pot
@@ -14,103 +14,103 @@ msgstr ""
 msgid "Locale updated"
 msgstr ""
 
-#: warehouse/accounts/forms.py:49
+#: warehouse/accounts/forms.py:51
 msgid "The password is invalid. Try again."
 msgstr ""
 
-#: warehouse/accounts/forms.py:50
+#: warehouse/accounts/forms.py:52
 msgid ""
 "The username is invalid. Usernames must be composed of letters, numbers, "
 "dots, hyphens and underscores. And must also start and finish with a "
 "letter or number. Choose a different username."
 msgstr ""
 
-#: warehouse/accounts/forms.py:68
+#: warehouse/accounts/forms.py:70
 msgid "Null bytes are not allowed."
 msgstr ""
 
-#: warehouse/accounts/forms.py:91
+#: warehouse/accounts/forms.py:93
 msgid "No user found with that username"
 msgstr ""
 
-#: warehouse/accounts/forms.py:102
+#: warehouse/accounts/forms.py:104
 msgid "TOTP code must be ${totp_length} digits."
 msgstr ""
 
-#: warehouse/accounts/forms.py:122
+#: warehouse/accounts/forms.py:124
 msgid "Recovery Codes must be ${recovery_code_length} characters."
 msgstr ""
 
-#: warehouse/accounts/forms.py:137
+#: warehouse/accounts/forms.py:139
 msgid "Choose a username with 50 characters or less."
 msgstr ""
 
-#: warehouse/accounts/forms.py:154
+#: warehouse/accounts/forms.py:156
 msgid ""
 "This username is already being used by another account. Choose a "
 "different username."
 msgstr ""
 
-#: warehouse/accounts/forms.py:168 warehouse/accounts/forms.py:217
-#: warehouse/accounts/forms.py:230
+#: warehouse/accounts/forms.py:170 warehouse/accounts/forms.py:219
+#: warehouse/accounts/forms.py:232
 msgid "Password too long."
 msgstr ""
 
-#: warehouse/accounts/forms.py:204
+#: warehouse/accounts/forms.py:206
 msgid ""
 "There have been too many unsuccessful login attempts. You have been "
 "locked out for ${time}. Please try again later."
 msgstr ""
 
-#: warehouse/accounts/forms.py:233
+#: warehouse/accounts/forms.py:235
 msgid "Your passwords don't match. Try again."
 msgstr ""
 
-#: warehouse/accounts/forms.py:267
+#: warehouse/accounts/forms.py:269
 msgid "The email address is too long. Try again."
 msgstr ""
 
-#: warehouse/accounts/forms.py:278
+#: warehouse/accounts/forms.py:284
 msgid "The email address isn't valid. Try again."
 msgstr ""
 
-#: warehouse/accounts/forms.py:286
+#: warehouse/accounts/forms.py:297
 msgid "You can't use an email address from this domain. Use a different email."
 msgstr ""
 
-#: warehouse/accounts/forms.py:297
+#: warehouse/accounts/forms.py:308
 msgid ""
 "This email address is already being used by this account. Use a different"
 " email."
 msgstr ""
 
-#: warehouse/accounts/forms.py:304
+#: warehouse/accounts/forms.py:315
 msgid ""
 "This email address is already being used by another account. Use a "
 "different email."
 msgstr ""
 
-#: warehouse/accounts/forms.py:337 warehouse/manage/forms.py:139
+#: warehouse/accounts/forms.py:348 warehouse/manage/forms.py:139
 msgid "The name is too long. Choose a name with 100 characters or less."
 msgstr ""
 
-#: warehouse/accounts/forms.py:428
+#: warehouse/accounts/forms.py:439
 msgid "Invalid TOTP code."
 msgstr ""
 
-#: warehouse/accounts/forms.py:445
+#: warehouse/accounts/forms.py:456
 msgid "Invalid WebAuthn assertion: Bad payload"
 msgstr ""
 
-#: warehouse/accounts/forms.py:514
+#: warehouse/accounts/forms.py:525
 msgid "Invalid recovery code."
 msgstr ""
 
-#: warehouse/accounts/forms.py:523
+#: warehouse/accounts/forms.py:534
 msgid "Recovery code has been previously used."
 msgstr ""
 
-#: warehouse/accounts/forms.py:553
+#: warehouse/accounts/forms.py:564
 msgid "The username isn't valid. Try again."
 msgstr ""
 
@@ -147,7 +147,7 @@ msgstr ""
 msgid "Successful WebAuthn assertion"
 msgstr ""
 
-#: warehouse/accounts/views.py:570 warehouse/manage/views/__init__.py:835
+#: warehouse/accounts/views.py:570 warehouse/manage/views/__init__.py:837
 msgid "Recovery code accepted. The supplied code cannot be used again."
 msgstr ""
 
@@ -157,182 +157,182 @@ msgid ""
 "#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:799
+#: warehouse/accounts/views.py:800
 msgid "Expired token: request a new password reset link"
 msgstr ""
 
-#: warehouse/accounts/views.py:801
+#: warehouse/accounts/views.py:802
 msgid "Invalid token: request a new password reset link"
 msgstr ""
 
-#: warehouse/accounts/views.py:803 warehouse/accounts/views.py:916
-#: warehouse/accounts/views.py:1020 warehouse/accounts/views.py:1189
+#: warehouse/accounts/views.py:804 warehouse/accounts/views.py:917
+#: warehouse/accounts/views.py:1021 warehouse/accounts/views.py:1190
 msgid "Invalid token: no token supplied"
 msgstr ""
 
-#: warehouse/accounts/views.py:807
+#: warehouse/accounts/views.py:808
 msgid "Invalid token: not a password reset token"
 msgstr ""
 
-#: warehouse/accounts/views.py:812
+#: warehouse/accounts/views.py:813
 msgid "Invalid token: user not found"
 msgstr ""
 
-#: warehouse/accounts/views.py:834
+#: warehouse/accounts/views.py:835
 msgid "Invalid token: user has logged in since this token was requested"
 msgstr ""
 
-#: warehouse/accounts/views.py:852
+#: warehouse/accounts/views.py:853
 msgid ""
 "Invalid token: password has already been changed since this token was "
 "requested"
 msgstr ""
 
-#: warehouse/accounts/views.py:884
+#: warehouse/accounts/views.py:885
 msgid "You have reset your password"
 msgstr ""
 
-#: warehouse/accounts/views.py:912
+#: warehouse/accounts/views.py:913
 msgid "Expired token: request a new email verification link"
 msgstr ""
 
-#: warehouse/accounts/views.py:914
+#: warehouse/accounts/views.py:915
 msgid "Invalid token: request a new email verification link"
 msgstr ""
 
-#: warehouse/accounts/views.py:920
+#: warehouse/accounts/views.py:921
 msgid "Invalid token: not an email verification token"
 msgstr ""
 
-#: warehouse/accounts/views.py:929
+#: warehouse/accounts/views.py:930
 msgid "Email not found"
 msgstr ""
 
-#: warehouse/accounts/views.py:932
+#: warehouse/accounts/views.py:933
 msgid "Email already verified"
 msgstr ""
 
-#: warehouse/accounts/views.py:949
+#: warehouse/accounts/views.py:950
 msgid "You can now set this email as your primary address"
 msgstr ""
 
-#: warehouse/accounts/views.py:953
+#: warehouse/accounts/views.py:954
 msgid "This is your primary address"
 msgstr ""
 
-#: warehouse/accounts/views.py:958
+#: warehouse/accounts/views.py:959
 msgid "Email address ${email_address} verified. ${confirm_message}."
 msgstr ""
 
-#: warehouse/accounts/views.py:1016
+#: warehouse/accounts/views.py:1017
 msgid "Expired token: request a new organization invitation"
 msgstr ""
 
-#: warehouse/accounts/views.py:1018
+#: warehouse/accounts/views.py:1019
 msgid "Invalid token: request a new organization invitation"
 msgstr ""
 
-#: warehouse/accounts/views.py:1024
+#: warehouse/accounts/views.py:1025
 msgid "Invalid token: not an organization invitation token"
 msgstr ""
 
-#: warehouse/accounts/views.py:1028
+#: warehouse/accounts/views.py:1029
 msgid "Organization invitation is not valid."
 msgstr ""
 
-#: warehouse/accounts/views.py:1037
+#: warehouse/accounts/views.py:1038
 msgid "Organization invitation no longer exists."
 msgstr ""
 
-#: warehouse/accounts/views.py:1088
+#: warehouse/accounts/views.py:1089
 msgid "Invitation for '${organization_name}' is declined."
 msgstr ""
 
-#: warehouse/accounts/views.py:1151
+#: warehouse/accounts/views.py:1152
 msgid "You are now ${role} of the '${organization_name}' organization."
 msgstr ""
 
-#: warehouse/accounts/views.py:1185
+#: warehouse/accounts/views.py:1186
 msgid "Expired token: request a new project role invitation"
 msgstr ""
 
-#: warehouse/accounts/views.py:1187
+#: warehouse/accounts/views.py:1188
 msgid "Invalid token: request a new project role invitation"
 msgstr ""
 
-#: warehouse/accounts/views.py:1193
+#: warehouse/accounts/views.py:1194
 msgid "Invalid token: not a collaboration invitation token"
 msgstr ""
 
-#: warehouse/accounts/views.py:1197
+#: warehouse/accounts/views.py:1198
 msgid "Role invitation is not valid."
 msgstr ""
 
-#: warehouse/accounts/views.py:1212
+#: warehouse/accounts/views.py:1213
 msgid "Role invitation no longer exists."
 msgstr ""
 
-#: warehouse/accounts/views.py:1243
+#: warehouse/accounts/views.py:1244
 msgid "Invitation for '${project_name}' is declined."
 msgstr ""
 
-#: warehouse/accounts/views.py:1309
+#: warehouse/accounts/views.py:1310
 msgid "You are now ${role} of the '${project_name}' project."
 msgstr ""
 
-#: warehouse/accounts/views.py:1556 warehouse/accounts/views.py:1799
-#: warehouse/manage/views/__init__.py:1212
+#: warehouse/accounts/views.py:1557 warehouse/accounts/views.py:1800
+#: warehouse/manage/views/__init__.py:1214
 msgid ""
 "Trusted publishing is temporarily disabled. See https://pypi.org/help"
 "#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1577
+#: warehouse/accounts/views.py:1578
 msgid "disabled. See https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1593
+#: warehouse/accounts/views.py:1594
 msgid ""
 "You must have a verified email in order to register a pending trusted "
 "publisher. See https://pypi.org/help#openid-connect for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1606
+#: warehouse/accounts/views.py:1607
 msgid "You can't register more than 3 pending trusted publishers at once."
 msgstr ""
 
-#: warehouse/accounts/views.py:1622 warehouse/manage/views/__init__.py:1247
-#: warehouse/manage/views/__init__.py:1360
-#: warehouse/manage/views/__init__.py:1472
-#: warehouse/manage/views/__init__.py:1582
+#: warehouse/accounts/views.py:1623 warehouse/manage/views/__init__.py:1249
+#: warehouse/manage/views/__init__.py:1362
+#: warehouse/manage/views/__init__.py:1474
+#: warehouse/manage/views/__init__.py:1584
 msgid ""
 "There have been too many attempted trusted publisher registrations. Try "
 "again later."
 msgstr ""
 
-#: warehouse/accounts/views.py:1633 warehouse/manage/views/__init__.py:1261
-#: warehouse/manage/views/__init__.py:1374
-#: warehouse/manage/views/__init__.py:1486
-#: warehouse/manage/views/__init__.py:1596
+#: warehouse/accounts/views.py:1634 warehouse/manage/views/__init__.py:1263
+#: warehouse/manage/views/__init__.py:1376
+#: warehouse/manage/views/__init__.py:1488
+#: warehouse/manage/views/__init__.py:1598
 msgid "The trusted publisher could not be registered"
 msgstr ""
 
-#: warehouse/accounts/views.py:1647
+#: warehouse/accounts/views.py:1648
 msgid ""
 "This trusted publisher has already been registered. Please contact PyPI's"
 " admins if this wasn't intentional."
 msgstr ""
 
-#: warehouse/accounts/views.py:1674
+#: warehouse/accounts/views.py:1675
 msgid "Registered a new pending publisher to create "
 msgstr ""
 
-#: warehouse/accounts/views.py:1813 warehouse/accounts/views.py:1826
-#: warehouse/accounts/views.py:1833
+#: warehouse/accounts/views.py:1814 warehouse/accounts/views.py:1827
+#: warehouse/accounts/views.py:1834
 msgid "Invalid publisher ID"
 msgstr ""
 
-#: warehouse/accounts/views.py:1839
+#: warehouse/accounts/views.py:1840
 msgid "Removed trusted publisher for project "
 msgstr ""
 
@@ -423,130 +423,130 @@ msgstr ""
 msgid "This team name has already been used. Choose a different team name."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:203
+#: warehouse/manage/views/__init__.py:205
 msgid "Account details updated"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:232
+#: warehouse/manage/views/__init__.py:234
 msgid "Email ${email_address} added - check your email for a verification link"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:783
+#: warehouse/manage/views/__init__.py:785
 msgid "Recovery codes already generated"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:784
+#: warehouse/manage/views/__init__.py:786
 msgid "Generating new recovery codes will invalidate your existing codes."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:893
+#: warehouse/manage/views/__init__.py:895
 msgid "Verify your email to create an API token."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:993
+#: warehouse/manage/views/__init__.py:995
 msgid "API Token does not exist."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1025
+#: warehouse/manage/views/__init__.py:1027
 msgid "Invalid credentials. Try again"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1228
+#: warehouse/manage/views/__init__.py:1230
 msgid ""
 "GitHub-based trusted publishing is temporarily disabled. See "
 "https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1341
+#: warehouse/manage/views/__init__.py:1343
 msgid ""
 "GitLab-based trusted publishing is temporarily disabled. See "
 "https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1453
+#: warehouse/manage/views/__init__.py:1455
 msgid ""
 "Google-based trusted publishing is temporarily disabled. See "
 "https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1562
+#: warehouse/manage/views/__init__.py:1564
 msgid ""
 "ActiveState-based trusted publishing is temporarily disabled. See "
 "https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1797
-#: warehouse/manage/views/__init__.py:2098
-#: warehouse/manage/views/__init__.py:2206
+#: warehouse/manage/views/__init__.py:1799
+#: warehouse/manage/views/__init__.py:2100
+#: warehouse/manage/views/__init__.py:2208
 msgid ""
 "Project deletion temporarily disabled. See https://pypi.org/help#admin-"
 "intervention for details."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1929
-#: warehouse/manage/views/__init__.py:2014
-#: warehouse/manage/views/__init__.py:2115
-#: warehouse/manage/views/__init__.py:2215
+#: warehouse/manage/views/__init__.py:1931
+#: warehouse/manage/views/__init__.py:2016
+#: warehouse/manage/views/__init__.py:2117
+#: warehouse/manage/views/__init__.py:2217
 msgid "Confirm the request"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:1941
+#: warehouse/manage/views/__init__.py:1943
 msgid "Could not yank release - "
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2026
+#: warehouse/manage/views/__init__.py:2028
 msgid "Could not un-yank release - "
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2127
+#: warehouse/manage/views/__init__.py:2129
 msgid "Could not delete release - "
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2227
+#: warehouse/manage/views/__init__.py:2229
 msgid "Could not find file"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2231
+#: warehouse/manage/views/__init__.py:2233
 msgid "Could not delete file - "
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2381
+#: warehouse/manage/views/__init__.py:2383
 msgid "Team '${team_name}' already has ${role_name} role for project"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2488
+#: warehouse/manage/views/__init__.py:2490
 msgid "User '${username}' already has ${role_name} role for project"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2555
+#: warehouse/manage/views/__init__.py:2557
 msgid "${username} is now ${role} of the '${project_name}' project."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2587
+#: warehouse/manage/views/__init__.py:2589
 msgid ""
 "User '${username}' does not have a verified primary email address and "
 "cannot be added as a ${role_name} for project"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2600
+#: warehouse/manage/views/__init__.py:2602
 #: warehouse/manage/views/organizations.py:878
 msgid "User '${username}' already has an active invite. Please try again later."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2665
+#: warehouse/manage/views/__init__.py:2667
 #: warehouse/manage/views/organizations.py:943
 msgid "Invitation sent to '${username}'"
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2698
+#: warehouse/manage/views/__init__.py:2700
 msgid "Could not find role invitation."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2709
+#: warehouse/manage/views/__init__.py:2711
 msgid "Invitation already expired."
 msgstr ""
 
-#: warehouse/manage/views/__init__.py:2741
+#: warehouse/manage/views/__init__.py:2743
 #: warehouse/manage/views/organizations.py:1130
 msgid "Invitation revoked from '${username}'."
 msgstr ""
diff --git a/warehouse/manage/views/__init__.py b/warehouse/manage/views/__init__.py
index c6155f39dd6f..40c5360d458b 100644
--- a/warehouse/manage/views/__init__.py
+++ b/warehouse/manage/views/__init__.py
@@ -171,7 +171,9 @@ def default_response(self):
                 user_id=self.request.user.id,
             ),
             "add_email_form": AddEmailForm(
-                user_service=self.user_service, user_id=self.request.user.id
+                request=self.request,
+                user_service=self.user_service,
+                user_id=self.request.user.id,
             ),
             "change_password_form": ChangePasswordForm(
                 request=self.request,
diff --git a/warehouse/migrations/versions/1fdecaf73541_add_prohibitedemaildomain.py b/warehouse/migrations/versions/1fdecaf73541_add_prohibitedemaildomain.py
new file mode 100644
index 000000000000..e226141f5967
--- /dev/null
+++ b/warehouse/migrations/versions/1fdecaf73541_add_prohibitedemaildomain.py
@@ -0,0 +1,60 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+Add ProhibitedEmailDomain
+
+Revision ID: 1fdecaf73541
+Revises: 93a1ca43e356
+Create Date: 2024-03-28 02:23:25.712347
+"""
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision = "1fdecaf73541"
+down_revision = "93a1ca43e356"
+
+
+def upgrade():
+    op.create_table(
+        "prohibited_email_domains",
+        sa.Column(
+            "created", sa.DateTime(), server_default=sa.text("now()"), nullable=False
+        ),
+        sa.Column("domain", sa.String(), nullable=False),
+        sa.Column("prohibited_by", sa.UUID(), nullable=True),
+        sa.Column("comment", sa.String(), server_default="", nullable=False),
+        sa.Column(
+            "id", sa.UUID(), server_default=sa.text("gen_random_uuid()"), nullable=False
+        ),
+        sa.ForeignKeyConstraint(
+            ["prohibited_by"],
+            ["users.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("domain"),
+    )
+    op.create_index(
+        op.f("ix_prohibited_email_domains_prohibited_by"),
+        "prohibited_email_domains",
+        ["prohibited_by"],
+        unique=False,
+    )
+
+
+def downgrade():
+    op.drop_index(
+        op.f("ix_prohibited_email_domains_prohibited_by"),
+        table_name="prohibited_email_domains",
+    )
+    op.drop_table("prohibited_email_domains")