Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304)
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix #2407 * add testcase Signed-off-by: Andrew Thornton <art27@cantab.net>release/v1.15
parent
17c5c654a5
commit
f582ec4e53
|
@ -12,6 +12,7 @@ import (
|
||||||
"code.gitea.io/gitea/models"
|
"code.gitea.io/gitea/models"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
|
|
||||||
gouuid "github.com/google/uuid"
|
gouuid "github.com/google/uuid"
|
||||||
)
|
)
|
||||||
|
@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
|
||||||
|
|
||||||
user, err := models.GetUserByName(username)
|
user, err := models.GetUserByName(username)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
|
if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
|
||||||
return r.newUser(req)
|
log.Error("GetUserByName: %v", err)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
log.Error("GetUserByName: %v", err)
|
user = r.newUser(req)
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
|
||||||
|
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
|
||||||
|
if sess.Get("uid").(int64) != user.ID {
|
||||||
|
handleSignIn(w, req, sess, user)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
store.GetData()["IsReverseProxy"] = true
|
||||||
|
|
||||||
log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
|
log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
|
||||||
return user
|
return user
|
||||||
}
|
}
|
||||||
|
@ -104,7 +113,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
|
||||||
user := &models.User{
|
user := &models.User{
|
||||||
Name: username,
|
Name: username,
|
||||||
Email: email,
|
Email: email,
|
||||||
Passwd: username,
|
|
||||||
IsActive: true,
|
IsActive: true,
|
||||||
}
|
}
|
||||||
if err := models.CreateUser(user); err != nil {
|
if err := models.CreateUser(user); err != nil {
|
||||||
|
@ -112,5 +120,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
|
||||||
log.Error("CreateUser: %v", err)
|
log.Error("CreateUser: %v", err)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
return user
|
return user
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,8 +15,8 @@
|
||||||
<span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span>
|
<span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span>
|
||||||
<span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span>
|
<span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span>
|
||||||
</label>
|
</label>
|
||||||
<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if not .SignedUser.IsLocal}}disabled{{end}}>
|
<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}disabled{{end}}>
|
||||||
{{if not .SignedUser.IsLocal}}
|
{{if or (not .SignedUser.IsLocal) .IsReverseProxy}}
|
||||||
<p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
|
<p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
|
|
Loading…
Reference in New Issue