Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304)

* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username

ReverseProxy users should generate a session on reverse proxy username change.

Also prevent ReverseProxy users from changing their username.

Fix #2407

* add testcase

Signed-off-by: Andrew Thornton <art27@cantab.net>
release/v1.15
zeripath 2021-05-15 19:33:13 +01:00 committed by GitHub
parent 17c5c654a5
commit f582ec4e53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 7 deletions

View File

@ -12,6 +12,7 @@ import (
"code.gitea.io/gitea/models" "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
gouuid "github.com/google/uuid" gouuid "github.com/google/uuid"
) )
@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
user, err := models.GetUserByName(username) user, err := models.GetUserByName(username)
if err != nil { if err != nil {
if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() { if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
return r.newUser(req) log.Error("GetUserByName: %v", err)
return nil
} }
log.Error("GetUserByName: %v", err) user = r.newUser(req)
return nil
} }
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
if sess.Get("uid").(int64) != user.ID {
handleSignIn(w, req, sess, user)
}
}
store.GetData()["IsReverseProxy"] = true
log.Trace("ReverseProxy Authorization: Logged in user %-v", user) log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
return user return user
} }
@ -104,7 +113,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
user := &models.User{ user := &models.User{
Name: username, Name: username,
Email: email, Email: email,
Passwd: username,
IsActive: true, IsActive: true,
} }
if err := models.CreateUser(user); err != nil { if err := models.CreateUser(user); err != nil {
@ -112,5 +120,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
log.Error("CreateUser: %v", err) log.Error("CreateUser: %v", err)
return nil return nil
} }
return user return user
} }

View File

@ -15,8 +15,8 @@
<span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span> <span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span>
<span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span> <span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span>
</label> </label>
<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if not .SignedUser.IsLocal}}disabled{{end}}> <input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}disabled{{end}}>
{{if not .SignedUser.IsLocal}} {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}
<p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p> <p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
{{end}} {{end}}
</div> </div>