Respond with a 401 on git push when password isn't changed yet (#20027)
authorWim <wim@42.be>
Sun, 19 Jun 2022 17:02:18 +0000 (19:02 +0200)
committerGitHub <noreply@github.com>
Sun, 19 Jun 2022 17:02:18 +0000 (20:02 +0300)
Fixes #19090

If the user-agent starts with git and the user must change their password
but hasn't yet, return a 401 with the message.

It must be a 401, git doesn't seem to show the contents of the error message
when we return a 403

Co-authored-by: 6543 <6543@obermui.de>
modules/context/auth.go

index 09c22954550c7dec6940cb7b6d9f701e68c9f97a..e6d882eb5b34e74b3e6e15278f8e59171d451d91 100644 (file)
@@ -7,6 +7,7 @@ package context
 
 import (
        "net/http"
+       "strings"
 
        "code.gitea.io/gitea/models/auth"
        "code.gitea.io/gitea/modules/log"
@@ -41,6 +42,10 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 
                        if ctx.Doer.MustChangePassword {
                                if ctx.Req.URL.Path != "/user/settings/change_password" {
+                                       if strings.HasPrefix(ctx.Req.UserAgent(), "git") {
+                                               ctx.Error(http.StatusUnauthorized, ctx.Tr("auth.must_change_password"))
+                                               return
+                                       }
                                        ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
                                        ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
                                        if ctx.Req.URL.Path != "/user/events" {
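Review bot: The added `strings.HasPrefix(ctx.Req.UserAgent(), "git")` check keys off a client-controlled header and matches any agent string that begins with those three letters, not only the git client. Both branches still refuse the request, so this looks like a response-format choice rather than an access decision, and a comment would keep later edits from treating it as a trust signal: `// User-Agent is client-supplied; it only selects the response format and must never gate authorization.` Matching `"git/"` instead would be tighter, assuming the stock client's `git/<version>` agent string. The 401 is also sent without a `WWW-Authenticate` header as far as the hunk shows, and git clients may treat a 401 as rejected credentials, so it is worth confirming that a credential helper does not discard a valid stored password on this response. Toggle's body starts and ends outside the hunk.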