Create a session on ReverseProxy and ensure that ReverseProxy users cannot change...
authorzeripath <art27@cantab.net>
Sat, 15 May 2021 18:33:13 +0000 (19:33 +0100)
committerGitHub <noreply@github.com>
Sat, 15 May 2021 18:33:13 +0000 (20:33 +0200)
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username

ReverseProxy users should generate a session on reverse proxy username change.

Also prevent ReverseProxy users from changing their username.

Fix #2407

* add testcase

Signed-off-by: Andrew Thornton <art27@cantab.net>
modules/auth/sso/reverseproxy.go
templates/user/settings/profile.tmpl

index 62598a15cdc331fda39b3dd6e517c2fca109e25b..d4fae9d5f425b39dab9dce54d99f4a6cd5947ef3 100644 (file)
@@ -12,6 +12,7 @@ import (
        "code.gitea.io/gitea/models"
        "code.gitea.io/gitea/modules/log"
        "code.gitea.io/gitea/modules/setting"
+       "code.gitea.io/gitea/modules/web/middleware"
 
        gouuid "github.com/google/uuid"
 )
@@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 
        user, err := models.GetUserByName(username)
        if err != nil {
-               if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
-                       return r.newUser(req)
+               if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
+                       log.Error("GetUserByName: %v", err)
+                       return nil
                }
-               log.Error("GetUserByName: %v", err)
-               return nil
+               user = r.newUser(req)
        }
 
+       // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
+       if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+               if sess.Get("uid").(int64) != user.ID {
+                       handleSignIn(w, req, sess, user)
+               }
+       }
+       store.GetData()["IsReverseProxy"] = true
+
        log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
        return user
 }
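Review bot: The new comparison `if sess.Get("uid").(int64) != user.ID` is an unchecked type assertion, so on a session that has no "uid" stored yet (presumably the first browser request of a reverse-proxy user, exactly the case in which handleSignIn should run) `sess.Get` returns nil and the assertion panics; write it as `if uid, ok := sess.Get("uid").(int64); !ok || uid != user.ID {` so a missing or foreign uid leads to sign-in instead. Separately, `user = r.newUser(req)` can leave user nil, because newUser returns nil when CreateUser fails (visible in the later hunk of this file) and the old code returned that nil straight to the caller; add `if user == nil { return nil }` immediately after the assignment, otherwise `user.ID` in the new block dereferences a nil pointer. Both panics are reachable from any request that carries the proxy's auth header, so this is an availability problem for the whole auth path, not a cosmetic one. VerifyAuthData begins outside the hunk.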
@@ -104,7 +113,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
        user := &models.User{
                Name:     username,
                Email:    email,
-               Passwd:   username,
                IsActive: true,
        }
        if err := models.CreateUser(user); err != nil {
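Review bot: Dropping `Passwd: username` removes a trivially guessable password, but this hunk does not show whether `models.CreateUser` then records the account as having no password at all (so password sign-in is refused) or hashes the empty string; confirm which behaviour applies before merging. Record the intent in the struct literal with a comment such as `// no local password: this account is authenticated only via the reverse-proxy header`, so the omission is not "fixed" by a later contributor. newUser begins outside this hunk and its CreateUser error path continues in the next one.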
@@ -112,5 +120,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
                log.Error("CreateUser: %v", err)
                return nil
        }
+
        return user
 }
index ee3cc589041a81b22b9f357130ac7aaa72f052af..9f07226632fcd5b74291d226f9b517c22b212f8c 100644 (file)
@@ -15,8 +15,8 @@
                                                <span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span>
                                                <span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span>
                                        </label>
-                                       <input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if not .SignedUser.IsLocal}}disabled{{end}}>
-                                       {{if not .SignedUser.IsLocal}}
+                                       <input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}disabled{{end}}>
+                                       {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}
                                        <p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
                                        {{end}}
                                </div>
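Review bot: Adding `disabled` to the username input when `.IsReverseProxy` is set is a client-side hint only; the profile update handler that processes the `name` field is not among the two files this commit changes, so unless it separately rejects a changed name for sessions flagged IsReverseProxy, the restriction the commit message promises is not enforced server-side. Confirm that handler, and add a template comment such as `{{/* IsReverseProxy is set per request by sso.ReverseProxy.VerifyAuthData; the server must enforce the same rule */}}` above the input so the dependency is visible to the next maintainer.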