aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2021-05-15 19:33:13 +0100
committerGitHub <noreply@github.com>2021-05-15 20:33:13 +0200
commitf582ec4e5367f77d6b3085540a56fed818d6c638 (patch)
treeb7dc6b114e0e8980073c403ad906fa8c6903a467
parent17c5c654a57ecf51c8c7c8ecfc6c86ae313d4000 (diff)
downloadgitea-f582ec4e5367f77d6b3085540a56fed818d6c638.tar.gz
gitea-f582ec4e5367f77d6b3085540a56fed818d6c638.zip
Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304)
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix #2407 * add testcase Signed-off-by: Andrew Thornton <art27@cantab.net>
-rw-r--r--modules/auth/sso/reverseproxy.go19
-rw-r--r--templates/user/settings/profile.tmpl4
2 files changed, 16 insertions, 7 deletions
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
index 62598a15cd..d4fae9d5f4 100644
--- a/modules/auth/sso/reverseproxy.go
+++ b/modules/auth/sso/reverseproxy.go
@@ -12,6 +12,7 @@ import (
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web/middleware"
gouuid "github.com/google/uuid"
)
@@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
user, err := models.GetUserByName(username)
if err != nil {
- if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
- return r.newUser(req)
+ if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
+ log.Error("GetUserByName: %v", err)
+ return nil
}
- log.Error("GetUserByName: %v", err)
- return nil
+ user = r.newUser(req)
}
+ // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+ if sess.Get("uid").(int64) != user.ID {
+ handleSignIn(w, req, sess, user)
+ }
+ }
+ store.GetData()["IsReverseProxy"] = true
+
log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
return user
}
@@ -104,7 +113,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
user := &models.User{
Name: username,
Email: email,
- Passwd: username,
IsActive: true,
}
if err := models.CreateUser(user); err != nil {
@@ -112,5 +120,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
log.Error("CreateUser: %v", err)
return nil
}
+
return user
}
diff --git a/templates/user/settings/profile.tmpl b/templates/user/settings/profile.tmpl
index ee3cc58904..9f07226632 100644
--- a/templates/user/settings/profile.tmpl
+++ b/templates/user/settings/profile.tmpl
@@ -15,8 +15,8 @@
<span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span>
<span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span>
</label>
- <input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if not .SignedUser.IsLocal}}disabled{{end}}>
- {{if not .SignedUser.IsLocal}}
+ <input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}disabled{{end}}>
+ {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}
<p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
{{end}}
</div>