author | zeripath <art27@cantab.net> | 2021-05-15 19:33:13 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-15 20:33:13 +0200 |
commit | f582ec4e5367f77d6b3085540a56fed818d6c638 (patch) | |
tree | b7dc6b114e0e8980073c403ad906fa8c6903a467 /modules/auth | |
parent | 17c5c654a57ecf51c8c7c8ecfc6c86ae313d4000 (diff) | |
Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304)
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username
ReverseProxy users should generate a session on reverse proxy username change.
Also prevent ReverseProxy users from changing their username.
Fix #2407
* add testcase
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/auth')
-rw-r--r-- | modules/auth/sso/reverseproxy.go | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
index 62598a15cd..d4fae9d5f4 100644
--- a/modules/auth/sso/reverseproxy.go
+++ b/modules/auth/sso/reverseproxy.go
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
 
 	gouuid "github.com/google/uuid"
 )
@@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 
 	user, err := models.GetUserByName(username)
 	if err != nil {
-		if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
-			return r.newUser(req)
+		if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
+			log.Error("GetUserByName: %v", err)
+			return nil
 		}
-		log.Error("GetUserByName: %v", err)
-		return nil
+		user = r.newUser(req)
 	}
 
+	// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+		if sess.Get("uid").(int64) != user.ID {
+			handleSignIn(w, req, sess, user)
+		}
+	}
+	store.GetData()["IsReverseProxy"] = true
+	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
 	return user
 }
 
@@ -104,7 +113,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
 	user := &models.User{
 		Name:     username,
 		Email:    email,
-		Passwd:   username,
 		IsActive: true,
 	}
 	if err := models.CreateUser(user); err != nil {
@@ -112,5 +120,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
 		log.Error("CreateUser: %v", err)
 		return nil
 	}
+
 	return user
 }
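Review bot: `sess.Get("uid").(int64)` in the new sign-in block of the VerifyAuthData hunk is an unchecked type assertion, and a session that has no `uid` yet (presumably what `Get` returns as nil for a missing key — the exact session type is not visible here) makes it panic; that is precisely the state of a reverse-proxy user's first request, so the path meant to create the session would crash instead of signing in, and the comma-ok form avoids it: `if uid, ok := sess.Get("uid").(int64); !ok || uid != user.ID {`. In the same hunk `user = r.newUser(req)` no longer returns straight away, but newUser returns nil when CreateUser fails (visible in the last hunk), so the later `user.ID` dereferences a nil pointer; add `if user == nil { return nil }` directly after that assignment. The body of VerifyAuthData starts before this hunk, so the declarations of `sess` and `store` are not in view.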