authorUnknwon <u@gogs.io>2015-11-03 18:40:52 -0500
committerUnknwon <u@gogs.io>2015-11-03 18:40:52 -0500
commit6f0a41b8b28ba33382ab8d655c0d015324be7647 (patch)
treed30191b529354c42aaf8ae4066d73b402c0b4bb2 /modules/auth
parent25ec20d5251511ebd0b9e6b963e189b860c39704 (diff)
#1511 Allow local import only for admin users
Diffstat (limited to 'modules/auth')
-rw-r--r--modules/auth/admin.go21
-rw-r--r--modules/auth/repo_form.go34
2 files changed, 45 insertions, 10 deletions
diff --git a/modules/auth/admin.go b/modules/auth/admin.go
index c2d47a44fd..1530212bf3 100644
--- a/modules/auth/admin.go
+++ b/modules/auth/admin.go
@@ -24,16 +24,17 @@ func (f *AdminCrateUserForm) Validate(ctx *macaron.Context, errs binding.Errors)
}
type AdminEditUserForm struct {
- LoginType string `binding:"Required"`
- LoginName string
- FullName string `binding:"MaxSize(100)"`
- Email string `binding:"Required;Email;MaxSize(254)"`
- Password string `binding:"MaxSize(255)"`
- Website string `binding:"MaxSize(50)"`
- Location string `binding:"MaxSize(50)"`
- Active bool
- Admin bool
- AllowGitHook bool
+ LoginType string `binding:"Required"`
+ LoginName string
+ FullName string `binding:"MaxSize(100)"`
+ Email string `binding:"Required;Email;MaxSize(254)"`
+ Password string `binding:"MaxSize(255)"`
+ Website string `binding:"MaxSize(50)"`
+ Location string `binding:"MaxSize(50)"`
+ Active bool
+ Admin bool
+ AllowGitHook bool
+ AllowImportLocal bool
}
func (f *AdminEditUserForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
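Review bot: The new `AllowImportLocal` field in `AdminEditUserForm` is a privilege flag with no comment saying what it grants. Judging by the commit title, it decides whether a user may migrate a repository from a directory on the server's own filesystem, so I would document it on the field: `AllowImportLocal bool // user may migrate repositories from a path on the server's filesystem`. The field presumably comes straight from the submitted form, so the handler using this form has to stay reachable by administrators only; that route is not visible in this diff and is worth confirming.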
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
index 191117bbdf..766f540f40 100644
--- a/modules/auth/repo_form.go
+++ b/modules/auth/repo_form.go
@@ -5,8 +5,14 @@
package auth
import (
+ "net/url"
+ "strings"
+
+ "github.com/Unknwon/com"
"github.com/go-macaron/binding"
"gopkg.in/macaron.v1"
+
+ "github.com/gogits/gogs/models"
)
// _______________________________________ _________.______________________ _______________.___.
@@ -46,6 +52,34 @@ func (f *MigrateRepoForm) Validate(ctx *macaron.Context, errs binding.Errors) bi
return validate(errs, ctx.Data, f, ctx.Locale)
}
+// ParseRemoteAddr checks if given remote address is valid,
+// and returns composed URL with needed username and passowrd.
+// It also checks if given user has permission when remote address
+// is actually a local path.
+func (f MigrateRepoForm) ParseRemoteAddr(user *models.User) (string, error) {
+ remoteAddr := f.CloneAddr
+
+ // Remote address can be HTTP/HTTPS/Git URL or local path.
+ if strings.HasPrefix(remoteAddr, "http://") ||
+ strings.HasPrefix(remoteAddr, "https://") ||
+ strings.HasPrefix(remoteAddr, "git://") {
+ u, err := url.Parse(remoteAddr)
+ if err != nil {
+ return "", models.ErrInvalidCloneAddr{IsURLError: true}
+ }
+ if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
+ u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
+ }
+ remoteAddr = u.String()
+ } else if !user.CanImportLocal() {
+ return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
+ } else if !com.IsDir(remoteAddr) {
+ return "", models.ErrInvalidCloneAddr{IsInvalidPath: true}
+ }
+
+ return remoteAddr, nil
+}
+
type RepoSettingForm struct {
RepoName string `binding:"Required;AlphaDashDot;MaxSize(100)"`
Description string `binding:"MaxSize(255)"`
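Review bot: In `ParseRemoteAddr`, every `CloneAddr` that does not start with one of the three lowercase prefixes falls through to the local-path branch, so `ssh://…`, `file://…` or `HTTP://…` is treated as a filesystem path. Ordinary users then get `IsPermissionDenied` for what is really an unsupported URL, and users with `CanImportLocal` have the string handed to `com.IsDir`. I would classify on the parsed scheme and reject unknown schemes with `IsURLError`, as sketched below, and for the local branch consider requiring an absolute, cleaned path, since a relative one resolves against the server process's working directory. The returned string embeds `AuthPassword` in clear text, so the doc comment should tell callers not to log or persist it (the callers are not visible here); "passowrd" in that comment is a typo. The URL branch also puts no restriction on the host, which matters when the server can reach internal-only services.

```go
func (f MigrateRepoForm) ParseRemoteAddr(user *models.User) (string, error) {
	// … unchanged: remoteAddr := f.CloneAddr …

	// Classify by parsed scheme so that unsupported or oddly cased schemes are
	// rejected as URLs instead of being handled as local paths.
	if strings.Contains(remoteAddr, "://") {
		u, err := url.Parse(remoteAddr)
		// … unchanged: err != nil returns IsURLError …
		switch u.Scheme { // url.Parse lower-cases the scheme
		case "http", "https", "git":
			// supported remote schemes
		default:
			return "", models.ErrInvalidCloneAddr{IsURLError: true}
		}
		// … unchanged: set u.User from AuthUsername/AuthPassword, remoteAddr = u.String() …
	} else if !user.CanImportLocal() {
		// … unchanged: IsPermissionDenied, com.IsDir check, final return …
```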