authorLanre Adelowo <adelowomailbox@gmail.com>2018-09-13 13:04:25 +0100
committerLauris BH <lauris@nix.lv>2018-09-13 15:04:25 +0300
commit126ba796dcc9ccdf9c25ed7d441786478be2825b (patch)
tree63f0ceb0a89495cd86cf664b9ceba6b4cdca589b /modules/context/auth.go
parent10a2a904d7938e26f6d64fe9a9788185b802d4df (diff)
Force user to change password (#4489)
* redirect to login page after successfully activating account * force users to change password if account was created by an admin * force users to change password if account was created by an admin * fixed build * fixed build * fix pending issues with translation and wrong routes * make sure path check is safe * remove unnecessary newline * make sure users that don't have to view the form get redirected * move route to use /settings prefix so as to make sure unauthenticated users can't view the page * update as per @lafriks review * add necessary comment * remove unrelated changes * support redirecting to the location the user actually wants to go to before being forced to change his/her password * run make fmt * added tests * improve assertions * add assertion * fix copyright year Signed-off-by: Lanre Adelowo <yo@lanre.wtf>
Diffstat (limited to 'modules/context/auth.go')
-rw-r--r--modules/context/auth.go29
1 files changed, 25 insertions, 4 deletions
diff --git a/modules/context/auth.go b/modules/context/auth.go
index c38cc3948d..110122cb66 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -31,10 +31,31 @@ func Toggle(options *ToggleOptions) macaron.Handler {
}
// Check prohibit login users.
- if ctx.IsSigned && ctx.User.ProhibitLogin {
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(200, "user/auth/prohibit_login")
- return
+ if ctx.IsSigned {
+
+ if ctx.User.ProhibitLogin {
+ ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+ ctx.HTML(200, "user/auth/prohibit_login")
+ return
+ }
+
+ // prevent infinite redirection
+ // also make sure that the form cannot be accessed by
+ // users who don't need this
+ if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
+ if !ctx.User.MustChangePassword {
+ ctx.Redirect(setting.AppSubURL + "/")
+ }
+ return
+ }
+
+ if ctx.User.MustChangePassword {
+ ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+ ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+ ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL)
+ ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
+ return
+ }
}
// Redirect to dashboard if user tries to visit any non-login page.