diff options
| author | Lanre Adelowo <adelowomailbox@gmail.com> | 2018-09-13 13:04:25 +0100 |
|---|---|---|
| committer | Lauris BH <lauris@nix.lv> | 2018-09-13 15:04:25 +0300 |
| commit | 126ba796dcc9ccdf9c25ed7d441786478be2825b (patch) | |
| tree | 63f0ceb0a89495cd86cf664b9ceba6b4cdca589b /modules/context | |
| parent | 10a2a904d7938e26f6d64fe9a9788185b802d4df (diff) | |
| download | gitea-126ba796dcc9ccdf9c25ed7d441786478be2825b.tar.gz gitea-126ba796dcc9ccdf9c25ed7d441786478be2825b.zip | |
Force user to change password (#4489)
* redirect to login page after successfully activating account
* force users to change password if account was created by an admin
* force users to change password if account was created by an admin
* fixed build
* fixed build
* fix pending issues with translation and wrong routes
* make sure path check is safe
* remove unneccessary newline
* make sure users that don't have to view the form get redirected
* move route to use /settings prefix so as to make sure unauthenticated users can't view the page
* update as per @lafriks review
* add necessary comment
* remove unrelated changes
* support redirecting to location the user actually want to go to before being forced to change his/her password
* run make fmt
* added tests
* improve assertions
* add assertion
* fix copyright year
Signed-off-by: Lanre Adelowo <yo@lanre.wtf>
Diffstat (limited to 'modules/context')
| -rw-r--r-- | modules/context/auth.go | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/modules/context/auth.go b/modules/context/auth.go index c38cc3948d..110122cb66 100644 --- a/modules/context/auth.go +++ b/modules/context/auth.go @@ -31,10 +31,31 @@ func Toggle(options *ToggleOptions) macaron.Handler { } // Check prohibit login users. - if ctx.IsSigned && ctx.User.ProhibitLogin { - ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") - ctx.HTML(200, "user/auth/prohibit_login") - return + if ctx.IsSigned { + + if ctx.User.ProhibitLogin { + ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") + ctx.HTML(200, "user/auth/prohibit_login") + return + } + + // prevent infinite redirection + // also make sure that the form cannot be accessed by + // users who don't need this + if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" { + if !ctx.User.MustChangePassword { + ctx.Redirect(setting.AppSubURL + "/") + } + return + } + + if ctx.User.MustChangePassword { + ctx.Data["Title"] = ctx.Tr("auth.must_change_password") + ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password" + ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL) + ctx.Redirect(setting.AppSubURL + "/user/settings/change_password") + return + } } // Redirect to dashboard if user tries to visit any non-login page. |