authorslene <vslene@gmail.com>2014-03-23 01:44:02 +0800
committerslene <vslene@gmail.com>2014-03-23 01:44:02 +0800
commit076fc98d981aea3533eea363ca1c7e43f77b9802 (patch)
tree596d754de0d53a7e0794dcd61122ddb85298a0e1 /modules/middleware/auth.go
parent01e781dedb3c6d48349516de0eee5cea41c077e1 (diff)
add csrf check
Diffstat (limited to 'modules/middleware/auth.go')
-rw-r--r--modules/middleware/auth.go58
1 files changed, 32 insertions, 26 deletions
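--- a/modules/middleware/auth.go
+++ b/modules/middleware/auth.go
@@ -10,39 +10,45 @@ import (
 "github.com/gogits/gogs/modules/base"
 )
-// SignInRequire requires user to sign in.
-func SignInRequire(redirect bool) martini.Handler {
- return func(ctx *Context) {
- if !ctx.IsSigned {
- if redirect {
- ctx.Redirect("/user/login")
- }
- return
- } else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = "Activate Your Account"
- ctx.HTML(200, "user/active")
- return
- }
- }
+type ToggleOptions struct {
+ SignInRequire bool
+ SignOutRequire bool
+ AdminRequire bool
+ DisableCsrf bool
 }
-// SignOutRequire requires user to sign out.
-func SignOutRequire() martini.Handler {
+func Toggle(options *ToggleOptions) martini.Handler {
 return func(ctx *Context) {
- if ctx.IsSigned {
+ if options.SignOutRequire && ctx.IsSigned {
 ctx.Redirect("/")
 return
 }
- }
-}
-// AdminRequire requires user signed in as administor.
-func AdminRequire() martini.Handler {
- return func(ctx *Context) {
- if !ctx.User.IsAdmin {
- ctx.Error(403)
- return
+ if !options.DisableCsrf {
+ if ctx.Req.Method == "POST" {
+ if !ctx.CsrfTokenValid() {
+ ctx.Error(403, "CSRF token does not match")
+ return
+ }
+ }
+ }
+
+ if options.SignInRequire {
+ if !ctx.IsSigned {
+ ctx.Redirect("/user/login")
+ return
+ } else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm {
+ ctx.Data["Title"] = "Activate Your Account"
+ ctx.HTML(200, "user/active")
+ return
+ }
+ }
+
+ if options.AdminRequire {
+ if !ctx.User.IsAdmin {
+ ctx.Error(403)
+ return
+ }
 }
- ctx.Data["PageIsAdmin"] = true
 }
 }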
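Review bot: The admin gate in the `if options.AdminRequire` block dereferences `ctx.User.IsAdmin` without first checking `ctx.IsSigned`, so a route that sets AdminRequire without also setting SignInRequire is protected only by a nil-pointer panic (assuming `ctx.User` is nil for anonymous requests — the Context type is outside this hunk) rather than by an explicit denial; fail closed with `if !ctx.IsSigned || !ctx.User.IsAdmin {` so the 403 is deliberate and independent of the caller's option combination. The CSRF check above it only fires for `ctx.Req.Method == "POST"`; if any route accepts state-changing `PUT`, `DELETE` or `PATCH` requests they bypass it, so treating every method outside a safe-method allowlist (`GET`, `HEAD`, `OPTIONS`) as requiring a token would be more robust, though whether such routes exist cannot be confirmed from this hunk. The removed `ctx.Data["PageIsAdmin"] = true` has no counterpart on the new side; if any template still reads that key the admin branch should restore it after the check.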