@@ -25,13 +25,17 @@ func EncodeMd5(str string) string { | |||
return hex.EncodeToString(m.Sum(nil)) | |||
} | |||
// Random generate string | |||
func GetRandomString(n int) string { | |||
// GetRandomString generate random string by specify chars. | |||
func GetRandomString(n int, alphabets ...byte) string { | |||
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" | |||
var bytes = make([]byte, n) | |||
rand.Read(bytes) | |||
for i, b := range bytes { | |||
bytes[i] = alphanum[b%byte(len(alphanum))] | |||
if len(alphabets) == 0 { | |||
bytes[i] = alphanum[b%byte(len(alphanum))] | |||
} else { | |||
bytes[i] = alphabets[b%byte(len(alphabets))] | |||
} | |||
} | |||
return string(bytes) | |||
} |
@@ -10,39 +10,45 @@ import ( | |||
"github.com/gogits/gogs/modules/base" | |||
) | |||
// SignInRequire requires user to sign in. | |||
func SignInRequire(redirect bool) martini.Handler { | |||
return func(ctx *Context) { | |||
if !ctx.IsSigned { | |||
if redirect { | |||
ctx.Redirect("/user/login") | |||
} | |||
return | |||
} else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm { | |||
ctx.Data["Title"] = "Activate Your Account" | |||
ctx.HTML(200, "user/active") | |||
return | |||
} | |||
} | |||
type ToggleOptions struct { | |||
SignInRequire bool | |||
SignOutRequire bool | |||
AdminRequire bool | |||
DisableCsrf bool | |||
} | |||
// SignOutRequire requires user to sign out. | |||
func SignOutRequire() martini.Handler { | |||
func Toggle(options *ToggleOptions) martini.Handler { | |||
return func(ctx *Context) { | |||
if ctx.IsSigned { | |||
if options.SignOutRequire && ctx.IsSigned { | |||
ctx.Redirect("/") | |||
return | |||
} | |||
} | |||
} | |||
// AdminRequire requires user signed in as administor. | |||
func AdminRequire() martini.Handler { | |||
return func(ctx *Context) { | |||
if !ctx.User.IsAdmin { | |||
ctx.Error(403) | |||
return | |||
if !options.DisableCsrf { | |||
if ctx.Req.Method == "POST" { | |||
if !ctx.CsrfTokenValid() { | |||
ctx.Error(403, "CSRF token does not match") | |||
return | |||
} | |||
} | |||
} | |||
if options.SignInRequire { | |||
if !ctx.IsSigned { | |||
ctx.Redirect("/user/login") | |||
return | |||
} else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm { | |||
ctx.Data["Title"] = "Activate Your Account" | |||
ctx.HTML(200, "user/active") | |||
return | |||
} | |||
} | |||
if options.AdminRequire { | |||
if !ctx.User.IsAdmin { | |||
ctx.Error(403) | |||
return | |||
} | |||
} | |||
ctx.Data["PageIsAdmin"] = true | |||
} | |||
} |
@@ -6,6 +6,7 @@ package middleware | |||
import ( | |||
"fmt" | |||
"html/template" | |||
"net/http" | |||
"time" | |||
@@ -32,6 +33,8 @@ type Context struct { | |||
User *models.User | |||
IsSigned bool | |||
csrfToken string | |||
Repo struct { | |||
IsValid bool | |||
IsOwner bool | |||
@@ -90,6 +93,95 @@ func (ctx *Context) Handle(status int, title string, err error) { | |||
ctx.HTML(status, fmt.Sprintf("status/%d", status)) | |||
} | |||
func (ctx *Context) GetCookie(name string) string { | |||
cookie, err := ctx.Req.Cookie(name) | |||
if err != nil { | |||
return "" | |||
} | |||
return cookie.Value | |||
} | |||
func (ctx *Context) SetCookie(name string, value string, others ...interface{}) { | |||
cookie := http.Cookie{} | |||
cookie.Name = name | |||
cookie.Value = value | |||
if len(others) > 0 { | |||
switch v := others[0].(type) { | |||
case int: | |||
cookie.MaxAge = v | |||
case int64: | |||
cookie.MaxAge = int(v) | |||
case int32: | |||
cookie.MaxAge = int(v) | |||
} | |||
} | |||
// default "/" | |||
if len(others) > 1 { | |||
if v, ok := others[1].(string); ok && len(v) > 0 { | |||
cookie.Path = v | |||
} | |||
} else { | |||
cookie.Path = "/" | |||
} | |||
// default empty | |||
if len(others) > 2 { | |||
if v, ok := others[2].(string); ok && len(v) > 0 { | |||
cookie.Domain = v | |||
} | |||
} | |||
// default empty | |||
if len(others) > 3 { | |||
switch v := others[3].(type) { | |||
case bool: | |||
cookie.Secure = v | |||
default: | |||
if others[3] != nil { | |||
cookie.Secure = true | |||
} | |||
} | |||
} | |||
// default false. for session cookie default true | |||
if len(others) > 4 { | |||
if v, ok := others[4].(bool); ok && v { | |||
cookie.HttpOnly = true | |||
} | |||
} | |||
ctx.Res.Header().Add("Set-Cookie", cookie.String()) | |||
} | |||
func (ctx *Context) CsrfToken() string { | |||
if len(ctx.csrfToken) > 0 { | |||
return ctx.csrfToken | |||
} | |||
token := ctx.GetCookie("_csrf") | |||
if len(token) == 0 { | |||
token = base.GetRandomString(30) | |||
ctx.SetCookie("_csrf", token) | |||
} | |||
ctx.csrfToken = token | |||
return token | |||
} | |||
func (ctx *Context) CsrfTokenValid() bool { | |||
token := ctx.Query("_csrf") | |||
if token == "" { | |||
token = ctx.Req.Header.Get("X-Csrf-Token") | |||
} | |||
if token == "" { | |||
return false | |||
} else if ctx.csrfToken != token { | |||
return false | |||
} | |||
return true | |||
} | |||
// InitContext initializes a classic context for a request. | |||
func InitContext() martini.Handler { | |||
return func(res http.ResponseWriter, r *http.Request, c martini.Context, rd *Render) { | |||
@@ -103,11 +195,14 @@ func InitContext() martini.Handler { | |||
Render: rd, | |||
} | |||
ctx.Data["PageStartTime"] = time.Now() | |||
// start session | |||
ctx.Session = base.SessionManager.SessionStart(res, r) | |||
defer func() { | |||
rw := res.(martini.ResponseWriter) | |||
rw.Before(func(martini.ResponseWriter) { | |||
ctx.Session.SessionRelease(res) | |||
}() | |||
}) | |||
// Get user from session if logined. | |||
user := auth.SignedInUser(ctx.Session) | |||
@@ -121,9 +216,15 @@ func InitContext() martini.Handler { | |||
ctx.Data["SignedUserId"] = user.Id | |||
ctx.Data["SignedUserName"] = user.LowerName | |||
ctx.Data["IsAdmin"] = ctx.User.IsAdmin | |||
if ctx.User.IsAdmin { | |||
ctx.Data["PageIsAdmin"] = true | |||
} | |||
} | |||
ctx.Data["PageStartTime"] = time.Now() | |||
// get or create csrf token | |||
ctx.Data["CsrfToken"] = ctx.CsrfToken() | |||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.csrfToken + `">`) | |||
c.Map(ctx) | |||
@@ -242,8 +242,11 @@ func (r *Render) HTMLString(name string, binding interface{}, htmlOpt ...HTMLOpt | |||
} | |||
} | |||
func (r *Render) Error(status int) { | |||
func (r *Render) Error(status int, message ...string) { | |||
r.WriteHeader(status) | |||
if len(message) > 0 { | |||
r.Write([]byte(message[0])) | |||
} | |||
} | |||
func (r *Render) Redirect(location string, status ...int) { |
@@ -2,6 +2,39 @@ var Gogits = { | |||
"PageIsSignup": false | |||
}; | |||
(function($){ | |||
// extend jQuery ajax, set csrf token value | |||
var ajax = $.ajax; | |||
$.extend({ | |||
ajax: function(url, options) { | |||
if (typeof url === 'object') { | |||
options = url; | |||
url = undefined; | |||
} | |||
options = options || {}; | |||
url = options.url; | |||
var csrftoken = $('meta[name=_csrf]').attr('content'); | |||
var headers = options.headers || {}; | |||
var domain = document.domain.replace(/\./ig, '\\.'); | |||
if (!/^(http:|https:).*/.test(url) || eval('/^(http:|https:)\\/\\/(.+\\.)*' + domain + '.*/').test(url)) { | |||
headers = $.extend(headers, {'X-Csrf-Token':csrftoken}); | |||
} | |||
options.headers = headers; | |||
var callback = options.success; | |||
options.success = function(data){ | |||
if(data.once){ | |||
// change all _once value if ajax data.once exist | |||
$('[name=_once]').val(data.once); | |||
} | |||
if(callback){ | |||
callback.apply(this, arguments); | |||
} | |||
}; | |||
return ajax(url, options); | |||
} | |||
}); | |||
}(jQuery)); | |||
(function ($) { | |||
Gogits.showTab = function (selector, index) { |
@@ -12,6 +12,7 @@ | |||
<br/> | |||
<form action="/admin/users/{{.User.Id}}" method="post" class="form-horizontal"> | |||
{{if .IsSuccess}}<p class="alert alert-success">Account profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}} | |||
{{.CsrfTokenHtml}} | |||
<input type="hidden" value="{{.User.Id}}" name="userId"/> | |||
<div class="form-group"> | |||
<label class="col-md-3 control-label">Username: </label> |
@@ -11,6 +11,7 @@ | |||
<div class="panel-body"> | |||
<br/> | |||
<form action="/admin/users/new" method="post" class="form-horizontal"> | |||
{{.CsrfTokenHtml}} | |||
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div> | |||
<div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}"> | |||
<label class="col-md-3 control-label">Username: </label> |
@@ -8,6 +8,7 @@ | |||
<meta name="author" content="Gogs - Go Git Service" /> | |||
<meta name="description" content="Gogs(Go Git Service) is a GitHub-like clone in the Go Programming Language" /> | |||
<meta name="keywords" content="go, git"> | |||
<meta name="_csrf" content="{{.CsrfToken}}" /> | |||
<!-- Stylesheets --> | |||
<link href="/css/bootstrap.min.css" rel="stylesheet" /> |
@@ -2,6 +2,7 @@ | |||
{{template "base/navbar" .}} | |||
<div class="container" id="gogs-body"> | |||
<form action="/repo/create" method="post" class="form-horizontal gogs-card" id="gogs-repo-create"> | |||
{{.CsrfTokenHtml}} | |||
<h3>Create New Repository</h3> | |||
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div> | |||
<div class="form-group"> |
@@ -40,6 +40,7 @@ | |||
<div class="modal fade" id="delete-repository-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"> | |||
<div class="modal-dialog"> | |||
<form action="/{{.Owner.Name}}/{{.Repository.Name}}/settings" method="post" class="modal-content"> | |||
{{.CsrfTokenHtml}} | |||
<input type="hidden" name="action" value="delete"> | |||
<div class="modal-header"> |
@@ -1,7 +1,8 @@ | |||
{{template "base/head" .}} | |||
{{template "base/navbar" .}} | |||
<div id="gogs-body" class="container"> | |||
<form action="/user/activate" method="get" class="form-horizontal gogs-card" id="gogs-login-card"> | |||
<form action="/user/activate" method="post" class="form-horizontal gogs-card" id="gogs-login-card"> | |||
{{.CsrfTokenHtml}} | |||
<h3>Activate Your Account</h3> | |||
{{if .IsActivatePage}} | |||
{{if .ServiceNotEnabled}} |
@@ -22,6 +22,7 @@ | |||
<div class="modal fade" id="delete-account-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"> | |||
<div class="modal-dialog"> | |||
<form action="/user/delete" method="post" class="modal-content" id="gogs-user-delete"> | |||
{{.CsrfTokenHtml}} | |||
<div class="modal-header"> | |||
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button> | |||
<h4 class="modal-title" id="myModalLabel">Delete Account</h4> |
@@ -5,7 +5,9 @@ | |||
<div id="gogs-user-setting-container" class="col-md-9"> | |||
<div id="gogs-setting-pwd"> | |||
<h4>Password</h4> | |||
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting/password">{{if .IsSuccess}} | |||
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting/password"> | |||
{{.CsrfTokenHtml}} | |||
{{if .IsSuccess}} | |||
<p class="alert alert-success">Password is changed successfully. You can now sign in via new password.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}} | |||
<div class="form-group"> | |||
<label class="col-md-3 control-label">Old Password<strong class="text-danger">*</strong></label> |
@@ -22,6 +22,7 @@ | |||
<div class="modal fade" id="ssh-add-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"> | |||
<div class="modal-dialog"> | |||
<form class="modal-content form-horizontal" id="gogs-ssh-form" method="post" action="/user/setting/ssh/"> | |||
{{.CsrfTokenHtml}} | |||
<div class="modal-header"> | |||
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button> | |||
<h4 class="modal-title" id="myModalLabel">Add SSH Key</h4> |
@@ -6,6 +6,7 @@ | |||
<div id="gogs-setting-pwd"> | |||
<h4>Account Profile</h4> | |||
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting"> | |||
{{.CsrfTokenHtml}} | |||
{{if .IsSuccess}}<p class="alert alert-success">Your profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}} | |||
<p>Your Email will be public and used for Account related notifications and any web based operations made via the web.</p> | |||
<div class="form-group"> |
@@ -2,6 +2,7 @@ | |||
{{template "base/navbar" .}} | |||
<div class="container" id="gogs-body" data-page="user-signin"> | |||
<form action="/user/login" method="post" class="form-horizontal gogs-card" id="gogs-login-card"> | |||
{{.CsrfTokenHtml}} | |||
<h3>Log in</h3> | |||
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div> | |||
<div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}"> |
@@ -2,6 +2,7 @@ | |||
{{template "base/navbar" .}} | |||
<div class="container" id="gogs-body" data-page="user-signup"> | |||
<form action="/user/sign_up" method="post" class="form-horizontal gogs-card" id="gogs-login-card"> | |||
{{.CsrfTokenHtml}} | |||
{{if .DisenableRegisteration}} | |||
Sorry, registeration has been disenabled, you can only get account from administrator. | |||
{{else}} |
@@ -82,9 +82,10 @@ func runWeb(*cli.Context) { | |||
m.Use(middleware.InitContext()) | |||
reqSignIn := middleware.SignInRequire(true) | |||
ignSignIn := middleware.SignInRequire(base.Service.RequireSignInView) | |||
reqSignOut := middleware.SignOutRequire() | |||
reqSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true}) | |||
ignSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: base.Service.RequireSignInView}) | |||
reqSignOut := middleware.Toggle(&middleware.ToggleOptions{SignOutRequire: true}) | |||
// Routers. | |||
m.Get("/", ignSignIn, routers.Home) | |||
m.Get("/issues", reqSignIn, user.Issues) | |||
@@ -109,14 +110,15 @@ func runWeb(*cli.Context) { | |||
m.Get("/help", routers.Help) | |||
adminReq := middleware.AdminRequire() | |||
m.Get("/admin", reqSignIn, adminReq, admin.Dashboard) | |||
m.Get("/admin/users", reqSignIn, adminReq, admin.Users) | |||
m.Any("/admin/users/new", reqSignIn, adminReq, binding.BindIgnErr(auth.RegisterForm{}), admin.NewUser) | |||
m.Any("/admin/users/:userid", reqSignIn, adminReq, binding.BindIgnErr(auth.AdminEditUserForm{}), admin.EditUser) | |||
m.Any("/admin/users/:userid/delete", reqSignIn, adminReq, admin.DeleteUser) | |||
m.Get("/admin/repos", reqSignIn, adminReq, admin.Repositories) | |||
m.Get("/admin/config", reqSignIn, adminReq, admin.Config) | |||
adminReq := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true, AdminRequire: true}) | |||
m.Get("/admin", adminReq, admin.Dashboard) | |||
m.Get("/admin/users", adminReq, admin.Users) | |||
m.Any("/admin/users/new", adminReq, binding.BindIgnErr(auth.RegisterForm{}), admin.NewUser) | |||
m.Any("/admin/users/:userid", adminReq, binding.BindIgnErr(auth.AdminEditUserForm{}), admin.EditUser) | |||
m.Any("/admin/users/:userid/delete", adminReq, admin.DeleteUser) | |||
m.Get("/admin/repos", adminReq, admin.Repositories) | |||
m.Get("/admin/config", adminReq, admin.Config) | |||
m.Post("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.SettingPost) | |||
m.Get("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.Setting) |