mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
Browse Source

Fix prohibit login check on authorization (#6106) 

* fix bug prohibit login not applied on dashboard

* fix tests

* fix bug user status leak

* fix typo

* return after render
tags/v1.9.0-dev
Lunny Xiao 5 years ago
parent
538a26d56f
commit
f5fa22a499
7 changed files with 83 additions and 9 deletions
Unified View Show Diff Stats
  1. 2
    2
      integrations/release_test.go
  2. 1
    1
      integrations/repo_test.go
  3. 32
    0
      models/error.go
  4. 23
    4
      models/login_source.go
  5. 7
    2
      modules/context/auth.go
  6. 5
    0
      routers/home.go
  7. 13
    0
      routers/user/auth.go

+ 2
- 2
integrations/release_test.go View File



checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.12", i18n.Tr("en", "repo.release.draft"), 10) checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.12", i18n.Tr("en", "repo.release.draft"), 10)


// Check that user3 does not see draft and still see 10 latest releases
session2 := loginUser(t, "user3")
// Check that user4 does not see draft and still see 10 latest releases
session2 := loginUser(t, "user4")
checkLatestReleaseAndCount(t, session2, "/user2/repo1", "v0.0.11", i18n.Tr("en", "repo.release.stable"), 10) checkLatestReleaseAndCount(t, session2, "/user2/repo1", "v0.0.11", i18n.Tr("en", "repo.release.stable"), 10)
} }

+ 1
- 1
integrations/repo_test.go View File

func TestViewAsRepoAdmin(t *testing.T) { func TestViewAsRepoAdmin(t *testing.T) {
for user, expectedNoDescription := range map[string]bool{ for user, expectedNoDescription := range map[string]bool{
"user2": true, "user2": true,
"user3": false,
"user4": false,
} { } {
prepareTestEnv(t) prepareTestEnv(t)



+ 32
- 0
models/error.go View File

return fmt.Sprintf("user does not exist [uid: %d, name: %s, keyid: %d]", err.UID, err.Name, err.KeyID) return fmt.Sprintf("user does not exist [uid: %d, name: %s, keyid: %d]", err.UID, err.Name, err.KeyID)
} }


// ErrUserProhibitLogin represents a "ErrUserProhibitLogin" kind of error.
type ErrUserProhibitLogin struct {
UID int64
Name string
}

// IsErrUserProhibitLogin checks if an error is a ErrUserProhibitLogin
func IsErrUserProhibitLogin(err error) bool {
_, ok := err.(ErrUserProhibitLogin)
return ok
}

func (err ErrUserProhibitLogin) Error() string {
return fmt.Sprintf("user is not allowed login [uid: %d, name: %s]", err.UID, err.Name)
}

// ErrUserInactive represents a "ErrUserInactive" kind of error.
type ErrUserInactive struct {
UID int64
Name string
}

// IsErrUserInactive checks if an error is a ErrUserInactive
func IsErrUserInactive(err error) bool {
_, ok := err.(ErrUserInactive)
return ok
}

func (err ErrUserInactive) Error() string {
return fmt.Sprintf("user is inactive [uid: %d, name: %s]", err.UID, err.Name)
}

// ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error. // ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error.
type ErrEmailAlreadyUsed struct { type ErrEmailAlreadyUsed struct {
Email string Email string

+ 23
- 4
models/login_source.go View File

return nil, ErrLoginSourceNotActived return nil, ErrLoginSourceNotActived
} }


var err error
switch source.Type { switch source.Type {
case LoginLDAP, LoginDLDAP: case LoginLDAP, LoginDLDAP:
return LoginViaLDAP(user, login, password, source, autoRegister)
user, err = LoginViaLDAP(user, login, password, source, autoRegister)
case LoginSMTP: case LoginSMTP:
return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
case LoginPAM: case LoginPAM:
return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
default:
return nil, ErrUnsupportedLoginType
}

if err != nil {
return nil, err
}

if !user.IsActive {
return nil, ErrUserInactive{user.ID, user.Name}
} else if user.ProhibitLogin {
return nil, ErrUserProhibitLogin{user.ID, user.Name}
} }


return nil, ErrUnsupportedLoginType
return user, nil
} }


// UserSignIn validates user name and password. // UserSignIn validates user name and password.
switch user.LoginType { switch user.LoginType {
case LoginNoType, LoginPlain, LoginOAuth2: case LoginNoType, LoginPlain, LoginOAuth2:
if user.IsPasswordSet() && user.ValidatePassword(password) { if user.IsPasswordSet() && user.ValidatePassword(password) {
if !user.IsActive {
return nil, ErrUserInactive{user.ID, user.Name}
} else if user.ProhibitLogin {
return nil, ErrUserProhibitLogin{user.ID, user.Name}
}

return user, nil return user, nil
} }



+ 7
- 2
modules/context/auth.go View File

"net/url" "net/url"


"code.gitea.io/gitea/modules/auth" "code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"github.com/go-macaron/csrf" "github.com/go-macaron/csrf"
macaron "gopkg.in/macaron.v1" macaron "gopkg.in/macaron.v1"


// Check prohibit login users. // Check prohibit login users.
if ctx.IsSigned { if ctx.IsSigned {

if ctx.User.ProhibitLogin {
if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
ctx.HTML(200, "user/auth/activate")
return
} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
ctx.HTML(200, "user/auth/prohibit_login") ctx.HTML(200, "user/auth/prohibit_login")
return return

+ 5
- 0
routers/home.go View File

"code.gitea.io/gitea/models" "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/search" "code.gitea.io/gitea/modules/search"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm { if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
ctx.Data["Title"] = ctx.Tr("auth.active_your_account") ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
ctx.HTML(200, user.TplActivate) ctx.HTML(200, user.TplActivate)
} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
ctx.HTML(200, "user/auth/prohibit_login")
} else { } else {
user.Dashboard(ctx) user.Dashboard(ctx)
} }

+ 13
- 0
routers/user/auth.go View File

} else if models.IsErrEmailAlreadyUsed(err) { } else if models.IsErrEmailAlreadyUsed(err) {
ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form) ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr()) log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
} else if models.IsErrUserProhibitLogin(err) {
log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
ctx.HTML(200, "user/auth/prohibit_login")
} else if models.IsErrUserInactive(err) {
if setting.Service.RegisterEmailConfirm {
ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
ctx.HTML(200, TplActivate)
} else {
log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
ctx.HTML(200, "user/auth/prohibit_login")
}
} else { } else {
ctx.ServerError("UserSignIn", err) ctx.ServerError("UserSignIn", err)
} }

Write Preview
Loading…
Cancel
Save