Merge pull request '[BUG] First user created through reverse proxy should be admin' (#4549) from gusted/forgejo-reverseproxy-admin into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4549 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Radosław Piliszek <radek@piliszek.it>
2024-11-08 16:14:30 +00:00 · 2024-08-24 22:45:32 +00:00 · 2024-08-24 22:45:32 +00:00 · 78e4736db6
parent 1cab8788c8 0692cc2cc1
commit 78e4736db6
2 changed files with 72 additions and 0 deletions
--- a/services/auth/reverseproxy.go
+++ b/services/auth/reverseproxy.go
@ -164,6 +164,11 @@ func (r *ReverseProxy) newUser(req *http.Request) *user_model.User {
 		IsActive: optional.Some(true),
 	}

+	// The first user created should be an admin.
+	if user_model.CountUsers(req.Context(), nil) == 0 {
+		user.IsAdmin = true
+	}
+
 	if err := user_model.CreateUser(req.Context(), user, &overwriteDefault); err != nil {
 		// FIXME: should I create a system notice?
 		log.Error("CreateUser: %v", err)
--- a/services/auth/reverseproxy_test.go
+++ b/services/auth/reverseproxy_test.go
@ -0,0 +1,67 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestReverseProxyAuth(t *testing.T) {
+	defer test.MockVariableValue(&setting.Service.EnableReverseProxyEmail, true)()
+	defer test.MockVariableValue(&setting.Service.EnableReverseProxyFullName, true)()
+	defer test.MockVariableValue(&setting.Service.EnableReverseProxyFullName, true)()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	require.NoError(t, db.TruncateBeans(db.DefaultContext, &user_model.User{}))
+	require.EqualValues(t, 0, user_model.CountUsers(db.DefaultContext, nil))
+
+	t.Run("First user should be admin", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+
+		req.Header.Add(setting.ReverseProxyAuthUser, "Edgar")
+		req.Header.Add(setting.ReverseProxyAuthFullName, "Edgar Allan Poe")
+		req.Header.Add(setting.ReverseProxyAuthEmail, "edgar@example.org")
+
+		rp := &ReverseProxy{}
+		user := rp.newUser(req)
+
+		require.EqualValues(t, 1, user_model.CountUsers(db.DefaultContext, nil))
+		unittest.AssertExistsAndLoadBean(t, &user_model.User{Email: "edgar@example.org", Name: "Edgar", LowerName: "edgar", FullName: "Edgar Allan Poe", IsAdmin: true})
+		require.EqualValues(t, "edgar@example.org", user.Email)
+		require.EqualValues(t, "Edgar", user.Name)
+		require.EqualValues(t, "edgar", user.LowerName)
+		require.EqualValues(t, "Edgar Allan Poe", user.FullName)
+		require.True(t, user.IsAdmin)
+	})
+
+	t.Run("Second user shouldn't be admin", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+
+		req.Header.Add(setting.ReverseProxyAuthUser, " Gusted ")
+		req.Header.Add(setting.ReverseProxyAuthFullName, "❤‿❤")
+		req.Header.Add(setting.ReverseProxyAuthEmail, "gusted@example.org")
+
+		rp := &ReverseProxy{}
+		user := rp.newUser(req)
+
+		require.EqualValues(t, 2, user_model.CountUsers(db.DefaultContext, nil))
+		unittest.AssertExistsAndLoadBean(t, &user_model.User{Email: "gusted@example.org", Name: "Gusted", LowerName: "gusted", FullName: "❤‿❤"}, "is_admin = false")
+		require.EqualValues(t, "gusted@example.org", user.Email)
+		require.EqualValues(t, "Gusted", user.Name)
+		require.EqualValues(t, "gusted", user.LowerName)
+		require.EqualValues(t, "❤‿❤", user.FullName)
+		require.False(t, user.IsAdmin)
+	})
+}