mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-25 22:43:32 +00:00
#1128: API calls are not hidden behind sign in
This commit is contained in:
parent
71b9a87fe1
commit
ff051e2106
|
@ -242,7 +242,7 @@ func runWeb(ctx *cli.Context) {
|
||||||
ctx.HandleAPI(404, "Page not found")
|
ctx.HandleAPI(404, "Page not found")
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
}, ignSignIn)
|
||||||
|
|
||||||
// User.
|
// User.
|
||||||
m.Group("/user", func() {
|
m.Group("/user", func() {
|
||||||
|
|
|
@ -8,6 +8,7 @@ Huimin Wang <wanghm2009@hotmail.co.jp>
|
||||||
Thomas Fanninger <gogs.thomas@fanninger.at>
|
Thomas Fanninger <gogs.thomas@fanninger.at>
|
||||||
Łukasz Jan Niemier <lukasz@niemier.pl>
|
Łukasz Jan Niemier <lukasz@niemier.pl>
|
||||||
Lafriks <lafriks@gmail.com>
|
Lafriks <lafriks@gmail.com>
|
||||||
|
Luc Stepniewski <luc@stepniewski.fr>
|
||||||
Miguel de la Cruz <miguel@mcrx.me>
|
Miguel de la Cruz <miguel@mcrx.me>
|
||||||
Natan Albuquerque <natanalbuquerque5@gmail.com>
|
Natan Albuquerque <natanalbuquerque5@gmail.com>
|
||||||
Marc Schiller <marc@schiller.im>
|
Marc Schiller <marc@schiller.im>
|
||||||
|
|
2
gogs.go
2
gogs.go
|
@ -17,7 +17,7 @@ import (
|
||||||
"github.com/gogits/gogs/modules/setting"
|
"github.com/gogits/gogs/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
const APP_VER = "0.6.1.0714 Beta"
|
const APP_VER = "0.6.1.0715 Beta"
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
runtime.GOMAXPROCS(runtime.NumCPU())
|
runtime.GOMAXPROCS(runtime.NumCPU())
|
||||||
|
|
|
@ -21,6 +21,10 @@ import (
|
||||||
"github.com/gogits/gogs/modules/uuid"
|
"github.com/gogits/gogs/modules/uuid"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func IsAPIPath(url string) bool {
|
||||||
|
return strings.HasPrefix(url, "/api/")
|
||||||
|
}
|
||||||
|
|
||||||
// SignedInId returns the id of signed in user.
|
// SignedInId returns the id of signed in user.
|
||||||
func SignedInId(req *http.Request, sess session.Store) int64 {
|
func SignedInId(req *http.Request, sess session.Store) int64 {
|
||||||
if !models.HasEngine {
|
if !models.HasEngine {
|
||||||
|
@ -28,7 +32,7 @@ func SignedInId(req *http.Request, sess session.Store) int64 {
|
||||||
}
|
}
|
||||||
|
|
||||||
// API calls need to check access token.
|
// API calls need to check access token.
|
||||||
if strings.HasPrefix(req.URL.Path, "/api/") {
|
if IsAPIPath(req.URL.Path) {
|
||||||
auHead := req.Header.Get("Authorization")
|
auHead := req.Header.Get("Authorization")
|
||||||
if len(auHead) > 0 {
|
if len(auHead) > 0 {
|
||||||
auths := strings.Fields(auHead)
|
auths := strings.Fields(auHead)
|
||||||
|
|
|
@ -10,6 +10,7 @@ import (
|
||||||
"github.com/Unknwon/macaron"
|
"github.com/Unknwon/macaron"
|
||||||
"github.com/macaron-contrib/csrf"
|
"github.com/macaron-contrib/csrf"
|
||||||
|
|
||||||
|
"github.com/gogits/gogs/modules/auth"
|
||||||
"github.com/gogits/gogs/modules/setting"
|
"github.com/gogits/gogs/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -49,6 +50,12 @@ func Toggle(options *ToggleOptions) macaron.Handler {
|
||||||
|
|
||||||
if options.SignInRequire {
|
if options.SignInRequire {
|
||||||
if !ctx.IsSigned {
|
if !ctx.IsSigned {
|
||||||
|
// Restrict API calls with error message.
|
||||||
|
if auth.IsAPIPath(ctx.Req.URL.Path) {
|
||||||
|
ctx.HandleAPI(403, "Only signed in user is allowed to call APIs.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl)
|
ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl)
|
||||||
ctx.Redirect(setting.AppSubUrl + "/user/login")
|
ctx.Redirect(setting.AppSubUrl + "/user/login")
|
||||||
return
|
return
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
0.6.1.0714 Beta
|
0.6.1.0715 Beta
|
Loading…
Reference in a new issue