Browse Source

#1128: API calls are not hidden behind sign in

pull/1379/head
Unknwon 9 years ago
parent
commit
ff051e2106
  1. 2
      cmd/web.go
  2. 1
      conf/locale/TRANSLATORS
  3. 2
      gogs.go
  4. 6
      modules/auth/auth.go
  5. 7
      modules/middleware/auth.go
  6. 2
      templates/.VERSION

2
cmd/web.go

@ -242,7 +242,7 @@ func runWeb(ctx *cli.Context) {
ctx.HandleAPI(404, "Page not found") ctx.HandleAPI(404, "Page not found")
}) })
}) })
}) }, ignSignIn)
// User. // User.
m.Group("/user", func() { m.Group("/user", func() {

1
conf/locale/TRANSLATORS

@ -8,6 +8,7 @@ Huimin Wang <wanghm2009@hotmail.co.jp>
Thomas Fanninger <gogs.thomas@fanninger.at> Thomas Fanninger <gogs.thomas@fanninger.at>
Łukasz Jan Niemier <lukasz@niemier.pl> Łukasz Jan Niemier <lukasz@niemier.pl>
Lafriks <lafriks@gmail.com> Lafriks <lafriks@gmail.com>
Luc Stepniewski <luc@stepniewski.fr>
Miguel de la Cruz <miguel@mcrx.me> Miguel de la Cruz <miguel@mcrx.me>
Natan Albuquerque <natanalbuquerque5@gmail.com> Natan Albuquerque <natanalbuquerque5@gmail.com>
Marc Schiller <marc@schiller.im> Marc Schiller <marc@schiller.im>

2
gogs.go

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.6.1.0714 Beta" const APP_VER = "0.6.1.0715 Beta"
func init() { func init() {
runtime.GOMAXPROCS(runtime.NumCPU()) runtime.GOMAXPROCS(runtime.NumCPU())

6
modules/auth/auth.go

@ -21,6 +21,10 @@ import (
"github.com/gogits/gogs/modules/uuid" "github.com/gogits/gogs/modules/uuid"
) )
func IsAPIPath(url string) bool {
return strings.HasPrefix(url, "/api/")
}
// SignedInId returns the id of signed in user. // SignedInId returns the id of signed in user.
func SignedInId(req *http.Request, sess session.Store) int64 { func SignedInId(req *http.Request, sess session.Store) int64 {
if !models.HasEngine { if !models.HasEngine {
@ -28,7 +32,7 @@ func SignedInId(req *http.Request, sess session.Store) int64 {
} }
// API calls need to check access token. // API calls need to check access token.
if strings.HasPrefix(req.URL.Path, "/api/") { if IsAPIPath(req.URL.Path) {
auHead := req.Header.Get("Authorization") auHead := req.Header.Get("Authorization")
if len(auHead) > 0 { if len(auHead) > 0 {
auths := strings.Fields(auHead) auths := strings.Fields(auHead)

7
modules/middleware/auth.go

@ -10,6 +10,7 @@ import (
"github.com/Unknwon/macaron" "github.com/Unknwon/macaron"
"github.com/macaron-contrib/csrf" "github.com/macaron-contrib/csrf"
"github.com/gogits/gogs/modules/auth"
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
@ -49,6 +50,12 @@ func Toggle(options *ToggleOptions) macaron.Handler {
if options.SignInRequire { if options.SignInRequire {
if !ctx.IsSigned { if !ctx.IsSigned {
// Restrict API calls with error message.
if auth.IsAPIPath(ctx.Req.URL.Path) {
ctx.HandleAPI(403, "Only signed in user is allowed to call APIs.")
return
}
ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl) ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl)
ctx.Redirect(setting.AppSubUrl + "/user/login") ctx.Redirect(setting.AppSubUrl + "/user/login")
return return

2
templates/.VERSION

@ -1 +1 @@
0.6.1.0714 Beta 0.6.1.0715 Beta
Loading…
Cancel
Save