playground
/
gogs
mirror of https://github.com/gogits/gogs.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

#1128: API calls are not hidden behind sign in

pull/1379/head
Unknwon 9 years ago
parent
71b9a87fe1
commit
ff051e2106
6 changed files with 16 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      cmd/web.go
  2. 1
      conf/locale/TRANSLATORS
  3. 2
      gogs.go
  4. 6
      modules/auth/auth.go
  5. 7
      modules/middleware/auth.go
  6. 2
      templates/.VERSION

2
cmd/web.go
Unescape View File

@ -242,7 +242,7 @@ func runWeb(ctx *cli.Context) {
ctx.HandleAPI(404, "Page not found") ctx.HandleAPI(404, "Page not found")
}) })
}) })
}) }, ignSignIn)
// User. // User.
m.Group("/user", func() { m.Group("/user", func() {

1
conf/locale/TRANSLATORS
Unescape View File

@ -8,6 +8,7 @@ Huimin Wang <wanghm2009@hotmail.co.jp>
Thomas Fanninger <gogs.thomas@fanninger.at> Thomas Fanninger <gogs.thomas@fanninger.at>
Łukasz Jan Niemier <lukasz@niemier.pl> Łukasz Jan Niemier <lukasz@niemier.pl>
Lafriks <lafriks@gmail.com> Lafriks <lafriks@gmail.com>
Luc Stepniewski <luc@stepniewski.fr>
Miguel de la Cruz <miguel@mcrx.me> Miguel de la Cruz <miguel@mcrx.me>
Natan Albuquerque <natanalbuquerque5@gmail.com> Natan Albuquerque <natanalbuquerque5@gmail.com>
Marc Schiller <marc@schiller.im> Marc Schiller <marc@schiller.im>

2
gogs.go
Unescape View File

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.6.1.0714 Beta" const APP_VER = "0.6.1.0715 Beta"
func init() { func init() {
runtime.GOMAXPROCS(runtime.NumCPU()) runtime.GOMAXPROCS(runtime.NumCPU())

6
modules/auth/auth.go
Unescape View File

@ -21,6 +21,10 @@ import (
"github.com/gogits/gogs/modules/uuid" "github.com/gogits/gogs/modules/uuid"
) )
func IsAPIPath(url string) bool {
return strings.HasPrefix(url, "/api/")
}
// SignedInId returns the id of signed in user. // SignedInId returns the id of signed in user.
func SignedInId(req *http.Request, sess session.Store) int64 { func SignedInId(req *http.Request, sess session.Store) int64 {
if !models.HasEngine { if !models.HasEngine {
@ -28,7 +32,7 @@ func SignedInId(req *http.Request, sess session.Store) int64 {
} }
// API calls need to check access token. // API calls need to check access token.
if strings.HasPrefix(req.URL.Path, "/api/") { if IsAPIPath(req.URL.Path) {
auHead := req.Header.Get("Authorization") auHead := req.Header.Get("Authorization")
if len(auHead) > 0 { if len(auHead) > 0 {
auths := strings.Fields(auHead) auths := strings.Fields(auHead)

7
modules/middleware/auth.go
Unescape View File

@ -10,6 +10,7 @@ import (
"github.com/Unknwon/macaron" "github.com/Unknwon/macaron"
"github.com/macaron-contrib/csrf" "github.com/macaron-contrib/csrf"
"github.com/gogits/gogs/modules/auth"
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
@ -49,6 +50,12 @@ func Toggle(options *ToggleOptions) macaron.Handler {
if options.SignInRequire { if options.SignInRequire {
if !ctx.IsSigned { if !ctx.IsSigned {
// Restrict API calls with error message.
if auth.IsAPIPath(ctx.Req.URL.Path) {
ctx.HandleAPI(403, "Only signed in user is allowed to call APIs.")
return
}
ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl) ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl)
ctx.Redirect(setting.AppSubUrl + "/user/login") ctx.Redirect(setting.AppSubUrl + "/user/login")
return return

2
templates/.VERSION
Unescape View File

@ -1 +1 @@
0.6.1.0714 Beta 0.6.1.0715 Beta
Write Preview
Loading…
Cancel
Save