本站源代码
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.

135 líneas
4.1KB

  1. // Copyright 2014 The Gogs Authors. All rights reserved.
  2. // Copyright 2019 The Gitea Authors. All rights reserved.
  3. // Use of this source code is governed by a MIT-style
  4. // license that can be found in the LICENSE file.
  5. package context
  6. import (
  7. "code.gitea.io/gitea/models"
  8. "code.gitea.io/gitea/modules/auth"
  9. "code.gitea.io/gitea/modules/log"
  10. "code.gitea.io/gitea/modules/setting"
  11. "gitea.com/macaron/csrf"
  12. "gitea.com/macaron/macaron"
  13. )
  14. // ToggleOptions contains required or check options
  15. type ToggleOptions struct {
  16. SignInRequired bool
  17. SignOutRequired bool
  18. AdminRequired bool
  19. DisableCSRF bool
  20. }
  21. // Toggle returns toggle options as middleware
  22. func Toggle(options *ToggleOptions) macaron.Handler {
  23. return func(ctx *Context) {
  24. // Cannot view any page before installation.
  25. if !setting.InstallLock {
  26. ctx.Redirect(setting.AppSubURL + "/install")
  27. return
  28. }
  29. // Check prohibit login users.
  30. if ctx.IsSigned {
  31. if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
  32. ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
  33. ctx.HTML(200, "user/auth/activate")
  34. return
  35. } else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
  36. log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
  37. ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
  38. ctx.HTML(200, "user/auth/prohibit_login")
  39. return
  40. }
  41. if ctx.User.MustChangePassword {
  42. if ctx.Req.URL.Path != "/user/settings/change_password" {
  43. ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
  44. ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
  45. ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
  46. ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
  47. return
  48. }
  49. } else if ctx.Req.URL.Path == "/user/settings/change_password" {
  50. // make sure that the form cannot be accessed by users who don't need this
  51. ctx.Redirect(setting.AppSubURL + "/")
  52. return
  53. }
  54. }
  55. // Redirect to dashboard if user tries to visit any non-login page.
  56. if options.SignOutRequired && ctx.IsSigned && ctx.Req.RequestURI != "/" {
  57. ctx.Redirect(setting.AppSubURL + "/")
  58. return
  59. }
  60. if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" && !auth.IsAPIPath(ctx.Req.URL.Path) {
  61. csrf.Validate(ctx.Context, ctx.csrf)
  62. if ctx.Written() {
  63. return
  64. }
  65. }
  66. if options.SignInRequired {
  67. if !ctx.IsSigned {
  68. // Restrict API calls with error message.
  69. if auth.IsAPIPath(ctx.Req.URL.Path) {
  70. ctx.JSON(403, map[string]string{
  71. "message": "Only signed in user is allowed to call APIs.",
  72. })
  73. return
  74. }
  75. ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
  76. ctx.Redirect(setting.AppSubURL + "/user/login")
  77. return
  78. } else if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
  79. ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
  80. ctx.HTML(200, "user/auth/activate")
  81. return
  82. }
  83. if ctx.IsSigned && auth.IsAPIPath(ctx.Req.URL.Path) && ctx.IsBasicAuth {
  84. twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
  85. if err != nil {
  86. if models.IsErrTwoFactorNotEnrolled(err) {
  87. return // No 2FA enrollment for this user
  88. }
  89. ctx.Error(500)
  90. return
  91. }
  92. otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
  93. ok, err := twofa.ValidateTOTP(otpHeader)
  94. if err != nil {
  95. ctx.Error(500)
  96. return
  97. }
  98. if !ok {
  99. ctx.JSON(403, map[string]string{
  100. "message": "Only signed in user is allowed to call APIs.",
  101. })
  102. return
  103. }
  104. }
  105. }
  106. // Redirect to log in page if auto-signin info is provided and has not signed in.
  107. if !options.SignOutRequired && !ctx.IsSigned && !auth.IsAPIPath(ctx.Req.URL.Path) &&
  108. len(ctx.GetCookie(setting.CookieUserName)) > 0 {
  109. ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
  110. ctx.Redirect(setting.AppSubURL + "/user/login")
  111. return
  112. }
  113. if options.AdminRequired {
  114. if !ctx.User.IsAdmin {
  115. ctx.Error(403)
  116. return
  117. }
  118. ctx.Data["PageIsAdmin"] = true
  119. }
  120. }
  121. }
上海开阖软件有限公司 沪ICP备12045867号-1