Create a session on ReverseProxy and ensure that ReverseProxy users c…

…annot change username (go-gitea#15304) * Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix go-gitea#2407 * add testcase Signed-off-by: Andrew Thornton <[email protected]>
kitspace · Aug 10, 2021 · 0807510 · 0807510
1 parent 301ec6d
commit 0807510
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 7 deletions.
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
 
 	gouuid "github.com/google/uuid"
 )
@@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 
 	user, err := models.GetUserByName(username)
 	if err != nil {
-		if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
-			return r.newUser(req)
+		if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
+			log.Error("GetUserByName: %v", err)
+			return nil
 		}
-		log.Error("GetUserByName: %v", err)
-		return nil
+		user = r.newUser(req)
 	}
 
+	// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+		if sess.Get("uid").(int64) != user.ID {
+			handleSignIn(w, req, sess, user)
+		}
+	}
+	store.GetData()["IsReverseProxy"] = true
+
 	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
 	return user
 }
@@ -104,13 +113,13 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User {
 	user := &models.User{
 		Name:     username,
 		Email:    email,
-		Passwd:   username,
 		IsActive: true,
 	}
 	if err := models.CreateUser(user); err != nil {
 		// FIXME: should I create a system notice?
 		log.Error("CreateUser: %v", err)
 		return nil
 	}
+
 	return user
 }
diff --git a/templates/user/settings/profile.tmpl b/templates/user/settings/profile.tmpl
@@ -15,8 +15,8 @@
 						<span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span>
 						<span class="text red hide" id="name-change-redirect-prompt"> {{.i18n.Tr "settings.change_username_redirect_prompt"}}</span>
 					</label>
-					<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if not .SignedUser.IsLocal}}disabled{{end}}>
-					{{if not .SignedUser.IsLocal}}
+					<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}disabled{{end}}>
+					{{if or (not .SignedUser.IsLocal) .IsReverseProxy}}
 					<p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
 					{{end}}
 				</div>