authorUnknwon <u@gogs.io>2015-07-15 19:17:57 +0800
committerUnknwon <u@gogs.io>2015-07-15 19:17:57 +0800
commitff051e2106bb44203736934547a7a2c501b1a784 (patch)
treed5701892a22535ed546355a3b378aee40722660d
parent71b9a87fe15ea8da24301f25aa706b148fd3b940 (diff)
#1128: API calls are not hidden behind sign in
-rw-r--r--cmd/web.go2
-rw-r--r--conf/locale/TRANSLATORS1
-rw-r--r--gogs.go2
-rw-r--r--modules/auth/auth.go6
-rw-r--r--modules/middleware/auth.go7
-rw-r--r--templates/.VERSION2
6 files changed, 16 insertions, 4 deletions
diff --git a/cmd/web.go b/cmd/web.go
index ca4a6291..db1bf98a 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -242,7 +242,7 @@ func runWeb(ctx *cli.Context) {
ctx.HandleAPI(404, "Page not found")
})
})
- })
+ }, ignSignIn)
// User.
m.Group("/user", func() {
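Review bot: The handler `ignSignIn` that now wraps the API group on the `}, ignSignIn)` line is defined outside this hunk, so what it gates cannot be confirmed from here; from the commit title and the middleware change it appears to be the Toggle handler that enforces sign-in when the site requires it. A short comment on the group would record that intent for the next reader, e.g. `// API routes: run through ignSignIn so unauthenticated calls are rejected when sign-in is required.` Because the handler applies to the whole group, the catch-all 404 handler visible at the top of the hunk is gated too, so anonymous callers get the sign-in error rather than 404 for unknown API paths — probably intended, but worth stating in that comment. runWeb starts and ends outside the hunk.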
diff --git a/conf/locale/TRANSLATORS b/conf/locale/TRANSLATORS
index 1c2768af..733c4ef4 100644
--- a/conf/locale/TRANSLATORS
+++ b/conf/locale/TRANSLATORS
@@ -8,6 +8,7 @@ Huimin Wang <wanghm2009@hotmail.co.jp>
Thomas Fanninger <gogs.thomas@fanninger.at>
Ɓukasz Jan Niemier <lukasz@niemier.pl>
Lafriks <lafriks@gmail.com>
+Luc Stepniewski <luc@stepniewski.fr>
Miguel de la Cruz <miguel@mcrx.me>
Natan Albuquerque <natanalbuquerque5@gmail.com>
Marc Schiller <marc@schiller.im>
diff --git a/gogs.go b/gogs.go
index 958792e0..1fe0153e 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
-const APP_VER = "0.6.1.0714 Beta"
+const APP_VER = "0.6.1.0715 Beta"
func init() {
runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index edcb1306..42346430 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -21,6 +21,10 @@ import (
"github.com/gogits/gogs/modules/uuid"
)
+func IsAPIPath(url string) bool {
+ return strings.HasPrefix(url, "/api/")
+}
+
// SignedInId returns the id of signed in user.
func SignedInId(req *http.Request, sess session.Store) int64 {
if !models.HasEngine {
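Review bot: `IsAPIPath` is exported but carries no doc comment, unlike its neighbour `// SignedInId returns ...` just below it; add `// IsAPIPath reports whether url is an API route, i.e. it starts with the "/api/" prefix.` The function is a bare prefix match on the path it is handed; if the server is mounted under a sub-URL (the middleware hunk builds redirects from setting.AppSubUrl), confirm the path passed in has that prefix already stripped, otherwise no request matches and the API restriction silently never triggers. The parameter name `url` would also shadow the net/url package if that package is imported in this file; `path` reads better. SignedInId continues past the end of the hunk.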
@@ -28,7 +32,7 @@ func SignedInId(req *http.Request, sess session.Store) int64 {
}
// API calls need to check access token.
- if strings.HasPrefix(req.URL.Path, "/api/") {
+ if IsAPIPath(req.URL.Path) {
auHead := req.Header.Get("Authorization")
if len(auHead) > 0 {
auths := strings.Fields(auHead)
diff --git a/modules/middleware/auth.go b/modules/middleware/auth.go
index 8f86b791..2a02d276 100644
--- a/modules/middleware/auth.go
+++ b/modules/middleware/auth.go
@@ -10,6 +10,7 @@ import (
"github.com/Unknwon/macaron"
"github.com/macaron-contrib/csrf"
+ "github.com/gogits/gogs/modules/auth"
"github.com/gogits/gogs/modules/setting"
)
@@ -49,6 +50,12 @@ func Toggle(options *ToggleOptions) macaron.Handler {
if options.SignInRequire {
if !ctx.IsSigned {
+ // Restrict API calls with error message.
+ if auth.IsAPIPath(ctx.Req.URL.Path) {
+ ctx.HandleAPI(403, "Only signed in user is allowed to call APIs.")
+ return
+ }
+
ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl)
ctx.Redirect(setting.AppSubUrl + "/user/login")
return
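Review bot: The new branch answers an unauthenticated API call with 403, but it sits under `!ctx.IsSigned`, i.e. no credentials were presented or accepted; 401 Unauthorized is the status that tells an API client to authenticate, whereas 403 says the presented identity is refused, and clients and proxies treat the two differently. Consider `ctx.HandleAPI(401, "Only signed in user is allowed to call APIs.")` unless 403 is deliberately kept for consistency with the other API error responses. The check correctly runs before the redirect_to cookie is set, so API clients are not handed the HTML login redirect. Toggle starts and ends outside the hunk.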
diff --git a/templates/.VERSION b/templates/.VERSION
index 627dda90..815ab417 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.6.1.0714 Beta \ No newline at end of file
+0.6.1.0715 Beta \ No newline at end of file