#1128: API calls are not hidden behind sign in

author: Unknwon <u@gogs.io> 2015-07-15 19:17:57 +0800
committer: Unknwon <u@gogs.io> 2015-07-15 19:17:57 +0800
commit: ff051e2106bb44203736934547a7a2c501b1a784 (patch)
tree: d5701892a22535ed546355a3b378aee40722660d /modules/middleware/auth.go
parent: 71b9a87fe15ea8da24301f25aa706b148fd3b940 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/modules/middleware/auth.go b/modules/middleware/auth.go
index 8f86b791..2a02d276 100644
--- a/modules/middleware/auth.go
+++ b/modules/middleware/auth.go
@@ -10,6 +10,7 @@ import (
 	"github.com/Unknwon/macaron"
 	"github.com/macaron-contrib/csrf"
 
+	"github.com/gogits/gogs/modules/auth"
 	"github.com/gogits/gogs/modules/setting"
 )
 
@@ -49,6 +50,12 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 
 		if options.SignInRequire {
 			if !ctx.IsSigned {
+				// Restrict API calls with error message.
+				if auth.IsAPIPath(ctx.Req.URL.Path) {
+					ctx.HandleAPI(403, "Only signed in user is allowed to call APIs.")
+					return
+				}
+
 				ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl)
 				ctx.Redirect(setting.AppSubUrl + "/user/login")
 				return
author	Unknwon <u@gogs.io>	2015-07-15 19:17:57 +0800
committer	Unknwon <u@gogs.io>	2015-07-15 19:17:57 +0800
commit	ff051e2106bb44203736934547a7a2c501b1a784 (patch)
tree	d5701892a22535ed546355a3b378aee40722660d /modules/middleware/auth.go
parent	71b9a87fe15ea8da24301f25aa706b148fd3b940 (diff)