Fix prohibit login check on authorization #6106

Merged
merged 5 commits into from Feb 19, 2019

Conversation

@lunny
Member

commented Feb 18, 2019

Before this PR, a prohibit login account can also log in and see the dashboard page. This PR will add more checks to fix that.

@codecov-io

commented Feb 18, 2019

Codecov Report

Merging #6106 into master will decrease coverage by 0.02%.
The diff coverage is 11.53%.

@@            Coverage Diff             @@
##           master    #6106      +/-   ##
==========================================
- Coverage   38.88%   38.86%   -0.03%     
==========================================
  Files         349      349              
  Lines       49755    49801      +46     
==========================================
+ Hits        19349    19355       +6     
- Misses      27611    27646      +35     
- Partials     2795     2800       +5
Impacted Files Coverage Δ
modules/context/auth.go 19.11% <0%> (-2.76%) ⬇️
routers/user/auth.go 13.11% <0%> (-0.18%) ⬇️
routers/home.go 46.29% <0%> (-0.7%) ⬇️
models/error.go 34.59% <0%> (-0.9%) ⬇️
models/login_source.go 26.31% <31.57%> (+0.01%) ⬆️
modules/process/manager.go 81.15% <0%> (+4.34%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@@ -642,6 +642,12 @@ func UserSignIn(username, password string) (*User, error) {
}

if hasUser {
if !user.IsActive {
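
Review bot: in `UserSignIn`, the `!user.IsActive` test sits directly under `if hasUser`, and nothing in the visible lines verifies `password` before it. Any state-specific error returned from this branch would then reach a caller who sent a wrong password, and it would differ from the answer for an unknown username. Suggest moving the account-state checks below the password validation so a state-specific error goes only to a caller who supplied the correct password.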

@lafriks

lafriks Feb 18, 2019

Member

This should be checked only after username & password are validated, otherwise usernames can be leaked/guessed from private servers.
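
The check ordering raised in the review comment above, as an added Go example that is not Gitea's code and not part of the thread: the `account` type, the two sign-in functions, the error values and the sample accounts are all hypothetical. It compares what a caller with a wrong password learns when account state is checked before the password versus after it.

```go
package main
import (
	"crypto/subtle"
	"errors"
	"fmt"
)

type account struct { // hypothetical record, not Gitea's models.User
	password      string // stands in for a salted password hash
	prohibitLogin bool
}

var errBadCredentials = errors.New("username or password is incorrect")
var errProhibited = errors.New("login is prohibited")
var accounts = map[string]account{ // constructed sample data
	"alice":   {password: "correct-horse"},
	"blocked": {password: "s3cret", prohibitLogin: true},
}

func passwordOK(a account, pw string) bool {
	return subtle.ConstantTimeCompare([]byte(a.password), []byte(pw)) == 1
}

// signInStateFirst reports account state before checking the password.
func signInStateFirst(name, pw string) error {
	a, ok := accounts[name]
	if ok && a.prohibitLogin {
		return errProhibited
	}
	if !ok || !passwordOK(a, pw) {
		return errBadCredentials
	}
	return nil
}

// signInPasswordFirst reports account state only after the password matched.
func signInPasswordFirst(name, pw string) error {
	a, ok := accounts[name]
	if !ok || !passwordOK(a, pw) {
		return errBadCredentials
	}
	if a.prohibitLogin {
		return errProhibited
	}
	return nil
}

func main() {
	fmt.Println(signInStateFirst("blocked", "x"), "|", signInPasswordFirst("blocked", "x"))
}
```

With the password-first ordering, a wrong password yields the same error for `blocked` and for a name that does not exist, so the response no longer confirms which usernames are registered.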

@lafriks

Member

commented Feb 18, 2019

Oh, and ExternalUserLogin also needs a check to not allow prohibited users to log in.

@lunny

Member Author

commented Feb 18, 2019

@lafriks done.

@GiteaBot GiteaBot added lgtm/need 1 and removed lgtm/need 2 labels Feb 18, 2019

@@ -113,6 +113,6 @@ func TestCreateReleasePaging(t *testing.T) {
checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.12", i18n.Tr("en", "repo.release.draft"), 10)

// Check that user3 does not see draft and still see 10 latest releases
session2 := loginUser(t, "user3")
session2 := loginUser(t, "user4")
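
Review bot: the comment two lines above `session2 := loginUser(t, "user4")` still reads "Check that user3 does not see draft", so it no longer matches the account the test logs in as. Update it to name user4, and consider a short note on why the test switches accounts so the next reader does not have to look it up in the fixtures.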

@techknowlogick

techknowlogick Feb 19, 2019

Member

Please change comment above to reference user4

@lunny

lunny Feb 19, 2019

Author Member

done.

@techknowlogick
Member

left a comment

One minor thing, but otherwise looks great!

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels Feb 19, 2019

lunny added some commits Feb 18, 2019

@lunny lunny force-pushed the lunny:lunny/fix_bug_prohibit_login branch from 925c303 to 9927680 Feb 19, 2019

@lafriks lafriks merged commit f5fa22a into go-gitea:master Feb 19, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr the build was successful

@lafriks lafriks changed the title fix bug prohibit login not applied on dashboard Fix prohibit login check on authorization Feb 19, 2019

@lafriks

Member

commented Feb 19, 2019

@lunny please backport

@lunny lunny deleted the lunny:lunny/fix_bug_prohibit_login branch Feb 19, 2019

lunny added a commit to lunny/gitea that referenced this pull request Feb 19, 2019

Fix prohibit login check on authorization (go-gitea#6106)
* fix bug prohibit login not applied on dashboard

* fix tests

* fix bug user status leak

* fix typo

* return after render

@lunny lunny added the backport/done label Feb 19, 2019

lafriks added a commit that referenced this pull request Feb 19, 2019

Fix prohibit login check on authorization (#6106) (#6115)
* Fix prohibit login check on authorization (#6106)

* fix bug prohibit login not applied on dashboard

* fix tests

* fix bug user status leak

* fix typo

* return after render

* remove unused tests

Mikescher added a commit to Mikescher/gitea that referenced this pull request Mar 20, 2019

Fix prohibit login check on authorization (go-gitea#6106)
* fix bug prohibit login not applied on dashboard

* fix tests

* fix bug user status leak

* fix typo

* return after render