mirror of https://github.com/go-gitea/gitea.git
Force user to change password (#4489)
* redirect to login page after successfully activating account * force users to change password if account was created by an admin * force users to change password if account was created by an admin * fixed build * fixed build * fix pending issues with translation and wrong routes * make sure path check is safe * remove unneccessary newline * make sure users that don't have to view the form get redirected * move route to use /settings prefix so as to make sure unauthenticated users can't view the page * update as per @lafriks review * add necessary comment * remove unrelated changes * support redirecting to location the user actually want to go to before being forced to change his/her password * run make fmt * added tests * improve assertions * add assertion * fix copyright year Signed-off-by: Lanre Adelowo <yo@lanre.wtf>
This commit is contained in:
parent
10a2a904d7
commit
126ba796dc
|
@ -198,6 +198,8 @@ var migrations = []Migration{
|
|||
NewMigration("protect each scratch token", addScratchHash),
|
||||
// v72 -> v73
|
||||
NewMigration("add review", addReview),
|
||||
// v73 -> v74
|
||||
NewMigration("add must_change_password column for users table", addMustChangePassword),
|
||||
}
|
||||
|
||||
// Migrate database to current version
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
// Copyright 2018 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package migrations
|
||||
|
||||
import (
|
||||
"github.com/go-xorm/xorm"
|
||||
)
|
||||
|
||||
func addMustChangePassword(x *xorm.Engine) error {
|
||||
// User see models/user.go
|
||||
type User struct {
|
||||
ID int64 `xorm:"pk autoincr"`
|
||||
MustChangePassword bool `xorm:"NOT NULL DEFAULT false"`
|
||||
}
|
||||
|
||||
return x.Sync2(new(User))
|
||||
}
|
|
@ -83,18 +83,23 @@ type User struct {
|
|||
Email string `xorm:"NOT NULL"`
|
||||
KeepEmailPrivate bool
|
||||
Passwd string `xorm:"NOT NULL"`
|
||||
LoginType LoginType
|
||||
LoginSource int64 `xorm:"NOT NULL DEFAULT 0"`
|
||||
LoginName string
|
||||
Type UserType
|
||||
OwnedOrgs []*User `xorm:"-"`
|
||||
Orgs []*User `xorm:"-"`
|
||||
Repos []*Repository `xorm:"-"`
|
||||
Location string
|
||||
Website string
|
||||
Rands string `xorm:"VARCHAR(10)"`
|
||||
Salt string `xorm:"VARCHAR(10)"`
|
||||
Language string `xorm:"VARCHAR(5)"`
|
||||
|
||||
// MustChangePassword is an attribute that determines if a user
|
||||
// is to change his/her password after registration.
|
||||
MustChangePassword bool `xorm:"NOT NULL DEFAULT false"`
|
||||
|
||||
LoginType LoginType
|
||||
LoginSource int64 `xorm:"NOT NULL DEFAULT 0"`
|
||||
LoginName string
|
||||
Type UserType
|
||||
OwnedOrgs []*User `xorm:"-"`
|
||||
Orgs []*User `xorm:"-"`
|
||||
Repos []*Repository `xorm:"-"`
|
||||
Location string
|
||||
Website string
|
||||
Rands string `xorm:"VARCHAR(10)"`
|
||||
Salt string `xorm:"VARCHAR(10)"`
|
||||
Language string `xorm:"VARCHAR(5)"`
|
||||
|
||||
CreatedUnix util.TimeStamp `xorm:"INDEX created"`
|
||||
UpdatedUnix util.TimeStamp `xorm:"INDEX updated"`
|
||||
|
|
|
@ -84,6 +84,18 @@ func (f *RegisterForm) Validate(ctx *macaron.Context, errs binding.Errors) bindi
|
|||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// MustChangePasswordForm form for updating your password after account creation
|
||||
// by an admin
|
||||
type MustChangePasswordForm struct {
|
||||
Password string `binding:"Required;MaxSize(255)"`
|
||||
Retype string
|
||||
}
|
||||
|
||||
// Validate valideates the fields
|
||||
func (f *MustChangePasswordForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
|
||||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// SignInForm form for signing in with user/password
|
||||
type SignInForm struct {
|
||||
UserName string `binding:"Required;MaxSize(254)"`
|
||||
|
|
|
@ -31,10 +31,31 @@ func Toggle(options *ToggleOptions) macaron.Handler {
|
|||
}
|
||||
|
||||
// Check prohibit login users.
|
||||
if ctx.IsSigned && ctx.User.ProhibitLogin {
|
||||
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
||||
ctx.HTML(200, "user/auth/prohibit_login")
|
||||
return
|
||||
if ctx.IsSigned {
|
||||
|
||||
if ctx.User.ProhibitLogin {
|
||||
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
||||
ctx.HTML(200, "user/auth/prohibit_login")
|
||||
return
|
||||
}
|
||||
|
||||
// prevent infinite redirection
|
||||
// also make sure that the form cannot be accessed by
|
||||
// users who don't need this
|
||||
if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
|
||||
if !ctx.User.MustChangePassword {
|
||||
ctx.Redirect(setting.AppSubURL + "/")
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
if ctx.User.MustChangePassword {
|
||||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
||||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
|
||||
ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL)
|
||||
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Redirect to dashboard if user tries to visit any non-login page.
|
||||
|
|
|
@ -205,6 +205,7 @@ forgot_password = Forgot password?
|
|||
sign_up_now = Need an account? Register now.
|
||||
sign_up_successful = Account was successfully created.
|
||||
confirmation_mail_sent_prompt = A new confirmation email has been sent to <b>%s</b>. Please check your inbox within the next %s to complete the registration process.
|
||||
must_change_password = Update your password
|
||||
reset_password_mail_sent_prompt = A confirmation email has been sent to <b>%s</b>. Please check your inbox within the next %s to complete the password reset process.
|
||||
active_your_account = Activate Your Account
|
||||
account_activated = Account has been activated
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
// Copyright 2018 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package admin
|
||||
|
||||
import (
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"code.gitea.io/gitea/models"
|
||||
)
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
models.MainTest(m, filepath.Join("..", ".."))
|
||||
}
|
|
@ -77,11 +77,12 @@ func NewUserPost(ctx *context.Context, form auth.AdminCreateUserForm) {
|
|||
}
|
||||
|
||||
u := &models.User{
|
||||
Name: form.UserName,
|
||||
Email: form.Email,
|
||||
Passwd: form.Password,
|
||||
IsActive: true,
|
||||
LoginType: models.LoginPlain,
|
||||
Name: form.UserName,
|
||||
Email: form.Email,
|
||||
Passwd: form.Password,
|
||||
IsActive: true,
|
||||
LoginType: models.LoginPlain,
|
||||
MustChangePassword: true,
|
||||
}
|
||||
|
||||
if len(form.LoginType) > 0 {
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
// Copyright 2017 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package admin
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"code.gitea.io/gitea/models"
|
||||
"code.gitea.io/gitea/modules/auth"
|
||||
"code.gitea.io/gitea/modules/test"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestNewUserPost_MustChangePassword(t *testing.T) {
|
||||
|
||||
models.PrepareTestEnv(t)
|
||||
ctx := test.MockContext(t, "admin/users/new")
|
||||
|
||||
u := models.AssertExistsAndLoadBean(t, &models.User{
|
||||
IsAdmin: true,
|
||||
ID: 2,
|
||||
}).(*models.User)
|
||||
|
||||
ctx.User = u
|
||||
|
||||
username := "gitea"
|
||||
email := "gitea@gitea.io"
|
||||
|
||||
form := auth.AdminCreateUserForm{
|
||||
LoginType: "local",
|
||||
LoginName: "local",
|
||||
UserName: username,
|
||||
Email: email,
|
||||
Password: "xxxxxxxx",
|
||||
SendNotify: false,
|
||||
}
|
||||
|
||||
NewUserPost(ctx, form)
|
||||
|
||||
assert.NotEmpty(t, ctx.Flash.SuccessMsg)
|
||||
|
||||
u, err := models.GetUserByName(username)
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, username, u.Name)
|
||||
assert.Equal(t, email, u.Email)
|
||||
assert.True(t, u.MustChangePassword)
|
||||
}
|
|
@ -230,6 +230,8 @@ func RegisterRoutes(m *macaron.Macaron) {
|
|||
m.Group("/user/settings", func() {
|
||||
m.Get("", userSetting.Profile)
|
||||
m.Post("", bindIgnErr(auth.UpdateProfileForm{}), userSetting.ProfilePost)
|
||||
m.Get("/change_password", user.MustChangePassword)
|
||||
m.Post("/change_password", bindIgnErr(auth.MustChangePasswordForm{}), user.MustChangePasswordPost)
|
||||
m.Post("/avatar", binding.MultipartForm(auth.AvatarForm{}), userSetting.AvatarPost)
|
||||
m.Post("/avatar/delete", userSetting.DeleteAvatar)
|
||||
m.Group("/account", func() {
|
||||
|
|
|
@ -28,6 +28,8 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
// tplMustChangePassword template for updating a user's password
|
||||
tplMustChangePassword = "user/auth/change_passwd"
|
||||
// tplSignIn template for sign in page
|
||||
tplSignIn base.TplName = "user/auth/signin"
|
||||
// tplSignUp template path for sign up page
|
||||
|
@ -1178,7 +1180,8 @@ func ResetPasswdPost(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
u.HashPassword(passwd)
|
||||
if err := models.UpdateUserCols(u, "passwd", "rands", "salt"); err != nil {
|
||||
u.MustChangePassword = false
|
||||
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil {
|
||||
ctx.ServerError("UpdateUser", err)
|
||||
return
|
||||
}
|
||||
|
@ -1191,3 +1194,71 @@ func ResetPasswdPost(ctx *context.Context) {
|
|||
ctx.Data["IsResetFailed"] = true
|
||||
ctx.HTML(200, tplResetPassword)
|
||||
}
|
||||
|
||||
// MustChangePassword renders the page to change a user's password
|
||||
func MustChangePassword(ctx *context.Context) {
|
||||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
||||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
|
||||
|
||||
ctx.HTML(200, tplMustChangePassword)
|
||||
}
|
||||
|
||||
// MustChangePasswordPost response for updating a user's password after his/her
|
||||
// account was created by an admin
|
||||
func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form auth.MustChangePasswordForm) {
|
||||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
||||
|
||||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
|
||||
|
||||
if ctx.HasError() {
|
||||
ctx.HTML(200, tplMustChangePassword)
|
||||
return
|
||||
}
|
||||
|
||||
u := ctx.User
|
||||
|
||||
// Make sure only requests for users who are eligible to change their password via
|
||||
// this method passes through
|
||||
if !u.MustChangePassword {
|
||||
ctx.ServerError("MustUpdatePassword", errors.New("cannot update password.. Please visit the settings page"))
|
||||
return
|
||||
}
|
||||
|
||||
if form.Password != form.Retype {
|
||||
ctx.Data["Err_Password"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplMustChangePassword, &form)
|
||||
return
|
||||
}
|
||||
|
||||
if len(form.Password) < setting.MinPasswordLength {
|
||||
ctx.Data["Err_Password"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
|
||||
return
|
||||
}
|
||||
|
||||
var err error
|
||||
if u.Salt, err = models.GetUserSalt(); err != nil {
|
||||
ctx.ServerError("UpdateUser", err)
|
||||
return
|
||||
}
|
||||
|
||||
u.HashPassword(form.Password)
|
||||
u.MustChangePassword = false
|
||||
|
||||
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "salt"); err != nil {
|
||||
ctx.ServerError("UpdateUser", err)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Flash.Success(ctx.Tr("settings.change_password_success"))
|
||||
|
||||
log.Trace("User updated password: %s", u.Name)
|
||||
|
||||
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
|
||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
||||
ctx.RedirectToFirst(redirectTo)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Redirect(setting.AppSubURL + "/")
|
||||
}
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
{{template "base/head" .}}
|
||||
<div class="user signin{{if .LinkAccountMode}} icon{{end}}">
|
||||
<div class="ui container">
|
||||
{{template "user/auth/change_passwd_inner" .}}
|
||||
</div>
|
||||
</div>
|
||||
{{template "base/footer" .}}
|
|
@ -0,0 +1,26 @@
|
|||
{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn)}}
|
||||
{{template "base/alert" .}}
|
||||
{{end}}
|
||||
<h4 class="ui top attached header center">
|
||||
{{.i18n.Tr "settings.change_password"}}
|
||||
</h4>
|
||||
<div class="ui attached segment">
|
||||
<form class="ui form" action="{{.ChangePasscodeLink}}" method="post">
|
||||
{{.CsrfTokenHtml}}
|
||||
<div class="required inline field {{if and (.Err_Password) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}}">
|
||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
|
||||
</div>
|
||||
|
||||
|
||||
<div class="required inline field {{if and (.Err_Password) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeRegister))}}error{{end}}">
|
||||
<label for="retype">{{.i18n.Tr "re_type"}}</label>
|
||||
<input id="retype" name="retype" type="password" autocomplete="off" required>
|
||||
</div>
|
||||
|
||||
<div class="inline field">
|
||||
<label></label>
|
||||
<button class="ui green button">{{.i18n.Tr "settings.change_password" }}</button>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
Loading…
Reference in New Issue