mirror of
https://github.com/go-gitea/gitea.git
synced 2024-12-04 14:46:57 -05:00
1ee59f0fa3
We have some instances that only allow using an external authentication source for authentication. In this case, users changing their email, password, or linked OpenID connections will not have any effect, and we'd like to prevent showing that to them to prevent confusion. Included in this are several changes to support this: * A new setting to disable user managed authentication credentials (email, password & OpenID connections) * A new setting to disable user managed MFA (2FA codes & WebAuthn) * Fix an issue where some templates had separate logic for determining if a feature was disabled since it didn't check the globally disabled features * Hide more user setting pages in the navbar when their settings aren't enabled --------- Co-authored-by: Kyle D <kdumontnu@gmail.com>
161 lines
4.4 KiB
Go
161 lines
4.4 KiB
Go
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
// Copyright 2018 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package security
|
|
|
|
import (
|
|
"net/http"
|
|
"sort"
|
|
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
|
"code.gitea.io/gitea/models/db"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
"code.gitea.io/gitea/modules/base"
|
|
"code.gitea.io/gitea/modules/optional"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/services/auth/source/oauth2"
|
|
"code.gitea.io/gitea/services/context"
|
|
)
|
|
|
|
const (
|
|
tplSettingsSecurity base.TplName = "user/settings/security/security"
|
|
tplSettingsTwofaEnroll base.TplName = "user/settings/security/twofa_enroll"
|
|
)
|
|
|
|
// Security render change user's password page and 2FA
|
|
func Security(ctx *context.Context) {
|
|
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer,
|
|
setting.UserFeatureManageMFA, setting.UserFeatureManageCredentials) {
|
|
ctx.Error(http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
ctx.Data["Title"] = ctx.Tr("settings.security")
|
|
ctx.Data["PageIsSettingsSecurity"] = true
|
|
|
|
if ctx.FormString("openid.return_to") != "" {
|
|
settingsOpenIDVerify(ctx)
|
|
return
|
|
}
|
|
|
|
loadSecurityData(ctx)
|
|
|
|
ctx.HTML(http.StatusOK, tplSettingsSecurity)
|
|
}
|
|
|
|
// DeleteAccountLink delete a single account link
|
|
func DeleteAccountLink(ctx *context.Context) {
|
|
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageCredentials) {
|
|
ctx.Error(http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
id := ctx.FormInt64("id")
|
|
if id <= 0 {
|
|
ctx.Flash.Error("Account link id is not given")
|
|
} else {
|
|
if _, err := user_model.RemoveAccountLink(ctx, ctx.Doer, id); err != nil {
|
|
ctx.Flash.Error("RemoveAccountLink: " + err.Error())
|
|
} else {
|
|
ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
|
|
}
|
|
}
|
|
|
|
ctx.JSONRedirect(setting.AppSubURL + "/user/settings/security")
|
|
}
|
|
|
|
func loadSecurityData(ctx *context.Context) {
|
|
enrolled, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.ServerError("SettingsTwoFactor", err)
|
|
return
|
|
}
|
|
ctx.Data["TOTPEnrolled"] = enrolled
|
|
|
|
credentials, err := auth_model.GetWebAuthnCredentialsByUID(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.ServerError("GetWebAuthnCredentialsByUID", err)
|
|
return
|
|
}
|
|
ctx.Data["WebAuthnCredentials"] = credentials
|
|
|
|
tokens, err := db.Find[auth_model.AccessToken](ctx, auth_model.ListAccessTokensOptions{UserID: ctx.Doer.ID})
|
|
if err != nil {
|
|
ctx.ServerError("ListAccessTokens", err)
|
|
return
|
|
}
|
|
ctx.Data["Tokens"] = tokens
|
|
|
|
accountLinks, err := db.Find[user_model.ExternalLoginUser](ctx, user_model.FindExternalUserOptions{
|
|
UserID: ctx.Doer.ID,
|
|
OrderBy: "login_source_id DESC",
|
|
})
|
|
if err != nil {
|
|
ctx.ServerError("ListAccountLinks", err)
|
|
return
|
|
}
|
|
|
|
// map the provider display name with the AuthSource
|
|
sources := make(map[*auth_model.Source]string)
|
|
for _, externalAccount := range accountLinks {
|
|
if authSource, err := auth_model.GetSourceByID(ctx, externalAccount.LoginSourceID); err == nil {
|
|
var providerDisplayName string
|
|
|
|
type DisplayNamed interface {
|
|
DisplayName() string
|
|
}
|
|
|
|
type Named interface {
|
|
Name() string
|
|
}
|
|
|
|
if displayNamed, ok := authSource.Cfg.(DisplayNamed); ok {
|
|
providerDisplayName = displayNamed.DisplayName()
|
|
} else if named, ok := authSource.Cfg.(Named); ok {
|
|
providerDisplayName = named.Name()
|
|
} else {
|
|
providerDisplayName = authSource.Name
|
|
}
|
|
sources[authSource] = providerDisplayName
|
|
}
|
|
}
|
|
ctx.Data["AccountLinks"] = sources
|
|
|
|
authSources, err := db.Find[auth_model.Source](ctx, auth_model.FindSourcesOptions{
|
|
IsActive: optional.None[bool](),
|
|
LoginType: auth_model.OAuth2,
|
|
})
|
|
if err != nil {
|
|
ctx.ServerError("FindSources", err)
|
|
return
|
|
}
|
|
|
|
var orderedOAuth2Names []string
|
|
oauth2Providers := make(map[string]oauth2.Provider)
|
|
for _, source := range authSources {
|
|
provider, err := oauth2.CreateProviderFromSource(source)
|
|
if err != nil {
|
|
ctx.ServerError("CreateProviderFromSource", err)
|
|
return
|
|
}
|
|
oauth2Providers[source.Name] = provider
|
|
if source.IsActive {
|
|
orderedOAuth2Names = append(orderedOAuth2Names, source.Name)
|
|
}
|
|
}
|
|
|
|
sort.Strings(orderedOAuth2Names)
|
|
|
|
ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
|
|
ctx.Data["OAuth2Providers"] = oauth2Providers
|
|
|
|
openid, err := user_model.GetUserOpenIDs(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.ServerError("GetUserOpenIDs", err)
|
|
return
|
|
}
|
|
ctx.Data["OpenIDs"] = openid
|
|
ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer)
|
|
}
|