Force user to change password (#4489)

* redirect to login page after successfully activating account * force users to change password if account was created by an admin * force users to change password if account was created by an admin * fixed build * fixed build * fix pending issues with translation and wrong routes * make sure path check is safe * remove unneccessary newline * make sure users that don't have to view the form get redirected * move route to use /settings prefix so as to make sure unauthenticated users can't view the page * update as per @lafriks review * add necessary comment * remove unrelated changes * support redirecting to location the user actually want to go to before being forced to change his/her password * run make fmt * added tests * improve assertions * add assertion * fix copyright year Signed-off-by: Lanre Adelowo <yo@lanre.wtf>
2018-09-13 13:04:25 +01:00 · 2018-09-13 13:04:25 +01:00 · 126ba796dc
commit 126ba796dc
parent 10a2a904d7
13 changed files with 255 additions and 22 deletions
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@ -31,10 +31,31 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 		}

 		// Check prohibit login users.
-		if ctx.IsSigned && ctx.User.ProhibitLogin {
-			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
-			ctx.HTML(200, "user/auth/prohibit_login")
-			return
+		if ctx.IsSigned {
+
+			if ctx.User.ProhibitLogin {
+				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+				ctx.HTML(200, "user/auth/prohibit_login")
+				return
+			}
+
+			// prevent infinite redirection
+			// also make sure that the form cannot be accessed by
+			// users who don't need this
+			if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
+				if !ctx.User.MustChangePassword {
+					ctx.Redirect(setting.AppSubURL + "/")
+				}
+				return
+			}
+
+			if ctx.User.MustChangePassword {
+				ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+				ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+				ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL)
+				ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
+				return
+			}
 		}

 		// Redirect to dashboard if user tries to visit any non-login page.