From 741ef66ecfd4f884b870ec5a5308abf108d01a56 Mon Sep 17 00:00:00 2001
From: Lanre Adelowo
Date: Sat, 21 Jul 2018 22:19:11 +0100
Subject: [PATCH] move route to use /settings prefix so as to make sure unauthenticated users can't view the page
---
 modules/context/auth.go | 4 ++--
 routers/routes/routes.go | 4 ++--
 routers/user/auth.go | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/context/auth.go b/modules/context/auth.go
index 58cdc2cac..f6685ebc6 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -42,7 +42,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 // prevent infinite redirection
 // also make sure that the form cannot be accessed by
 // users who don't need this
- if ctx.Req.URL.Path == setting.AppSubURL+"/user/change_password" {
+ if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
 if !ctx.User.MustChangePassword {
 ctx.Redirect(setting.AppSubURL + "/")
 }
@@ -52,7 +52,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 if ctx.User.MustChangePassword {
 ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
- ctx.Redirect(setting.AppSubURL + "/user/change_password")
+ ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
 return
 }
 }
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 991033cde..de6f24efa 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -203,8 +203,6 @@ func RegisterRoutes(m *macaron.Macaron) {
 }, openIDSignInEnabled)
 m.Get("/sign_up", user.SignUp)
 m.Post("/sign_up", bindIgnErr(auth.RegisterForm{}), user.SignUpPost)
- m.Get("/change_password", user.MustChangePassword)
- m.Post("/change_password", bindIgnErr(auth.MustChangePasswordForm{}), user.MustChangePasswordPost)
 m.Get("/reset_password", user.ResetPasswd)
 m.Post("/reset_password", user.ResetPasswdPost)
 m.Group("/oauth2", func() {
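Review bot: The guard in the first Toggle hunk (-42) compares `ctx.Req.URL.Path` against a hand-written literal that now has to match, character for character, the redirect target in the -52 hunk, the route registered under `m.Group("/user/settings", ...)` in routers/routes/routes.go, and the `ChangePasscodeLink` values in both handlers in routers/user/auth.go. If the guard and the redirect target drift apart, a user flagged `MustChangePassword` would be redirected to the form again on arrival, which is the loop the comment above the guard says it prevents. I would define the path once, for example `const MustChangePasswordPath = "/user/settings/change_password"` (the name is only a suggestion), and build every use as `setting.AppSubURL + MustChangePasswordPath`. Toggle starts and ends outside the hunk, and whether a `return` follows the inner `ctx.Redirect(setting.AppSubURL + "/")` is not visible here.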
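Review bot: The unchanged line `ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"` in the second Toggle hunk (-52) still points at the route this commit deletes from routers/routes/routes.go. Because `ctx.Redirect` and `return` follow immediately, the two `ctx.Data` assignments in this branch do not appear to reach any template, so the stale value is probably harmless today, but it leaves a dead URL in the auth middleware for the next change to copy. Either drop both assignments or update the link to `setting.AppSubURL + "/user/settings/change_password"`.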
@@ -231,6 +229,8 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Group("/user/settings", func() {
 m.Get("", userSetting.Profile)
 m.Post("", bindIgnErr(auth.UpdateProfileForm{}), userSetting.ProfilePost)
+ m.Get("/change_password", user.MustChangePassword)
+ m.Post("/change_password", bindIgnErr(auth.MustChangePasswordForm{}), user.MustChangePasswordPost)
 m.Post("/avatar", binding.MultipartForm(auth.AvatarForm{}), userSetting.AvatarPost)
 m.Post("/avatar/delete", userSetting.DeleteAvatar)
 m.Group("/account", func() {
diff --git a/routers/user/auth.go b/routers/user/auth.go
index b5e5c50ae..9ef2c8b74 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -1190,7 +1190,7 @@ func ResetPasswdPost(ctx *context.Context) {
 // MustChangePassword renders the page to change a user's password
 func MustChangePassword(ctx *context.Context) {
 ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+ ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
 ctx.HTML(200, tplMustChangePassword)
 }
@@ -1200,7 +1200,7 @@ func MustChangePassword(ctx *context.Context) {
 func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form auth.MustChangePasswordForm) {
 ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+ ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
 if ctx.HasError() {
 ctx.HTML(200, tplMustChangePassword)
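Review bot: The sign-in requirement that the commit message relies on is not visible in the routes.go hunk at -231: the two added routes sit inside `m.Group("/user/settings", func() {`, and the group's closing line with its middleware is outside the hunk. Since the protection comes only from where these lines are placed, I would add a comment above them, `// Forced password change: keep inside a group that requires sign-in; Toggle redirects users who are not flagged.`, and an integration test asserting that an unauthenticated GET and POST to `/user/settings/change_password` never render or process the form. The old `/user/change_password` URL has no route after the -203 hunk, so a redirect from it may be worth keeping if links to it were ever handed out.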
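Review bot: The doc comment on `MustChangePassword` in the -1190 hunk still reads as a general password page and does not record the preconditions this commit makes load-bearing. The handler body shown here only sets two `ctx.Data` values and renders the template, so I would say so explicitly: `// MustChangePassword renders the forced password-change form. It performs no access check itself; it relies on the /user/settings route group and on context.Toggle.` The same note likely belongs on `MustChangePasswordPost` in the -1200 hunk, whose body continues outside the hunk.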