move route to use /settings prefix so as to make sure unauthenticated users can't view the page

Lanre Adelowo 2018-07-21 22:19:11 +01:00
parent 59432fae0a
commit 741ef66ecf
3 changed files with 6 additions and 6 deletions


@ -42,7 +42,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
// prevent infinite redirection
// also make sure that the form cannot be accessed by
// users who don't need this
if ctx.Req.URL.Path == setting.AppSubURL+"/user/change_password" {
if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
if !ctx.User.MustChangePassword {
ctx.Redirect(setting.AppSubURL + "/")
}
@ -52,7 +52,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
if ctx.User.MustChangePassword {
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
ctx.Redirect(setting.AppSubURL + "/user/change_password")
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
return
}
}
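Review bot: The unchanged assignment `ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"` in the second hunk of Toggle still names the old path, whose routes this commit removes, while the redirect directly below it now targets `/user/settings/change_password`. The value is probably unused because the handler redirects and returns straight away, but it should be dropped or updated to `setting.AppSubURL + "/user/settings/change_password"` so a stale link cannot reach a template later. The same literal now appears in the path comparison, the redirect and both handlers; one shared constant would stop the forced-password-change gate and the registered route from drifting apart. Toggle's body starts and ends outside these hunks, so whether `ctx.User` is guaranteed non-nil at the path comparison cannot be confirmed from here.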


@ -203,8 +203,6 @@ func RegisterRoutes(m *macaron.Macaron) {
}, openIDSignInEnabled)
m.Get("/sign_up", user.SignUp)
m.Post("/sign_up", bindIgnErr(auth.RegisterForm{}), user.SignUpPost)
m.Get("/change_password", user.MustChangePassword)
m.Post("/change_password", bindIgnErr(auth.MustChangePasswordForm{}), user.MustChangePasswordPost)
m.Get("/reset_password", user.ResetPasswd)
m.Post("/reset_password", user.ResetPasswdPost)
m.Group("/oauth2", func() {
@ -231,6 +229,8 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Group("/user/settings", func() {
m.Get("", userSetting.Profile)
m.Post("", bindIgnErr(auth.UpdateProfileForm{}), userSetting.ProfilePost)
m.Get("/change_password", user.MustChangePassword)
m.Post("/change_password", bindIgnErr(auth.MustChangePasswordForm{}), user.MustChangePasswordPost)
m.Post("/avatar", binding.MultipartForm(auth.AvatarForm{}), userSetting.AvatarPost)
m.Post("/avatar/delete", userSetting.DeleteAvatar)
m.Group("/account", func() {
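Review bot: The two `change_password` routes added inside `m.Group("/user/settings", …)` are protected only by whatever middleware that group is closed with, and the closing arguments are outside this hunk. Since the commit's stated purpose is to keep unauthenticated users off the page, a comment on the new lines would record that dependency, for example `// keep inside the sign-in-required group: this page must not be reachable anonymously`, once the group's middleware is confirmed. An integration test asserting that an anonymous GET and POST to `/user/settings/change_password` never render the form would pin the behaviour against later route moves.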


@ -1190,7 +1190,7 @@ func ResetPasswdPost(ctx *context.Context) {
// MustChangePassword renders the page to change a user's password
func MustChangePassword(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
ctx.HTML(200, tplMustChangePassword)
}
@ -1200,7 +1200,7 @@ func MustChangePassword(ctx *context.Context) {
func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form auth.MustChangePasswordForm) {
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
if ctx.HasError() {
ctx.HTML(200, tplMustChangePassword)