Fix the permission check for user search API and limit the number of returned users for /user/search (#32310)
Some checks failed
release-nightly / disk-clean (push) Has been cancelled
release-nightly / nightly-binary (push) Has been cancelled
release-nightly / nightly-docker-rootful (push) Has been cancelled
release-nightly / nightly-docker-rootless (push) Has been cancelled

Partially backport #32288

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Zettat123 2024-10-23 12:56:13 +08:00 committed by GitHub
parent b7d12347f3
commit 0d11ba93dd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 32 additions and 40 deletions

View File

@ -356,12 +356,20 @@ func reqToken() func(ctx *context.APIContext) {
func reqExploreSignIn() func(ctx *context.APIContext) { func reqExploreSignIn() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) { return func(ctx *context.APIContext) {
if setting.Service.Explore.RequireSigninView && !ctx.IsSigned { if (setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView) && !ctx.IsSigned {
ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users") ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")
} }
} }
} }
func reqUsersExploreEnabled() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
if setting.Service.Explore.DisableUsersPage {
ctx.NotFound()
}
}
}
func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) { func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) { return func(ctx *context.APIContext) {
if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName { if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
@ -955,7 +963,7 @@ func Routes() *web.Route {
// Users (requires user scope) // Users (requires user scope)
m.Group("/users", func() { m.Group("/users", func() {
m.Get("/search", reqExploreSignIn(), user.Search) m.Get("/search", reqExploreSignIn(), reqUsersExploreEnabled(), user.Search)
m.Group("/{username}", func() { m.Group("/{username}", func() {
m.Get("", reqExploreSignIn(), user.GetInfo) m.Get("", reqExploreSignIn(), user.GetInfo)

View File

@ -8,37 +8,24 @@ import (
"code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/db"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/optional"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/services/context" "code.gitea.io/gitea/services/context"
"code.gitea.io/gitea/services/convert" "code.gitea.io/gitea/services/convert"
) )
// Search search users // SearchCandidates searches candidate users for dropdown list
func Search(ctx *context.Context) { func SearchCandidates(ctx *context.Context) {
listOptions := db.ListOptions{ users, _, err := user_model.SearchUsers(ctx, &user_model.SearchUserOptions{
Page: ctx.FormInt("page"),
PageSize: convert.ToCorrectPageSize(ctx.FormInt("limit")),
}
users, maxResults, err := user_model.SearchUsers(ctx, &user_model.SearchUserOptions{
Actor: ctx.Doer, Actor: ctx.Doer,
Keyword: ctx.FormTrim("q"), Keyword: ctx.FormTrim("q"),
UID: ctx.FormInt64("uid"),
Type: user_model.UserTypeIndividual, Type: user_model.UserTypeIndividual,
IsActive: ctx.FormOptionalBool("active"), IsActive: optional.Some(true),
ListOptions: listOptions, ListOptions: db.ListOptions{PageSize: setting.UI.MembersPagingNum},
}) })
if err != nil { if err != nil {
ctx.JSON(http.StatusInternalServerError, map[string]any{ ctx.ServerError("Unable to search users", err)
"ok": false,
"error": err.Error(),
})
return return
} }
ctx.JSON(http.StatusOK, map[string]any{"data": convert.ToUsers(ctx, ctx.Doer, users)})
ctx.SetTotalCountHeader(maxResults)
ctx.JSON(http.StatusOK, map[string]any{
"ok": true,
"data": convert.ToUsers(ctx, ctx.Doer, users),
})
} }

View File

@ -668,7 +668,7 @@ func registerRoutes(m *web.Route) {
m.Post("/forgot_password", auth.ForgotPasswdPost) m.Post("/forgot_password", auth.ForgotPasswdPost)
m.Post("/logout", auth.SignOut) m.Post("/logout", auth.SignOut)
m.Get("/stopwatches", reqSignIn, user.GetStopwatches) m.Get("/stopwatches", reqSignIn, user.GetStopwatches)
m.Get("/search", ignExploreSignIn, user.Search) m.Get("/search_candidates", ignExploreSignIn, user.SearchCandidates)
m.Group("/oauth2", func() { m.Group("/oauth2", func() {
m.Get("/{provider}", auth.SignInOAuth) m.Get("/{provider}", auth.SignInOAuth)
m.Get("/{provider}/callback", auth.SignInOAuthCallback) m.Get("/{provider}/callback", auth.SignInOAuthCallback)

View File

@ -8,41 +8,38 @@ export function initCompSearchUserBox() {
const searchUserBox = document.getElementById('search-user-box'); const searchUserBox = document.getElementById('search-user-box');
if (!searchUserBox) return; if (!searchUserBox) return;
const $searchUserBox = $(searchUserBox);
const allowEmailInput = searchUserBox.getAttribute('data-allow-email') === 'true'; const allowEmailInput = searchUserBox.getAttribute('data-allow-email') === 'true';
const allowEmailDescription = searchUserBox.getAttribute('data-allow-email-description') ?? undefined; const allowEmailDescription = searchUserBox.getAttribute('data-allow-email-description') ?? undefined;
$searchUserBox.search({ $(searchUserBox).search({
minCharacters: 2, minCharacters: 2,
apiSettings: { apiSettings: {
url: `${appSubUrl}/user/search?active=1&q={query}`, url: `${appSubUrl}/user/search_candidates?q={query}`,
onResponse(response) { onResponse(response) {
const items = []; const resultItems = [];
const searchQuery = $searchUserBox.find('input').val(); const searchQuery = searchUserBox.querySelector('input').value;
const searchQueryUppercase = searchQuery.toUpperCase(); const searchQueryUppercase = searchQuery.toUpperCase();
$.each(response.data, (_i, item) => { for (const item of response.data) {
const resultItem = { const resultItem = {
title: item.login, title: item.login,
image: item.avatar_url, image: item.avatar_url,
description: htmlEscape(item.full_name),
}; };
if (item.full_name) {
resultItem.description = htmlEscape(item.full_name);
}
if (searchQueryUppercase === item.login.toUpperCase()) { if (searchQueryUppercase === item.login.toUpperCase()) {
items.unshift(resultItem); resultItems.unshift(resultItem); // add the exact match to the top
} else { } else {
items.push(resultItem); resultItems.push(resultItem);
} }
}); }
if (allowEmailInput && !items.length && looksLikeEmailAddressCheck.test(searchQuery)) { if (allowEmailInput && !resultItems.length && looksLikeEmailAddressCheck.test(searchQuery)) {
const resultItem = { const resultItem = {
title: searchQuery, title: searchQuery,
description: allowEmailDescription, description: allowEmailDescription,
}; };
items.push(resultItem); resultItems.push(resultItem);
} }
return {results: items}; return {results: resultItems};
}, },
}, },
searchFields: ['login', 'full_name'], searchFields: ['login', 'full_name'],