Backport #5250 on v1.6: Fix Issue 5249 and protect /api/v1/admin routes with CSRF token (#5272)

* Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware
2025-08-12 12:38:20 +00:00 · 2018-11-04 15:42:15 +00:00
parent f95c966770
commit c0bbbdd30b
5 changed files with 32 additions and 10 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -174,11 +174,15 @@ func repoAssignment() macaron.Handler {

 // Contexter middleware already checks token for user sign in process.
 func reqToken() macaron.Handler {
-	return func(ctx *context.Context) {
-		if true != ctx.Data["IsApiToken"] {
-			ctx.Error(401)
+	return func(ctx *context.APIContext) {
+		if true == ctx.Data["IsApiToken"] {
 			return
 		}
+		if ctx.IsSigned {
+			ctx.RequireCSRF()
+			return
+		}
+		ctx.Context.Error(401)
 	}
 }

@@ -627,7 +631,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)
 				})
 			})
-		}, reqAdmin())
+		}, reqToken(), reqAdmin())

 		m.Group("/topics", func() {
 			m.Get("/search", repo.TopicSearch)