Only show SSH clone URL if signed in (#2169) #2170
Conversation
|
If you have configurable solution than submit that |
tboerger
added
the
lgtm/need 2
If this flag (default True) is set to false, the SSH clone URL will only be exposed if the current user is signed in.
|
Done. Updated my branch and the above description. |
conf/app.ini
Outdated
| @@ -154,7 +156,7 @@ LFS_START_SERVER = false | |||
| ; Where your lfs files put on, default is data/lfs. | |||
| LFS_CONTENT_PATH = data/lfs | |||
| ; LFS authentication secret, changed this to yourself. | |||
| LFS_JWT_SECRET = | |||
| LFS_JWT_SECRET = | |||
conf/app.ini
Outdated
| @@ -126,6 +126,8 @@ SSH_KEY_TEST_PATH = | |||
| SSH_KEYGEN_PATH = ssh-keygen | |||
| ; Enable SSH Authorized Key Backup when rewriting all keys, default is true | |||
| SSH_BACKUP_AUTHORIZED_KEYS = true | |||
| ; Enable exposure of SSH clone URL to anonymous visitors, default is true | |||
| SSH_EXPOSE_ANONYMOUS = true | |||
There was a problem hiding this comment.
I think default should be false to match GitHub and also for security reason not to expose unneeded URL's
modules/setting/setting.go
Outdated
| }{ | ||
| Disabled: false, | ||
| StartBuiltinServer: false, | ||
| Domain: "", | ||
| Port: 22, | ||
| KeygenPath: "ssh-keygen", | ||
| ExposeAnonymous: true, |
There was a problem hiding this comment.
Default value should be better set lower like AuthorizedKeysBackup:
https://github.com/stklcode/gitea/blob/24109f4093603a6b4dbcf0735a7506e24ef1e289/modules/setting/setting.go#L711
|
Also integration test would be nice to check that |
To match GitHub and for security reasons, SSH URL exposure is disabled by default. In addition to that. minor code changes have been applied. Signed-off-by: Stefan Kalscheuer <[email protected]>
|
I hope you don't mind that I added integration tests, thanks for your first PR 👍 |
conf/app.ini
Outdated
| @@ -126,6 +126,8 @@ SSH_KEY_TEST_PATH = | |||
| SSH_KEYGEN_PATH = ssh-keygen | |||
| ; Enable SSH Authorized Key Backup when rewriting all keys, default is true | |||
| SSH_BACKUP_AUTHORIZED_KEYS = true | |||
| ; Enable exposure of SSH clone URL to anonymous visitors, default is true | |||
There was a problem hiding this comment.
Please change also comment that default is false
templates/repo/home.tmpl
Outdated
| <button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.CloneLink.SSH}}"> | ||
| SSH | ||
| </button> | ||
| {{end}} | ||
| {{if not $.DisableHTTP}} | ||
| <input id="repo-clone-url" value="{{$.CloneLink.HTTPS}}" readonly> | ||
| {{else}} | ||
| {{else if or $.IsSigned $.ExposeAnonSSH}} |
There was a problem hiding this comment.
Please also change condition to be same as for button to take into account that ssh is not disabled
templates/repo/home.tmpl
Outdated
| <button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.CloneLink.SSH}}"> | ||
| SSH | ||
| </button> | ||
| {{end}} | ||
| {{if not $.DisableHTTP}} | ||
| <input id="repo-clone-url" value="{{$.CloneLink.HTTPS}}" readonly> | ||
| {{else}} | ||
| {{else if or $.IsSigned $.ExposeAnonSSH}} | ||
| <input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly> | ||
| {{end}} | ||
| <button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url"> |
There was a problem hiding this comment.
Also do not show copy button if both http and ssh clone are disabled or is not signed in and because of that clone url is not visible
There was a problem hiding this comment.
The button has been shown before, if both were disabled. But you're right, definitely a reasonable change.
templates/repo/bare.tmpl
Outdated
| @@ -18,14 +18,14 @@ | |||
| {{if UseHTTPS}}HTTPS{{else}}HTTP{{end}} | |||
| </button> | |||
| {{end}} | |||
| {{if not $.DisableSSH}} | |||
| {{if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}} | |||
There was a problem hiding this comment.
For bare repository check is not needed as there is already check to show clone url only if user is IsRepositoryAdmin
Signed-off-by: Stefan Kalscheuer <[email protected]>
|
Great job 👍 LGTM |
tboerger
added
lgtm/need 1
|
LGTM |
tboerger
added
lgtm/done
This PR targets issue #2169
For cloning via SSH a user needs to provide a public key. If this is the case, this user has an account or is added by a member. Anonymous visitors hence do not need to see the SSH URL.
This is a hard-coded soliton (as voted by @lafriks), equivalent to GitHub's behavior. If a configurable solution is desired instead, I got another diofferent branch (stklcode/gitea@d7cbf5d) ready.This solution introduces a config flag
SSH_EXPOSE_ANONYMOUS(defaultfalse) to hide by default and opt-in to the old behavior.