Login is forbidden

2021-12-10 15:18:42 +08:00 · 2021-12-10 15:18:42 +08:00 · 4c176c1a0a
parent dac17ab26c
commit 4c176c1a0a
3 changed files with 23 additions and 0 deletions
--- a/models/error.go
+++ b/models/error.go
@ -192,6 +192,22 @@ func (err ErrUserInactive) Error() string {
 	return fmt.Sprintf("user is inactive [uid: %d, name: %s]", err.UID, err.Name)
 }

+type ErrUserNodAdmin struct {
+	UID  int64
+	Name string
+}
+
+//  IsErrUserNotAdmin  checks if an error is a ErrUserNotAdmin
+func IsErrUserNotAdmin(err error) bool {
+	_, ok := err.(ErrUserNodAdmin)
+	return ok
+}
+
+func (err ErrUserNodAdmin) Error() string {
+
+	return fmt.Sprintf("user does not admin [uid:%d, name:%s]", err.UID, err.Name)
+}
+
 // ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error.
 type ErrEmailAlreadyUsed struct {
 	Email string
--- a/models/login_source.go
+++ b/models/login_source.go
@ -829,6 +829,9 @@ func UserSignIn(username, password string) (*User, error) {
 	}

 	if hasUser {
+		if !user.IsAdmin {
+			return nil, ErrUserNodAdmin{user.ID, user.Name}
+		}
 		switch user.LoginType {
 		case LoginNoType, LoginPlain, LoginOAuth2:
 			if user.IsPasswordSet() && user.ValidatePassword(password) {
--- a/routers/web/user/auth.go
+++ b/routers/web/user/auth.go
@ -195,6 +195,10 @@ func SignInPost(ctx *context.Context) {
 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 				ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
 			}
+		} else if models.IsErrUserNotAdmin(err) {
+			ctx.RenderWithErr(ctx.Tr("form.User is not an administrator"), tplSignIn, &form)
+			log.Info("Failed authentiation attempt for %s from %s ", form.UserName, ctx.RemoteAddr())
+
 		} else {
 			ctx.ServerError("UserSignIn", err)
 		}