diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 757b406799..fd7d3687ac 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -90,6 +90,7 @@ import (
"code.gitea.io/gitea/routers/api/v1/repo"
"code.gitea.io/gitea/routers/api/v1/settings"
"code.gitea.io/gitea/routers/api/v1/user"
+ "code.gitea.io/gitea/routers/common"
"code.gitea.io/gitea/services/auth"
context_service "code.gitea.io/gitea/services/context"
"code.gitea.io/gitea/services/forms"
@@ -709,6 +710,106 @@ func buildAuthGroup() *auth.Group {
return group
}
+func apiAuth(authMethod auth.Method) func(*context.APIContext) {
+ return func(ctx *context.APIContext) {
+ ar, err := common.AuthShared(ctx.Base, nil, authMethod)
+ if err != nil {
+ ctx.Error(http.StatusUnauthorized, "APIAuth", err)
+ return
+ }
+ ctx.Doer = ar.Doer
+ ctx.IsSigned = ar.Doer != nil
+ ctx.IsBasicAuth = ar.IsBasicAuth
+ }
+}
+
+// verifyAuthWithOptions checks authentication according to options
+func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIContext) {
+ return func(ctx *context.APIContext) {
+ // Check prohibit login users.
+ if ctx.IsSigned {
+ if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
+ ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "This account is not activated.",
+ })
+ return
+ }
+ if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {
+ log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())
+ ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "This account is prohibited from signing in, please contact your site administrator.",
+ })
+ return
+ }
+
+ if ctx.Doer.MustChangePassword {
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",
+ })
+ return
+ }
+ }
+
+ // Redirect to dashboard if user tries to visit any non-login page.
+ if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
+ ctx.Redirect(setting.AppSubURL + "/")
+ return
+ }
+
+ if options.SignInRequired {
+ if !ctx.IsSigned {
+ // Restrict API calls with error message.
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "Only signed in user is allowed to call APIs.",
+ })
+ return
+ } else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
+ ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "This account is not activated.",
+ })
+ return
+ }
+ if ctx.IsSigned && ctx.IsBasicAuth {
+ if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
+ return // Skip 2FA
+ }
+ twofa, err := auth_model.GetTwoFactorByUID(ctx.Doer.ID)
+ if err != nil {
+ if auth_model.IsErrTwoFactorNotEnrolled(err) {
+ return // No 2FA enrollment for this user
+ }
+ ctx.InternalServerError(err)
+ return
+ }
+ otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
+ ok, err := twofa.ValidateTOTP(otpHeader)
+ if err != nil {
+ ctx.InternalServerError(err)
+ return
+ }
+ if !ok {
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "Only signed in user is allowed to call APIs.",
+ })
+ return
+ }
+ }
+ }
+
+ if options.AdminRequired {
+ if !ctx.Doer.IsAdmin {
+ ctx.JSON(http.StatusForbidden, map[string]string{
+ "message": "You have no permission to request for this.",
+ })
+ return
+ }
+ }
+ }
+}
+
// Routes registers all v1 APIs routes to web application.
func Routes() *web.Route {
m := web.NewRoute()
@@ -728,9 +829,9 @@ func Routes() *web.Route {
m.Use(context.APIContexter())
// Get user from session if logged in.
- m.Use(auth.APIAuth(buildAuthGroup()))
+ m.Use(apiAuth(buildAuthGroup()))
- m.Use(auth.VerifyAuthWithOptionsAPI(&auth.VerifyOptions{
+ m.Use(verifyAuthWithOptions(&common.VerifyOptions{
SignInRequired: setting.Service.RequireSignInView,
}))
diff --git a/routers/common/auth.go b/routers/common/auth.go
new file mode 100644
index 0000000000..8904785d51
--- /dev/null
+++ b/routers/common/auth.go
@@ -0,0 +1,45 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/web/middleware"
+ auth_service "code.gitea.io/gitea/services/auth"
+)
+
+type AuthResult struct {
+ Doer *user_model.User
+ IsBasicAuth bool
+}
+
+func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authMethod auth_service.Method) (ar AuthResult, err error) {
+ ar.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, sessionStore)
+ if err != nil {
+ return ar, err
+ }
+ if ar.Doer != nil {
+ if ctx.Locale.Language() != ar.Doer.Language {
+ ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+ }
+ ar.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == auth_service.BasicMethodName
+
+ ctx.Data["IsSigned"] = true
+ ctx.Data[middleware.ContextDataKeySignedUser] = ar.Doer
+ ctx.Data["SignedUserID"] = ar.Doer.ID
+ ctx.Data["IsAdmin"] = ar.Doer.IsAdmin
+ } else {
+ ctx.Data["SignedUserID"] = int64(0)
+ }
+ return ar, nil
+}
+
+// VerifyOptions contains required or check options
+type VerifyOptions struct {
+ SignInRequired bool
+ SignOutRequired bool
+ AdminRequired bool
+ DisableCSRF bool
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index ec6742f6ce..077a076864 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -6,6 +6,7 @@ package web
import (
gocontext "context"
"net/http"
+ "strings"
"code.gitea.io/gitea/models/perm"
"code.gitea.io/gitea/models/unit"
@@ -19,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/templates"
"code.gitea.io/gitea/modules/validation"
"code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/modules/web/middleware"
"code.gitea.io/gitea/modules/web/routing"
"code.gitea.io/gitea/routers/common"
"code.gitea.io/gitea/routers/web/admin"
@@ -46,7 +48,7 @@ import (
"gitea.com/go-chi/captcha"
"github.com/NYTimes/gziphandler"
- "github.com/go-chi/chi/v5/middleware"
+ chi_middleware "github.com/go-chi/chi/v5/middleware"
"github.com/go-chi/cors"
"github.com/prometheus/client_golang/prometheus"
)
@@ -95,6 +97,109 @@ func buildAuthGroup() *auth_service.Group {
return group
}
+func webAuth(authMethod auth_service.Method) func(*context.Context) {
+ return func(ctx *context.Context) {
+ ar, err := common.AuthShared(ctx.Base, ctx.Session, authMethod)
+ if err != nil {
+ log.Error("Failed to verify user: %v", err)
+ ctx.Error(http.StatusUnauthorized, "Verify")
+ return
+ }
+ ctx.Doer = ar.Doer
+ ctx.IsSigned = ar.Doer != nil
+ ctx.IsBasicAuth = ar.IsBasicAuth
+ if ctx.Doer == nil {
+ // ensure the session uid is deleted
+ _ = ctx.Session.Delete("uid")
+ }
+ }
+}
+
+// verifyAuthWithOptions checks authentication according to options
+func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Context) {
+ return func(ctx *context.Context) {
+ // Check prohibit login users.
+ if ctx.IsSigned {
+ if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
+ ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+ ctx.HTML(http.StatusOK, "user/auth/activate")
+ return
+ }
+ if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {
+ log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())
+ ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+ ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+ return
+ }
+
+ if ctx.Doer.MustChangePassword {
+ if ctx.Req.URL.Path != "/user/settings/change_password" {
+ if strings.HasPrefix(ctx.Req.UserAgent(), "git") {
+ ctx.Error(http.StatusUnauthorized, ctx.Tr("auth.must_change_password"))
+ return
+ }
+ ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+ ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+ if ctx.Req.URL.Path != "/user/events" {
+ middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
+ }
+ ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
+ return
+ }
+ } else if ctx.Req.URL.Path == "/user/settings/change_password" {
+ // make sure that the form cannot be accessed by users who don't need this
+ ctx.Redirect(setting.AppSubURL + "/")
+ return
+ }
+ }
+
+ // Redirect to dashboard (or alternate location) if user tries to visit any non-login page.
+ if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
+ ctx.RedirectToFirst(ctx.FormString("redirect_to"))
+ return
+ }
+
+ if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
+ ctx.Csrf.Validate(ctx)
+ if ctx.Written() {
+ return
+ }
+ }
+
+ if options.SignInRequired {
+ if !ctx.IsSigned {
+ if ctx.Req.URL.Path != "/user/events" {
+ middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
+ }
+ ctx.Redirect(setting.AppSubURL + "/user/login")
+ return
+ } else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
+ ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+ ctx.HTML(http.StatusOK, "user/auth/activate")
+ return
+ }
+ }
+
+ // Redirect to log in page if auto-signin info is provided and has not signed in.
+ if !options.SignOutRequired && !ctx.IsSigned &&
+ len(ctx.GetSiteCookie(setting.CookieUserName)) > 0 {
+ if ctx.Req.URL.Path != "/user/events" {
+ middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
+ }
+ ctx.Redirect(setting.AppSubURL + "/user/login")
+ return
+ }
+
+ if options.AdminRequired {
+ if !ctx.Doer.IsAdmin {
+ ctx.Error(http.StatusForbidden)
+ return
+ }
+ ctx.Data["PageIsAdmin"] = true
+ }
+ }
+}
+
func ctxDataSet(args ...any) func(ctx *context.Context) {
return func(ctx *context.Context) {
for i := 0; i < len(args); i += 2 {
@@ -144,10 +249,10 @@ func Routes() *web.Route {
mid = append(mid, common.Sessioner(), context.Contexter())
// Get user from session if logged in.
- mid = append(mid, auth_service.Auth(buildAuthGroup()))
+ mid = append(mid, webAuth(buildAuthGroup()))
// GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route
- mid = append(mid, middleware.GetHead)
+ mid = append(mid, chi_middleware.GetHead)
if setting.API.EnableSwagger {
// Note: The route is here but no in API routes because it renders a web page
@@ -168,12 +273,12 @@ func Routes() *web.Route {
// registerRoutes register routes
func registerRoutes(m *web.Route) {
- reqSignIn := auth_service.VerifyAuthWithOptions(&auth_service.VerifyOptions{SignInRequired: true})
- reqSignOut := auth_service.VerifyAuthWithOptions(&auth_service.VerifyOptions{SignOutRequired: true})
+ reqSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: true})
+ reqSignOut := verifyAuthWithOptions(&common.VerifyOptions{SignOutRequired: true})
// TODO: rename them to "optSignIn", which means that the "sign-in" could be optional, depends on the VerifyOptions (RequireSignInView)
- ignSignIn := auth_service.VerifyAuthWithOptions(&auth_service.VerifyOptions{SignInRequired: setting.Service.RequireSignInView})
- ignExploreSignIn := auth_service.VerifyAuthWithOptions(&auth_service.VerifyOptions{SignInRequired: setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView})
- ignSignInAndCsrf := auth_service.VerifyAuthWithOptions(&auth_service.VerifyOptions{DisableCSRF: true})
+ ignSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInView})
+ ignExploreSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView})
+ ignSignInAndCsrf := verifyAuthWithOptions(&common.VerifyOptions{DisableCSRF: true})
validation.AddBindingRules()
linkAccountEnabled := func(ctx *context.Context) {
@@ -543,7 +648,7 @@ func registerRoutes(m *web.Route) {
m.Get("/avatar/{hash}", user.AvatarByEmailHash)
- adminReq := auth_service.VerifyAuthWithOptions(&auth_service.VerifyOptions{SignInRequired: true, AdminRequired: true})
+ adminReq := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: true, AdminRequired: true})
// ***** START: Admin *****
m.Group("/admin", func() {
diff --git a/services/auth/middleware.go b/services/auth/middleware.go
deleted file mode 100644
index 4a0b613fa6..0000000000
--- a/services/auth/middleware.go
+++ /dev/null
@@ -1,255 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package auth
-
-import (
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models/auth"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/web/middleware"
-)
-
-// Auth is a middleware to authenticate a web user
-func Auth(authMethod Method) func(*context.Context) {
- return func(ctx *context.Context) {
- ar, err := authShared(ctx.Base, ctx.Session, authMethod)
- if err != nil {
- log.Error("Failed to verify user: %v", err)
- ctx.Error(http.StatusUnauthorized, "Verify")
- return
- }
- ctx.Doer = ar.Doer
- ctx.IsSigned = ar.Doer != nil
- ctx.IsBasicAuth = ar.IsBasicAuth
- if ctx.Doer == nil {
- // ensure the session uid is deleted
- _ = ctx.Session.Delete("uid")
- }
- }
-}
-
-// APIAuth is a middleware to authenticate an api user
-func APIAuth(authMethod Method) func(*context.APIContext) {
- return func(ctx *context.APIContext) {
- ar, err := authShared(ctx.Base, nil, authMethod)
- if err != nil {
- ctx.Error(http.StatusUnauthorized, "APIAuth", err)
- return
- }
- ctx.Doer = ar.Doer
- ctx.IsSigned = ar.Doer != nil
- ctx.IsBasicAuth = ar.IsBasicAuth
- }
-}
-
-type authResult struct {
- Doer *user_model.User
- IsBasicAuth bool
-}
-
-func authShared(ctx *context.Base, sessionStore SessionStore, authMethod Method) (ar authResult, err error) {
- ar.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, sessionStore)
- if err != nil {
- return ar, err
- }
- if ar.Doer != nil {
- if ctx.Locale.Language() != ar.Doer.Language {
- ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
- }
- ar.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == BasicMethodName
-
- ctx.Data["IsSigned"] = true
- ctx.Data[middleware.ContextDataKeySignedUser] = ar.Doer
- ctx.Data["SignedUserID"] = ar.Doer.ID
- ctx.Data["IsAdmin"] = ar.Doer.IsAdmin
- } else {
- ctx.Data["SignedUserID"] = int64(0)
- }
- return ar, nil
-}
-
-// VerifyOptions contains required or check options
-type VerifyOptions struct {
- SignInRequired bool
- SignOutRequired bool
- AdminRequired bool
- DisableCSRF bool
-}
-
-// VerifyAuthWithOptions checks authentication according to options
-func VerifyAuthWithOptions(options *VerifyOptions) func(ctx *context.Context) {
- return func(ctx *context.Context) {
- // Check prohibit login users.
- if ctx.IsSigned {
- if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.HTML(http.StatusOK, "user/auth/activate")
- return
- }
- if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {
- log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- return
- }
-
- if ctx.Doer.MustChangePassword {
- if ctx.Req.URL.Path != "/user/settings/change_password" {
- if strings.HasPrefix(ctx.Req.UserAgent(), "git") {
- ctx.Error(http.StatusUnauthorized, ctx.Tr("auth.must_change_password"))
- return
- }
- ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
- if ctx.Req.URL.Path != "/user/events" {
- middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
- }
- ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
- return
- }
- } else if ctx.Req.URL.Path == "/user/settings/change_password" {
- // make sure that the form cannot be accessed by users who don't need this
- ctx.Redirect(setting.AppSubURL + "/")
- return
- }
- }
-
- // Redirect to dashboard (or alternate location) if user tries to visit any non-login page.
- if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
- ctx.RedirectToFirst(ctx.FormString("redirect_to"))
- return
- }
-
- if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
- ctx.Csrf.Validate(ctx)
- if ctx.Written() {
- return
- }
- }
-
- if options.SignInRequired {
- if !ctx.IsSigned {
- if ctx.Req.URL.Path != "/user/events" {
- middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
- }
- ctx.Redirect(setting.AppSubURL + "/user/login")
- return
- } else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.HTML(http.StatusOK, "user/auth/activate")
- return
- }
- }
-
- // Redirect to log in page if auto-signin info is provided and has not signed in.
- if !options.SignOutRequired && !ctx.IsSigned &&
- len(ctx.GetSiteCookie(setting.CookieUserName)) > 0 {
- if ctx.Req.URL.Path != "/user/events" {
- middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
- }
- ctx.Redirect(setting.AppSubURL + "/user/login")
- return
- }
-
- if options.AdminRequired {
- if !ctx.Doer.IsAdmin {
- ctx.Error(http.StatusForbidden)
- return
- }
- ctx.Data["PageIsAdmin"] = true
- }
- }
-}
-
-// VerifyAuthWithOptionsAPI checks authentication according to options
-func VerifyAuthWithOptionsAPI(options *VerifyOptions) func(ctx *context.APIContext) {
- return func(ctx *context.APIContext) {
- // Check prohibit login users.
- if ctx.IsSigned {
- if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "This account is not activated.",
- })
- return
- }
- if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {
- log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "This account is prohibited from signing in, please contact your site administrator.",
- })
- return
- }
-
- if ctx.Doer.MustChangePassword {
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",
- })
- return
- }
- }
-
- // Redirect to dashboard if user tries to visit any non-login page.
- if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
- ctx.Redirect(setting.AppSubURL + "/")
- return
- }
-
- if options.SignInRequired {
- if !ctx.IsSigned {
- // Restrict API calls with error message.
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "Only signed in user is allowed to call APIs.",
- })
- return
- } else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "This account is not activated.",
- })
- return
- }
- if ctx.IsSigned && ctx.IsBasicAuth {
- if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
- return // Skip 2FA
- }
- twofa, err := auth.GetTwoFactorByUID(ctx.Doer.ID)
- if err != nil {
- if auth.IsErrTwoFactorNotEnrolled(err) {
- return // No 2FA enrollment for this user
- }
- ctx.InternalServerError(err)
- return
- }
- otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
- ok, err := twofa.ValidateTOTP(otpHeader)
- if err != nil {
- ctx.InternalServerError(err)
- return
- }
- if !ok {
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "Only signed in user is allowed to call APIs.",
- })
- return
- }
- }
- }
-
- if options.AdminRequired {
- if !ctx.Doer.IsAdmin {
- ctx.JSON(http.StatusForbidden, map[string]string{
- "message": "You have no permission to request for this.",
- })
- return
- }
- }
- }
-}