Move reverproxyauth before session so the header will not be ignored even if user has login (#27821)
When a user logs out and another user then logs in, the reverse-proxy auth should be checked before the session; otherwise the old user is still logged in. (cherry picked from commit 26ae5922348d2dbaf2161bbd6ac79b2aa455e5f0)
parent
32c97efab4
commit
1f56a49f28
1 changed files with 6 additions and 6 deletions
|
@ -98,14 +98,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
|
|||
// The Session plugin is expected to be executed second, in order to skip authentication
|
||||
// for users that have already signed in.
|
||||
func buildAuthGroup() *auth_service.Group {
|
||||
group := auth_service.NewGroup(
|
||||
&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
|
||||
&auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
|
||||
&auth_service.Session{},
|
||||
)
|
||||
group := auth_service.NewGroup()
|
||||
group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
|
||||
group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers
|
||||
|
||||
if setting.Service.EnableReverseProxyAuth {
|
||||
group.Add(&auth_service.ReverseProxy{})
|
||||
group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
|
||||
}
|
||||
group.Add(&auth_service.Session{})
|
||||
|
||||
if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {
|
||||
group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI
|
||||
|
|
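Review bot: The doc comment kept as context above `buildAuthGroup` still says the Session plugin is expected to run second so that signed-in users skip authentication, but the new code adds `ReverseProxy` ahead of `Session` whenever `setting.Service.EnableReverseProxyAuth` is set, so that comment no longer describes the order. I would update it and reword the new inline comment to something like `// ReverseProxy must run before Session so the proxy header takes precedence over an existing session cookie`. Because the header now overrides a valid session, the comment should also state the assumption this relies on: the fronting proxy strips or overwrites that header on every client request, and the instance is not reachable around the proxy. Whether a trusted-proxy check enforces this is not visible in the hunk, and the function body continues past its last line.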