From fef385eb52a40da05976fc9ee693a4d513ac9947 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 4 Feb 2022 11:50:37 +0100
Subject: [PATCH 1/2] SignIn form disabled when reverse proxy auth is enabled

SignIn form should not be enabled when users are authenticated with reverse proxy.

Author-Change-Id: IB#1115398
---
 modules/templates/helper.go | 3 +++
 routers/web/web.go | 12 ++++++++++--
 templates/base/head_navbar.tmpl | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 255866e2ed1c6..f841a8ddfba58 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -240,6 +240,9 @@ func NewFuncMap() []template.FuncMap {
 "DisableImportLocal": func() bool {
 return !setting.ImportLocalPaths
 },
+ "DisableReverseProxyAuth": func() bool {
+ return !setting.Service.EnableReverseProxyAuth
+ },
 "Dict": func(values ...interface{}) (map[string]interface{}, error) {
 if len(values)%2 != 0 {
 return nil, errors.New("invalid dict call")
diff --git a/routers/web/web.go b/routers/web/web.go
index 545194aabd3ed..7f47319cffcd0 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -225,6 +225,14 @@ func RegisterRoutes(m *web.Route) {
 }
 }

+ // reverseProxyAuthDisabled rquires reverse proxy authentication to be disabled by admin.
+ reverseProxyAuthDisabled := func(ctx *context.Context) {
+ if setting.Service.EnableReverseProxyAuth {
+ ctx.Error(http.StatusForbidden)
+ return
+ }
+ }
+
 // FIXME: not all routes need go through same middleware.
 // Especially some AJAX requests, we can reduce middleware number to improve performance.
 // Routers.
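Review bot: The new `reverseProxyAuthDisabled` closure in routers/web/web.go answers 403 unconditionally whenever `setting.Service.EnableReverseProxyAuth` is set, which ties "the proxy may authenticate users" to "nobody may use the local sign-in form". An instance that keeps a local administrator account as a fallback for when the proxy or its identity source is unavailable would lose that path, so this is better made an explicit opt-in setting of its own, or at least called out in the configuration documentation. The comment above the closure also misspells "requires" and should say what the guard covers, for example `// reverseProxyAuthDisabled requires reverse proxy authentication to be disabled by the admin; it only gates the routes it is attached to.` RegisterRoutes starts and ends outside this hunk.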
@@ -255,8 +263,8 @@ func RegisterRoutes(m *web.Route) {

 // ***** START: User *****
 m.Group("/user", func() {
- m.Get("/login", auth.SignIn)
- m.Post("/login", bindIgnErr(forms.SignInForm{}), auth.SignInPost)
+ m.Get("/login", reverseProxyAuthDisabled, auth.SignIn)
+ m.Post("/login", reverseProxyAuthDisabled, bindIgnErr(forms.SignInForm{}), auth.SignInPost)
 m.Group("", func() {
 m.Combo("/login/openid").
 Get(auth.SignInOpenID).
diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl
index 5ce1d0b888148..36d0171ee2873 100644
--- a/templates/base/head_navbar.tmpl
+++ b/templates/base/head_navbar.tmpl
@@ -183,7 +183,7 @@
- {{else}}
+ {{else if DisableReverseProxyAuth}}
 {{.i18n.Tr "help"}}
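Review bot: In the `/user` group of routers/web/web.go only the two `/login` handlers receive `reverseProxyAuthDisabled`, while the `/login/openid` combo directly below them in this hunk is registered without it. If the intent is that the reverse proxy is the only interactive way to sign in, that route and any other sign-in or sign-up routes further down the group (outside this hunk, so not verified here) need the same guard. Otherwise the commit should state that only the password form is affected. The group continues past the end of the hunk, so whether a later middleware already covers the OpenID routes cannot be confirmed from the visible lines.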