From 535d47c3fe2f70063061a3e06e4a066998ba02e8 Mon Sep 17 00:00:00 2001 From: Paul S Dennis Date: Tue, 30 Mar 2021 16:29:50 +0100 Subject: [PATCH] Optionally always redirect user to login page if they are not authenticated and land on a page that guest is not authorized to view If a wiki is configured to be private, e.g. guest does not have any permissions to view any of the pages on the wiki, it is an annoyance to always be told that you aren't authorized to view a page when you aren't logged in. A more natural flow in this sort of scenario would be to be automatically directed to the login page so that the user can authenticate (and then hopefully gain access to the page). This change adds a configuration option to the security page to enable "Bypass Unauthorized Screen" functionality. This option defaults to false, so there is no change in behavior for existing/new installations, it is an opt-in configuration change. Two new translatable strings are added: "admin:security.bypassUnauthorized": "Bypass Unauthorized Screen" "admin:security.bypassUnauthorizedHint": "Should the user be redirected automatically to the login screen if they are not authenticated and attempt to access a page not accessible to Guest" --- client/components/admin/admin-security.vue | 14 ++++++++++++++ server/app/data.yml | 1 + server/controllers/common.js | 6 +++++- server/graph/resolvers/site.js | 2 ++ server/graph/schemas/site.graphql | 2 ++ 5 files changed, 24 insertions(+), 1 deletion(-) diff --git a/client/components/admin/admin-security.vue b/client/components/admin/admin-security.vue index d2450039..5a28ad1c 100644 --- a/client/components/admin/admin-security.vue +++ b/client/components/admin/admin-security.vue 
@@ -169,6 +169,15 @@
 persistent-hint
 :hint='$t(`admin:security.bypassLoginHint`)'
 )
+ v-switch(
+ inset
+ :label='$t(`admin:security.bypassUnauthorized`)'
+ color='primary'
+ v-model='config.authBypassUnauthorized'
+ prepend-icon='mdi-fast-forward'
+ persistent-hint
+ :hint='$t(`admin:security.bypassUnauthorizedHint`)'
+ )
 v-switch(
 inset
 :label='$t(`admin:security.hideLocalLogin`)'
@@ -252,6 +261,7 @@ export default {
 securityCSP: false,
 securityCSPDirectives: '',
 authAutoLogin: false,
+ authBypassUnauthorized: false,
 authHideLocal: false,
 authLoginBgUrl: '',
 authJwtAudience: 'urn:wiki.js',
@@ -278,6 +288,7 @@ export default {
 mutation: gql`
 mutation (
 $authAutoLogin: Boolean
+ $authBypassUnauthorized: Boolean
 $authEnforce2FA: Boolean
 $authHideLocal: Boolean
 $authLoginBgUrl: String
@@ -299,6 +310,7 @@ export default {
 site {
 updateConfig(
 authAutoLogin: $authAutoLogin,
+ authBypassUnauthorized: $authBypassUnauthorized,
 authEnforce2FA: $authEnforce2FA,
 authHideLocal: $authHideLocal,
 authLoginBgUrl: $authLoginBgUrl,
@@ -329,6 +341,7 @@ export default {
 `,
 variables: {
 authAutoLogin: _.get(this.config, 'authAutoLogin', false),
+ authBypassUnauthorized: _.get(this.config, 'authBypassUnauthorized', false),
 authEnforce2FA: _.get(this.config, 'authEnforce2FA', false),
 authHideLocal: _.get(this.config, 'authHideLocal', false),
 authLoginBgUrl: _.get(this.config, 'authLoginBgUrl', ''),
@@ -380,6 +393,7 @@ export default {
 site {
 config {
 authAutoLogin
+ authBypassUnauthorized
 authEnforce2FA
 authHideLocal
 authLoginBgUrl
diff --git a/server/app/data.yml b/server/app/data.yml
index 60f308f5..21155b40 100644
--- a/server/app/data.yml
+++ b/server/app/data.yml
@@ -55,6 +55,7 @@ defaults:
 darkMode: false
 auth:
 autoLogin: false
+ bypassUnauthorized: false
 enforce2FA: false
 hideLocal: false
 loginBgUrl: ''
diff --git a/server/controllers/common.js b/server/controllers/common.js
index 03b931ef..d1b5895f 100644
--- a/server/controllers/common.js
+++ b/server/controllers/common.js
@@ -444,7 +444,11 @@ router.get('/*', async (req, res, next) => {
 maxAge: 15 * 60 * 1000
 })
 }
- if (pageArgs.path === 'home' && req.user.id === 2) {
+
+ // If the user is the guest user (id 2) and either trying to access the home page for the wiki
+ // or the wiki is configured to not show unauthorized for the guest user,
+ // redirect to the login page for the wiki.
+ if ((pageArgs.path === 'home' || WIKI.config.auth.bypassUnauthorized) && req.user.id === 2) {
 return res.redirect('/login')
 }
 _.set(res.locals, 'pageMeta.title', 'Unauthorized')
diff --git a/server/graph/resolvers/site.js b/server/graph/resolvers/site.js
index 7b7d4119..4e759736 100644
--- a/server/graph/resolvers/site.js
+++ b/server/graph/resolvers/site.js
@@ -22,6 +22,7 @@ module.exports = {
 ...WIKI.config.features,
 ...WIKI.config.security,
 authAutoLogin: WIKI.config.auth.autoLogin,
+ authBypassUnauthorized: WIKI.config.auth.bypassUnauthorized,
 authEnforce2FA: WIKI.config.auth.enforce2FA,
 authHideLocal: WIKI.config.auth.hideLocal,
 authLoginBgUrl: WIKI.config.auth.loginBgUrl,
@@ -69,6 +70,7 @@ module.exports = {
 
 WIKI.config.auth = {
 autoLogin: _.get(args, 'authAutoLogin', WIKI.config.auth.autoLogin),
+ bypassUnauthorized: _.get(args, 'authBypassUnauthorized', WIKI.config.auth.bypassUnauthorized),
 enforce2FA: _.get(args, 'authEnforce2FA', WIKI.config.auth.enforce2FA),
 hideLocal: _.get(args, 'authHideLocal', WIKI.config.auth.hideLocal),
 loginBgUrl: _.get(args, 'authLoginBgUrl', WIKI.config.auth.loginBgUrl),
diff --git a/server/graph/schemas/site.graphql b/server/graph/schemas/site.graphql
index fcd68f50..076776d0 100644
--- a/server/graph/schemas/site.graphql
+++ b/server/graph/schemas/site.graphql
@@ -34,6 +34,7 @@ type SiteMutation {
 contentLicense: String
 logoUrl: String
 authAutoLogin: Boolean
+ authBypassUnauthorized: Boolean
 authEnforce2FA: Boolean
 authHideLocal: Boolean
 authLoginBgUrl: String
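Review bot: The new `if` in common.js widens the redirect while keeping the hard-coded guest id `2` that the added comment now documents as a fact; if the auth layer exposes the guest account (in this codebase presumably `WIKI.auth.guest`), comparing `req.user.id === WIKI.auth.guest.id` would keep the redirect correct on an install whose guest row does not have id 2 — confirm that object exists before switching. The three comment lines mostly restate the condition; a shorter why-comment such as `// Guests get the login page instead of an Unauthorized screen: always on home, everywhere when auth.bypassUnauthorized is set` would read better. On an install upgraded without re-saving the security config, `WIKI.config.auth.bypassUnauthorized` may be `undefined`, which `||` treats as disabled, so the opt-in default holds but is worth stating in the comment. The enclosing `router.get('/*')` handler starts before and continues after this hunk.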
@@ -73,6 +74,7 @@ type SiteConfig {
 contentLicense: String!
 logoUrl: String!
 authAutoLogin: Boolean
+ authBypassUnauthorized: Boolean
 authEnforce2FA: Boolean
 authHideLocal: Boolean
 authLoginBgUrl: String