go-gitea · lunny · May 20, 2024 · May 14, 2024 · May 14, 2024 · May 15, 2024
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
@@ -541,6 +541,16 @@ func GrantApplicationOAuth(ctx *context.Context) {
 		ctx.Error(http.StatusBadRequest)
 		return
 	}
+
+	if !form.Granted {
+		handleAuthorizeError(ctx, AuthorizeError{
+			State:            form.State,
+			ErrorDescription: "the request is denied",
+			ErrorCode:        ErrorCodeAccessDenied,
+		}, form.RedirectURI)
+		return
+	}
+
 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID)
 	if err != nil {
 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

diff --git a/services/forms/user_form.go b/services/forms/user_form.go
@@ -161,6 +161,7 @@ func (f *AuthorizationForm) Validate(req *http.Request, errs binding.Errors) bin
 // GrantApplicationForm form for authorizing oauth2 clients
 type GrantApplicationForm struct {
 	ClientID    string `binding:"Required"`
+	Granted     bool
 	RedirectURI string
 	State       string
 	Scope       string

diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
@@ -16,15 +16,22 @@
 				<p>{{ctx.Locale.Tr "auth.authorize_redirect_notice" .ApplicationRedirectDomainHTML}}</p>
 			</div>
 			<div class="ui attached segment">
-				<form method="post" action="{{AppSubUrl}}/login/oauth/grant">
+				<form class="tw-inline-block" method="post" action="{{AppSubUrl}}/login/oauth/grant">
 					{{.CsrfTokenHtml}}
 					<input type="hidden" name="client_id" value="{{.Application.ClientID}}">
+					<input type="hidden" name="granted" value="true">
 					<input type="hidden" name="state" value="{{.State}}">
 					<input type="hidden" name="scope" value="{{.Scope}}">
 					<input type="hidden" name="nonce" value="{{.Nonce}}">
 					<input type="hidden" name="redirect_uri" value="{{.RedirectURI}}">
 					<button type="submit" id="authorize-app" value="{{ctx.Locale.Tr "auth.authorize_application"}}" class="ui red inline button">{{ctx.Locale.Tr "auth.authorize_application"}}</button>
-					<a href="{{.RedirectURI}}" class="ui basic primary inline button">Cancel</a>
+				</form>
+				<form class="tw-inline-block" method="post" action="{{AppSubUrl}}/login/oauth/grant">
+					{{.CsrfTokenHtml}}
+					<input type="hidden" name="client_id" value="{{.Application.ClientID}}">
+					<input type="hidden" name="state" value="{{.State}}">
+					<input type="hidden" name="redirect_uri" value="{{.RedirectURI}}">
+					<button type="submit" class="ui basic primary inline button">{{ctx.Locale.Tr "cancel"}}</button>
 				</form>
 			</div>
 		</div>