github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-26 18:43:37 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Missing 2FA guards when sso is enabled or when local login is disabled.

Browse Source
This commit is contained in:
Guo Xiang Tan 2018-03-02 10:37:13 +08:00
parent e19ae6c55e
commit 939180efa8
4 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/users_controller.rb
View File

@ -952,6 +952,7 @@ class UsersController < ApplicationController
end
def create_second_factor
raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed!

4
app/models/concerns/second_factor_manager.rb
View File

@ -33,6 +33,8 @@ module SecondFactorManager
end
def totp_enabled?
!!(self&.user_second_factor&.enabled?)
!!(self&.user_second_factor&.enabled?) &&
!SiteSetting.enable_sso &&
SiteSetting.enable_local_logins
end
end

17
spec/components/concern/second_factor_manager_spec.rb
View File

@ -89,5 +89,22 @@ RSpec.describe SecondFactorManager do
expect(user.totp_enabled?).to eq(true)
end
end
describe 'when SSO is enabled' do
it 'should return false' do
SiteSetting.sso_url = 'http://someurl.com'
SiteSetting.enable_sso = true
expect(user.totp_enabled?).to eq(false)
end
end
describe 'when local login is disabled' do
it 'should return false' do
SiteSetting.enable_local_logins = false
expect(user.totp_enabled?).to eq(false)
end
end
end
end

25
spec/requests/users_controller_spec.rb
View File

@ -431,6 +431,31 @@ RSpec.describe UsersController do
)
end
describe 'when local logins are disabled' do
it 'should return the right response' do
SiteSetting.enable_local_logins = false
post "/users/second_factors.json", params: {
password: 'somecomplicatedpassword'
}
expect(response.status).to eq(404)
end
end
describe 'when SSO is enabled' do
it 'should return the right response' do
SiteSetting.sso_url = 'http://someurl.com'
SiteSetting.enable_sso = true
post "/users/second_factors.json", params: {
password: 'somecomplicatedpassword'
}
expect(response.status).to eq(404)
end
end
it 'succeeds on correct password' do
post "/users/second_factors.json", params: {
password: 'somecomplicatedpassword'