Guo Xiang Tan
1c44c87945
FIX: Store user's id instead for sending activation email.
...
* Email and username are both allowed to be used for logging in.
Therefore, it is easier to just store the user's id rather than
to store the username and email in the session.
2017-03-13 20:57:21 +08:00
Guo Xiang Tan
8c5e13afd6
SECURITY: Only allow users to resend activation email with a valid session.
...
* Improve error when an active user tries to request for an activation email.
2017-03-13 20:57:17 +08:00
Sam
dd383300b1
FEATURE: rate limit by login on password reset
2016-12-19 11:03:07 +11:00
Sam
61eb134181
FEATURE: setting to allow arbitrary redirects from sso origin
...
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
2016-12-16 13:37:44 +11:00
Guo Xiang Tan
559918c6c6
PERF: Add endpoint to check if a group can be mentioned by user.
2016-11-26 02:20:46 +08:00
Sam
e6fcaadd45
FIX: redirects back to origin for SSO and omniauth login
2016-09-16 13:48:50 +10:00
Sam
0b334cdf74
FIX: stop removing query params from destination url in sso
2016-08-16 17:06:52 +10:00
Robin Ward
2f8ab8cd30
SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions
2016-07-28 11:38:12 -04:00
Peter Lejeck
e265b7b090
Log RecordInvalid when verbose_sso_logging enabled
2016-06-29 22:12:25 -07:00
Sam
852860de66
FEATURE: simpler and friendlier unsubscribe workflow
...
- All unsubscribes go to the exact same page
- You may unsubscribe from watching a category on that page
- You no longer need to be logged in to unsubscribe from a topic
- Simplified footer on emails
2016-06-17 11:28:49 +10:00
Sam
19ca08857f
FEATURE: verbose SSO logging
...
By enabling the site setting verbose_sso_logging
you can log information every time a user tries initiates SSO
and during SSO failures
2016-04-08 11:20:01 +10:00
Sam
a130cb8305
FEATURE: move more urgent emails notifications to critical queue
...
Move signup, admin login and password change email notifications
to critical queue
2016-04-07 14:39:01 +10:00
Sam
8ec7fd84fd
FEATURE: prioritize sidekiq jobs
...
This commit introduces 3 queues for sidekiq
"critical" for urgent jobs (weighted at 4x weight)
"default" for standard jobs(weighted at 2x weight)
"low" for less important jobs
"critical jobs"
Reset Password emails has been seperated to its own job
Heartbeat which is required to keep sidekiq running
Test email which needs to return real quick
"low priority jobs"
Notify mailing list
Pull hotlinked images
Update gravatar
"default"
All the rest
Note: for people running sidekiq from command line use
bin/sidekiq -q critical,4 -q default,2 -q low
2016-04-07 12:56:43 +10:00
Robin Ward
f0552af5f1
FIX: Don't log validation errors for sso
2016-03-23 14:44:34 -04:00
Régis Hanol
0a84275800
missed a couple of newlines in the logs
2016-02-24 23:35:45 +01:00
Régis Hanol
97c7b894ce
better logs when an error happens in SSO
2016-02-24 21:57:01 +01:00
Neil Lalonde
97130463d6
FEATURE: show a new modal when suspended users try to log in
2016-02-19 12:19:20 -05:00
Régis Hanol
7d3be0f8f1
forgot password on a staged account does nothing
2015-11-09 17:37:33 +01:00
Arpit Jalan
c28843e87b
FIX: redirect to return_url when working as SSO provider
2015-10-25 11:30:38 +05:30
Dan Singerman
8055d065f2
Refactor ApplicationController#redirect_to_login_if_required to use session for SSO
2015-08-11 16:48:55 +01:00
Dan Singerman
7056db26e6
Respect cookie[:destination_url] in Single Sign On
...
When the login_required setting is true, the destination URL is dropped. This change means it will be
respected at login time
2015-08-11 16:31:28 +01:00
Sam
fc2a08731a
FIX: sso_not_approved_url not working correctly
2015-05-30 13:19:07 +10:00
Sam
02fa7448ca
FEATURE: custom url to redirect to on account pending approval for sso
2015-05-27 14:06:45 +10:00
Sam
918034aa7b
remove less useful error reporting
2015-05-27 11:17:28 +10:00
Sam
e5888cf090
PERF: avoid preloading json in cases where it is not needed
...
(uploads / avatars / non GET requests)
2015-05-20 17:12:16 +10:00
Sam
14ab9c45b6
Merge pull request #3470 from ahuling13/expired-nonce-return-status
...
In the case of an expired nonce, return a 400 status code instead of 500
2015-05-20 12:08:17 +10:00
Andrew Huling
e44ddff9bb
Change the expired nonce return status code from 400 to 419.
2015-05-19 13:13:14 -04:00
Paul Kaplan
b8a43e153c
Use session controller to prevent inactive SSO users
2015-05-15 12:15:06 -05:00
Andrew Huling
e1d2ecef10
In the case of an expired nonce, return a 400 status code instead of a 500.
...
500 status codes are for unexpected server-side error scenarios. When an expired nonce is used by the client, a 4XX-level error is more appropriate because the client has submitted a bad request (by using an expired nonce). A 500 also causes Internet Explorer to show its default 500 page which does not show the error message and leads to a bad end user experience. I am choosing 400 for the new status rather than 401 or 403 because 401 requires a WWW-Authenticate header which would be difficult to generate in an SSO scenario and a 403 implies that no re-authentication will address the failure.
2015-05-14 16:03:02 -04:00
Harm Geerts
d9a3e82516
Stop sso login processing after rendering error
...
This prevents a DoubleRenderError triggered on the redirect_to.
2015-05-11 14:17:32 +02:00
Sam
f5af4768eb
FEATURE: add clean support for running Discourse in a subfolder
...
To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-09 13:14:29 +11:00
Neil Lalonde
7c14db44cc
UX: improve message when admin login is blocked because of admin ip address whitelisting
2015-03-02 12:13:22 -05:00
Robin Ward
3e2ba5b30b
FIX: If an IP is blocked, don't allow people to login using it
2015-02-25 16:02:40 -05:00
Robin Ward
ca5730018a
FIX: SSO code should respect IP address filters
2015-02-23 16:01:46 -05:00
riking
5657006aca
Rename handle_exception to handle_job_exception
2015-02-09 12:47:46 -08:00
Robin Ward
b3a2c0c45b
SECURITY: The SSO return_path
was an open redirect
...
This security fix needs SSO to be configured, and the user has to go
through the entire auth process before being redirected to the wrong host so
it is probably lower priority for most installs.
2015-01-22 12:20:17 -05:00
Robin Ward
9bb2ab6265
Merge pull request #3034 from fantasticfears/filter_system_user
...
disable sending email or show presence when forgot system user password
2014-12-19 16:52:01 -05:00
Erick Guan
ceca85c9eb
use system user helper and constant when it's referred
2014-12-18 18:21:14 +08:00
Erick Guan
9937af7ac4
disable sending email or show presence when forgot system user password
2014-12-10 14:17:56 +08:00
Sam
800ae5265f
Add admin and moderator state to sso provider
2014-11-27 12:24:37 +11:00
Sam
c10e3df012
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it
...
FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 17:26:27 +11:00
Sam
9e1e3df6c9
FEATURE: Localize SSO error messages
2014-11-24 12:16:23 +11:00
Sam
d3b24b625b
Add more SSO logging for failure conditions
2014-11-24 10:02:22 +11:00
Robin Ward
1252e7324f
Added easy impersonate route while in development mode
2014-10-07 12:25:50 -04:00
Sam
d53e01619f
SECURITY: rate limit user/password login
2014-09-25 10:06:44 +10:00
riking
2c6d03f87f
SECURITY: Limit passwords to 200 characters
...
Prevents layer 8 attack.
2014-09-12 12:07:11 -04:00
Sam
45e8337a29
FEATURE: renames forgot_password_verbose, forgot_password_strict
2014-09-11 15:53:29 +10:00
Sam
61bcde6284
FEATURE: inform users if forgot password works or not
...
FIX: flash dialog in forgot password often had wrong color
(this can be disabled by setting forgot_password_verbose to false)
2014-09-11 12:04:44 +10:00
Neil Lalonde
ca5f361d0a
FEATURE: restrict admin access based on IP address
2014-09-05 12:06:01 -04:00
Sam
e0a82d3088
FIX: rate limit password reset email
2014-08-18 10:55:30 +10:00