Commit Graph

213 Commits

Author SHA1 Message Date
Neil Lalonde
73c1d3e7fe FIX: tag notification preferences were being cleared when other preferences were changed 2018-03-29 15:08:32 -04:00
Guo Xiang Tan
ea1733ca64 Fix failing spec. 2018-02-23 11:31:10 +08:00
Guo Xiang Tan
1f74509a75 FIX: 2FA prompt incorrectly displayed on admin login page. 2018-02-23 11:05:39 +08:00
Guo Xiang Tan
964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan
14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Sam
49ed382c2a FIX: return 429 when admin api key is limited on admin route
This also handles a general case where exceptions leak out prior to being handled by the application controller
2018-01-12 14:15:26 +11:00
Arpit Jalan
672888f526 FIX: handle invalid password reset token 2018-01-09 23:48:17 +05:30
Joffrey JAFFEUX
642645ba9a
FIX: broken select badge as user title (#5474)
* FIX: broken select badge as user title

* selected id wasn’t pass to underlying component
* <none> was rendered as an html tag <none></none>
* overriding a badge name wouldn’t work as it was using badge.name and not badge.display_name
* adds a spec to ensure this behavior is correct
2018-01-05 16:58:15 +01:00
Arpit Jalan
ef4c6c67ba fix the build 2017-12-23 14:42:40 +05:30
Philipp Daniels
6a2bce1931 FIX: Data loss on update of single user_field.
https://meta.discourse.org/t/api-data-loss-caused-by-changed-behaviour-of-custom-user-field-update/74990
2017-12-20 16:33:23 +08:00
Sam
96584403cd SECURITY: prevent staged accounts from changing email 2017-12-14 17:16:49 +11:00
Sam
a393d3bcbb FIX: ensure staged accounts are always inactive
If for any reason active is stored in the user model, clear it out
prior to creating an account
2017-12-13 14:22:16 +11:00
Arpit Jalan
1d43d7f136 optimize spec 2017-12-12 13:00:53 +05:30
Arpit Jalan
d21db0f186 add a test case to verify presence of registration_ip_address for staged users 2017-12-11 21:33:00 +05:30
Arpit Jalan
5003f07b2c FEATURE: new site setting show_inactive_accounts 2017-12-07 19:22:41 +05:30
Neil Lalonde
9dc9ca4ac0 FIX: be consistent with how first posts in topics are counted. do like DirectoryItem.refresh_period :all 2017-11-10 12:18:25 -05:00
Neil Lalonde
d7880af0bb FIX: change password form validation should instruct admins to use min password length for admin accounts 2017-11-07 16:14:56 -05:00
Neil Lalonde
2db66072d7 SECURITY: signup without verified email using Google auth 2017-10-16 13:51:41 -04:00
Neil Lalonde
1faae3c765 rename forgot_password_strict to hide_email_address_taken 2017-10-03 15:28:31 -04:00
Neil Lalonde
e47f5cedd2 FEATURE: forgot_password_strict setting also prevents reporting that an email address is taken during signup 2017-10-03 15:28:30 -04:00
Guo Xiang Tan
8140e54675 FIX: More fixes for Group#mentionable and Group#messageable feature. 2017-10-02 17:45:58 +08:00
Régis Hanol
af01e62b14 FIX: wasn't allowed to set a user's title anymore 2017-09-26 20:13:24 +02:00
Régis Hanol
28c54b42c5 FIX: wasn't able to update user options anymore 2017-09-26 20:00:10 +02:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Régis Hanol
797936d2c5 FIX: don't leak whisper count in user card 2017-09-14 20:08:16 +02:00
Robin Ward
9b3b39d8a2 FIX: Users should be able to activate their emails even if unapproved
Note in discourse `active` means "Email is active" - they still can't
login until approved
2017-09-12 15:04:39 -04:00
Robin Ward
171d9e5aed SECURITY: Prevent users from updating to blacklisted email domains 2017-09-12 10:11:08 -04:00
Sam
9f0f086b3e FEATURE: allow API to mark accounts as approved on creation 2017-08-28 15:36:46 -04:00
Guo Xiang Tan
0bc690ed11 FIX: Staged users are still missing primary email. 2017-08-09 12:03:49 +09:00
Arpit Jalan
6c997b65d9 optimize enqueuing activation email code 2017-07-31 22:57:39 +05:30
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Guo Xiang Tan
54b508dda3 Add back test to ensure user can't edit name after SiteSetting.username_change_period. 2017-07-24 20:47:34 +09:00
Leo McArdle
d0b027d88d FEATURE: phase 1 of supporting multiple email addresses 2017-07-20 11:22:27 +09:00
Guo Xiang Tan
5994c85ea9 FIX: Raise the right error when email params is missing. 2017-06-12 17:48:32 +09:00
Robin Ward
54bb2a6bc2 FIX: Don't redirect to wizard when resetting password 2017-06-07 12:36:52 -04:00
Guo Xiang Tan
2cad739262 FIX: Better error message when username change fails.
https://meta.discourse.org/t/500-error-on-username-edit/64064
2017-06-07 10:45:53 +09:00
Guo Xiang Tan
2ee144c27f FEATURE: Add DiscourseEvent trigger when a user logs in.
* Also adds a event trigger when user logs in for the first time.
2017-06-01 17:44:49 +09:00
Robin Ward
b584264d82 FIX: Don't show "resend email" option when user approval is on 2017-05-25 15:29:05 -04:00
Sam
2d96a0785d FEATURE: theme selection is now global per-user 2017-05-12 12:41:34 -04:00
Robin Ward
81190f5d66 FIX: Redirect away from account-created if you're logged in 2017-05-03 11:18:01 -04:00
Robin Ward
12fb20fe1b FEATURE: Allow users to resend/update email from confirmation page 2017-05-03 11:18:01 -04:00
Neil Lalonde
0722ffadf1 Remove site settings enforce_global_nicknames and discourse_org_access_key 2017-05-01 14:53:16 -04:00
Arpit Jalan
ea26c56631 FIX: redirect to login page for anonymous user when profiles are hidden 2017-04-20 13:00:45 +05:30
Robin Ward
40ab2e5667 FEATURE: Let users update their emails before confirming
This allows users who entered a typo or invalid email address when
signing up an opportunity to fix it and resending the confirmation
email to that address.
2017-04-05 16:44:49 -04:00
Robin Ward
17f2974d0a SECURITY: Confirm new administrator accounts via email 2017-04-04 15:59:01 -04:00
Robin Ward
6b976433c9 Support for both /users/ and /u/ paths 2017-03-30 10:23:24 -04:00
Arpit Jalan
7c3ae50dcd FIX: send activation email if user have unconfirmed email 2017-03-21 09:41:50 +05:30
Guo Xiang Tan
ca965bb455 FEATURE: Redirect to groups page after login/registration flow. 2017-03-16 09:48:51 +08:00
Sam
a690121805 SECURITY: always allow staff to resend activation mails 2017-03-13 10:32:24 -04:00