Commit Graph

310 Commits

Author SHA1 Message Date
Guo Xiang Tan
939180efa8 FIX: Missing 2FA guards when sso is enabled or when local login is disabled. 2018-03-02 10:39:10 +08:00
Guo Xiang Tan
964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan
14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Robin Ward
02093ecbdd Extensibility: Allow plugins to munge user params 2018-02-16 19:12:02 -05:00
Guo Xiang Tan
96e5a7da46 Prefer success_Json over custom success JSON payload. 2018-02-15 07:47:35 +08:00
Erick Guan
03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Sam
b34b1b6fe3 FIX: invite to message was not allowing groups
Previously we were incorrectly checking mentionable instead of messageable

Also fix edge case where multiple groups sharing a name mean that exact match override is not working

Also cleans up params sent to user selector
2018-02-13 13:28:46 +11:00
Sam
41986cdb2f Refactor requires login logic, reduce duplicate code
This also corrects the positioning in the chain of the check
and removes misuse of prepend_before_action
2018-02-01 15:17:59 +11:00
Sam
f2e7b74d88 FIX: don't return 200s when login is required to paths
When running `ensure_login_required` it should always happen prior to
`check_xhr` cause check xhr will trigger a 200 response
2018-02-01 12:26:45 +11:00
Robin Ward
2d340d1122 FIX: Don't allow username update via update route
It's not using the UsernameChanger
2018-01-26 16:53:43 -05:00
Gerhard Schlager
dde0fcc658 FEATURE: Allow sending invites to staged users 2018-01-22 15:37:18 +01:00
Régis Hanol
f74ac826c5 slightly more meaningful error message 2018-01-22 12:20:53 +01:00
Arpit Jalan
672888f526 FIX: handle invalid password reset token 2018-01-09 23:48:17 +05:30
Joffrey JAFFEUX
642645ba9a
FIX: broken select badge as user title (#5474)
* FIX: broken select badge as user title

* selected id wasn’t pass to underlying component
* <none> was rendered as an html tag <none></none>
* overriding a badge name wouldn’t work as it was using badge.name and not badge.display_name
* adds a spec to ensure this behavior is correct
2018-01-05 16:58:15 +01:00
Sam
62a27f9d57 FEATURE: warn if attempting to mention a group with too many members 2017-12-21 16:13:57 +11:00
Philipp Daniels
6a2bce1931 FIX: Data loss on update of single user_field.
https://meta.discourse.org/t/api-data-loss-caused-by-changed-behaviour-of-custom-user-field-update/74990
2017-12-20 16:33:23 +08:00
Sam
96584403cd SECURITY: prevent staged accounts from changing email 2017-12-14 17:16:49 +11:00
Sam
a393d3bcbb FIX: ensure staged accounts are always inactive
If for any reason active is stored in the user model, clear it out
prior to creating an account
2017-12-13 14:22:16 +11:00
Guo Xiang Tan
e2b64257b3 Fix undefined method for NilClass error. 2017-12-12 18:54:29 +08:00
Arpit Jalan
5003f07b2c FEATURE: new site setting show_inactive_accounts 2017-12-07 19:22:41 +05:30
Robin Ward
628275fc31 FIX: Some badge routes were still working even with badges disabled 2017-11-21 12:22:44 -05:00
Guo Xiang Tan
ed16cba77f REFACTOR: Raise error if email token fails to create. 2017-11-08 12:02:33 +08:00
Neil Lalonde
d7880af0bb FIX: change password form validation should instruct admins to use min password length for admin accounts 2017-11-07 16:14:56 -05:00
Guo Xiang Tan
d320f4840d FIX: Unable to invite groups that are not public visible into pms.
https://meta.discourse.org/t/inviting-groups-broken-in-head/73346/6
2017-11-03 21:40:33 +08:00
Guo Xiang Tan
edf4af608e FIX: Better match when searching for groups. 2017-11-02 10:20:14 +08:00
Guo Xiang Tan
defea6245c REFACTOR: Always validate email by default. 2017-10-25 13:48:34 +08:00
Neil Lalonde
2db66072d7 SECURITY: signup without verified email using Google auth 2017-10-16 13:51:41 -04:00
Neil Lalonde
1faae3c765 rename forgot_password_strict to hide_email_address_taken 2017-10-03 15:28:31 -04:00
Neil Lalonde
e47f5cedd2 FEATURE: forgot_password_strict setting also prevents reporting that an email address is taken during signup 2017-10-03 15:28:30 -04:00
Régis Hanol
daf1dda700 FIX: username autocomplete in assign modal wasn't working 2017-10-03 12:49:45 +02:00
Guo Xiang Tan
8140e54675 FIX: More fixes for Group#mentionable and Group#messageable feature. 2017-10-02 17:45:58 +08:00
Régis Hanol
f6c484881b FIX: wasn't able to save watched/tracked/muted categories/tags 2017-09-29 13:09:48 +02:00
Régis Hanol
cd6dff58dd FIX: add user option/profile fields that were not permitted 2017-09-28 14:59:53 +02:00
Régis Hanol
af01e62b14 FIX: wasn't allowed to set a user's title anymore 2017-09-26 20:13:24 +02:00
Régis Hanol
28c54b42c5 FIX: wasn't able to update user options anymore 2017-09-26 20:00:10 +02:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Régis Hanol
797936d2c5 FIX: don't leak whisper count in user card 2017-09-14 20:08:16 +02:00
Robin Ward
171d9e5aed SECURITY: Prevent users from updating to blacklisted email domains 2017-09-12 10:11:08 -04:00
Neil Lalonde
d7d9923b8e FIX: display email validation error messages 2017-09-11 13:22:14 -04:00
Sam
9f0f086b3e FEATURE: allow API to mark accounts as approved on creation 2017-08-28 15:36:46 -04:00
Arpit Jalan
6c997b65d9 optimize enqueuing activation email code 2017-07-31 22:57:39 +05:30
Arpit Jalan
2e2b5e28aa FIX: add slight delay when enqueuing activation email 2017-07-31 16:52:07 +05:30
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Leo McArdle
d0b027d88d FEATURE: phase 1 of supporting multiple email addresses 2017-07-20 11:22:27 +09:00
Guo Xiang Tan
5994c85ea9 FIX: Raise the right error when email params is missing. 2017-06-12 17:48:32 +09:00
Robin Ward
54bb2a6bc2 FIX: Don't redirect to wizard when resetting password 2017-06-07 12:36:52 -04:00
Guo Xiang Tan
2cad739262 FIX: Better error message when username change fails.
https://meta.discourse.org/t/500-error-on-username-edit/64064
2017-06-07 10:45:53 +09:00
Robin Ward
b584264d82 FIX: Don't show "resend email" option when user approval is on 2017-05-25 15:29:05 -04:00
Robin Ward
57a2042ef6 FIX: Quiet server side errors for requesting json for account-created 2017-05-04 12:30:13 -04:00