github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: second factor cannot be enabled if SSO is enabled (#10880)

Browse Source 
* FIX: second factor cannot be enabled if SSO is enabled

If `enable_sso` setting is enabled then admin should not be able to
enable `enforce_second_factor` setting as that will lock users out.

Co-authored-by: Robin Ward <robin.ward@gmail.com>
This commit is contained in:
Arpit Jalan
2020-10-09 22:36:38 +05:30
committed by GitHub
parent d96b35b0f5
commit 4326827a4e
3 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/locales/server.en.yml
View File

@ -196,6 +196,7 @@ en:
share_quote_facebook_requirements: "You must set a Facebook app id to enable quote sharing for Facebook." share_quote_facebook_requirements: "You must set a Facebook app id to enable quote sharing for Facebook."
second_factor_cannot_enforce_with_socials: "You cannot enforce 2FA with social logins enabled. You must first disable login via: %{auth_provider_names}" second_factor_cannot_enforce_with_socials: "You cannot enforce 2FA with social logins enabled. You must first disable login via: %{auth_provider_names}"
second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled." second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled."
second_factor_cannot_be_enforced_with_sso_enabled: "You cannot enforce 2FA if SSO is enabled."
local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins." local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins."
cannot_enable_s3_uploads_when_s3_enabled_globally: "You cannot enable S3 uploads because S3 uploads are already globally enabled, and enabling this site-level could cause critical issues with uploads" cannot_enable_s3_uploads_when_s3_enabled_globally: "You cannot enable S3 uploads because S3 uploads are already globally enabled, and enabling this site-level could cause critical issues with uploads"
conflicting_google_user_id: 'The Google Account ID for this account has changed; staff intervention is required for security reasons. Please contact staff and point them to <br><a href="https://meta.discourse.org/t/76575">https://meta.discourse.org/t/76575</a>' conflicting_google_user_id: 'The Google Account ID for this account has changed; staff intervention is required for security reasons. Please contact staff and point them to <br><a href="https://meta.discourse.org/t/76575">https://meta.discourse.org/t/76575</a>'

3
lib/site_settings/validations.rb
View File

@ -173,6 +173,9 @@ module SiteSettings::Validations
end end
def validate_enforce_second_factor(new_val) def validate_enforce_second_factor(new_val)
if SiteSetting.enable_sso?
return validate_error :second_factor_cannot_be_enforced_with_sso_enabled
end
if new_val == "all" && Discourse.enabled_auth_providers.count > 0 if new_val == "all" && Discourse.enabled_auth_providers.count > 0
auth_provider_names = Discourse.enabled_auth_providers.map(&:name).join(", ") auth_provider_names = Discourse.enabled_auth_providers.map(&:name).join(", ")
return validate_error(:second_factor_cannot_enforce_with_socials, auth_provider_names: auth_provider_names) return validate_error(:second_factor_cannot_enforce_with_socials, auth_provider_names: auth_provider_names)

12
spec/lib/site_settings/validations_spec.rb
View File

@ -149,6 +149,18 @@ describe SiteSettings::Validations do
expect { subject.validate_enforce_second_factor("all") }.to raise_error(Discourse::InvalidParameters, error_message) expect { subject.validate_enforce_second_factor("all") }.to raise_error(Discourse::InvalidParameters, error_message)
end end
end end
context "when SSO is enabled" do
let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_sso_enabled") }
before do
SiteSetting.sso_url = "https://www.example.com/sso"
SiteSetting.enable_sso = true
end
it "should raise an error" do
expect { subject.validate_enforce_second_factor("t") }.to raise_error(Discourse::InvalidParameters, error_message)
end
end
end end
describe "#validate_enable_local_logins" do describe "#validate_enable_local_logins" do