SECURITY: when enabled_local_logins is false users could log in via API

thanks @Nicholas Blanco
Sam
2014-03-26 15:39:44 +11:00
parent 1a60969347
commit be06156629
4 changed files with 60 additions and 50 deletions


@ -44,7 +44,7 @@ class SessionController < ApplicationController
def create
if SiteSetting.enable_sso
unless allow_local_auth?
render nothing: true, status: 500
return
end
@ -88,7 +88,7 @@ class SessionController < ApplicationController
def forgot_password
params.require(:login)
if SiteSetting.enable_sso
unless allow_local_auth?
render nothing: true, status: 500
return
end
@ -118,6 +118,10 @@ class SessionController < ApplicationController
private
def allow_local_auth?
!SiteSetting.enable_sso && SiteSetting.enable_local_logins
end
def login_not_approved_for?(user)
SiteSetting.must_approve_users? && !user.approved? && !user.admin?
end
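Review bot: The rewritten guards in `create` and `forgot_password` still answer a disallowed local-auth attempt with `render nothing: true, status: 500`; now that `allow_local_auth?` expresses a policy decision rather than a malfunction, a client error such as `render nothing: true, status: 403` would describe the refusal accurately and keep 5xx error monitoring meaningful. The same response line appears in both hunks, so the change applies at both call sites. Both method bodies continue outside the hunks, so I cannot see whether later branches also rely on the old SSO-only condition. A one-line comment on the new helper, `# Local credentials are accepted only when SSO is off and local logins are enabled.`, would record the intent the commit message describes.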