Fix redirect loop when both enabling two-factor authentication and changing password...
authorGo MAEDA <maeda@farend.jp>
Tue, 2 Feb 2021 07:15:08 +0000 (07:15 +0000)
committerGo MAEDA <maeda@farend.jp>
Tue, 2 Feb 2021 07:15:08 +0000 (07:15 +0000)
Patch by Go MAEDA.

git-svn-id: http://svn.redmine.org/redmine/trunk@20734 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/my_controller.rb
test/integration/twofa_test.rb

index 9083b1317481aa84bc6c3e394195204923448de1..e74274a776121ce182ce435881682fe80dd9c26f 100644 (file)
@@ -21,7 +21,7 @@ class MyController < ApplicationController
   self.main_menu = false
   before_action :require_login
   # let user change user's password when user has to
-  skip_before_action :check_password_change, :only => :password
+  skip_before_action :check_password_change, :check_twofa_activation, :only => :password
 
   accept_api_auth :account
 
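Review bot: The comment above the changed `skip_before_action` line still describes only the forced-password-change case, but the line now also exempts the `password` action from `check_twofa_activation`, and it does so for every user rather than only those with `must_change_passwd` set. Since this relaxes a security filter, the reason should be recorded next to it, for example `# also skip check_twofa_activation: it and check_password_change both redirect, so enforcing 2FA setup on /my/password loops`. It is also worth confirming that the `password` action, which is outside this hunk, still requires the current password, because a session that has not completed required two-factor enrollment can now reach it. If the exemption is meant only for the forced-change case, a conditional skip would keep it narrower.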
index e086d683e0b359c529fc765277697695f9fa22e0..b0aa6946601d049e965c423c92d108f38b1ed525 100644 (file)
@@ -30,6 +30,19 @@ class TwofaTest < Redmine::IntegrationTest
     end
   end
 
+  test 'should require to change password first when must_change_passwd is true' do
+    User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true)
+    with_settings twofa: '2' do
+      log_user('jsmith', 'jsmith')
+      follow_redirect!
+      assert_redirected_to '/my/password'
+      follow_redirect!
+      # Skip the before action check_twofa_activation for '/my/password'
+      # to avoid redirect loop
+      assert_response :success
+    end
+  end
+
   test "should generate and accept backup codes" do
     log_user('jsmith', 'jsmith')
     get "/my/account"
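Review bot: The new test ends at `assert_response :success` on the password page, so it never checks that two-factor activation is enforced again once the password has been changed. Because the commit exempts an action from a security filter, the test should continue past that point: submit the password change, make a further request, and assert that it is redirected to the two-factor activation page. Without that, a later change that widens the skip and lets users avoid enrollment entirely would still pass. A second case with `must_change_passwd` false, asserting what `/my/password` does for a user who has not activated two-factor, would pin down the unconditional part of the skip. The `TwofaTest` class continues outside this hunk, and the trailing test is only partly visible.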