From 75b6cacb5d001bb7a4dd24904e47e1deef1ab847 Mon Sep 17 00:00:00 2001 From: Go MAEDA Date: Tue, 2 Feb 2021 07:15:08 +0000 Subject: [PATCH] Fix redirect loop when both enabling two-factor authentication and changing password are required (#1237, #34618). Patch by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@20734 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/my_controller.rb | 2 +- test/integration/twofa_test.rb | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb index 9083b1317..e74274a77 100644 --- a/app/controllers/my_controller.rb +++ b/app/controllers/my_controller.rb @@ -21,7 +21,7 @@ class MyController < ApplicationController self.main_menu = false before_action :require_login # let user change user's password when user has to - skip_before_action :check_password_change, :only => :password + skip_before_action :check_password_change, :check_twofa_activation, :only => :password accept_api_auth :account diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb index e086d683e..b0aa69466 100644 --- a/test/integration/twofa_test.rb +++ b/test/integration/twofa_test.rb @@ -30,6 +30,19 @@ class TwofaTest < Redmine::IntegrationTest end end + test 'should require to change password first when must_change_passwd is true' do + User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true) + with_settings twofa: '2' do + log_user('jsmith', 'jsmith') + follow_redirect! + assert_redirected_to '/my/password' + follow_redirect! + # Skip the before action check_twofa_activation for '/my/password' + # to avoid redirect loop + assert_response :success + end + end + test "should generate and accept backup codes" do log_user('jsmith', 'jsmith') get "/my/account" -- 2.39.5