author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2016-08-24 10:42:07 +0200 |
---|---|---|
committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2016-08-24 10:49:23 +0200 |
commit | 6af2efb67931863b27d96c74cdff1d2ca2615e52 (patch) | |
tree | 2ab4525949cef9c9bc818fa49d8eefe70d22f443 /core/Middleware | |
parent | 8d8366762be728f10af7ae9e465dcdba727d0eaf (diff) | |
prevent infinite redirect loops if there is no 2fa provider to pass
This fixes infinite loops that are caused whenever a user is about to solve a 2FA
challenge, but the provider app is disabled at the same time. Since the session
value usually indicates that the challenge needs to be solved before we grant access
we have to remove that value instead in this special case.
Diffstat (limited to 'core/Middleware')
-rw-r--r-- | core/Middleware/TwoFactorMiddleware.php | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
index 9b930edd57d..c4c3b724eb5 100644
--- a/core/Middleware/TwoFactorMiddleware.php
+++ b/core/Middleware/TwoFactorMiddleware.php
@@ -27,6 +27,7 @@ use Exception;
 use OC\Authentication\Exceptions\TwoFactorAuthRequiredException;
 use OC\Authentication\Exceptions\UserAlreadyLoggedInException;
 use OC\Authentication\TwoFactorAuth\Manager;
+use OC\Core\Controller\LoginController;
 use OC\Core\Controller\TwoFactorChallengeController;
 use OC\User\Session;
 use OCP\AppFramework\Controller;
@@ -36,6 +37,7 @@ use OCP\AppFramework\Utility\IControllerMethodReflector;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IURLGenerator;
+use OCP\IUser;
 class TwoFactorMiddleware extends Middleware {
@@ -83,7 +85,7 @@ class TwoFactorMiddleware extends Middleware {
 return;
 }
- if ($controller instanceof \OC\Core\Controller\LoginController && $methodName === 'logout') {
+ if ($controller instanceof LoginController && $methodName === 'logout') {
 // Don't block the logout page, to allow canceling the 2FA
 return;
 }
@@ -92,7 +94,7 @@ class TwoFactorMiddleware extends Middleware {
 $user = $this->userSession->getUser();
 if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) {
- $this->checkTwoFactor($controller, $methodName);
+ $this->checkTwoFactor($controller, $methodName, $user);
 } else if ($controller instanceof TwoFactorChallengeController) {
 // Allow access to the two-factor controllers only if two-factor authentication
 // is in progress.
@@ -102,10 +104,10 @@ class TwoFactorMiddleware extends Middleware {
 // TODO: dont check/enforce 2FA if a auth token is used
 }
- private function checkTwoFactor($controller, $methodName) {
+ private function checkTwoFactor($controller, $methodName, IUser $user) {
 // If two-factor auth is in progress disallow access to any controllers
 // defined within "LoginController".
- $needsSecondFactor = $this->twoFactorManager->needsSecondFactor();
+ $needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user);
 $twoFactor = $controller instanceof TwoFactorChallengeController;
 // Disallow access to any controller if 2FA needs to be checked |
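Review bot: `checkTwoFactor()` now relies on `needsSecondFactor($user)`, which, going by the commit message, also removes the pending-2FA session value when the user has no provider left, so an open challenge is let through (fail-open) instead of blocked, and nothing in the method says so. The Manager side of that change is outside this diffstat, so this is inferred; a comment above the call would make the dependency explicit, e.g. `// needsSecondFactor() may clear the pending-2FA session value when $user has no enabled provider; access is then granted without a second factor`. Logging that case where the session value is dropped would let operators see when a provider app was disabled during an open challenge. The new `IUser $user` hint also turns a null result from `getUser()` at the call site (the `-92,7 +94,7` hunk) into a hard error, and the login check that should rule this out is not in the visible lines. The body of `checkTwoFactor()` continues past the end of the hunk.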