path: root/app/controllers/application_controller.rb
authorMarius Balteanu <marius.balteanu@zitec.com>2022-02-24 19:10:35 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2022-02-24 19:10:35 +0000
commit1db2566ff95c72c6e86e2c406b2bc7827a85dc46 (patch)
tree66a0ba4b2c79ce0380ee0c4edeb9ea3452e2a406 /app/controllers/application_controller.rb
parentba74ba1c702e7a122328094341e659c2baf9fd3d (diff)
downloadredmine-1db2566ff95c72c6e86e2c406b2bc7827a85dc46.tar.gz
redmine-1db2566ff95c72c6e86e2c406b2bc7827a85dc46.zip
Disable API authentication with username and password when two-factor authentication is enabled for the user (#35001).
Patch by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@21436 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb9
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 8878026f3..c287cc96a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -132,7 +132,14 @@ class ApplicationController < ActionController::Base
elsif /\ABasic /i.match?(request.authorization.to_s)
# HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
- user = User.try_to_login(username, password) || User.find_by_api_key(username)
+ user = User.try_to_login(username, password)
+ # Don't allow using username/password when two-factor auth is active
+ if user&.twofa_active?
+ render_error :message => 'HTTP Basic authentication is not allowed. Use API key instead', :status => 401
+ return
+ end
+
+ user ||= User.find_by_api_key(username)
end
if user && user.must_change_password?
render_error :message => 'You must change your password', :status => 403
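Review bot: The password is still verified before the two-factor check, because `User.try_to_login(username, password)` on the first added line runs with the submitted password and only afterwards does `user&.twofa_active?` reject the request; a correct password for a 2FA-protected account is therefore still confirmed to the caller, and the distinct 401 body "HTTP Basic authentication is not allowed. Use API key instead" makes that confirmation explicit, so the endpoint remains a password oracle for exactly the accounts 2FA is meant to protect. It would be safer to resolve the account by login before any password check, e.g. `if (u = User.find_by_login(username)) && u.twofa_active?` ahead of the `try_to_login` call (assuming such a finder exists on User; it is not visible in this hunk), so the password is never evaluated for 2FA users, or at minimum return the same generic 401 response as a failed login. If `try_to_login` also records a successful login (last-login timestamp or similar), that side effect would presumably still fire here as well — worth confirming. The enclosing method starts before and ends after this hunk.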