Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Prevent all kinds of login in readonly mode (#16743)

This commit is contained in:
Daniel Waterworth 2022-05-13 10:52:01 -05:00 committed by GitHub
parent 7412f665e7
commit 66a04c5cfe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/controllers/session_controller.rb
View File

@ -99,6 +99,7 @@ class SessionController < ApplicationController
def become def become
raise Discourse::InvalidAccess if Rails.env.production? raise Discourse::InvalidAccess if Rails.env.production?
raise Discourse::ReadOnly if @readonly_mode
if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1" if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1"
render(content_type: 'text/plain', inline: <<~TEXT) render(content_type: 'text/plain', inline: <<~TEXT)
@ -121,8 +122,8 @@ class SessionController < ApplicationController
end end
def sso_login def sso_login
return render_sso_error(text: I18n.t("read_only_mode_enabled"), status: 503) if @readonly_mode
raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect
raise Discourse::ReadOnly if @readonly_mode
params.require(:sso) params.require(:sso)
params.require(:sig) params.require(:sig)

1
app/controllers/users/omniauth_callbacks_controller.rb
View File

@ -22,6 +22,7 @@ class Users::OmniauthCallbacksController < ApplicationController
def complete def complete
auth = request.env["omniauth.auth"] auth = request.env["omniauth.auth"]
raise Discourse::NotFound unless request.env["omniauth.auth"] raise Discourse::NotFound unless request.env["omniauth.auth"]
raise Discourse::ReadOnly if @readonly_mode
auth[:session] = session auth[:session] = session

11
spec/requests/omniauth_callbacks_controller_spec.rb
View File

@ -157,6 +157,17 @@ RSpec.describe Users::OmniauthCallbacksController do
end end
end end
context "in readonly mode" do
use_redis_snapshotting
it "should return a 503" do
Discourse.enable_readonly_mode
get "/auth/google_oauth2/callback"
expect(response.code).to eq("503")
end
end
context "without an `omniauth.auth` env" do context "without an `omniauth.auth` env" do
it "should return a 404" do it "should return a 404" do
get "/auth/eviltrout/callback" get "/auth/eviltrout/callback"