SECURITY: Don't expose development route in production.
This commit is contained in:
parent
baa383b7f1
commit
70be8124a3
|
@ -10,7 +10,7 @@ class SessionController < ApplicationController
|
|||
before_action :check_local_login_allowed, only: %i(create forgot_password email_login)
|
||||
before_action :rate_limit_login, only: %i(create email_login)
|
||||
skip_before_action :redirect_to_login_if_required
|
||||
skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login become sso_provider destroy email_login)
|
||||
skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login sso_provider destroy email_login)
|
||||
|
||||
ACTIVATE_USER_KEY = "activate_user"
|
||||
|
||||
|
@ -75,14 +75,18 @@ class SessionController < ApplicationController
|
|||
|
||||
# For use in development mode only when login options could be limited or disabled.
|
||||
# NEVER allow this to work in production.
|
||||
if Rails.env.development?
|
||||
skip_before_action :check_xhr, only: [:become]
|
||||
|
||||
def become
|
||||
raise Discourse::InvalidAccess.new unless Rails.env.development?
|
||||
raise Discourse::InvalidAccess if Rails.env.production?
|
||||
user = User.find_by_username(params[:session_id])
|
||||
raise "User #{params[:session_id]} not found" if user.blank?
|
||||
|
||||
log_on_user(user)
|
||||
redirect_to path("/")
|
||||
end
|
||||
end
|
||||
|
||||
def sso_login
|
||||
raise Discourse::NotFound.new unless SiteSetting.enable_sso
|
||||
|
|
|
@ -292,7 +292,10 @@ Discourse::Application.routes.draw do
|
|||
get "extra-locales/:bundle" => "extra_locales#show"
|
||||
|
||||
resources :session, id: RouteFormat.username, only: [:create, :destroy, :become] do
|
||||
if Rails.env.development?
|
||||
get 'become'
|
||||
end
|
||||
|
||||
collection do
|
||||
post "forgot_password"
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue