SECURITY: Don't expose development route in production.

Guo Xiang Tan 2018-03-28 11:22:43 +08:00
parent baa383b7f1
commit 70be8124a3
2 changed files with 15 additions and 8 deletions


@ -10,7 +10,7 @@ class SessionController < ApplicationController
before_action :check_local_login_allowed, only: %i(create forgot_password email_login)
before_action :rate_limit_login, only: %i(create email_login)
skip_before_action :redirect_to_login_if_required
skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login become sso_provider destroy email_login)
skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login sso_provider destroy email_login)
ACTIVATE_USER_KEY = "activate_user"
@ -75,14 +75,18 @@ class SessionController < ApplicationController
# For use in development mode only when login options could be limited or disabled.
# NEVER allow this to work in production.
if Rails.env.development?
skip_before_action :check_xhr, only: [:become]
def become
raise Discourse::InvalidAccess.new unless Rails.env.development?
raise Discourse::InvalidAccess if Rails.env.production?
user = User.find_by_username(params[:session_id])
raise "User #{params[:session_id]} not found" if user.blank?
log_on_user(user)
redirect_to path("/")
end
end
def sso_login
raise Discourse::NotFound.new unless SiteSetting.enable_sso
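Review bot: The in-method guard is weakened from `unless Rails.env.development?` to `if Rails.env.production?`, and because `def become` now sits inside `if Rails.env.development?` that line can never fire, so the only thing it documents is a narrower intent than the surrounding comment ("NEVER allow this to work in production") implies. If the guard is kept as defense in depth for the day someone lifts the definition out of the `if` (e.g. to reach it from specs), it should stay an allow-list rather than a deny-list, since a non-standard RAILS_ENV such as `staging` passes `if production?` but fails `unless development?`: `raise Discourse::InvalidAccess unless Rails.env.development?`. Two smaller points: `raise "User #{params[:session_id]} not found"` echoes a request parameter in a RuntimeError message (a 500 in practice, acceptable only because this code is development-only), and dropping `become` from the `preload_json` skip list on the first hunk while re-adding only `check_xhr` here means `preload_json` now runs before the redirect — presumably harmless, but worth confirming it was intended rather than an artifact of the move.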


@ -292,7 +292,10 @@ Discourse::Application.routes.draw do
get "extra-locales/:bundle" => "extra_locales#show"
resources :session, id: RouteFormat.username, only: [:create, :destroy, :become] do
if Rails.env.development?
get 'become'
end
collection do
post "forgot_password"
end