SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)
Do not allow authentication with disabled plugin-supplied auth providers
This commit is contained in:
parent
81188060d6
commit
9a813210b9
|
@ -93,16 +93,19 @@ class Users::OmniauthCallbacksController < ApplicationController
|
|||
def self.find_authenticator(name)
|
||||
BUILTIN_AUTH.each do |authenticator|
|
||||
if authenticator.name == name
|
||||
raise Discourse::InvalidAccess.new("provider is not enabled") unless SiteSetting.send("enable_#{name}_logins?")
|
||||
raise Discourse::InvalidAccess.new(I18n.t("provider_not_enabled")) unless SiteSetting.send("enable_#{name}_logins?")
|
||||
return authenticator
|
||||
end
|
||||
end
|
||||
|
||||
Discourse.auth_providers.each do |provider|
|
||||
unless provider.enabled_setting.nil? || SiteSetting.send(provider.enabled_setting)
|
||||
raise Discourse::InvalidAccess.new(I18n.t("provider_not_enabled"))
|
||||
end
|
||||
return provider.authenticator if provider.name == name
|
||||
end
|
||||
|
||||
raise Discourse::InvalidAccess.new("provider is not found")
|
||||
raise Discourse::InvalidAccess.new(I18n.t("provider_not_found"))
|
||||
end
|
||||
|
||||
protected
|
||||
|
|
|
@ -198,6 +198,8 @@ en:
|
|||
not_found: "The requested URL or resource could not be found."
|
||||
invalid_access: "You are not permitted to view the requested resource."
|
||||
invalid_api_credentials: "You are not permitted to view the requested resource. The API username or key is invalid."
|
||||
provider_not_enabled: "You are not permitted to view the requested resource. The authentication provider is not enabled."
|
||||
provider_not_found: "You are not permitted to view the requested resource. The authentication provider does not exist."
|
||||
read_only_mode_enabled: "The site is in read only mode. Interactions are disabled."
|
||||
|
||||
reading_time: "Reading time"
|
||||
|
|
|
@ -33,6 +33,42 @@ RSpec.describe Users::OmniauthCallbacksController do
|
|||
expect(Users::OmniauthCallbacksController.find_authenticator("twitter"))
|
||||
.not_to eq(nil)
|
||||
end
|
||||
|
||||
context "with a plugin-contributed auth provider" do
|
||||
|
||||
let :provider do
|
||||
provider = Plugin::AuthProvider.new
|
||||
provider.authenticator = Auth::OpenIdAuthenticator.new('ubuntu', 'https://login.ubuntu.com', trusted: true)
|
||||
provider.enabled_setting = "ubuntu_login_enabled"
|
||||
provider
|
||||
end
|
||||
|
||||
before do
|
||||
Discourse.stubs(:auth_providers).returns [provider]
|
||||
end
|
||||
|
||||
it "finds an authenticator when enabled" do
|
||||
SiteSetting.stubs(:ubuntu_login_enabled).returns(true)
|
||||
|
||||
expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
|
||||
.to be(provider.authenticator)
|
||||
end
|
||||
|
||||
it "fails if an authenticator is disabled" do
|
||||
SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
|
||||
|
||||
expect { Users::OmniauthCallbacksController.find_authenticator("ubuntu") }
|
||||
.to raise_error(Discourse::InvalidAccess)
|
||||
end
|
||||
|
||||
it "succeeds if an authenticator does not have a site setting" do
|
||||
provider.enabled_setting = nil
|
||||
SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
|
||||
|
||||
expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
|
||||
.to be(provider.authenticator)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'Google Oauth2' do
|
||||
|
|
Loading…
Reference in New Issue