From 9ea64750bca1e71f19754e7f13d60bc71665ef7d Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Sat, 20 Apr 2024 13:54:10 +0200
Subject: [PATCH] new: [test] Security test for OTP disabled

---
 app/Controller/UsersController.php | 4 ++--
 tests/testlive_security.py | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
index cb469e3f7..c61593649 100644
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@@ -1,5 +1,5 @@ request->is('post') || $this->request->is('delete')) {
+ if ($this->request->is(['post', 'delete'])) {
 $user = $this->User->find('first', array(
 'conditions' => $this->__adminFetchConditions($id),
 'recursive' => -1,
diff --git a/tests/testlive_security.py b/tests/testlive_security.py
index 7440d4e91..c09d68729 100644
--- a/tests/testlive_security.py
+++ b/tests/testlive_security.py
@@ -799,6 +799,20 @@ class TestSecurity(unittest.TestCase):
 with self.assertRaises(Exception):
 send(logged_in, "GET", f"/users/password_reset/abcd")
+ def test_otp_disabled(self):
+ with self.__setting("Security.otp_disabled", True):
+ logged_in = PyMISP(url, self.test_usr.authkey)
+ logged_in.global_pythonify = True
+ with self.assertRaises(Exception):
+ send(logged_in, "GET", f"/users/email_otp")
+ with self.assertRaises(Exception):
+ send(logged_in, "GET", f"/users/totp_new")
+ with self.assertRaises(Exception):
+ send(logged_in, "GET", f"/users/totp_delete/1")
+
 def test_add_user_by_org_admin(self):
 user = MISPUser()
 user.email = 'testusr@user' + random() + '.local' # make name always unique
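Review bot: The three `assertRaises(Exception)` blocks in `test_otp_disabled` accept any failure, so a request rejected for an unrelated reason (wrong HTTP method, a server error) satisfies the test without the `Security.otp_disabled` guard ever being exercised; in particular, if `/users/totp_delete/1` only accepts POST/DELETE (the first hunk of this commit changes one handler to `is(['post', 'delete'])`, though I cannot see which handler that is), the GET here fails on method grounds alone. Narrow each assertion to whatever `send` raises for a forbidden request, or issue the method the endpoint actually accepts, so that the test would fail if the setting were ignored. A one-line docstring such as `"""With Security.otp_disabled set, every OTP endpoint must be rejected."""` would also state the intent of the test. As a minor point of style, the `f"/users/email_otp"`, `f"/users/totp_new"` and `f"/users/totp_delete/1"` literals carry no placeholders and can be plain strings, e.g. `send(logged_in, "GET", "/users/email_otp")`.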