new: [test] Security test for OTP disabled

Jakub Onderka 2024-04-20 13:54:10 +02:00
parent 97e6224755
commit 9ea64750bc
2 changed files with 16 additions and 2 deletions


@ -1,5 +1,5 @@
<?php <?php
App::uses('AppController', 'Controller', 'OTPHP\TOTP'); App::uses('AppController', 'Controller');
/** /**
* @property User $User * @property User $User
@ -1883,7 +1883,7 @@ class UsersController extends AppController
public function totp_delete($id) public function totp_delete($id)
{ {
if ($this->request->is('post') || $this->request->is('delete')) { if ($this->request->is(['post', 'delete'])) {
$user = $this->User->find('first', array( $user = $this->User->find('first', array(
'conditions' => $this->__adminFetchConditions($id), 'conditions' => $this->__adminFetchConditions($id),
'recursive' => -1, 'recursive' => -1,
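Review bot: Nothing in this hunk enforces the Security.otp_disabled gate that the companion test in this commit expects for /users/totp_delete; presumably that check lives in beforeFilter or further down the method, which continues past the hunk — confirm, because as visible here a deleting request only has to pass `__adminFetchConditions($id)`. Accepting both POST and DELETE via `$this->request->is(['post', 'delete'])` is only as safe as the CSRF protection configured for both verbs; if SecurityComponent only covers POST, a forged DELETE becomes a one-click path to strip a user's second factor, so it is worth a comment on that line such as `// DELETE must be CSRF-protected the same way as POST (see SecurityComponent config)`. Dropping the third argument from `App::uses('AppController', 'Controller')` is reasonable if that argument was never consumed, but please confirm `OTPHP\TOTP` is still reachable through the autoloader wherever this controller instantiates it — I cannot see that from here.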


@ -799,6 +799,20 @@ class TestSecurity(unittest.TestCase):
with self.assertRaises(Exception): with self.assertRaises(Exception):
send(logged_in, "GET", f"/users/password_reset/abcd") send(logged_in, "GET", f"/users/password_reset/abcd")
def test_otp_disabled(self):
with self.__setting("Security.otp_disabled", True):
logged_in = PyMISP(url, self.test_usr.authkey)
logged_in.global_pythonify = True
with self.assertRaises(Exception):
send(logged_in, "GET", f"/users/email_otp")
with self.assertRaises(Exception):
send(logged_in, "GET", f"/users/totp_new")
with self.assertRaises(Exception):
send(logged_in, "GET", f"/users/totp_delete/1")
def test_add_user_by_org_admin(self): def test_add_user_by_org_admin(self):
user = MISPUser() user = MISPUser()
user.email = 'testusr@user' + random() + '.local' # make name always unique user.email = 'testusr@user' + random() + '.local' # make name always unique
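Review bot: test_otp_disabled shows only that the three endpoints fail while Security.otp_disabled is set, not that the setting is what blocks them — there is no control run with the setting off, and `assertRaises(Exception)` also passes on a 500, a routing error, or a nonexistent user id 1. Add a run outside the `__setting` block asserting that `send(logged_in, "GET", "/users/totp_new")` succeeds for the same user, and narrow the expected error to the specific PyMISP exception or a status/message check if `send()` exposes one (I cannot tell from here what it raises). The controller hunk in this commit handles totp_delete only for POST/DELETE, so `send(logged_in, "GET", "/users/totp_delete/1")` may be rejected for the verb rather than the setting — issue it as a POST so the assertion exercises the gate. The three `f"..."` strings carry no placeholders and can be plain literals.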