Merge branch 'develop' of github.com:MISP/MISP into develop

app/Controller/AppController.php

@@ -649,21 +649,21 @@ class AppController extends Controller
         }
 
         // Check if user accepted terms and conditions
-        if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms']])) {
+        if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms', 'totp_new', 'email_otp']])) {
             //if ($this->_isRest()) throw new MethodNotAllowedException('You have not accepted the terms of use yet, please log in via the web interface and accept them.');
             $this->redirect(array('controller' => 'users', 'action' => 'terms', 'admin' => false));
             return false;
         }
 
         // Check if user must change password
-        if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login']])) {
+        if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login', 'totp_new', 'email_otp']])) {
             //if ($this->_isRest()) throw new MethodNotAllowedException('Your user account is expecting a password change, please log in via the web interface and change it before proceeding.');
             $this->redirect(array('controller' => 'users', 'action' => 'change_pw', 'admin' => false));
             return false;
         }
 
         // Check if user must read news
-        if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout']])) {
+        if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout', 'totp_new', 'email_otp']])) {
             $this->loadModel('News');
             $latestNewsCreated = $this->News->latestNewsTimestamp();
             if ($latestNewsCreated && $user['newsread'] < $latestNewsCreated) {

app/Controller/Component/ACLComponent.php

@@ -925,7 +925,7 @@ class ACLComponent extends Component
             }
             return true;
         };
-        $this->dynamicChecks['otp_enabled'] = function (array $user) {
+        $this->dynamicChecks['otp_enabled'] = function ($user) {
             if (Configure::read('Security.otp_disabled')) {
                 throw new ForbiddenException('OTP has been disabled on this instance.');
             }

app/Controller/UsersController.php

@@ -1214,11 +1214,13 @@ class UsersController extends AppController
                     $this->Auth->constructAuthenticate();
                 }
                 // user has TOTP token, check creds and redirect to TOTP validation
-                if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
-                    $user = $this->Auth->identify($this->request, $this->response);
-                    if ($user && !$user['disabled']) {
-                        $this->Session->write('otp_user', $user);
-                        return $this->redirect('otp');
+                if (!Configure::read('Security.otp_disabled')) {
+                    if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
+                        $user = $this->Auth->identify($this->request, $this->response);
+                        if ($user && !$user['disabled']) {
+                            $this->Session->write('otp_user', $user);
+                            return $this->redirect('otp');
+                        }
                     }
                 }
             }

app/View/News/index.ctp

@@ -1,10 +1,9 @@
 <div class="index">
     <h2><?= __("Latest news") ?></h2>
-
     <?php if ($hasUnreadNews): ?>
     <div class="alert alert-success">
         <p><?= __('You have unread news.') ?></p>
-        <a class="btn btn-success" href="<?= $homepage ?>"><?= __('Continue to homepage') ?></a>
+        <a class="btn btn-success" href="<?= isset($homepage['path']) ? $homepage['path'] : $homepage ?>"><?= __('Continue to homepage') ?></a>
     </div>
     <?php endif; ?>
 

db_schema.json

@@ -1237,25 +1237,25 @@
             },
             {
                 "column_name": "created",
-                "is_nullable": "YES",
+                "is_nullable": "NO",
                 "data_type": "datetime",
                 "character_maximum_length": null,
                 "numeric_precision": null,
                 "collation_name": null,
                 "column_type": "datetime",
-                "column_default": "current_timestamp()",
+                "column_default": null,
                 "extra": ""
             },
             {
                 "column_name": "modified",
-                "is_nullable": "YES",
+                "is_nullable": "NO",
                 "data_type": "datetime",
                 "character_maximum_length": null,
                 "numeric_precision": null,
                 "collation_name": null,
                 "column_type": "datetime",
-                "column_default": "NULL",
-                "extra": "on update current_timestamp()"
+                "column_default": null,
+                "extra": ""
             },
             {
                 "column_name": "distribution",

tests/testlive_security.py

@@ -804,9 +804,6 @@ class TestSecurity(unittest.TestCase):
             logged_in = PyMISP(url, self.test_usr.authkey)
             logged_in.global_pythonify = True
 
-            with self.assertRaises(Exception):
-                send(logged_in, "GET", f"/users/email_otp")
-
             with self.assertRaises(Exception):
                 send(logged_in, "GET", f"/users/totp_new")