diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 187ef30b6..c6b805cc6 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -649,21 +649,21 @@ class AppController extends Controller
 }
 // Check if user accepted terms and conditions
- if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms']])) {
+ if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms', 'totp_new', 'email_otp']])) {
 //if ($this->_isRest()) throw new MethodNotAllowedException('You have not accepted the terms of use yet, please log in via the web interface and accept them.');
 $this->redirect(array('controller' => 'users', 'action' => 'terms', 'admin' => false));
 return false;
 }
 // Check if user must change password
- if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login']])) {
+ if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login', 'totp_new', 'email_otp']])) {
 //if ($this->_isRest()) throw new MethodNotAllowedException('Your user account is expecting a password change, please log in via the web interface and change it before proceeding.');
 $this->redirect(array('controller' => 'users', 'action' => 'change_pw', 'admin' => false));
 return false;
 }
 // Check if user must read news
- if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout']])) {
+ if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout', 'totp_new', 'email_otp']])) {
 $this->loadModel('News');
 $latestNewsCreated = $this->News->latestNewsTimestamp();
 if ($latestNewsCreated && $user['newsread'] < $latestNewsCreated) {
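Review bot: The actions exempt from the terms, forced-password-change and news gates are now maintained by hand in three separate lists, and a future MFA action added to one list but not the others will either trap the user in a redirect loop or silently skip a gate; the `totp_new`/`email_otp` additions in all three `_isControllerAction` calls are exactly that kind of edit. I would hoist the names all three lists share into one class constant, e.g. `const AUTH_FLOW_ACTIONS = ['terms', 'logout', 'login', 'totp_new', 'email_otp'];`, and build each call's argument from it so the per-gate extras (`downloadTerms`, `change_pw`, `news/index`) remain visible as the only differences. Every name in these lists is reachable by a user who has not yet accepted the terms, changed a forced password or read the news, so a comment above the first check should say so: `// Actions listed here bypass the terms/password/news gates; only add steps of the login/MFA flow.` The enclosing method starts and ends outside this hunk.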
diff --git a/app/Controller/Component/ACLComponent.php b/app/Controller/Component/ACLComponent.php
index aa8d6830f..b143a83d9 100644
--- a/app/Controller/Component/ACLComponent.php
+++ b/app/Controller/Component/ACLComponent.php
@@ -925,7 +925,7 @@ class ACLComponent extends Component
 }
 return true;
 };
- $this->dynamicChecks['otp_enabled'] = function (array $user) {
+ $this->dynamicChecks['otp_enabled'] = function ($user) {
 if (Configure::read('Security.otp_disabled')) {
 throw new ForbiddenException('OTP has been disabled on this instance.');
 }
diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
index aa853e24c..83254eb87 100644
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@@ -1214,11 +1214,13 @@ class UsersController extends AppController
 $this->Auth->constructAuthenticate();
 }
 // user has TOTP token, check creds and redirect to TOTP validation
- if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
- $user = $this->Auth->identify($this->request, $this->response);
- if ($user && !$user['disabled']) {
- $this->Session->write('otp_user', $user);
- return $this->redirect('otp');
+ if (!Configure::read('Security.otp_disabled')) {
+ if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
+ $user = $this->Auth->identify($this->request, $this->response);
+ if ($user && !$user['disabled']) {
+ $this->Session->write('otp_user', $user);
+ return $this->redirect('otp');
+ }
 }
 }
 }
diff --git a/app/View/News/index.ctp b/app/View/News/index.ctp
index db852841c..52cc0969e 100644
--- a/app/View/News/index.ctp
+++ b/app/View/News/index.ctp
@@ -1,10 +1,9 @@
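Review bot: Dropping the `array` type from the `otp_enabled` closure's parameter removes the only guard on what `$user` is, and nothing in the hunk says why; presumably the check is now reached with a null or non-array user before the login flow has completed, but that is inferred rather than visible. If null is the case being admitted, `function (?array $user)` keeps the contract explicit while accepting it, and a one-line comment naming the caller that passes a non-array value would make the loosening reviewable, e.g. `// $user may be null: this check also runs for the pre-login OTP actions`. The closure's body continues past the end of the hunk, so how `$user` is used after the `otp_disabled` check cannot be seen here.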
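Review bot: When `Security.otp_disabled` is set, a user with an enrolled TOTP secret now falls through to password-only login with no record that the second factor was skipped; the new outer `if` carries no comment and no log line, so an operator reconstructing a login during an incident would not see the downgrade. I would state the intent above the guard, `// Security.otp_disabled is an instance-wide kill switch: users with a TOTP secret authenticate with password only`, and, if a logging helper is available to this controller, record once per login that TOTP was bypassed. The extra nesting is also unnecessary: the flag can be folded into the existing condition as `if (!Configure::read('Security.otp_disabled') && !empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {`, which keeps the change to a single line and the indentation of the redirect block unchanged. The enclosing method starts before this hunk.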

-

- +
diff --git a/db_schema.json b/db_schema.json
index e2c975312..36937d554 100644
--- a/db_schema.json
+++ b/db_schema.json
@@ -1237,25 +1237,25 @@
 },
 {
 "column_name": "created",
- "is_nullable": "YES",
+ "is_nullable": "NO",
 "data_type": "datetime",
 "character_maximum_length": null,
 "numeric_precision": null,
 "collation_name": null,
 "column_type": "datetime",
- "column_default": "current_timestamp()",
+ "column_default": null,
 "extra": ""
 },
 {
 "column_name": "modified",
- "is_nullable": "YES",
+ "is_nullable": "NO",
 "data_type": "datetime",
 "character_maximum_length": null,
 "numeric_precision": null,
 "collation_name": null,
 "column_type": "datetime",
- "column_default": "NULL",
- "extra": "on update current_timestamp()"
+ "column_default": null,
+ "extra": ""
 },
 {
 "column_name": "distribution",
diff --git a/tests/testlive_security.py b/tests/testlive_security.py
index c09d68729..e003e10bf 100644
--- a/tests/testlive_security.py
+++ b/tests/testlive_security.py
@@ -804,9 +804,6 @@ class TestSecurity(unittest.TestCase):
 logged_in = PyMISP(url, self.test_usr.authkey)
 logged_in.global_pythonify = True
- with self.assertRaises(Exception):
- send(logged_in, "GET", f"/users/email_otp")
-
 with self.assertRaises(Exception):
 send(logged_in, "GET", f"/users/totp_new")
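Review bot: `created` and `modified` become NOT NULL with no default, and `modified` loses its `on update current_timestamp()`, so the database no longer fills either column; any INSERT or UPDATE that omitted them and relied on the server will now fail under strict SQL mode or, on a permissive server, may store a zero date and leave `modified` stale. This file is a schema snapshot, so the migration that applies the change and the application code that must now set both timestamps are not visible here; if the table is written only through the CakePHP model, its automatic `created`/`modified` handling should cover it, but any raw query against this table needs checking. The table these columns belong to is not named in the hunk, so a short note in the migration or commit message naming it and the reason the server-side defaults were dropped would help the next reviewer.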