Merge branch 'develop' of github.com:MISP/MISP into develop
ba9f9f4781
|
@ -649,21 +649,21 @@ class AppController extends Controller
|
|||
}
|
||||
|
||||
// Check if user accepted terms and conditions
|
||||
if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms']])) {
|
||||
if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms', 'totp_new', 'email_otp']])) {
|
||||
//if ($this->_isRest()) throw new MethodNotAllowedException('You have not accepted the terms of use yet, please log in via the web interface and accept them.');
|
||||
$this->redirect(array('controller' => 'users', 'action' => 'terms', 'admin' => false));
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check if user must change password
|
||||
if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login']])) {
|
||||
if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login', 'totp_new', 'email_otp']])) {
|
||||
//if ($this->_isRest()) throw new MethodNotAllowedException('Your user account is expecting a password change, please log in via the web interface and change it before proceeding.');
|
||||
$this->redirect(array('controller' => 'users', 'action' => 'change_pw', 'admin' => false));
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check if user must read news
|
||||
if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout']])) {
|
||||
if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout', 'totp_new', 'email_otp']])) {
|
||||
$this->loadModel('News');
|
||||
$latestNewsCreated = $this->News->latestNewsTimestamp();
|
||||
if ($latestNewsCreated && $user['newsread'] < $latestNewsCreated) {
|
||||
|
|
|
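Review bot: The set of actions a user may reach before finishing account setup is now spelled out three times in this hunk (the terms check, the change_pw check and the news check), and the lists already disagree: only the terms check also exempts 'downloadTerms'. Hand-adding 'totp_new' and 'email_otp' to each list is how the next OTP-related action ends up missing from one of them, which could either trap an enrolling user in a redirect or leave one of the checks inconsistent with the others. Consider hoisting the shared names into one class constant, e.g. `const SETUP_EXEMPT_USER_ACTIONS = ['terms', 'change_pw', 'logout', 'login', 'totp_new', 'email_otp'];`, and building each `_isControllerAction` argument from it. The enclosing method starts before and continues after this hunk.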
@ -925,7 +925,7 @@ class ACLComponent extends Component
|
|||
}
|
||||
return true;
|
||||
};
|
||||
$this->dynamicChecks['otp_enabled'] = function (array $user) {
|
||||
$this->dynamicChecks['otp_enabled'] = function ($user) {
|
||||
if (Configure::read('Security.otp_disabled')) {
|
||||
throw new ForbiddenException('OTP has been disabled on this instance.');
|
||||
}
|
||||
|
|
|
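Review bot: Dropping the `array` type from the `otp_enabled` closure parameter (the second changed line of the hunk) widens what the callback accepts without saying why; if the reason is that a caller passes `null` when no session user exists, `function (?array $user)` keeps the boundary check while admitting that case. With no declaration at all, a non-array `$user` would only surface later, as a warning on some offset access in the body that continues outside the hunk, instead of as a TypeError at the point where the ACL decision is made. A short comment would help, e.g. `// $user may be null for unauthenticated requests` — only if that is indeed the case. The enclosing method starts and ends outside this hunk.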
@ -1214,11 +1214,13 @@ class UsersController extends AppController
|
|||
$this->Auth->constructAuthenticate();
|
||||
}
|
||||
// user has TOTP token, check creds and redirect to TOTP validation
|
||||
if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
|
||||
$user = $this->Auth->identify($this->request, $this->response);
|
||||
if ($user && !$user['disabled']) {
|
||||
$this->Session->write('otp_user', $user);
|
||||
return $this->redirect('otp');
|
||||
if (!Configure::read('Security.otp_disabled')) {
|
||||
if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
|
||||
$user = $this->Auth->identify($this->request, $this->response);
|
||||
if ($user && !$user['disabled']) {
|
||||
$this->Session->write('otp_user', $user);
|
||||
return $this->redirect('otp');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
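Review bot: Wrapping the TOTP branch in `if (!Configure::read('Security.otp_disabled'))` means a user who already has a TOTP secret enrolled is, when the flag is set, authenticated by whatever follows this hunk — presumably the plain password login — so the flag silently downgrades second-factor users rather than only hiding the enrollment pages. That is a defensible instance-wide kill switch, but it deserves a comment at the new `if`, e.g. `// Security.otp_disabled is an instance-wide kill switch: enrolled users fall back to password-only login`, and ideally a log entry when the downgrade actually occurs so operators can see it being relied on. The two nested conditions could also be folded into one, `if (!Configure::read('Security.otp_disabled') && !empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {`, which removes a nesting level. The enclosing login action begins and ends outside this hunk.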
@ -1,10 +1,9 @@
|
|||
<div class="index">
|
||||
<h2><?= __("Latest news") ?></h2>
|
||||
|
||||
<?php if ($hasUnreadNews): ?>
|
||||
<div class="alert alert-success">
|
||||
<p><?= __('You have unread news.') ?></p>
|
||||
<a class="btn btn-success" href="<?= $homepage ?>"><?= __('Continue to homepage') ?></a>
|
||||
<a class="btn btn-success" href="<?= isset($homepage['path']) ? $homepage['path'] : $homepage ?>"><?= __('Continue to homepage') ?></a>
|
||||
</div>
|
||||
<?php endif; ?>
|
||||
|
||||
|
|
|
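Review bot: The new `href` still echoes `$homepage` (or `$homepage['path']`) into an HTML attribute without escaping; if that value can be influenced by a user setting, an attribute-breaking character in it reaches the page verbatim. Wrapping the output in CakePHP's `h()` helper fixes that and, on PHP 7+, lets the `isset` ternary collapse to `??`: `<a class="btn btn-success" href="<?= h($homepage['path'] ?? $homepage) ?>"><?= __('Continue to homepage') ?></a>`. Note also that when `$homepage` is an array without a `path` key the fallback echoes the literal string `Array`, which the old line did as well.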
@ -1237,25 +1237,25 @@
|
|||
},
|
||||
{
|
||||
"column_name": "created",
|
||||
"is_nullable": "YES",
|
||||
"is_nullable": "NO",
|
||||
"data_type": "datetime",
|
||||
"character_maximum_length": null,
|
||||
"numeric_precision": null,
|
||||
"collation_name": null,
|
||||
"column_type": "datetime",
|
||||
"column_default": "current_timestamp()",
|
||||
"column_default": null,
|
||||
"extra": ""
|
||||
},
|
||||
{
|
||||
"column_name": "modified",
|
||||
"is_nullable": "YES",
|
||||
"is_nullable": "NO",
|
||||
"data_type": "datetime",
|
||||
"character_maximum_length": null,
|
||||
"numeric_precision": null,
|
||||
"collation_name": null,
|
||||
"column_type": "datetime",
|
||||
"column_default": "NULL",
|
||||
"extra": "on update current_timestamp()"
|
||||
"column_default": null,
|
||||
"extra": ""
|
||||
},
|
||||
{
|
||||
"column_name": "distribution",
|
||||
|
|
|
@ -804,9 +804,6 @@ class TestSecurity(unittest.TestCase):
|
|||
logged_in = PyMISP(url, self.test_usr.authkey)
|
||||
logged_in.global_pythonify = True
|
||||
|
||||
with self.assertRaises(Exception):
|
||||
send(logged_in, "GET", f"/users/email_otp")
|
||||
|
||||
with self.assertRaises(Exception):
|
||||
send(logged_in, "GET", f"/users/totp_new")
|
||||
|
||||
|
|