From 112b1fa265f650c01eef2578e286214e3d82dcac Mon Sep 17 00:00:00 2001 From: Aboobacker MK Date: Sun, 21 Jan 2018 17:51:28 +0530 Subject: [PATCH] Redirect to 2FA creation page when otp_secret is not available (#6314) --- Gemfile.lock | 2 +- .../two_factor_authentication/confirmations_controller.rb | 5 +++++ .../confirmations_controller_spec.rb | 7 +++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 788da17fe..69ed3097b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -70,7 +70,7 @@ GEM coderay (>= 1.0.0) erubi (>= 1.0.0) rack (>= 0.9.0) - binding_of_caller (0.7.3) + binding_of_caller (0.8.0) debug_inspector (>= 0.0.1) bootsnap (1.1.5) msgpack (~> 1.0) diff --git a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb index 4cf62db13..8d534960d 100644 --- a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb +++ b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb @@ -6,6 +6,7 @@ module Settings layout 'admin' before_action :authenticate_user! + before_action :ensure_otp_secret def new prepare_two_factor_form @@ -38,6 +39,10 @@ module Settings @provision_url = current_user.otp_provisioning_uri(current_user.email, issuer: Rails.configuration.x.local_domain) @qrcode = RQRCode::QRCode.new(@provision_url) end + + def ensure_otp_secret + redirect_to settings_two_factor_authentication_path unless current_user.otp_secret + end end end end diff --git a/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb b/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb index 0676d6161..aee82a3d8 100644 --- a/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb +++ b/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb @@ -6,6 +6,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do render_views let(:user) { Fabricate(:user, email: 'local-part@domain', otp_secret: 'thisisasecretforthespecofnewview') } + let(:user_without_otp_secret) { Fabricate(:user, email: 'local-part@domain') } shared_examples 'renders :new' do it 'renders the new view' do @@ -33,6 +34,12 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do get :new expect(response).to redirect_to('/auth/sign_in') end + + it 'redirects if user do not have otp_secret' do + sign_in user_without_otp_secret, scope: :user + get :new + expect(response).to redirect_to('/settings/two_factor_authentication') + end end describe 'POST #create' do