FIX: Missing 2FA guards when sso is enabled or when local login is disabled.

2025-09-05 08:59:27 +08:00 · 2018-03-02 10:37:13 +08:00 · 2018-03-02 10:37:13 +08:00 · 939180efa8
commit 939180efa8
parent e19ae6c55e
4 changed files with 46 additions and 1 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -952,6 +952,7 @@ class UsersController < ApplicationController
  end

  def create_second_factor
+    raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
    RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
    RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed!

--- a/app/models/concerns/second_factor_manager.rb
+++ b/app/models/concerns/second_factor_manager.rb
@ -33,6 +33,8 @@ module SecondFactorManager
  end

  def totp_enabled?
-    !!(self&.user_second_factor&.enabled?)
+    !!(self&.user_second_factor&.enabled?) &&
+      !SiteSetting.enable_sso &&
+      SiteSetting.enable_local_logins
  end
 end