author | dizzy <diosmosis@users.noreply.github.com> | 2021-05-10 03:00:42 +0300 |
committer | GitHub <noreply@github.com> | 2021-05-10 03:00:42 +0300 |
commit | 07d33998967f4c42a800c2374fd951e9d42cd2b4 (patch) | |
tree | 496c0b7ce4cd2f9a1a826aaa9af4270831df8c1d | |
parent | 13e784ea481a9e35d5ccd9521c5464889411e970 (diff) |
require password confirmation when resetting 2fa (#17528)
* require password confirmation when resetting 2fa
* fix test
* fix test
* update screenshots
7 files changed, 40 insertions, 10 deletions
diff --git a/plugins/TwoFactorAuth/API.php b/plugins/TwoFactorAuth/API.php
index d0ef5024f1..08532470cd 100644
--- a/plugins/TwoFactorAuth/API.php
+++ b/plugins/TwoFactorAuth/API.php
@@ -9,6 +9,7 @@
 namespace Piwik\Plugins\TwoFactorAuth;
 use Piwik\Piwik;
+use Piwik\Plugins\Login\PasswordVerifier;
 class API extends \Piwik\Plugin\API
 {
@@ -17,15 +18,25 @@ class API extends \Piwik\Plugin\API
 */
 private $twoFa;
- public function __construct(TwoFactorAuthentication $twoFa)
+ /**
+ * @var PasswordVerifier
+ */
+ private $passwordVerifier;
+
+ public function __construct(TwoFactorAuthentication $twoFa, PasswordVerifier $passwordVerifier)
 {
 $this->twoFa = $twoFa;
+ $this->passwordVerifier = $passwordVerifier;
 }
- public function resetTwoFactorAuth($userLogin)
+ public function resetTwoFactorAuth($userLogin, $passwordConfirmation)
 {
 Piwik::checkUserHasSuperUserAccess();
+ if (!$this->passwordVerifier->isPasswordCorrect(Piwik::getCurrentUserLogin(), $passwordConfirmation)) {
+ throw new \Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'));
+ }
+
 $this->twoFa->disable2FAforUser($userLogin);
 }
 }
diff --git a/plugins/TwoFactorAuth/tests/Integration/APITest.php b/plugins/TwoFactorAuth/tests/Integration/APITest.php
index af73c410d3..3ab31070c7 100644
--- a/plugins/TwoFactorAuth/tests/Integration/APITest.php
+++ b/plugins/TwoFactorAuth/tests/Integration/APITest.php
@@ -50,7 +50,7 @@ class APITest extends IntegrationTestCase
 Fixture::createWebsite('2014-01-02 03:04:05');
 }
- foreach (['mylogin1', 'mylogin2'] as $user) {
+ foreach (['mylogin1', 'mylogin2', 'login'] as $user) {
 UsersAPI::getInstance()->addUser($user, '123abcDk3_l3', $user . '@matomo.org');
 }
 $this->twoFa = StaticContainer::get(TwoFactorAuthentication::class);
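Review bot: `resetTwoFactorAuth` is an HTTP-exposed API method and its new `$passwordConfirmation` parameter arrives with no type and no PHPDoc, so a caller has nothing telling them that the acting super user's own current password is expected rather than anything about `$userLogin`. A docblock along the lines of `@param string $userLogin login of the user whose two-factor authentication is disabled`, `@param string $passwordConfirmation current password of the super user making the call`, and `@throws \Exception if the caller is not a super user or the password does not match` would make that contract explicit. The ordering — `checkUserHasSuperUserAccess()` before `isPasswordCorrect()` — keeps unprivileged callers from reaching the password check at all, which deserves a one-line why-comment such as `// confirm the acting super user's own password, not the target user's`. Whether an empty `$passwordConfirmation` is rejected depends on `PasswordVerifier::isPasswordCorrect`, which is outside this diff.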
@@ -62,7 +62,7 @@ class APITest extends IntegrationTestCase
 $this->expectExceptionMessage('checkUserHasSuperUserAccess Fake exception');
 $this->setAdminUser();
- $this->api->resetTwoFactorAuth('login');
+ $this->api->resetTwoFactorAuth('login', 'superUserPass');
 }
 public function test_resetTwoFactorAuth_resetsSecret()
@@ -74,7 +74,7 @@ class APITest extends IntegrationTestCase
 $this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin1'));
 $this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin2'));
- $this->api->resetTwoFactorAuth('mylogin1');
+ $this->api->resetTwoFactorAuth('mylogin1', 'superUserPass');
 $this->assertFalse(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin1'));
 $this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin2'));
@@ -95,4 +95,10 @@ class APITest extends IntegrationTestCase
 'Piwik\Access' => new FakeAccess()
 );
 }
+
+ protected static function configureFixture($fixture)
+ {
+ parent::configureFixture($fixture);
+ $fixture->createSuperUser = true;
+ }
 }
diff --git a/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js b/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js
index 47fca9a69b..a426289eb5 100644
--- a/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js
+++ b/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js
@@ -48,6 +48,7 @@ describe("TwoFactorAuthUsersManager", function () {
 });
 it('should be possible to confirm the reset', async function () {
+ await page.type('.twofa-confirm-modal input[name=currentUserPassword]', 'superUserPass');
 await page.click('.twofa-confirm-modal .modal-close:not(.modal-no)');
 await page.waitFor(500); // wait for modal to close
 expect(await page.screenshotSelector('#content,#notificationContainer')).to.matchImage('edit_with_2fa_reset_confirmed');
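Review bot: Every updated test passes the correct confirmation (`'superUserPass'`); nothing in this section asserts that a wrong password is rejected and leaves the target's 2FA untouched, which is the behaviour the commit introduces. A companion to `test_resetTwoFactorAuth_resetsSecret` that wraps `$this->api->resetTwoFactorAuth('mylogin1', 'wrongPass');` in a try/catch expecting `\Exception` and then asserts `TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin1')` is still true would pin it. The super user's password comes from the fixture enabled via the new `configureFixture` override rather than from this diff, so the literal `'superUserPass'` relies on the fixture's default and should be confirmed against it.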
diff --git a/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png b/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png
index 22d055d45b..0135388791 100644
--- a/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png
+++ b/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c258506e4b5a92ef47e7340c33a6eabe97c31dbeffcfc65206b23366db05a2e5
-size 6116
+oid sha256:ff3bf08635ffd75bca6aaa99d96299675f81fac5e5d68bb4db99fe8bae79bf19
+size 14249
diff --git a/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.html b/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.html
index 4c7f016bb5..af48840665 100644
--- a/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.html
+++ b/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.html
@@ -166,7 +166,16 @@
 <div class="twofa-confirm-modal modal">
 <div class="modal-content">
 <h2>{{:: 'UsersManager_AreYouSure'|translate }}</h2>
+ <p>{{:: 'UsersManager_ConfirmWithPassword'|translate }}</p>
+
+ <div piwik-field uicontrol="password" name="currentUserPassword" autocomplete="off"
+ ng-model="$ctrl.passwordConfirmation"
+ full-width="true"
+ title="{{ 'UsersManager_YourCurrentPassword'|translate }}"
+ value="">
+ </div>
 </div>
+
 <div class="modal-footer">
 <a href="" class="modal-action modal-close btn" ng-click="$ctrl.reset2FA()">{{:: 'General_Yes'|translate }}</a>
 <a href="" class="modal-action modal-close modal-no">{{:: 'General_No'|translate }}</a>
diff --git a/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.js b/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.js
index 449eddf29b..9b6792ea41 100644
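Review bot: `autocomplete="off"` on the new `currentUserPassword` field is commonly ignored by browsers for password inputs; since this field asks for the acting user's existing password, `autocomplete="current-password"` is the accurate hint and keeps the browser from treating it as a new-password field — assuming `piwik-field` forwards the attribute to the rendered `<input>`, which this hunk does not show. The `value=""` attribute is redundant alongside `ng-model`. Nothing in the template prevents confirming with an empty password (the Yes link always calls `$ctrl.reset2FA()`), so the server-side check is the only gate; a disabled state on the confirm link while `$ctrl.passwordConfirmation` is empty would give earlier feedback.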
--- a/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.js
+++ b/plugins/UsersManager/angularjs/user-edit-form/user-edit-form.component.js
@@ -139,7 +139,8 @@
 vm.isResetting2FA = true;
 return piwikApi.post({
 method: 'TwoFactorAuth.resetTwoFactorAuth',
- userLogin: vm.user.login
+ userLogin: vm.user.login,
+ passwordConfirmation: vm.passwordConfirmation
 }).catch(function (e) {
 vm.isResetting2FA = false;
 throw e;
@@ -149,6 +150,8 @@
 vm.activeTab = 'basic';
 showUserSavedNotification();
+ }).finally(function () {
+ vm.passwordConfirmation = '';
 });
 }
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png b/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png
index fd41d83033..d5cb018801 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8e0c50a1a09cbe9ee04661ab3257d5b32e6f6fa460ac36d52b45b2224253c52e
-size 4984702
+oid sha256:44634eadf74af1538514b5a96a05e9a45dd7e856abe0380965d7b8fdfe2e5867
+size 4985109 |
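Review bot: `vm.passwordConfirmation` is cleared only in the `finally` of the reset request, so a password typed into the modal and then abandoned via the `modal-no` link (which carries no `ng-click` in the template change above) stays bound on the controller and is pre-filled the next time the modal opens. Clearing it on cancel as well — e.g. `ng-click="$ctrl.passwordConfirmation = ''"` on the No link, or resetting it wherever the modal is opened — keeps the typed credential from lingering in scope. The enclosing function starts before this hunk.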