authordizzy <diosmosis@users.noreply.github.com>2021-05-10 03:00:42 +0300
committerGitHub <noreply@github.com>2021-05-10 03:00:42 +0300
commit07d33998967f4c42a800c2374fd951e9d42cd2b4 (patch)
tree496c0b7ce4cd2f9a1a826aaa9af4270831df8c1d /plugins/TwoFactorAuth
parent13e784ea481a9e35d5ccd9521c5464889411e970 (diff)
require password confirmation when resetting 2fa (#17528)
* require password confirmation when resetting 2fa * fix test * fix test * update screenshots
Diffstat (limited to 'plugins/TwoFactorAuth')
-rw-r--r--plugins/TwoFactorAuth/API.php15
-rw-r--r--plugins/TwoFactorAuth/tests/Integration/APITest.php12
-rw-r--r--plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js1
-rw-r--r--plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png4
4 files changed, 25 insertions, 7 deletions
diff --git a/plugins/TwoFactorAuth/API.php b/plugins/TwoFactorAuth/API.php
index d0ef5024f1..08532470cd 100644
--- a/plugins/TwoFactorAuth/API.php
+++ b/plugins/TwoFactorAuth/API.php
@@ -9,6 +9,7 @@
namespace Piwik\Plugins\TwoFactorAuth;
use Piwik\Piwik;
+use Piwik\Plugins\Login\PasswordVerifier;
class API extends \Piwik\Plugin\API
{
@@ -17,15 +18,25 @@ class API extends \Piwik\Plugin\API
*/
private $twoFa;
- public function __construct(TwoFactorAuthentication $twoFa)
+ /**
+ * @var PasswordVerifier
+ */
+ private $passwordVerifier;
+
+ public function __construct(TwoFactorAuthentication $twoFa, PasswordVerifier $passwordVerifier)
{
$this->twoFa = $twoFa;
+ $this->passwordVerifier = $passwordVerifier;
}
- public function resetTwoFactorAuth($userLogin)
+ public function resetTwoFactorAuth($userLogin, $passwordConfirmation)
{
Piwik::checkUserHasSuperUserAccess();
+ if (!$this->passwordVerifier->isPasswordCorrect(Piwik::getCurrentUserLogin(), $passwordConfirmation)) {
+ throw new \Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'));
+ }
+
$this->twoFa->disable2FAforUser($userLogin);
}
}
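Review bot: `resetTwoFactorAuth` gains a second required parameter with no docblock, so nothing tells an API caller that `$passwordConfirmation` is the *calling* super user's own password (verified against `Piwik::getCurrentUserLogin()`) and not the password of `$userLogin`; add `@param string $userLogin Login of the user whose 2FA is reset` and `@param string $passwordConfirmation Current password of the super user making the call; the reset is refused if it does not match` above the method. Placing the check after `checkUserHasSuperUserAccess()` is right, since a non-super-user still gets the access error rather than a password probe. `PasswordVerifier::isPasswordCorrect` is outside this diff, so I could not confirm whether it is covered by the login brute-force throttling; a super-user endpoint that verifies a password on every call is worth confirming is throttled. The failure is raised as a bare `\Exception`, which is fine for the UI message but leaves API consumers unable to distinguish a wrong confirmation from any other error.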
diff --git a/plugins/TwoFactorAuth/tests/Integration/APITest.php b/plugins/TwoFactorAuth/tests/Integration/APITest.php
index af73c410d3..3ab31070c7 100644
--- a/plugins/TwoFactorAuth/tests/Integration/APITest.php
+++ b/plugins/TwoFactorAuth/tests/Integration/APITest.php
@@ -50,7 +50,7 @@ class APITest extends IntegrationTestCase
Fixture::createWebsite('2014-01-02 03:04:05');
}
- foreach (['mylogin1', 'mylogin2'] as $user) {
+ foreach (['mylogin1', 'mylogin2', 'login'] as $user) {
UsersAPI::getInstance()->addUser($user, '123abcDk3_l3', $user . '@matomo.org');
}
$this->twoFa = StaticContainer::get(TwoFactorAuthentication::class);
@@ -62,7 +62,7 @@ class APITest extends IntegrationTestCase
$this->expectExceptionMessage('checkUserHasSuperUserAccess Fake exception');
$this->setAdminUser();
- $this->api->resetTwoFactorAuth('login');
+ $this->api->resetTwoFactorAuth('login', 'superUserPass');
}
public function test_resetTwoFactorAuth_resetsSecret()
@@ -74,7 +74,7 @@ class APITest extends IntegrationTestCase
$this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin1'));
$this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin2'));
- $this->api->resetTwoFactorAuth('mylogin1');
+ $this->api->resetTwoFactorAuth('mylogin1', 'superUserPass');
$this->assertFalse(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin1'));
$this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin2'));
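Review bot: The updated tests only pass the correct password; nothing asserts that a wrong `$passwordConfirmation` is rejected and leaves the user's 2FA enabled, which is the behaviour this commit introduces. A negative test next to `test_resetTwoFactorAuth_resetsSecret` would pin it, and the hunk above for the super-user access test has the same gap. The enclosing test method starts before this hunk, so the 2FA setup it relies on is not visible here.
```php
    public function test_resetTwoFactorAuth_doesNotResetWhenPasswordConfirmationIsWrong()
    {
        // … same 2FA setup as test_resetTwoFactorAuth_resetsSecret for mylogin1 …
        try {
            $this->api->resetTwoFactorAuth('mylogin1', 'not-the-super-user-password');
            $this->fail('a wrong password confirmation must be rejected');
        } catch (\Exception $e) {
            // NOTE(review): assert on the UsersManager_CurrentPasswordNotCorrect message once its translated form in tests is confirmed
        }
        $this->assertTrue(TwoFactorAuthentication::isUserUsingTwoFactorAuthentication('mylogin1'));
    }
```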
@@ -95,4 +95,10 @@ class APITest extends IntegrationTestCase
'Piwik\Access' => new FakeAccess()
);
}
+
+ protected static function configureFixture($fixture)
+ {
+ parent::configureFixture($fixture);
+ $fixture->createSuperUser = true;
+ }
}
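Review bot: The literal `'superUserPass'` that `configureFixture` makes valid via `$fixture->createSuperUser = true` is repeated at three call sites in this file, so a change to the fixture's password breaks all of them with an unhelpful message; if the fixture exposes the super user credentials as a constant (Matomo's test `Fixture` defines `Fixture::ADMIN_USER_PASSWORD`), use that instead of the string. A one-line comment on the override, `// a super user must exist so resetTwoFactorAuth can verify the caller's password`, would explain why the flag is set here.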
diff --git a/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js b/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js
index 47fca9a69b..a426289eb5 100644
--- a/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js
+++ b/plugins/TwoFactorAuth/tests/UI/TwoFactorAuthUsersManager_spec.js
@@ -48,6 +48,7 @@ describe("TwoFactorAuthUsersManager", function () {
});
it('should be possible to confirm the reset', async function () {
+ await page.type('.twofa-confirm-modal input[name=currentUserPassword]', 'superUserPass');
await page.click('.twofa-confirm-modal .modal-close:not(.modal-no)');
await page.waitFor(500); // wait for modal to close
expect(await page.screenshotSelector('#content,#notificationContainer')).to.matchImage('edit_with_2fa_reset_confirmed');
diff --git a/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png b/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png
index 22d055d45b..0135388791 100644
--- a/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png
+++ b/plugins/TwoFactorAuth/tests/UI/expected-screenshots/TwoFactorAuthUsersManager_edit_with_2fa_reset_confirm.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c258506e4b5a92ef47e7340c33a6eabe97c31dbeffcfc65206b23366db05a2e5
-size 6116
+oid sha256:ff3bf08635ffd75bca6aaa99d96299675f81fac5e5d68bb4db99fe8bae79bf19
+size 14249