
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorThomas Steur <tsteur@users.noreply.github.com>2019-03-18 02:30:03 +0300
committerGitHub <noreply@github.com>2019-03-18 02:30:03 +0300
commitc3a9183f00486007a84af5766f28f4298c74e446 (patch)
tree6022115b0e34ebd3c5bf0357e95f4f8b26700a51 /plugins/TwoFactorAuth
parentcdbf954ebeb1e5127df0a0f41c763d16abf8b7f0 (diff)
Make sure to anonymize token only when needed (#14216)
Diffstat (limited to 'plugins/TwoFactorAuth')
-rw-r--r--plugins/TwoFactorAuth/TwoFactorAuth.php51
1 files changed, 30 insertions, 21 deletions
diff --git a/plugins/TwoFactorAuth/TwoFactorAuth.php b/plugins/TwoFactorAuth/TwoFactorAuth.php
index 6bfe0d9ac5..06091294f4 100644
--- a/plugins/TwoFactorAuth/TwoFactorAuth.php
+++ b/plugins/TwoFactorAuth/TwoFactorAuth.php
@@ -144,19 +144,40 @@ class TwoFactorAuth extends \Piwik\Plugin
}
if ($module === 'Proxy') {
+ return false;
+ }
+
+ if (!$this->requiresAuth($module, $action, $parameters)) {
return;
}
+ $twoFa = $this->getTwoFa();
+
+ $isUsing2FA = $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
+ if ($isUsing2FA && !Request::isRootRequestApiRequest() && Session::isStarted()) {
+ $sessionFingerprint = new SessionFingerprint();
+ if (!$sessionFingerprint->hasVerifiedTwoFactor()) {
+ $module = 'TwoFactorAuth';
+ $action = 'loginTwoFactorAuth';
+ }
+ } elseif (!$isUsing2FA && $twoFa->isUserRequiredToHaveTwoFactorEnabled()) {
+ $module = 'TwoFactorAuth';
+ $action = 'onLoginSetupTwoFactorAuth';
+ }
+ }
+
+ private function requiresAuth($module, $action, $parameters)
+ {
if ($module === 'TwoFactorAuth' && $action === 'showQrCode') {
- return;
+ return false;
}
if ($module === 'CoreUpdater') {
- return;
+ return false;
}
if ($module === Piwik::getLoginPluginName() && $action === 'logout') {
- return;
+ return false;
}
if (Piwik::getModule() === 'Widgetize') {
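Review bot: The `Proxy` branch of onRequestDispatch now ends in `return false;` while the next early exit in the same handler is a bare `return;`, so the handler mixes a boolean and a void result. The method starts outside the hunk, so whether the dispatcher reads that value is not visible here; if it does not, keep it as `return;`. The extracted `requiresAuth()` also has no docblock, and its name reads like a general authentication check although every visible branch is an exemption from two-factor enforcement. I would add a docblock along the lines of `/** Whether two-factor enforcement applies to this request; every "return false" is a 2FA exemption and must stay narrow. */` so that later additions to the list are reviewed as security-relevant.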
@@ -165,30 +186,14 @@ class TwoFactorAuth extends \Piwik\Plugin
if ($auth && !$auth->getLogin() && method_exists($auth, 'getTokenAuth') && $auth->getTokenAuth()) {
// when authenticated by token only, we do not require 2fa
// needed eg for rendering exported widgets authenticated by token
- return;
+ return false;
}
}
$requiresAuth = true;
Piwik::postEvent('TwoFactorAuth.requiresTwoFactorAuthentication', array(&$requiresAuth, $module, $action, $parameters));
- if (!$requiresAuth) {
- return;
- }
-
- $twoFa = $this->getTwoFa();
-
- $isUsing2FA = $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
- if ($isUsing2FA && !Request::isRootRequestApiRequest() && Session::isStarted()) {
- $sessionFingerprint = new SessionFingerprint();
- if (!$sessionFingerprint->hasVerifiedTwoFactor()) {
- $module = 'TwoFactorAuth';
- $action = 'loginTwoFactorAuth';
- }
- } elseif (!$isUsing2FA && $twoFa->isUserRequiredToHaveTwoFactorEnabled()) {
- $module = 'TwoFactorAuth';
- $action = 'onLoginSetupTwoFactorAuth';
- }
+ return $requiresAuth;
}
public function onRequestDispatchEnd(&$result, $module, $action, $parameters)
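Review bot: `requiresAuth()` posts `TwoFactorAuth.requiresTwoFactorAuthentication` and, as far as the visible hunks show, is now called from both onRequestDispatch and onRequestDispatchEnd, so subscribers run twice per request and nothing guarantees they answer the same way both times. Because a listener can switch off 2FA enforcement through the by-reference `$requiresAuth`, that contract deserves a comment above the `postEvent` line, for example `// posted from dispatch and dispatch end; listeners must be side-effect free and answer consistently`. The value is also returned exactly as the listener left it, so `return (bool) $requiresAuth;` would make the boolean contract explicit.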
@@ -198,6 +203,10 @@ class TwoFactorAuth extends \Piwik\Plugin
return;
}
+ if (!$this->requiresAuth($module, $action, $parameters)) {
+ return;
+ }
+
$twoFa = $this->getTwoFa();
$isUsing2FA = $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
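Review bot: The new early return in onRequestDispatchEnd reuses the list of 2FA-prompt exemptions to decide whether the rest of this handler runs, which per the commit title is the token anonymization, and those two decisions are not obviously the same. For the token-only Widgetize case the skip looks intended. However, `CoreUpdater`, `showQrCode` and logout are also exempt, for a session user who may not have passed the second factor yet, and their output would now be left untouched. It is worth confirming that none of those responses can carry the token and recording the assumption in a comment such as `// requests exempt from 2FA are assumed not to expose the token; see requiresAuth()`. The rest of the handler lies outside the hunk, so this is inferred from the title and the visible lines only.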