allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From brond...@apache.org
Subject [allura] 01/01: [#8384] enforce auth during phone verification
Date Tue, 19 Jan 2021 18:11:42 GMT
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8384
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 25b96ab216a032401e3a751d492b96d7a9d2b663
Author: Dave Brondsema <dbrondsema@slashdotmedia.com>
AuthorDate: Tue Jan 19 13:11:21 2021 -0500

    [#8384] enforce auth during phone verification
---
 Allura/allura/controllers/project.py             | 4 ++++
 Allura/allura/lib/custom_middleware.py           | 3 ++-
 Allura/allura/public/nf/js/phone-verification.js | 5 ++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Allura/allura/controllers/project.py b/Allura/allura/controllers/project.py
index 5374a8c..649eccc 100644
--- a/Allura/allura/controllers/project.py
+++ b/Allura/allura/controllers/project.py
@@ -166,10 +166,12 @@ class NeighborhoodController(object):
 
     @expose('jinja:allura:templates/phone_verification_fragment.html')
     def phone_verification_fragment(self, *args, **kw):
+        require_access(self.neighborhood, 'register')
         return {}
 
     @expose('json:')
     def verify_phone(self, number, **kw):
+        require_access(self.neighborhood, 'register')
         p = plugin.ProjectRegistrationProvider.get()
         result = p.verify_phone(c.user, number)
         request_id = result.pop('request_id', None)
@@ -185,6 +187,7 @@ class NeighborhoodController(object):
 
     @expose('json:')
     def check_phone_verification(self, pin, **kw):
+        require_access(self.neighborhood, 'register')
         p = plugin.ProjectRegistrationProvider.get()
         request_id = session.get('phone_verification.request_id')
         number_hash = session.get('phone_verification.number_hash')
@@ -197,6 +200,7 @@ class NeighborhoodController(object):
     @expose('json:')
     @validate(W.add_project)
     def check_names(self, **raw_data):
+        require_access(self.neighborhood, 'register')
         return c.form_errors
 
     @h.vardec
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index bf6ce72..6b17600 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -34,6 +34,7 @@ import six
 from ming.odm import session
 
 from allura.lib import helpers as h
+from allura.lib.utils import is_ajax
 from allura import model as M
 import allura.model.repository
 from six.moves import range
@@ -157,7 +158,7 @@ class LoginRedirectMiddleware(object):
     def __call__(self, environ, start_response):
         status, headers, app_iter, exc_info = call_wsgi_application(self.app, environ)
         is_api_request = environ.get('PATH_INFO', '').startswith(str('/rest/'))
-        if status[:3] == '401' and not is_api_request:
+        if status[:3] == '401' and not is_api_request and not is_ajax(Request(environ)):
             login_url = tg.config.get('auth.login_url', '/auth/')
             if environ['REQUEST_METHOD'] == 'GET':
                 return_to = environ['PATH_INFO']
diff --git a/Allura/allura/public/nf/js/phone-verification.js b/Allura/allura/public/nf/js/phone-verification.js
index 32826be..e866fcd 100644
--- a/Allura/allura/public/nf/js/phone-verification.js
+++ b/Allura/allura/public/nf/js/phone-verification.js
@@ -143,8 +143,11 @@ var FormStepMixin = {
       } else {
         set_state({error: resp.error});
       }
-    }.bind(this)).fail(function() {
+    }.bind(this)).fail(function(xhr) {
       var error = 'Request to API failed, please try again';
+      if (xhr.status === 401) {
+        error = 'Authentication issue.  Please <a href="/p/add_project" target=_top>reload
the page</a> and make sure you are logged in.';
+      }
       set_state({error: error});
     }).always(function() {
       set_state({in_progress: false});


Mime
View raw message