This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8384 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 25b96ab216a032401e3a751d492b96d7a9d2b663
Author: Dave Brondsema <[email protected]>
AuthorDate: Tue Jan 19 13:11:21 2021 -0500

    [#8384] enforce auth during phone verification
---
 Allura/allura/controllers/project.py             | 4 ++++
 Allura/allura/lib/custom_middleware.py           | 3 ++-
 Allura/allura/public/nf/js/phone-verification.js | 5 ++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Allura/allura/controllers/project.py b/Allura/allura/controllers/project.py
index 5374a8c..649eccc 100644
--- a/Allura/allura/controllers/project.py
+++ b/Allura/allura/controllers/project.py
@@ -166,10 +166,12 @@ class NeighborhoodController(object):
 
     @expose('jinja:allura:templates/phone_verification_fragment.html')
     def phone_verification_fragment(self, *args, **kw):
+        require_access(self.neighborhood, 'register')
         return {}
 
     @expose('json:')
     def verify_phone(self, number, **kw):
+        require_access(self.neighborhood, 'register')
         p = plugin.ProjectRegistrationProvider.get()
         result = p.verify_phone(c.user, number)
         request_id = result.pop('request_id', None)
@@ -185,6 +187,7 @@ class NeighborhoodController(object):
 
     @expose('json:')
     def check_phone_verification(self, pin, **kw):
+        require_access(self.neighborhood, 'register')
         p = plugin.ProjectRegistrationProvider.get()
         request_id = session.get('phone_verification.request_id')
         number_hash = session.get('phone_verification.number_hash')
@@ -197,6 +200,7 @@ class NeighborhoodController(object):
     @expose('json:')
     @validate(W.add_project)
     def check_names(self, **raw_data):
+        require_access(self.neighborhood, 'register')
         return c.form_errors
 
     @h.vardec
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index bf6ce72..6b17600 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -34,6 +34,7 @@
 import six
 from ming.odm import session
 from allura.lib import helpers as h
+from allura.lib.utils import is_ajax
 from allura import model as M
 import allura.model.repository
 from six.moves import range
@@ -157,7 +158,7 @@ class LoginRedirectMiddleware(object):
     def __call__(self, environ, start_response):
         status, headers, app_iter, exc_info = call_wsgi_application(self.app, environ)
         is_api_request = environ.get('PATH_INFO', '').startswith(str('/rest/'))
-        if status[:3] == '401' and not is_api_request:
+        if status[:3] == '401' and not is_api_request and not is_ajax(Request(environ)):
             login_url = tg.config.get('auth.login_url', '/auth/')
             if environ['REQUEST_METHOD'] == 'GET':
                 return_to = environ['PATH_INFO']
diff --git a/Allura/allura/public/nf/js/phone-verification.js b/Allura/allura/public/nf/js/phone-verification.js
index 32826be..e866fcd 100644
--- a/Allura/allura/public/nf/js/phone-verification.js
+++ b/Allura/allura/public/nf/js/phone-verification.js
@@ -143,8 +143,11 @@ var FormStepMixin = {
             } else {
                 set_state({error: resp.error});
             }
-        }.bind(this)).fail(function() {
+        }.bind(this)).fail(function(xhr) {
             var error = 'Request to API failed, please try again';
+            if (xhr.status === 401) {
+                error = 'Authentication issue. Please <a href="/p/add_project" target=_top>reload the page</a> and make sure you are logged in.';
+            }
             set_state({error: error});
         }).always(function() {
             set_state({in_progress: false});
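Review bot: In `check_names` the new `require_access(self.neighborhood, 'register')` only runs after `@validate(W.add_project)` has already executed the form validators, because the decorator wraps the method body; an unauthorized caller is still rejected before `c.form_errors` is returned, but whatever work those validators do (presumably project-name availability lookups — confirm in `W.add_project`) is performed on their behalf first, unlike the other three endpoints in this commit where the check is the first statement. That is not a leak, since nothing is returned to the rejected caller, but it is worth stating so the ordering is not mistaken for a bug: `# NOTE: @validate runs before this check; validators only populate c.form_errors, nothing reaches an unauthorized caller`. If the validators turn out to be expensive, a tiny decorator placed above `@validate` that calls `require_access` on `self.neighborhood` and then delegates would move the check ahead of validation. The enclosing `NeighborhoodController` class starts and ends outside the hunk.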
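Review bot: The new `is_ajax(Request(environ))` condition keys on a request header the client controls (presumably `X-Requested-With` — confirm in `allura.lib.utils.is_ajax`), so any caller can opt out of the login redirect at will; that is only acceptable because the redirect was never an access control — the 401 produced by `require_access` is still what the caller receives — and the line should say so, e.g. `# AJAX callers (client-controlled header) get the raw 401 so their JS can show an error; the redirect is UX, not authorization`. `Request` is not imported in either visible hunk (the import hunk adds only `is_ajax`), so it is assumed to already be in module scope — worth a glance at the import block, which lies outside the hunk. Every `$.ajax` caller that previously relied on the redirect to bounce anonymous users to login now has to handle a 401 itself; phone-verification.js in this commit does, other callers may need the same treatment. `__call__` continues past the end of the hunk.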
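Review bot: The 401 branch writes HTML markup (`<a href="/p/add_project" target=_top>`) into the same `error` state field that the success path fills with the server-supplied `resp.error`, so either the link renders as literal tags (text rendering) or `resp.error` is now also injected unescaped (raw-HTML rendering) — the render side is outside this hunk, so confirm which; keeping `error` plain text and signalling the link separately, e.g. `error = 'Authentication issue. Please reload the page and make sure you are logged in.'; set_state({error: error, needs_reload: true});`, lets the component render a static link or call `window.top.location.reload()`. The hard-coded `/p/add_project` also assumes the `/p/` neighborhood although the controller patched in this commit is the generic `NeighborhoodController`; reloading `window.top.location` avoids baking that path in. A logged-in user lacking the `register` permission presumably gets a 403 from `require_access` rather than a 401, which this branch still reports as 'please try again'; `if (xhr.status === 401 || xhr.status === 403)` with a permission-aware message would cover it. Minor: quote the attribute, `target="_top"`. The enclosing `FormStepMixin` method starts and ends outside the hunk.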
