Commit 85bc6710 authored by Catalin Irimie

Exclude 2FA from upload#show routes and 404s

Nonexistent routes should not redirect to the 2FA page, as there can
be missing resources, which would cause the 2FA secret to be regenerated.

For UploadsController#show routes, any resource trying to be loaded
while on the 2FA page (avatar, custom header etc) would redirect to
the 2FA page, also regenerating the token after the QR/key was already
rendered in the view.
parent 23910d26
......@@ -11,7 +11,7 @@ module EnforcesTwoFactorAuthentication
extend ActiveSupport::Concern
included do
before_action :check_two_factor_requirement
before_action :check_two_factor_requirement, except: [:route_not_found]
# to include this in controllers inheriting from `ActionController::Metal`
# we need to add this block
......
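Review bot: The `except: [:route_not_found]` on the `before_action` in the `included` block keys the exemption on an action name, and nothing in the concern says why that one action is exempt. Because the concern is included into other controllers, any including controller that defines an action called `route_not_found` will skip `check_two_factor_requirement` as well. Add a short comment above the line tying it to the 404 handling described in the commit message, and a controller spec asserting that an unknown route does not redirect to the 2FA page while an ordinary action still does.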
......@@ -19,6 +19,7 @@ class UploadsController < ApplicationController
rescue_from UnknownUploadModelError, with: :render_404
skip_before_action :authenticate_user!
skip_before_action :check_two_factor_requirement, only: [:show]
before_action :upload_mount_satisfied?
before_action :authorize_access!, only: [:show]
before_action :authorize_create_access!, only: [:create, :authorize]
......
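Review bot: With `skip_before_action :check_two_factor_requirement, only: [:show]` placed next to `skip_before_action :authenticate_user!`, access to `show` now rests entirely on `upload_mount_satisfied?` and `authorize_access!`. The commit message motivates this with assets loaded on the 2FA page (avatar, custom header), but the skip covers every upload served by `show`, including ones a signed-in user who has not yet completed a required 2FA setup could be authorized for. Please confirm that is intended, or narrow the skip to the upload types the 2FA page actually loads, and add a request spec showing that `show` no longer redirects to the 2FA page and that `authorize_access!` still denies uploads the user may not see.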
---
title: Exclude 2FA from upload#show routes and 404s
merge_request: 42784
author:
type: fixed