UX: improve message when admin login is blocked because of admin ip address whitelisting
This commit is contained in:
parent
1bf4f34049
commit
7c14db44cc
8 changed files with 36 additions and 17 deletions
|
@ -164,6 +164,12 @@ export default DiscourseController.extend(ModalFunctionality, {
|
||||||
this.set('authenticate', null);
|
this.set('authenticate', null);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (options.admin_not_allowed_from_ip_address) {
|
||||||
|
this.send('showLogin');
|
||||||
|
this.flash(I18n.t('login.admin_not_allowed_from_ip_address'), 'success');
|
||||||
|
this.set('authenticate', null);
|
||||||
|
return;
|
||||||
|
}
|
||||||
if (options.not_allowed_from_ip_address) {
|
if (options.not_allowed_from_ip_address) {
|
||||||
this.send('showLogin');
|
this.send('showLogin');
|
||||||
this.flash(I18n.t('login.not_allowed_from_ip_address'), 'success');
|
this.flash(I18n.t('login.not_allowed_from_ip_address'), 'success');
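Review bot: The new `admin_not_allowed_from_ip_address` branch repeats the `not_allowed_from_ip_address` branch beneath it line for line, differing only in the translation key, so the two will drift the first time one of them is touched. Since this file already uses ES6 module syntax, the two flags can be folded into a single branch that picks the key and then runs the one shared showLogin/flash/set/return sequence, as sketched below; this assumes the existing branch ends the same way as the new one, which cannot be confirmed because its tail and the enclosing method both lie outside the hunk. Both branches also flash a login-denied notice with the `'success'` level; if that is an intentional convention of this modal it deserves a one-line comment such as `// 'success' level is intentional here: keep the notice neutral, it is not an error the user can fix`, otherwise an error level would be the less surprising choice.
```javascript
      // … unchanged: earlier option handling …
      const blockedFlag = ['admin_not_allowed_from_ip_address', 'not_allowed_from_ip_address']
                            .find(flag => options[flag]);
      if (blockedFlag) {
        this.send('showLogin');
        this.flash(I18n.t(`login.${blockedFlag}`), 'success');
        this.set('authenticate', null);
        return;
      }
```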
|
||||||
|
|
|
@ -147,11 +147,14 @@ class SessionController < ApplicationController
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if ScreenedIpAddress.block_login?(user, request.remote_ip) ||
|
if ScreenedIpAddress.should_block?(request.remote_ip)
|
||||||
ScreenedIpAddress.should_block?(request.remote_ip)
|
|
||||||
return not_allowed_from_ip_address(user)
|
return not_allowed_from_ip_address(user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if ScreenedIpAddress.block_admin_login?(user, request.remote_ip)
|
||||||
|
return admin_not_allowed_from_ip_address(user)
|
||||||
|
end
|
||||||
|
|
||||||
(user.active && user.email_confirmed?) ? login(user) : not_activated(user)
|
(user.active && user.email_confirmed?) ? login(user) : not_activated(user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -229,6 +232,10 @@ class SessionController < ApplicationController
|
||||||
render json: {error: I18n.t("login.not_allowed_from_ip_address", username: user.username)}
|
render json: {error: I18n.t("login.not_allowed_from_ip_address", username: user.username)}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def admin_not_allowed_from_ip_address(user)
|
||||||
|
render json: {error: I18n.t("login.admin_not_allowed_from_ip_address", username: user.username)}
|
||||||
|
end
|
||||||
|
|
||||||
def failed_to_login(user)
|
def failed_to_login(user)
|
||||||
message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended"
|
message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended"
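Review bot: The new `admin_not_allowed_from_ip_address` response (second hunk) tells the client two things the previous generic text only implied: that the submitted credentials were accepted and that the account is an admin, because `block_admin_login?` in the first hunk runs only after the earlier credential check that presumably precedes it (that check is outside the hunk, so this is inferred). That is a deliberate UX-versus-opacity trade-off and acceptable for an operator-facing allowlist, but it should be recorded on the method so it is not widened later: `# Reached only after credentials are verified: this reply confirms a valid admin login from a non-allowlisted IP. Accepted trade-off for operator UX; keep the message free of further detail.` Separately, the call passes `username: user.username` while the new server-side string has no `%{username}` placeholder, so the argument is silently ignored; either drop it or add the placeholder so the two IP-block messages stay parallel.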
|
||||||
|
|
||||||
|
|
|
@ -85,8 +85,10 @@ class Users::OmniauthCallbacksController < ApplicationController
|
||||||
user.toggle(:active).save
|
user.toggle(:active).save
|
||||||
end
|
end
|
||||||
|
|
||||||
if ScreenedIpAddress.block_login?(user, request.remote_ip)
|
if ScreenedIpAddress.should_block?(request.remote_ip)
|
||||||
@data.not_allowed_from_ip_address = true
|
@data.not_allowed_from_ip_address = true
|
||||||
|
elsif ScreenedIpAddress.block_admin_login?(user, request.remote_ip)
|
||||||
|
@data.admin_not_allowed_from_ip_address = true
|
||||||
elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access
|
elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access
|
||||||
log_on_user(user)
|
log_on_user(user)
|
||||||
Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore
|
Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore
|
||||||
|
|
|
@ -74,7 +74,7 @@ class ScreenedIpAddress < ActiveRecord::Base
|
||||||
found
|
found
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.block_login?(user, ip_address)
|
def self.block_admin_login?(user, ip_address)
|
||||||
return false if user.nil?
|
return false if user.nil?
|
||||||
return false if !user.admin?
|
return false if !user.admin?
|
||||||
return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0
|
return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0
|
||||||
|
|
|
@ -640,6 +640,7 @@ en:
|
||||||
requires_invite: "Sorry, access to this forum is by invite only."
|
requires_invite: "Sorry, access to this forum is by invite only."
|
||||||
not_activated: "You can't log in yet. We previously sent an activation email to you at <b>{{sentTo}}</b>. Please follow the instructions in that email to activate your account."
|
not_activated: "You can't log in yet. We previously sent an activation email to you at <b>{{sentTo}}</b>. Please follow the instructions in that email to activate your account."
|
||||||
not_allowed_from_ip_address: "You can't login from that IP address."
|
not_allowed_from_ip_address: "You can't login from that IP address."
|
||||||
|
admin_not_allowed_from_ip_address: "You can't log in as admin from that IP address."
|
||||||
resend_activation_email: "Click here to send the activation email again."
|
resend_activation_email: "Click here to send the activation email again."
|
||||||
sent_activation_email_again: "We sent another activation email to you at <b>{{currentEmail}}</b>. It might take a few minutes for it to arrive; be sure to check your spam folder."
|
sent_activation_email_again: "We sent another activation email to you at <b>{{currentEmail}}</b>. It might take a few minutes for it to arrive; be sure to check your spam folder."
|
||||||
google:
|
google:
|
||||||
|
|
|
@ -1228,7 +1228,8 @@ en:
|
||||||
active: "Your account is activated and ready to use."
|
active: "Your account is activated and ready to use."
|
||||||
activate_email: "<p>You're almost done! We sent an activation mail to <b>%{email}</b>. Please follow the instructions in the email to activate your account.</p><p>If it doesn't arrive, check your spam folder, or try to log in again to send another activation mail.</p>"
|
activate_email: "<p>You're almost done! We sent an activation mail to <b>%{email}</b>. Please follow the instructions in the email to activate your account.</p><p>If it doesn't arrive, check your spam folder, or try to log in again to send another activation mail.</p>"
|
||||||
not_activated: "You can't log in yet. We sent an activation email to you. Please follow the instructions in the email to activate your account."
|
not_activated: "You can't log in yet. We sent an activation email to you. Please follow the instructions in the email to activate your account."
|
||||||
not_allowed_from_ip_address: "You can't login as %{username} from that IP address."
|
not_allowed_from_ip_address: "You can't log in as %{username} from that IP address."
|
||||||
|
admin_not_allowed_from_ip_address: "You can't log in as admin from that IP address."
|
||||||
suspended: "You can't log in until %{date}."
|
suspended: "You can't log in until %{date}."
|
||||||
suspended_with_reason: "You can't log in until %{date}. The reason you were suspended: %{reason}"
|
suspended_with_reason: "You can't log in until %{date}. The reason you were suspended: %{reason}"
|
||||||
errors: "%{errors}"
|
errors: "%{errors}"
|
||||||
|
|
|
@ -2,7 +2,8 @@ class Auth::Result
|
||||||
attr_accessor :user, :name, :username, :email, :user,
|
attr_accessor :user, :name, :username, :email, :user,
|
||||||
:email_valid, :extra_data, :awaiting_activation,
|
:email_valid, :extra_data, :awaiting_activation,
|
||||||
:awaiting_approval, :authenticated, :authenticator_name,
|
:awaiting_approval, :authenticated, :authenticator_name,
|
||||||
:requires_invite, :not_allowed_from_ip_address
|
:requires_invite, :not_allowed_from_ip_address,
|
||||||
|
:admin_not_allowed_from_ip_address
|
||||||
|
|
||||||
def session_data
|
def session_data
|
||||||
{
|
{
|
||||||
|
@ -30,7 +31,8 @@ class Auth::Result
|
||||||
authenticated: !!authenticated,
|
authenticated: !!authenticated,
|
||||||
awaiting_activation: !!awaiting_activation,
|
awaiting_activation: !!awaiting_activation,
|
||||||
awaiting_approval: !!awaiting_approval,
|
awaiting_approval: !!awaiting_approval,
|
||||||
not_allowed_from_ip_address: !!not_allowed_from_ip_address
|
not_allowed_from_ip_address: !!not_allowed_from_ip_address,
|
||||||
|
admin_not_allowed_from_ip_address: !!admin_not_allowed_from_ip_address
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
|
|
|
@ -238,22 +238,22 @@ describe ScreenedIpAddress do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#block_login?' do
|
describe '#block_admin_login?' do
|
||||||
context 'no allow_admin records exist' do
|
context 'no allow_admin records exist' do
|
||||||
it "returns false when user is nil" do
|
it "returns false when user is nil" do
|
||||||
expect(described_class.block_login?(nil, '123.12.12.12')).to eq(false)
|
expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false for non-admin user" do
|
it "returns false for non-admin user" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
|
expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false for admin user" do
|
it "returns false for admin user" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
|
expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false for admin user and ip_address arg is nil" do
|
it "returns false for admin user and ip_address arg is nil" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:admin), nil)).to eq(false)
|
expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -264,23 +264,23 @@ describe ScreenedIpAddress do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false when user is nil" do
|
it "returns false when user is nil" do
|
||||||
expect(described_class.block_login?(nil, @permitted_ip_address)).to eq(false)
|
expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false for an admin user at the allowed ip address" do
|
it "returns false for an admin user at the allowed ip address" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
|
expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns true for an admin user at another ip address" do
|
it "returns true for an admin user at another ip address" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
|
expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false for regular user at allowed ip address" do
|
it "returns false for regular user at allowed ip address" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
|
expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns false for regular user at another ip address" do
|
it "returns false for regular user at another ip address" do
|
||||||
expect(described_class.block_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
|
expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|