Commit graph

33 commits

Author SHA1 Message Date
Robin Ward
b3a2c0c45b SECURITY: The SSO return_path was an open redirect
This security fix needs SSO to be configured, and the user has to go
through the entire auth process before being redirected to the wrong host so
it is probably lower priority for most installs.
2015-01-22 12:20:17 -05:00
Luciano Sousa
bc73238c8f controllers with rspec3 syntax 2015-01-09 14:04:02 -03:00
Robin Ward
9bb2ab6265 Merge pull request #3034 from fantasticfears/filter_system_user
disable sending email or show presence when forgot system user password
2014-12-19 16:52:01 -05:00
Erick Guan
ceca85c9eb use system user helper and constant when it's referred 2014-12-18 18:21:14 +08:00
Erick Guan
9937af7ac4 disable sending email or show presence when forgot system user password 2014-12-10 14:17:56 +08:00
Sam
013f1a6dd0 FEATURE: allow creating admin and moderator accounts via SSO 2014-11-27 12:39:00 +11:00
Sam
c10e3df012 FEATURE: implement SSO provider on Discourse so Auth can be farmed to it
FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 17:26:27 +11:00
Robin Ward
1252e7324f Added easy impersonate route while in development mode 2014-10-07 12:25:50 -04:00
riking
2c6d03f87f SECURITY: Limit passwords to 200 characters
Prevents layer 8 attack.
2014-09-12 12:07:11 -04:00
Neil Lalonde
ca5f361d0a FEATURE: restrict admin access based on IP address 2014-09-05 12:06:01 -04:00
Sam
e0a82d3088 FIX: rate limit password reset email 2014-08-18 10:55:30 +10:00
Louis Rose
1574485443 Perform the where(...).first to find_by(...) refactoring.
This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb"
2014-05-06 14:41:59 +01:00
Neil Lalonde
1da59e7e2e FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00
Sam
a3b2b4baca FEATURE: custom fields on User 2014-04-22 13:52:13 +10:00
Sam
be06156629 SECURITY: when enabled_local_logins is false users could log in via API
thanks @Nicholas Blanco
2014-03-26 15:39:44 +11:00
Stephen Birarda
c3eb2025d8 add option to override user attributes from SSO payload
add an external_username attribute for username from SSO payload

repair the field name in SingleSignOnRecord migration

move setting of external_username for sso to controller

add settings toggle to override username/email from SSO payload

fix changing of external username after override toggle

complete tests and logic for sso override

add some extra context to username override option

add external_email and external_name to single sign on record

add setting for name override from SSO payload

complete override with stored external_email and external_name

add missing checks to tests

remove an unneeded describe block

break up a monster method for single sign on

fixes for sso attribute override after failed tests
2014-03-04 09:52:21 -08:00
Sam
557af84ae2 FIX: broken spec 2014-02-26 10:52:11 +11:00
Sam
50a8d3caae BUGFIX: sso to send welcome emails 2014-02-26 10:28:03 +11:00
Sam
440435f023 FEATURE: SSO to handle return_path automatically 2014-02-26 09:58:30 +11:00
Sam
6f31d3f0e5 FEATURE: single sign on support
Added support for outsourcing auth to a different website, documentation on meta
2014-02-25 14:31:03 +11:00
Robin Ward
1dac3cfd64 API endpoint for retrieving the current user 2014-02-05 13:46:24 -05:00
Neil Lalonde
0c6f794eb0 Used the term suspended instead of banned. 2013-11-07 13:53:49 -05:00
Neil Lalonde
c74da0d262 Admins who haven't been approved can log in when must_approve_users is enabled 2013-08-06 16:51:29 -04:00
Michael Campagnaro
25f8692a79 Strip leading/trailing spaces from login 2013-07-23 23:03:38 -04:00
Neil Lalonde
5d6ad8f39c Show a useful message when a banned user tries to log in 2013-06-27 15:14:42 -04:00
Chris Hunt
93fc0e74bc Test correct login behavior when pending approval 2013-06-06 18:36:16 -07:00
Ian Christian Myers
0d01c33482 Enabled strong_parameters across all models/controllers.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00
Régis Hanol
b24c1a1ad9 better consistency around email case sensitivity 2013-04-15 02:20:33 +02:00
Gosha Arinich
cafc75b238 remove trailing whitespaces ❤️ 2013-02-26 07:31:35 +03:00
tms
3e6641c07e Unsign auth token cookies per discussion on #215 2013-02-23 13:40:21 -05:00
tms
5616fdc475 Sign the auth token cookie and make it httpOnly 2013-02-20 17:24:19 -05:00
Neil Lalonde
c18b85873f Prevent login until email is confirmed 2013-02-11 11:18:37 -05:00
Robin Ward
21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00