Fix redirect loop when both enabling two-factor authentication and changing password are required (#1237, #34618).

Patch by Go MAEDA.


git-svn-id: http://svn.redmine.org/redmine/trunk@20734 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/my_controller.rb

@@ -21,7 +21,7 @@ class MyController < ApplicationController
   self.main_menu = false
   before_action :require_login
   # let user change user's password when user has to
-  skip_before_action :check_password_change, :only => :password
+  skip_before_action :check_password_change, :check_twofa_activation, :only => :password
 
   accept_api_auth :account
 

test/integration/twofa_test.rb

@@ -30,6 +30,19 @@ class TwofaTest < Redmine::IntegrationTest
     end
   end
 
+  test 'should require to change password first when must_change_passwd is true' do
+    User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true)
+    with_settings twofa: '2' do
+      log_user('jsmith', 'jsmith')
+      follow_redirect!
+      assert_redirected_to '/my/password'
+      follow_redirect!
+      # Skip the before action check_twofa_activation for '/my/password'
+      # to avoid redirect loop
+      assert_response :success
+    end
+  end
+
   test "should generate and accept backup codes" do
     log_user('jsmith', 'jsmith')
     get "/my/account"