Fix redirect loop when both enabling two-factor authentication and changing password are required (#1237, #34618).

Patch by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@20734 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 15:01:14 +00:00 · 2021-02-02 07:15:08 +00:00 · 2021-02-02 07:15:08 +00:00 · 75b6cacb5d
commit 75b6cacb5d
parent 097e75987b
2 changed files with 14 additions and 1 deletions
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@ -21,7 +21,7 @@ class MyController < ApplicationController
  self.main_menu = false
  before_action :require_login
  # let user change user's password when user has to
-  skip_before_action :check_password_change, :only => :password
+  skip_before_action :check_password_change, :check_twofa_activation, :only => :password

  accept_api_auth :account

--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@ -30,6 +30,19 @@ class TwofaTest < Redmine::IntegrationTest
    end
  end

+  test 'should require to change password first when must_change_passwd is true' do
+    User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true)
+    with_settings twofa: '2' do
+      log_user('jsmith', 'jsmith')
+      follow_redirect!
+      assert_redirected_to '/my/password'
+      follow_redirect!
+      # Skip the before action check_twofa_activation for '/my/password'
+      # to avoid redirect loop
+      assert_response :success
+    end
+  end
+
  test "should generate and accept backup codes" do
    log_user('jsmith', 'jsmith')
    get "/my/account"