Users without two-factor authentication enabled cannot sign out when two-factor authentication is required (#35087).

Patch by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@20949 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2021-04-16 02:27:18 +00:00 · 2021-04-16 02:27:18 +00:00 · f9e937f85a
commit f9e937f85a
parent e41cf61de8
2 changed files with 14 additions and 0 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -25,6 +25,7 @@ class AccountController < ApplicationController

  # prevents login action to be filtered by check_if_login_required application scope filter
  skip_before_action :check_if_login_required, :check_password_change
+  skip_before_action :check_twofa_activation, :only => :logout

  # Overrides ApplicationController#verify_authenticity_token to disable
  # token verification on openid callbacks
--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@ -43,6 +43,19 @@ class TwofaTest < Redmine::IntegrationTest
    end
  end

+  test 'should allow logout even if twofa setup is required' do
+    with_settings twofa: '2' do
+      log_user('jsmith', 'jsmith')
+      follow_redirect!
+      assert_redirected_to '/my/twofa/totp/activate/confirm'
+      follow_redirect!
+      post '/logout'
+      assert_redirected_to '/'
+      follow_redirect!
+      assert_response :success
+    end
+  end
+
  test "should generate and accept backup codes" do
    log_user('jsmith', 'jsmith')
    get "/my/account"