Test authLevel before removing 2F device (#2332)
This commit is contained in:
parent
c615ba2b7d
commit
a8343ac7be
|
@ -38,7 +38,7 @@ sub run {
|
|||
|
||||
# Check if TOTP can be updated
|
||||
return $self->p->sendError( $req, 'notAuthorized', 400 )
|
||||
unless $self->allowedUpdateSfa($req);
|
||||
unless $self->allowedUpdateSfa($req, $action);
|
||||
|
||||
# Verification that user has a valid TOTP app
|
||||
if ( $action eq 'verify' ) {
|
||||
|
|
|
@ -35,7 +35,7 @@ sub run {
|
|||
|
||||
# Check if U2F key can be updated
|
||||
return $self->p->sendError( $req, 'notAuthorized', 400 )
|
||||
unless $self->allowedUpdateSfa($req);
|
||||
unless $self->allowedUpdateSfa($req, $action);
|
||||
|
||||
if ( $action eq 'register' ) {
|
||||
|
||||
|
|
|
@ -42,7 +42,7 @@ sub run {
|
|||
RAW_ERROR => 'notAuthorized',
|
||||
AUTH_ERROR_TYPE => 'warning',
|
||||
}
|
||||
) unless $self->allowedUpdateSfa($req);
|
||||
) unless $self->allowedUpdateSfa($req, $action);
|
||||
|
||||
if ( $action eq 'register' ) {
|
||||
my $otp = $req->param('otp');
|
||||
|
|
|
@ -105,9 +105,27 @@ sub createNotification {
|
|||
}
|
||||
|
||||
sub allowedUpdateSfa {
|
||||
my ( $self, $req ) = @_;
|
||||
my ( $self, $req, $action ) = @_;
|
||||
my $user = $req->userData->{ $self->conf->{whatToTrace} };
|
||||
my $res = 1;
|
||||
my $res = 1;
|
||||
if ( $action eq 'delete' ) {
|
||||
my $module = lc ref $self;
|
||||
$module = ( $module =~ /2f::register::(\w+)$/ )[0];
|
||||
$module =~ s/2f//;
|
||||
$self->logger->debug("$user request to delete ${module}2f device");
|
||||
if ( $self->{conf}->{"${module}2fAuthnLevel"}
|
||||
&& $req->userData->{authenticationLevel} <
|
||||
$self->{conf}->{"${module}2fAuthnLevel"} )
|
||||
{
|
||||
$self->userLogger->warn(
|
||||
"$user request to delete ${module}2f device rejected due to insufficient authentication level!"
|
||||
);
|
||||
$self->logger->debug(
|
||||
"authLevel: $req->{userData}->{authenticationLevel} < requiredLevel: "
|
||||
. $self->{conf}->{"${module}2fAuthnLevel"} );
|
||||
undef $res;
|
||||
}
|
||||
}
|
||||
if ( $self->conf->{impersonationRule} ) {
|
||||
$self->logger->debug('Impersonation plugin is enabled!');
|
||||
if ( $req->userData->{"$self->{conf}->{impersonationPrefix}_user"}
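Review bot: The module lookup at `$module = ( $module =~ /2f::register::(\w+)$/ )[0];` yields undef when the class name does not match the pattern, after which `s/2f//` warns on an undefined value and the lookup key degrades to `"2fAuthnLevel"`, so the `if ( $self->{conf}->{"${module}2fAuthnLevel"} ...` guard is skipped and the delete is allowed — a fail-open default for a check whose purpose is to stop a lower-level session from removing a 2F device. A class whose name cannot be mapped to a config key should be refused rather than bypass the check, as in the variant below. Separately, `if ( $action eq 'delete' )` will emit an uninitialized-value warning for any caller that still invokes `allowedUpdateSfa($req)` without the new argument; `$action //= '';` after the argument unpacking keeps those callers quiet and treats them as non-delete, consistent with the three updated call sites. The impersonation branch and the sub's return continue outside the hunk, so `$res` being the returned value is inferred from `undef $res` rather than visible here.
```perl
    if ( $action eq 'delete' ) {
        my ($module) = lc( ref $self ) =~ /2f::register::(\w+)$/;
        unless ( defined $module ) {
            $self->logger->error(
                "Unable to derive 2F module name from " . ref $self );
            undef $res;    # fail closed: unknown module, refuse the delete
        }
        else {
            $module =~ s/2f//;
            # … unchanged: debug log and authenticationLevel comparison against "${module}2fAuthnLevel" …
        }
    }
```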
|
||||
|
|