Skip to content

N
nexpie-grafana-theme
Commit d16fd58b by Oleg Gaidarenko Committed by GitHub
Options

Auth: do not expose disabled user disabled status (#18229) 

Fixes #17947
parent 4b16cd6c
Showing with 11 additions and 4 deletions
pkg/api/login.go
......@@ -81,7 +81,7 @@ func tryOAuthAutoLogin(c *models.ReqContext) bool {
}
oauthInfos := setting.OAuthService.OAuthInfos
if len(oauthInfos) != 1 {
log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.")
log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured")
return false
}
for key := range setting.OAuthService.OAuthInfos {
......@@ -114,12 +114,16 @@ func (hs *HTTPServer) LoginPost(c *models.ReqContext, cmd dtos.LoginCommand) Res
}
if err := bus.Dispatch(authQuery); err != nil {
e401 := Error(401, "Invalid username or password", err)
if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts {
return Error(401, "Invalid username or password", err)
return e401
}
// Do not expose disabled status,
// just show incorrect user credentials error (see #17947)
if err == login.ErrUserDisabled {
return Error(401, "User is disabled", err)
hs.log.Warn("User is disabled", "user", cmd.User)
return e401
}
return Error(500, "Error while trying to authenticate user", err)
......
pkg/api/login_oauth.go
......@@ -191,8 +191,11 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
return
}
// Do not expose disabled status,
// just show incorrect user credentials error (see #17947)
if cmd.Result.IsDisabled {
hs.redirectWithError(ctx, login.ErrUserDisabled)
oauthLogger.Warn("User is disabled", "user", cmd.Result.Login)
hs.redirectWithError(ctx, login.ErrInvalidCredentials)
return
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment