Commit d16fd58b by Oleg Gaidarenko Committed by GitHub

Auth: do not expose disabled user disabled status (#18229)

Fixes #17947
parent 4b16cd6c
...@@ -81,7 +81,7 @@ func tryOAuthAutoLogin(c *models.ReqContext) bool { ...@@ -81,7 +81,7 @@ func tryOAuthAutoLogin(c *models.ReqContext) bool {
} }
oauthInfos := setting.OAuthService.OAuthInfos oauthInfos := setting.OAuthService.OAuthInfos
if len(oauthInfos) != 1 { if len(oauthInfos) != 1 {
log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.") log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured")
return false return false
} }
for key := range setting.OAuthService.OAuthInfos { for key := range setting.OAuthService.OAuthInfos {
...@@ -114,12 +114,16 @@ func (hs *HTTPServer) LoginPost(c *models.ReqContext, cmd dtos.LoginCommand) Res ...@@ -114,12 +114,16 @@ func (hs *HTTPServer) LoginPost(c *models.ReqContext, cmd dtos.LoginCommand) Res
} }
if err := bus.Dispatch(authQuery); err != nil { if err := bus.Dispatch(authQuery); err != nil {
e401 := Error(401, "Invalid username or password", err)
if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts { if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts {
return Error(401, "Invalid username or password", err) return e401
} }
// Do not expose disabled status,
// just show incorrect user credentials error (see #17947)
if err == login.ErrUserDisabled { if err == login.ErrUserDisabled {
return Error(401, "User is disabled", err) hs.log.Warn("User is disabled", "user", cmd.User)
return e401
} }
return Error(500, "Error while trying to authenticate user", err) return Error(500, "Error while trying to authenticate user", err)
......
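Review bot: `e401` is built on the first added line with the original `err`, which on the disabled branch is `login.ErrUserDisabled`, so whether the disabled status is truly hidden depends on what the `Error` helper does with its third argument; if it ever copies `err.Error()` into the response body (for example in a non-production mode), the client would still learn that the account is disabled. Worth confirming against the helper's implementation and, if the error is only logged server-side, saying so where `e401` is built, e.g. `// err is logged server-side only; the client sees the generic message`. The same question applies to `redirectWithError` in the OAuthLogin section below, which now receives `login.ErrInvalidCredentials` instead. Note that the `hs.log.Warn("User is disabled", ...)` line is now the only record of the real reason, so operators watching for disabled-account login attempts must key on the server log rather than the HTTP response. LoginPost continues outside the hunk.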
...@@ -191,8 +191,11 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) { ...@@ -191,8 +191,11 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
return return
} }
// Do not expose disabled status,
// just show incorrect user credentials error (see #17947)
if cmd.Result.IsDisabled { if cmd.Result.IsDisabled {
hs.redirectWithError(ctx, login.ErrUserDisabled) oauthLogger.Warn("User is disabled", "user", cmd.Result.Login)
hs.redirectWithError(ctx, login.ErrInvalidCredentials)
return return
} }
......