fix: Clients limit exceeded route requires login

We should return an Unauthorized error when someone tries to access the clients limit exceeded route of a Cozy without a valid session (i.e. without being logged in).
cozy · Sep 27, 2023 · c3c0de0 · c3c0de0
1 parent c92b2de
commit c3c0de0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/web/settings/clients.go b/web/settings/clients.go
@@ -129,6 +129,10 @@ func (h *HTTPHandler) synchronized(c echo.Context) error {
 func (h *HTTPHandler) limitExceeded(c echo.Context) error {
 	inst := middlewares.GetInstance(c)
 
+	if !middlewares.IsLoggedIn(c) {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Error Must be authenticated")
+	}
+
 	redirect := c.QueryParam("redirect")
 	if redirect == "" {
 		redirect = inst.DefaultRedirection().String()

diff --git a/web/settings/settings_test.go b/web/settings/settings_test.go
@@ -41,8 +41,10 @@ func setupRouter(t *testing.T, inst *instance.Instance, svc csettings.Service) *
 	group := handler.Group("/settings", func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(context echo.Context) error {
 			context.Set("instance", inst)
-			sess, _ := session.New(inst, session.LongRun)
-			context.Set("session", sess)
+			if context.Request().Header.Get("Authorization") != "" {
+				sess, _ := session.New(inst, session.LongRun)
+				context.Set("session", sess)
+			}
 			return next(context)
 		}
 	})
@@ -883,6 +885,14 @@ func TestSettings(t *testing.T) {
 		attrs.ValueEqual("ratio_1", "context")
 	})
 
+	t.Run("ClientsLimitExceededWithoutSession", func(t *testing.T) {
+		e := testutils.CreateTestClient(t, tsURL)
+
+		e.GET("/settings/clients/limit-exceeded").
+			WithRedirectPolicy(httpexpect.DontFollowRedirects).
+			Expect().Status(401)
+	})
+
 	t.Run("ClientsLimitExceededWithoutLimit", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, tsURL)