From c3c0de08ae58f3a78514dd042566146d45f9f3a7 Mon Sep 17 00:00:00 2001
From: Erwan Guyader
Date: Tue, 26 Sep 2023 19:41:41 +0200
Subject: [PATCH] fix: Clients limit exceeded route requires login

We should return an Unauthorized error when someone tries to access the clients limit exceeded route of a Cozy without a valid session (i.e. without being logged in).
---
 web/settings/clients.go       |  4 ++++
 web/settings/settings_test.go | 14 ++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/web/settings/clients.go b/web/settings/clients.go
index b1098c41615..b458f6d54fc 100644
--- a/web/settings/clients.go
+++ b/web/settings/clients.go
@@ -129,6 +129,10 @@ func (h *HTTPHandler) synchronized(c echo.Context) error {
 
 func (h *HTTPHandler) limitExceeded(c echo.Context) error {
 	inst := middlewares.GetInstance(c)
+	if !middlewares.IsLoggedIn(c) {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Error Must be authenticated")
+	}
+
 	redirect := c.QueryParam("redirect")
 	if redirect == "" {
 		redirect = inst.DefaultRedirection().String()
diff --git a/web/settings/settings_test.go b/web/settings/settings_test.go
index 6705d5c1da1..f970a4e50eb 100644
--- a/web/settings/settings_test.go
+++ b/web/settings/settings_test.go
@@ -41,8 +41,10 @@ func setupRouter(t *testing.T, inst *instance.Instance, svc csettings.Service) *
 	group := handler.Group("/settings", func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(context echo.Context) error {
 			context.Set("instance", inst)
-			sess, _ := session.New(inst, session.LongRun)
-			context.Set("session", sess)
+			if context.Request().Header.Get("Authorization") != "" {
+				sess, _ := session.New(inst, session.LongRun)
+				context.Set("session", sess)
+			}
 			return next(context)
 		}
 	})
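Review bot: The new guard hand-rolls the login check inside limitExceeded instead of attaching it where the route is registered; if the settings group already wraps its authenticated routes in a login-required middleware (not visible in this hunk), registering `limit-exceeded` under that middleware keeps the policy in one place and stops the next handler from forgetting the check. The message `"Error Must be authenticated"` is also oddly capitalized and prefixed; `echo.NewHTTPError(http.StatusUnauthorized, "must be authenticated")`, or whatever wording the package's other 401 responses use, would be more consistent. Since `redirect` is taken straight from the query string on the line after the guard, confirm that the remainder of limitExceeded, which continues past this hunk, validates it against the instance before using it as a redirect target.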
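Review bot: The fixture now treats any non-empty Authorization header as "has a valid session", a convention a future reader will not guess from the code, so a comment above the new `if` would help, e.g. `// Tests emulate a logged-in user by sending any Authorization header; requests without one run as anonymous.` The header value is never inspected, so a test that sends a deliberately invalid token still receives a session and cannot exercise the rejected-credential path. The error from `session.New` is still discarded with `_`; reporting it with `t.Errorf` (not `t.Fatalf`, since this closure runs on the server goroutine rather than the test goroutine) would surface a broken fixture instead of a confusing downstream failure.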
@@ -883,6 +885,14 @@ func TestSettings(t *testing.T) {
 		attrs.ValueEqual("ratio_1", "context")
 	})
 
+	t.Run("ClientsLimitExceededWithoutSession", func(t *testing.T) {
+		e := testutils.CreateTestClient(t, tsURL)
+
+		e.GET("/settings/clients/limit-exceeded").
+			WithRedirectPolicy(httpexpect.DontFollowRedirects).
+			Expect().Status(401)
+	})
+
 	t.Run("ClientsLimitExceededWithoutLimit", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, tsURL)
 
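Review bot: The new test covers only a request with no session at all; because the fixture derives the session from the mere presence of an Authorization header, the guard's behaviour for a present-but-invalid credential cannot be exercised with this setup and stays untested. Consider also asserting that the 401 response carries no Location header, which would show the check fires before any redirect target is computed from the query string. The literal `401` could be `http.StatusUnauthorized` if the test file already imports `net/http`. The enclosing TestSettings starts and ends outside this hunk.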