From fbf61b0328ad26685a8753369d3d7e83c435e1bb Mon Sep 17 00:00:00 2001
From: Erwan Guyader
Date: Wed, 27 Sep 2023 10:36:16 +0200
Subject: [PATCH] fix: Clients limit exceeded route requires login

We should return an Unauthorized error when someone tries to access the clients limit exceeded route of a Cozy without a valid session (i.e. without being logged in).
---
 web/settings/clients.go       | 4 ++++
 web/settings/settings_test.go | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/web/settings/clients.go b/web/settings/clients.go
index b1098c41615..b458f6d54fc 100644
--- a/web/settings/clients.go
+++ b/web/settings/clients.go
@@ -129,6 +129,10 @@ func (h *HTTPHandler) synchronized(c echo.Context) error {
 
 func (h *HTTPHandler) limitExceeded(c echo.Context) error {
 	inst := middlewares.GetInstance(c)
+	if !middlewares.IsLoggedIn(c) {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Error Must be authenticated")
+	}
+
 	redirect := c.QueryParam("redirect")
 	if redirect == "" {
 		redirect = inst.DefaultRedirection().String()
diff --git a/web/settings/settings_test.go b/web/settings/settings_test.go
index 95317056e6a..712e19ac30a 100644
--- a/web/settings/settings_test.go
+++ b/web/settings/settings_test.go
@@ -935,6 +935,14 @@ func TestSettings(t *testing.T) {
 		attrs.ValueEqual("ratio_1", "context")
 	})
 
+	t.Run("ClientsLimitExceededWithoutSession", func(t *testing.T) {
+		e := testutils.CreateTestClient(t, tsURL)
+
+		e.GET("/settings/clients/limit-exceeded").
+			WithRedirectPolicy(httpexpect.DontFollowRedirects).
+			Expect().Status(401)
+	})
+
 	t.Run("ClientsLimitExceededWithoutLimit", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, tsURL)
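Review bot: The new guard's message `"Error Must be authenticated"` carries a redundant "Error" prefix on top of the 401 status echo already attaches; `return echo.NewHTTPError(http.StatusUnauthorized, "Must be authenticated")` — or whichever wording the other handlers in this file use for the same case — would read consistently. Placing the check after `middlewares.GetInstance(c)` is fine since the instance is needed for the default redirection just below, but if that lookup can itself fail for an anonymous caller the ordering would matter, which cannot be seen from here. The `redirect` query parameter read right after the guard is a redirect target supplied by the caller; whether it is restricted to the instance's own domain before use is decided outside the hunk and worth confirming while touching this handler. limitExceeded's body continues past the end of the hunk.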