Do not confuse recent two-factor converts

jazzband · Jan 15, 2014 · 18a0eb7 · 18a0eb7
1 parent 9357415
commit 18a0eb7
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/tests/tests.py b/tests/tests.py
@@ -319,10 +319,19 @@ def test_unverified_explanation(self):
         self.assertContains(response, 'Enable Two-Factor Authentication',
                             status_code=403)
 
+    def test_unverified_need_login(self):
+        user = User.objects.create_superuser('bouke', None, 'secret')
+        self.client.login(username='bouke', password='secret')
+        user.totpdevice_set.create(name='default')
+        url = '/secure/'
+        response = self.client.get(url)
+        redirect_to = '%s?%s' % (settings.LOGIN_URL, urlencode({'next': url}))
+        self.assertRedirects(response, redirect_to)
+
     def test_verified(self):
         user = User.objects.create_superuser('bouke', None, 'secret')
         self.client.login(username='bouke', password='secret')
-        device = user.totpdevice_set.create()
+        device = user.totpdevice_set.create(name='default')
         session = self.client.session
         session[DEVICE_ID_SESSION_KEY] = device.persistent_id
         session.save()

diff --git a/two_factor/views/mixins.py b/two_factor/views/mixins.py
@@ -1,4 +1,5 @@
 from django.template.response import TemplateResponse
+from two_factor.utils import default_device
 
 try:
     from urllib.parse import urlencode
@@ -64,7 +65,14 @@ def get_verification_url(self):
         return self.verification_url and str(self.verification_url)
 
     def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_authenticated():
+        if not request.user.is_authenticated() or \
+                (not request.user.is_verified() and default_device(request.user)):
+            # If the user has not authenticated raise or redirect to the login
+            # page. Also if the user just enabled two-factor authentication and
+            # has not yet logged in since should also have the same result. If
+            # the user receives a 'you need to enable TFA' by now, he gets
+            # confuses as TFA has just been enabled. So we either raise or
+            # redirect to the login page.
             if self.raise_anonymous:
                 raise PermissionDenied()
             else: