Granting admin rights to a user whose name contains special characters fails when using an admin account that has two-factor authentication enabled.
It works for users whose names contain no special characters, and with an admin account without two-factor authentication (the e-mail verification works).
Steps:
- Set up two-factor authentication for an admin account.
- Enable `unicode usernames` and add something like `[äöüßÄÖÜẞ]` to `allowed unicode username characters` (this is the default configuration on German forums).
- Create a user with one or more of these characters in the username, e.g. `Anführerin`.
- Try to grant admin rights to this user.
Expected:
- You see the page for entering the two-factor authentication code.
Actual result:
- Nothing happens.
- There is an error in the browser console:
- And there is an entry in `/logs`:
Message (4 copies reported)
ActionController::UrlGenerationError (No route matches {:action=>"show", :controller=>"admin/users", :id=>5, :username=>"Anführerin"}, possible unmatched constraints: [:username])
lib/second_factor/actions/grant_admin.rb:19:in `second_factor_auth_required!'
lib/second_factor/auth_manager.rb:187:in `initiate_second_factor_auth'
lib/second_factor/auth_manager.rb:179:in `run!'
app/controllers/application_controller.rb:979:in `run_second_factor!'
app/controllers/admin/users_controller.rb:177:in `grant_admin'
app/controllers/application_controller.rb:428:in `block in with_resolved_locale'
app/controllers/application_controller.rb:428:in `with_resolved_locale'
lib/middleware/omniauth_bypass_middleware.rb:35:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:415:in `call'
lib/middleware/csp_script_nonce_injector.rb:12:in `call'
config/initializers/008-rack-cors.rb:26:in `call'
lib/middleware/default_headers.rb:13:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
lib/middleware/enforce_hostname.rb:23:in `call'
lib/middleware/processing_request.rb:12:in `call'
lib/middleware/request_tracker.rb:410:in `call'
Backtrace
actionpack (8.0.2) lib/action_dispatch/journey/formatter.rb:46:in `path'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:880:in `url_for'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:289:in `call'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:345:in `block in define_url_helper'
lib/second_factor/actions/grant_admin.rb:19:in `second_factor_auth_required!'
lib/second_factor/auth_manager.rb:187:in `initiate_second_factor_auth'
lib/second_factor/auth_manager.rb:179:in `run!'
app/controllers/application_controller.rb:979:in `run_second_factor!'
app/controllers/admin/users_controller.rb:177:in `grant_admin'
actionpack (8.0.2) lib/action_controller/metal/basic_implicit_render.rb:8:in `send_action'
actionpack (8.0.2) lib/abstract_controller/base.rb:226:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/rendering.rb:193:in `process_action'
actionpack (8.0.2) lib/abstract_controller/callbacks.rb:261:in `block in process_action'
activesupport (8.0.2) lib/active_support/callbacks.rb:120:in `block in run_callbacks'
app/controllers/application_controller.rb:428:in `block in with_resolved_locale'
app/controllers/application_controller.rb:428:in `with_resolved_locale'
activesupport (8.0.2) lib/active_support/callbacks.rb:129:in `block in run_callbacks'
activesupport (8.0.2) lib/active_support/callbacks.rb:140:in `run_callbacks'
actionpack (8.0.2) lib/abstract_controller/callbacks.rb:260:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/rescue.rb:27:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/instrumentation.rb:76:in `block in process_action'
activesupport (8.0.2) lib/active_support/notifications.rb:210:in `block in instrument'
activesupport (8.0.2) lib/active_support/notifications/instrumenter.rb:58:in `instrument'
activesupport (8.0.2) lib/active_support/notifications.rb:210:in `instrument'
actionpack (8.0.2) lib/action_controller/metal/instrumentation.rb:75:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
activerecord (8.0.2) lib/active_record/railties/controller_runtime.rb:39:in `process_action'
actionpack (8.0.2) lib/abstract_controller/base.rb:163:in `process'
actionview (8.0.2) lib/action_view/rendering.rb:40:in `process'
rack-mini-profiler (4.0.1) lib/mini_profiler/profiling_methods.rb:90:in `block in profile_method'
actionpack (8.0.2) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (8.0.2) lib/action_controller/metal.rb:335:in `dispatch'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:67:in `dispatch'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:50:in `serve'
actionpack (8.0.2) lib/action_dispatch/routing/mapper.rb:32:in `block in <class:Constraints>'
actionpack (8.0.2) lib/action_dispatch/routing/mapper.rb:62:in `serve'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:53:in `block in serve'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:133:in `block in find_routes'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:126:in `each'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:126:in `find_routes'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:34:in `serve'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:908:in `call'
lib/middleware/omniauth_bypass_middleware.rb:35:in `call'
rack (2.2.17) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.17) lib/rack/conditional_get.rb:40:in `call'
rack (2.2.17) lib/rack/head.rb:12:in `call'
actionpack (8.0.2) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:415:in `call'
lib/middleware/csp_script_nonce_injector.rb:12:in `call'
config/initializers/008-rack-cors.rb:26:in `call'
rack (2.2.17) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.17) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/cookies.rb:706:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/callbacks.rb:31:in `block in call'
activesupport (8.0.2) lib/active_support/callbacks.rb:100:in `run_callbacks'
actionpack (8.0.2) lib/action_dispatch/middleware/callbacks.rb:30:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/debug_exceptions.rb:31:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/show_exceptions.rb:32:in `call'
logster (2.20.1) lib/logster/middleware/reporter.rb:40:in `call'
lib/middleware/default_headers.rb:13:in `call'
lograge (0.14.0) lib/lograge/rails_ext/rack/logger.rb:18:in `call_app'
railties (8.0.2) lib/rails/rack/logger.rb:29:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/request_id.rb:34:in `call'
lib/middleware/enforce_hostname.rb:23:in `call'
rack (2.2.17) lib/rack/method_override.rb:24:in `call'
rack (2.2.17) lib/rack/sendfile.rb:110:in `call'
plugins/discourse-prometheus/lib/middleware/metrics.rb:14:in `call'
rack-mini-profiler (4.0.1) lib/mini_profiler.rb:191:in `call'
lib/middleware/processing_request.rb:12:in `call'
message_bus (4.4.1) lib/message_bus/rack/middleware.rb:60:in `call'
lib/middleware/request_tracker.rb:410:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/remote_ip.rb:96:in `call'
rails_failover (2.3.0) lib/rails_failover/active_record/middleware.rb:67:in `block in call'
activerecord (8.0.2) lib/active_record/connection_handling.rb:398:in `with_role_and_shard'
activerecord (8.0.2) lib/active_record/connection_handling.rb:149:in `connected_to'
rails_failover (2.3.0) lib/rails_failover/active_record/middleware.rb:64:in `call'
rails_multisite (7.0.0) lib/rails_multisite/middleware.rb:26:in `call'
railties (8.0.2) lib/rails/engine.rb:535:in `call'
railties (8.0.2) lib/rails/railtie.rb:226:in `public_send'
railties (8.0.2) lib/rails/railtie.rb:226:in `method_missing'
rack (2.2.17) lib/rack/urlmap.rb:74:in `block in call'
rack (2.2.17) lib/rack/urlmap.rb:58:in `each'
rack (2.2.17) lib/rack/urlmap.rb:58:in `call'
unicorn (6.1.0) lib/unicorn/http_server.rb:634:in `process_client'
unicorn (6.1.0) lib/unicorn/http_server.rb:739:in `worker_loop'
unicorn (6.1.0) lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
unicorn (6.1.0) lib/unicorn/http_server.rb:143:in `start'
unicorn (6.1.0) bin/unicorn:128:in `<top (required)>'
vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `load'
vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `<main>'
Side note: even in the first case, where granting admin rights works, an error appears in the browser console when the button is clicked:
PUT https://{my-forum}/admin/users/4/grant_admin 403 (Forbidden)
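The `UrlGenerationError` above comes from a URL helper refusing to build a path whose `:username` segment violates the route's constraint. The following is an added illustration, not Discourse's code: it assumes a hypothetical `/admin/users/:id/:username` route whose constraint is a `\w`-based regex (Ruby's `\w` is ASCII-only, so an umlaut never matches), and shows why percent-encoding the username before handing it to the helper makes the path routable again.

```ruby
require "cgi"

# Assumed route segment constraint (not the project's actual regex):
# ASCII word characters plus "%", "." and "-". Ruby's \w does not match
# non-ASCII letters, so "Anführerin" fails this check.
USERNAME_CONSTRAINT = /\A[%\w.\-]+\z/

# Constructed stand-in for ActionController::UrlGenerationError.
class RouteConstraintError < StandardError; end

def username_routable?(username)
  USERNAME_CONSTRAINT.match?(username)
end

# Mimics a Rails URL helper for /admin/users/:id/:username: the helper
# raises instead of emitting a path that the router could never match.
def admin_user_path(id, username)
  unless username_routable?(username)
    raise RouteConstraintError,
          "No route matches {:id=>#{id}, :username=>#{username.inspect}}, " \
          "possible unmatched constraints: [:username]"
  end
  "/admin/users/#{id}/#{username}"
end

# Percent-encoding the component first keeps the segment inside the ASCII
# alphabet the constraint accepts; "ü" becomes "%C3%BC".
def encode_username(username)
  CGI.escape(username)
end

def safe_admin_user_path(id, username)
  admin_user_path(id, encode_username(username))
end

if $PROGRAM_NAME == __FILE__
  puts safe_admin_user_path(5, "Anführerin")
  begin
    admin_user_path(5, "Anführerin")
  rescue RouteConstraintError => e
    puts "raw username rejected: #{e.message}"
  end
end
```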
