Granting admin rights fails for usernames with special characters when the admin account has 2FA enabled

Granting admin rights to a user whose username contains special characters, using an admin account that has two-factor authentication enabled, does not work.

It works for users whose usernames contain no special characters, and with an admin account without two-factor authentication (the e-mail verification works).

Steps:

  1. Set up 2FA on an admin account
  2. Enable unicode usernames and add something like [äöüßÄÖÜẞ] to allowed unicode username characters (this is the default configuration on German forums).
  3. Create a user with one or more of these characters in the username, such as Anführerin
  4. Try to grant admin rights to this user

Expected:

  • You see the page for entering the 2FA code

Actual result:
Message (4 copies reported)

ActionController::UrlGenerationError (No route matches {:action=>"show", :controller=>"admin/users", :id=>5, :username=>"Anführerin"}, possible unmatched constraints: [:username])
lib/second_factor/actions/grant_admin.rb:19:in `second_factor_auth_required!'
lib/second_factor/auth_manager.rb:187:in `initiate_second_factor_auth'
lib/second_factor/auth_manager.rb:179:in `run!'
app/controllers/application_controller.rb:979:in `run_second_factor!'
app/controllers/admin/users_controller.rb:177:in `grant_admin'
app/controllers/application_controller.rb:428:in `block in with_resolved_locale'
app/controllers/application_controller.rb:428:in `with_resolved_locale'
lib/middleware/omniauth_bypass_middleware.rb:35:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:415:in `call'
lib/middleware/csp_script_nonce_injector.rb:12:in `call'
config/initializers/008-rack-cors.rb:26:in `call'
lib/middleware/default_headers.rb:13:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
lib/middleware/enforce_hostname.rb:23:in `call'
lib/middleware/processing_request.rb:12:in `call'
lib/middleware/request_tracker.rb:410:in `call'


Backtrace

actionpack (8.0.2) lib/action_dispatch/journey/formatter.rb:46:in `path'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:880:in `url_for'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:289:in `call'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:345:in `block in define_url_helper'
lib/second_factor/actions/grant_admin.rb:19:in `second_factor_auth_required!'
lib/second_factor/auth_manager.rb:187:in `initiate_second_factor_auth'
lib/second_factor/auth_manager.rb:179:in `run!'
app/controllers/application_controller.rb:979:in `run_second_factor!'
app/controllers/admin/users_controller.rb:177:in `grant_admin'
actionpack (8.0.2) lib/action_controller/metal/basic_implicit_render.rb:8:in `send_action'
actionpack (8.0.2) lib/abstract_controller/base.rb:226:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/rendering.rb:193:in `process_action'
actionpack (8.0.2) lib/abstract_controller/callbacks.rb:261:in `block in process_action'
activesupport (8.0.2) lib/active_support/callbacks.rb:120:in `block in run_callbacks'
app/controllers/application_controller.rb:428:in `block in with_resolved_locale'
app/controllers/application_controller.rb:428:in `with_resolved_locale'
activesupport (8.0.2) lib/active_support/callbacks.rb:129:in `block in run_callbacks'
activesupport (8.0.2) lib/active_support/callbacks.rb:140:in `run_callbacks'
actionpack (8.0.2) lib/abstract_controller/callbacks.rb:260:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/rescue.rb:27:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/instrumentation.rb:76:in `block in process_action'
activesupport (8.0.2) lib/active_support/notifications.rb:210:in `block in instrument'
activesupport (8.0.2) lib/active_support/notifications/instrumenter.rb:58:in `instrument'
activesupport (8.0.2) lib/active_support/notifications.rb:210:in `instrument'
actionpack (8.0.2) lib/action_controller/metal/instrumentation.rb:75:in `process_action'
actionpack (8.0.2) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
activerecord (8.0.2) lib/active_record/railties/controller_runtime.rb:39:in `process_action'
actionpack (8.0.2) lib/abstract_controller/base.rb:163:in `process'
actionview (8.0.2) lib/action_view/rendering.rb:40:in `process'
rack-mini-profiler (4.0.1) lib/mini_profiler/profiling_methods.rb:90:in `block in profile_method'
actionpack (8.0.2) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (8.0.2) lib/action_controller/metal.rb:335:in `dispatch'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:67:in `dispatch'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:50:in `serve'
actionpack (8.0.2) lib/action_dispatch/routing/mapper.rb:32:in `block in <class:Constraints>'
actionpack (8.0.2) lib/action_dispatch/routing/mapper.rb:62:in `serve'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:53:in `block in serve'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:133:in `block in find_routes'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:126:in `each'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:126:in `find_routes'
actionpack (8.0.2) lib/action_dispatch/journey/router.rb:34:in `serve'
actionpack (8.0.2) lib/action_dispatch/routing/route_set.rb:908:in `call'
lib/middleware/omniauth_bypass_middleware.rb:35:in `call'
rack (2.2.17) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.17) lib/rack/conditional_get.rb:40:in `call'
rack (2.2.17) lib/rack/head.rb:12:in `call'
actionpack (8.0.2) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:415:in `call'
lib/middleware/csp_script_nonce_injector.rb:12:in `call'
config/initializers/008-rack-cors.rb:26:in `call'
rack (2.2.17) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.17) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/cookies.rb:706:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/callbacks.rb:31:in `block in call'
activesupport (8.0.2) lib/active_support/callbacks.rb:100:in `run_callbacks'
actionpack (8.0.2) lib/action_dispatch/middleware/callbacks.rb:30:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/debug_exceptions.rb:31:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/show_exceptions.rb:32:in `call'
logster (2.20.1) lib/logster/middleware/reporter.rb:40:in `call'
lib/middleware/default_headers.rb:13:in `call'
lograge (0.14.0) lib/lograge/rails_ext/rack/logger.rb:18:in `call_app'
railties (8.0.2) lib/rails/rack/logger.rb:29:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/request_id.rb:34:in `call'
lib/middleware/enforce_hostname.rb:23:in `call'
rack (2.2.17) lib/rack/method_override.rb:24:in `call'
rack (2.2.17) lib/rack/sendfile.rb:110:in `call'
plugins/discourse-prometheus/lib/middleware/metrics.rb:14:in `call'
rack-mini-profiler (4.0.1) lib/mini_profiler.rb:191:in `call'
lib/middleware/processing_request.rb:12:in `call'
message_bus (4.4.1) lib/message_bus/rack/middleware.rb:60:in `call'
lib/middleware/request_tracker.rb:410:in `call'
actionpack (8.0.2) lib/action_dispatch/middleware/remote_ip.rb:96:in `call'
rails_failover (2.3.0) lib/rails_failover/active_record/middleware.rb:67:in `block in call'
activerecord (8.0.2) lib/active_record/connection_handling.rb:398:in `with_role_and_shard'
activerecord (8.0.2) lib/active_record/connection_handling.rb:149:in `connected_to'
rails_failover (2.3.0) lib/rails_failover/active_record/middleware.rb:64:in `call'
rails_multisite (7.0.0) lib/rails_multisite/middleware.rb:26:in `call'
railties (8.0.2) lib/rails/engine.rb:535:in `call'
railties (8.0.2) lib/rails/railtie.rb:226:in `public_send'
railties (8.0.2) lib/rails/railtie.rb:226:in `method_missing'
rack (2.2.17) lib/rack/urlmap.rb:74:in `block in call'
rack (2.2.17) lib/rack/urlmap.rb:58:in `each'
rack (2.2.17) lib/rack/urlmap.rb:58:in `call'
unicorn (6.1.0) lib/unicorn/http_server.rb:634:in `process_client'
unicorn (6.1.0) lib/unicorn/http_server.rb:739:in `worker_loop'
unicorn (6.1.0) lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
unicorn (6.1.0) lib/unicorn/http_server.rb:143:in `start'
unicorn (6.1.0) bin/unicorn:128:in `<top (required)>'
vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `load'
vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `<main>'

Side note: Even in the first example, where granting admin permissions works, an error appears in the browser console when clicking the button:

PUT https://{my-forum}/admin/users/4/grant_admin 403 (Forbidden)

7 likes

Wow, thanks for the detailed bug report, the team will look into it in the coming weeks.

1 like

I learned that this is expected

Thank you for reporting this issue. It has been fixed with this PR

2 likes

This topic was automatically closed after 4 days. New replies are no longer allowed.
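The error in the report is a route constraint on :username rejecting a value the site settings accept. The following script is an added illustration, not code from Discourse or from the reporter: it uses simplified stand-ins (assumed, not the real regexes) for the route constraint and for the allow-list derived from the allowed unicode username characters setting, and shows how a username can pass the setting yet fail URL generation, and how percent-encoding the parameter reconciles the two.

```ruby
# Added illustration (not Discourse's code): a username that satisfies the
# site's unicode-username setting can still fail a Rails route constraint.
require "erb" # ERB::Util.url_encode percent-encodes non-ASCII bytes

# Assumed stand-in for the route constraint on :username. Ruby's \w is
# ASCII-only ([a-zA-Z0-9_]), so umlauts never match this class.
ROUTE_USERNAME_FORMAT = /\A[%\w.\-]+\z/

# Assumed stand-in for the setting-driven allow-list: ASCII word characters
# plus whatever the admin listed, e.g. "[äöüßÄÖÜẞ]" as in the report.
def username_allowed_regex(allowed_unicode_chars)
  extra = allowed_unicode_chars.gsub(/[\[\]]/, "")
  /\A[\w.\-#{Regexp.escape(extra)}]+\z/
end

def username_allowed?(username, allowed_unicode_chars)
  !!(username =~ username_allowed_regex(allowed_unicode_chars))
end

def route_matches?(username)
  !!(username =~ ROUTE_USERNAME_FORMAT)
end

# Percent-encoding turns "Anführerin" into "Anf%C3%BChrerin", which consists
# only of characters the constraint accepts.
def url_safe_username(username)
  ERB::Util.url_encode(username)
end

# Summarise where a given username passes and where it breaks.
def diagnose(username, allowed_unicode_chars)
  {
    allowed_by_settings: username_allowed?(username, allowed_unicode_chars),
    route_matches_raw: route_matches?(username),
    route_matches_encoded: route_matches?(url_safe_username(username)),
  }
end

if __FILE__ == $PROGRAM_NAME
  %w[Anführerin Admin_2].each do |u|
    p [u, diagnose(u, "[äöüßÄÖÜẞ]")]
  end
end
```

For "Anführerin" the hash shows allowed_by_settings true, route_matches_raw false and route_matches_encoded true, which is the gap the backtrace above lands in.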