ENH Disable temporary sudo mode after login

silverstripe · Feb 18, 2025 · a9768b8 · a9768b8
1 parent 506aef4
commit a9768b8
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 1 deletion.
diff --git a/behat.yml b/behat.yml
@@ -15,6 +15,8 @@ default:
         - SilverStripe\Framework\Tests\Behaviour\CmsUiContext
         - SilverStripe\BehatExtension\Context\BasicContext
         - SilverStripe\BehatExtension\Context\EmailContext
+        - SilverStripe\BehatExtension\Context\FixtureContext:
+            - '%paths.modules.mfa%/tests/Behat/features/files/'
         - SilverStripe\MFA\Tests\Behat\Context\LoginContext
         - SilverStripe\CMS\Tests\Behaviour\ThemeContext
   extensions:

diff --git a/composer.json b/composer.json
@@ -36,6 +36,7 @@
         "phpunit/phpunit": "^9.6",
         "squizlabs/php_codesniffer": "^3",
         "silverstripe/documentation-lint": "^1",
+        "silverstripe/frameworktest": "^1",
         "silverstripe/standards": "^1",
         "phpstan/extension-installer": "^1.3"
     },

diff --git a/src/Authenticator/LoginHandler.php b/src/Authenticator/LoginHandler.php
@@ -26,6 +26,7 @@
 use SilverStripe\Security\MemberAuthenticator\LoginHandler as BaseLoginHandler;
 use SilverStripe\Security\MemberAuthenticator\MemberLoginForm;
 use SilverStripe\Security\Security;
+use SilverStripe\Core\ClassInfo;
 
 class LoginHandler extends BaseLoginHandler
 {
@@ -576,6 +577,13 @@ public function jsonResponse(array $response, int $code = 200): HTTPResponse
      */
     protected function doPerformLogin(HTTPRequest $request, Member $member)
     {
+        // Deactivate sudo mode that was activated in doLogin()
+        $service = $this->getSudoModeService();
+        // Check if the service has a deactivate method, because it is not defined on the interface
+        if (ClassInfo::hasMethod($service, 'deactivate')) {
+            call_user_func([$service, 'deactivate'], $this->getRequest()->getSession());
+        }
+
         // Load the previously stored data from session and perform the login using it...
         $data = $request->getSession()->get(static::SESSION_KEY . '.additionalData') ?: [];
 

diff --git a/tests/Behat/features/files/blank.txt b/tests/Behat/features/files/blank.txt
diff --git a/tests/Behat/features/mfa-enabled.feature b/tests/Behat/features/mfa-enabled.feature
@@ -4,7 +4,8 @@ Feature: MFA is enabled for the site
   So that my site will be more secure
 
   Background:
-    Given I am logged in with "ADMIN" permissions
+    Given I add an extension "SilverStripe\FrameworkTest\SudoMode\ActivateSudoModeServiceExtension" to the "SilverStripe\Security\SudoMode\SudoModeService" class
+    And I am logged in with "ADMIN" permissions
     And I go to "/admin"
     Then I should see the CMS