fix: Clients limit exceeded route requires login

We should return an Unauthorized error when someone tries to access the clients limit exceeded route of a Cozy without a valid session (i.e. without being logged in).
cozy · Sep 27, 2023 · fbf61b0 · fbf61b0
1 parent 8297054
commit fbf61b0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/web/settings/clients.go b/web/settings/clients.go
@@ -129,6 +129,10 @@ func (h *HTTPHandler) synchronized(c echo.Context) error {
 func (h *HTTPHandler) limitExceeded(c echo.Context) error {
 	inst := middlewares.GetInstance(c)
 
+	if !middlewares.IsLoggedIn(c) {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Error Must be authenticated")
+	}
+
 	redirect := c.QueryParam("redirect")
 	if redirect == "" {
 		redirect = inst.DefaultRedirection().String()

diff --git a/web/settings/settings_test.go b/web/settings/settings_test.go
@@ -935,6 +935,14 @@ func TestSettings(t *testing.T) {
 		attrs.ValueEqual("ratio_1", "context")
 	})
 
+	t.Run("ClientsLimitExceededWithoutSession", func(t *testing.T) {
+		e := testutils.CreateTestClient(t, tsURL)
+
+		e.GET("/settings/clients/limit-exceeded").
+			WithRedirectPolicy(httpexpect.DontFollowRedirects).
+			Expect().Status(401)
+	})
+
 	t.Run("ClientsLimitExceededWithoutLimit", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, tsURL)