passwords: don't allow the portus user to reset

This commit disallows someone knowing the portus email from attempting
to reset the password through the "I forgot my password" feature. This
attack wouldn't work anyways because of the change introduced in
16a7b11, where updating the portus user
is explicitly disabled (except when changing the secret for the
password).

See #1878

Signed-off-by: Miquel Sabaté Solà <[email protected]>

app/controllers/passwords_controller.rb

@@ -5,6 +5,8 @@
 class PasswordsController < Devise::PasswordsController
   layout "authentication"
 
+  before_action :check_portus, only: %i[create]
+
   include CheckLDAP
 
   # Re-implemented from Devise to respond with a proper message on error.
@@ -55,4 +57,14 @@ def update_success
   def after_resetting_password_path_for(resource)
     signed_in_root_path(resource)
   end
+
+  # Prevents the portus user from resetting the password.
+  def check_portus
+    user = User.find_by(email: resource_params["email"])
+    return if user.nil? || !user.portus?
+
+    redirect_to new_user_session_path,
+                alert: "Action not allowed on this user",
+                float: true
+  end
 end

spec/features/forgotten_password_spec.rb

@@ -3,7 +3,8 @@
 require "rails_helper"
 
 describe "Forgotten password support" do
-  let!(:user) { create(:admin) }
+  let!(:user)   { create(:admin) }
+  let!(:portus) { create(:admin, username: "portus", email: "[email protected]") }
 
   before do
     APP_CONFIG["signup"] = { "enabled" => true }
@@ -21,6 +22,14 @@
     expect(page).to have_content("I forgot my password")
   end
 
+  it "prevents the portus user from resetting the password" do
+    visit new_user_password_path
+
+    fill_in "Email", with: "[email protected]"
+    click_button "Reset password"
+    expect(page).to have_content("Action not allowed on this user")
+  end
+
   it "sends the reset email when appropiate" do
     visit new_user_password_path