Merge pull request #29752 from nextcloud/fix/allow-some-pages-without-two-factor

Explicitly allow access on some (public) routes also without 2FA
2026-06-08 16:26:59 -04:00 · 2021-11-18 10:43:28 +01:00 · 2021-11-18 10:43:28 +01:00 · 2df7ea7dae
commit 2df7ea7dae
parent 69ab7b4a27 c8caba265f
2 changed files with 7 additions and 0 deletions
--- a/core/Controller/OCJSController.php
+++ b/core/Controller/OCJSController.php
@ -98,6 +98,7 @@ class OCJSController extends Controller {

 	/**
 	 * @NoCSRFRequired
+	 * @NoTwoFactorRequired
 	 * @PublicPage
 	 *
 	 * @return DataDisplayResponse
--- a/core/Middleware/TwoFactorMiddleware.php
+++ b/core/Middleware/TwoFactorMiddleware.php
@ -83,6 +83,12 @@ class TwoFactorMiddleware extends Middleware {
 	 * @param string $methodName
 	 */
 	public function beforeController($controller, $methodName) {
+		if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {
+			// Route handler explicitly marked to work without finished 2FA are
+			// not blocked
+			return;
+		}
+
 		if ($controller instanceof APIController && $methodName === 'poll') {
 			// Allow polling the twofactor nextcloud notifications state
 			return;