Fix: don't accept password login requests if password auth is disabled (#5693)

redash/handlers/authentication.py

@@ -198,7 +198,8 @@ def login(org_slug=None):
     if current_user.is_authenticated:
         return redirect(next_path)
 
-    if request.method == "POST":
+
+    if request.method == "POST" and current_org.get_setting("auth_password_login_enabled"):
         try:
             org = current_org._get_current_object()
             user = models.User.get_by_email_and_org(request.form["email"], org)
@@ -214,6 +215,10 @@ def login(org_slug=None):
                 flash("Wrong email or password.")
         except NoResultFound:
             flash("Wrong email or password.")
+    elif request.method == "POST" and not current_org.get_setting("auth_password_login_enabled"):
+        flash("Password login is not enabled for your organization.")
+
+
 
     google_auth_url = get_google_auth_url(next_path)
 

tests/test_handlers.py

@@ -230,6 +230,22 @@ class TestLogin(BaseTestCase):
             self.assertEqual(rv.status_code, 302)
             self.assertFalse(login_user_mock.called)
 
+    def test_correct_user_and_password_when_password_login_disabled(self):
+        user = self.factory.user
+        user.hash_password("password")
+
+        self.db.session.add(user)
+        self.db.session.commit()
+
+        self.factory.org.set_setting("auth_password_login_enabled", False)
+
+        with patch("redash.handlers.authentication.login_user") as login_user_mock:
+            rv = self.client.post(
+                "/default/login", data={"email": user.email, "password": "password"}
+            )
+            self.assertEqual(rv.status_code, 200)
+            self.assertIn("Password login is not enabled for your organization", str(rv.data))
+
 
 class TestLogout(BaseTestCase):
     def test_logout_when_not_loggedin(self):