fix: check OIDC setting method via flow.MethodEnabledAndAllowed

OIDC setting will produce faulty "endpoint disabled" when request from another method, because it does not check if request method is matched with OIDC. Use flow.MethodEnabledAndAllowed could fix this problem.
ory · Feb 14, 2024 · 6aa545a · 6aa545a
1 parent cfa3074
commit 6aa545a
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/selfservice/strategy/oidc/strategy_settings.go b/selfservice/strategy/oidc/strategy_settings.go
@@ -18,7 +18,6 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/ory/kratos/continuity"
-	"github.com/ory/kratos/selfservice/strategy"
 	"github.com/ory/x/decoderx"
 
 	"github.com/ory/kratos/session"
@@ -255,8 +254,8 @@ func (s *Strategy) Settings(w http.ResponseWriter, r *http.Request, f *settings.
 
 	ctxUpdate, err := settings.PrepareUpdate(s.d, w, r, f, ss, settings.ContinuityKey(s.SettingsStrategyID()), &p)
 	if errors.Is(err, settings.ErrContinuePreviousAction) {
-		if !s.d.Config().SelfServiceStrategy(r.Context(), s.SettingsStrategyID()).Enabled {
-			return nil, errors.WithStack(herodot.ErrNotFound.WithReason(strategy.EndpointDisabledMessage))
+		if err := flow.MethodEnabledAndAllowed(r.Context(), flow.SettingsFlow, s.SettingsStrategyID(), p.Method, s.d); err != nil {
+			return nil, err
 		}
 
 		if l := len(p.Link); l > 0 {
@@ -282,8 +281,8 @@ func (s *Strategy) Settings(w http.ResponseWriter, r *http.Request, f *settings.
 		return nil, errors.WithStack(flow.ErrStrategyNotResponsible)
 	}
 
-	if !s.d.Config().SelfServiceStrategy(r.Context(), s.SettingsStrategyID()).Enabled {
-		return nil, errors.WithStack(herodot.ErrNotFound.WithReason(strategy.EndpointDisabledMessage))
+	if err := flow.MethodEnabledAndAllowed(r.Context(), flow.SettingsFlow, s.SettingsStrategyID(), p.Method, s.d); err != nil {
+		return nil, err
 	}
 
 	if l, u := len(p.Link), len(p.Unlink); l > 0 && u > 0 {