diff --git a/authz/authz.go b/authz/authz.go
index 878ca20ab62b..b52c13bd9819 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -150,7 +150,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 if method == "POST" {
- if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
+ if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") {
 return true
 } else if urlPath == "/api/update-user" {
 // Allow ordinary users to update their own information
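Review bot: The added `strings.HasPrefix(urlPath, "/api/mfa/")` clause lets every POST under that prefix through demo mode via `return true`, with no comparison of `subOwner`/`subName` against `objOwner`/`objName`, so any MFA route added later is allowed automatically, including state-changing ones. The neighbouring `/api/update-user` branch is commented as limited to a user's own record; if the MFA endpoints write to the user (enrolment, enable or reset, none of which is visible in this hunk), they presumably need the same ownership restriction, otherwise a visitor could alter MFA settings on a shared demo account. Prefer an exact allow-list, one `urlPath == "/api/mfa/<route>"` term per endpoint, with a comment stating why each is safe in a read-only demo. `/api/check-user-password` is likewise allowed unconditionally; since by its name it answers whether a password is correct, confirm the handler is rate-limited and scoped to the caller's own account. The body of `isAllowedInDemoMode` continues past the end of the hunk.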