Check user session before displaying two factor seed
Two factor seed page was not properly checking for user session, allowing an authenticated user to see everyone's 2fa seed
This commit is contained in:
Pietro Tarenzi
GitHub
@ -31,6 +31,7 @@ There's a change in flash messages handling, please see #391
|
||||
- Enh #458: Multiple 2FA channels (email, sms) (acordeddu)
|
||||
- Fix #432: Fix documentation overlap by shortening page names (cgsmith)
|
||||
- Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson)
|
||||
- Fix: check user before accessing 2FA code
|
||||
|
||||
## 1.5.1 April 5, 2020
|
||||
|
||||
|
||||
@ -453,6 +453,10 @@ class SettingsController extends Controller
|
||||
|
||||
public function actionTwoFactor($id)
|
||||
{
|
||||
if($id != Yii::$app->user->id) {
|
||||
throw new ForbiddenHttpException();
|
||||
}
|
||||
|
||||
$choice = Yii::$app->request->post('choice');
|
||||
/** @var User $user */
|
||||
$user = $this->userQuery->whereId($id)->one();
|
||||
|
||||
Reference in New Issue
Block a user