From 24d5d5744fe03f3173ea180f106865ffaf4f48a4 Mon Sep 17 00:00:00 2001
From: Pietro Tarenzi <101387720+taarenz@users.noreply.github.com>
Date: Fri, 16 Sep 2022 17:14:53 +0200
Subject: [PATCH] Check user session before displaying two factor seed

Two factor seed page was not properly checking for user session, allowing an authenticated user to see everyone's 2fa seed
---
 CHANGELOG.md                               | 1 +
 src/User/Controller/SettingsController.php | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0512a3f..dc5b5d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ There's a change in flash messages handling, please see #391
 - Enh #458: Multiple 2FA channels (email, sms) (acordeddu)
 - Fix #432: Fix documentation overlap by shortening page names (cgsmith)
 - Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson)
+- Fix: check user before accessing 2FA code
 
 ## 1.5.1 April 5, 2020
 
diff --git a/src/User/Controller/SettingsController.php b/src/User/Controller/SettingsController.php
index 3e53979..d218626 100755
--- a/src/User/Controller/SettingsController.php
+++ b/src/User/Controller/SettingsController.php
@@ -453,6 +453,10 @@ class SettingsController extends Controller
     public function actionTwoFactor($id)
     {
+        if($id != Yii::$app->user->id) {
+            throw new ForbiddenHttpException();
+        }
+
         $choice = Yii::$app->request->post('choice');
         /** @var User $user */
         $user = $this->userQuery->whereId($id)->one();
 
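Review bot: The new guard at the top of `actionTwoFactor` compares the route parameter `$id` with `Yii::$app->user->id` using loose `!=`, so a string id is compared against an int under PHP's coercion rules, and a guest session (`user->id` null) is only rejected as a side effect of that coercion rather than by an explicit check. Prefer an explicit guest test plus a strict comparison after normalising both sides: `if (Yii::$app->user->isGuest || (int) $id !== (int) Yii::$app->user->id) {`. Since the action now only ever serves the current user, the lookup could use `Yii::$app->user->identity` instead of a caller-supplied `$id`, which would remove the comparison altogether, though that is a larger change than this fix needs. PSR-12 also wants a space after `if`. The rest of `actionTwoFactor` continues outside the hunk, and the `ForbiddenHttpException` import is assumed to already exist in the file's `use` block.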