leonardo/yii2-usuario
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check user session before displaying two factor seed

Browse Source 
Two factor seed page was not properly checking for user session, allowing an authenticated user to see everyone's 2fa seed
This commit is contained in:
Pietro Tarenzi
2022-09-16 17:14:53 +02:00
committed by GitHub
parent 66ba1e18bb
commit 24d5d5744f
2 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -31,6 +31,7 @@ There's a change in flash messages handling, please see #391
- Enh #458: Multiple 2FA channels (email, sms) (acordeddu) - Enh #458: Multiple 2FA channels (email, sms) (acordeddu)
- Fix #432: Fix documentation overlap by shortening page names (cgsmith) - Fix #432: Fix documentation overlap by shortening page names (cgsmith)
- Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson) - Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson)
- Fix: check user before accessing 2FA code
## 1.5.1 April 5, 2020 ## 1.5.1 April 5, 2020

4
src/User/Controller/SettingsController.php
View File

@ -453,6 +453,10 @@ class SettingsController extends Controller
public function actionTwoFactor($id) public function actionTwoFactor($id)
{ {
if($id != Yii::$app->user->id) {
throw new ForbiddenHttpException();
}
$choice = Yii::$app->request->post('choice'); $choice = Yii::$app->request->post('choice');
/** @var User $user */ /** @var User $user */
$user = $this->userQuery->whereId($id)->one(); $user = $this->userQuery->whereId($id)->one();