Fix Insufficient Granularity of Access Control

This commit is contained in:
James Cole 2021-10-03 18:18:44 +02:00
parent e60444cf65
commit 0af2fd845d
No known key found for this signature in database
GPG Key ID: BDE6667570EADBD5
2 changed files with 9 additions and 5 deletions


@ -92,9 +92,12 @@ class ForgotPasswordController extends Controller
// We will send the password reset link to this user. Once we have attempted // We will send the password reset link to this user. Once we have attempted
// to send the link, we will examine the response then see the message we // to send the link, we will examine the response then see the message we
// need to show to the user. Finally, we'll send out a proper response. // need to show to the user. Finally, we'll send out a proper response.
$this->broker()->sendResetLink($request->only('email')); $result = $this->broker()->sendResetLink($request->only('email'));
if('passwords.throttled' === $result) {
Log::error(sprintf('Cowardly refuse to send a password reset message to user #%d because the reset button has been throttled.', $user->id));
}
// always send the same response: // always send the same response to the user:
$response = trans('firefly.forgot_password_response'); $response = trans('firefly.forgot_password_response');
return back()->with('status', trans($response)); return back()->with('status', trans($response));
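Review bot: The added `Log::error` on the throttled branch reads `$user->id`, but `$user` is not assigned anywhere in this hunk; if it is not populated earlier in the method (the method body starts outside the hunk), the throttled path would fail on an undefined variable rather than log, so either confirm the assignment or log a value the hunk does have, such as the submitted email from `$request->only('email')`. The comparison against the literal `'passwords.throttled'` would be more robust written as `PasswordBroker::RESET_THROTTLED === $result`, the constant from `Illuminate\Contracts\Auth\PasswordBroker` that the broker actually returns. Returning the same status text regardless of outcome is the right choice against account enumeration, but the other non-success statuses are now dropped without trace; recording them at a lower log level (without echoing anything to the user) would keep operational visibility. Throttled requests are also an expected condition (a repeated click within the window), so `Log::warning` may fit better than `Log::error`.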


@ -98,8 +98,8 @@ return [
'providers' => [ 'providers' => [
'users' => [ 'users' => [
'driver' => 'eloquent', 'driver' => 'eloquent',
'model' => FireflyIII\User::class, 'model' => FireflyIII\User::class,
], ],
'remote_user_provider' => [ 'remote_user_provider' => [
'driver' => 'remote_user_provider', 'driver' => 'remote_user_provider',
@ -111,7 +111,7 @@ return [
//'model' => LdapRecord\Models\ActiveDirectory\User::class, //'model' => LdapRecord\Models\ActiveDirectory\User::class,
'model' => LdapRecord\Models\OpenLDAP\User::class, 'model' => LdapRecord\Models\OpenLDAP\User::class,
'rules' => [ 'rules' => [
UserDefinedRule::class UserDefinedRule::class,
], ],
'database' => [ 'database' => [
'model' => FireflyIII\User::class, 'model' => FireflyIII\User::class,
@ -141,6 +141,7 @@ return [
'provider' => 'users', 'provider' => 'users',
'table' => 'password_resets', 'table' => 'password_resets',
'expire' => 60, 'expire' => 60,
'throttle' => 300, // Allows a user to request 1 token per 300 seconds
], ],
], ],
/* /*
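Review bot: The new `'throttle' => 300` is in seconds while the neighbouring `'expire' => 60` is in minutes, and only the new key carries a unit comment, so a reader is likely to misread one of the two. Suggest annotating both: `'expire' => 60, // minutes until a reset token expires` and `'throttle' => 300, // seconds a user must wait between reset requests`. Since the controller change in this commit logs only the throttled status, this value also bounds how often that log line can fire for a given account.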