
Require user to be fully authenticated before changing 2FA settings

Colin O'Dell 5 lat temu
rodzic
commit
607f663f42

+ 2 - 0
src/Packagist/WebBundle/Controller/UserController.php

@@ -299,6 +299,7 @@ class UserController extends Controller
      */
     public function enableTwoFactorAuthAction(Request $req, User $user)
     {
+        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
         if ($user->getId() !== $this->getUser()->getId()) {
             throw new AccessDeniedException('You cannot change this user\'s two-factor authentication settings');
         }
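Review bot: The new guard on the first line of enableTwoFactorAuthAction (and the identical one in disableTwoFactorAuthAction in the next hunk) is undocumented — the docblock that closes just above each signature should say why a merely remembered session is refused, e.g. `@throws AccessDeniedException if the current session is not fully authenticated (remember-me sessions may not change 2FA settings)`, so a later maintainer does not "simplify" it away. Consider referencing the Symfony constant `AuthenticatedVoter::IS_AUTHENTICATED_FULLY` instead of the bare string in both call sites, so a typo fails at compile time rather than silently denying everyone. Placing the check before the `$this->getUser()->getId()` comparison also means an unauthenticated caller is rejected by the voter rather than by a null dereference, which is worth stating in the docblock. Any other action in this controller that mutates 2FA state should presumably get the same guard; both function bodies continue outside the hunk.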
@@ -342,6 +343,7 @@ class UserController extends Controller
      */
     public function disableTwoFactorAuthAction(Request $req, User $user)
     {
+        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
         if (!($this->isGranted('ROLE_DISABLE_2FA') || $user->getId() === $this->getUser()->getId())) {
             throw new AccessDeniedException('You cannot change this user\'s two-factor authentication settings');
         }