Remove sudo mode and add password confirmation when changing email address
closes #674
@@ -10,63 +10,21 @@
|
||||
|
||||
namespace Flarum\Admin\Middleware;
|
||||
|
||||
use Exception;
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Forum\Controller\LogInController;
|
||||
use Illuminate\Contracts\View\Factory;
|
||||
use Psr\Http\Message\ResponseInterface as Response;
|
||||
use Psr\Http\Message\ServerRequestInterface as Request;
|
||||
use Zend\Diactoros\Response\HtmlResponse;
|
||||
use Zend\Stratigility\MiddlewareInterface;
|
||||
|
||||
class RequireAdministrateAbility implements MiddlewareInterface
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var LogInController
|
||||
*/
|
||||
private $logInController;
|
||||
|
||||
/**
|
||||
* @var Factory
|
||||
*/
|
||||
private $view;
|
||||
|
||||
/**
|
||||
* @param LogInController $logInController
|
||||
* @param Factory $view
|
||||
*/
|
||||
public function __construct(LogInController $logInController, Factory $view)
|
||||
{
|
||||
$this->logInController = $logInController;
|
||||
$this->view = $view;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function __invoke(Request $request, Response $response, callable $out = null)
|
||||
{
|
||||
try {
|
||||
$this->assertAdminAndSudo($request);
|
||||
} catch (Exception $e) {
|
||||
if ($request->getMethod() === 'POST') {
|
||||
$response = $this->logInController->handle($request);
|
||||
|
||||
if ($response->getStatusCode() === 200) {
|
||||
return $response
|
||||
->withStatus(302)
|
||||
->withHeader('location', app('Flarum\Admin\UrlGenerator')->toRoute('index'));
|
||||
}
|
||||
}
|
||||
|
||||
return new HtmlResponse(
|
||||
$this->view->make('flarum.admin::login')
|
||||
->with('token', $request->getAttribute('session')->get('csrf_token'))
|
||||
->render()
|
||||
);
|
||||
}
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
|
||||
return $out ? $out($request, $response) : $response;
|
||||
}
|
||||
|
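Review bot: Once the try/catch around the permission check is gone, the `PermissionDeniedException` that `assertAdmin` presumably raises for a guest or non-admin visitor propagates straight out of `__invoke`, and nothing in this hunk turns it into a response; unless an outer error-handling middleware on the admin pipeline maps it to a 403 or a redirect to the forum login, the admin area answers with an unhandled 500 and the old login form has no stated replacement. Worth confirming that mapping exists and making the contract explicit by replacing the bare `{@inheritdoc}` on `__invoke` with `@throws PermissionDeniedException when the actor lacks the administrate permission`. If the `Exception`, `LogInController`, `Factory` and `HtmlResponse` imports survived the removal they are now unused and should go as well.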
@@ -10,15 +10,12 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeleteDiscussion;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeleteDiscussionController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -41,8 +38,6 @@ class DeleteDiscussionController extends AbstractDeleteController
|
||||
$actor = $request->getAttribute('actor');
|
||||
$input = $request->getParsedBody();
|
||||
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeleteDiscussion($id, $actor, $input)
|
||||
);
|
||||
|
@@ -10,15 +10,12 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeleteGroup;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeleteGroupController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -37,8 +34,6 @@ class DeleteGroupController extends AbstractDeleteController
|
||||
*/
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeleteGroup(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
|
||||
);
|
||||
|
@@ -10,15 +10,12 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeletePost;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeletePostController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -37,8 +34,6 @@ class DeletePostController extends AbstractDeleteController
|
||||
*/
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeletePost(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
|
||||
);
|
||||
|
@@ -10,15 +10,12 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeleteUser;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeleteUserController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -37,8 +34,6 @@ class DeleteUserController extends AbstractDeleteController
|
||||
*/
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeleteUser(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
|
||||
);
|
||||
|
@@ -25,7 +25,7 @@ class SetPermissionController implements ControllerInterface
|
||||
*/
|
||||
public function handle(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdminAndSudo($request);
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
|
||||
$body = $request->getParsedBody();
|
||||
$permission = array_get($body, 'permission');
|
||||
|
@@ -47,7 +47,7 @@ class SetSettingsController implements ControllerInterface
|
||||
*/
|
||||
public function handle(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdminAndSudo($request);
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
|
||||
$settings = $request->getParsedBody();
|
||||
|
||||
|
@@ -33,7 +33,7 @@ class UninstallExtensionController extends AbstractDeleteController
|
||||
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdminAndSudo($request);
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
|
||||
$name = array_get($request->getQueryParams(), 'name');
|
||||
|
||||
|
@@ -37,7 +37,7 @@ class UpdateExtensionController implements ControllerInterface
|
||||
*/
|
||||
public function handle(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdminAndSudo($request);
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
|
||||
$enabled = array_get($request->getParsedBody(), 'enabled');
|
||||
$name = array_get($request->getQueryParams(), 'name');
|
||||
|
@@ -10,16 +10,14 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\EditUser;
|
||||
use Flarum\Core\Exception\PermissionDeniedException;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Tobscure\JsonApi\Document;
|
||||
|
||||
class UpdateUserController extends AbstractResourceController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
@@ -52,7 +50,15 @@ class UpdateUserController extends AbstractResourceController
|
||||
$actor = $request->getAttribute('actor');
|
||||
$data = array_get($request->getParsedBody(), 'data', []);
|
||||
|
||||
$this->assertSudo($request);
|
||||
// Require the user's current password if they are attempting to change
|
||||
// their own email address.
|
||||
if (isset($data['attributes']['email']) && $actor->id == $id) {
|
||||
$password = array_get($request->getParsedBody(), 'meta.password');
|
||||
|
||||
if (! $actor->checkPassword($password)) {
|
||||
throw new PermissionDeniedException;
|
||||
}
|
||||
}
|
||||
|
||||
return $this->bus->dispatch(
|
||||
new EditUser($id, $actor, $data)
|
||||
|
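Review bot: The self-edit guard on the new `if` compares `$actor->id == $id` loosely; `$id` most likely arrives from the route as a string, and a loose comparison is the kind of check that quietly misbehaves on odd input, so cast and compare strictly: `if (isset($data['attributes']['email']) && $actor->id === (int) $id) {`. On the next line `array_get(..., 'meta.password')` yields `null` when the client omits the field and that value reaches `checkPassword`; if that method does not itself treat a non-string as a failure, an explicit `if (! is_string($password) || ! $actor->checkPassword($password))` keeps the intent clear. Because this block is now the only re-authentication step for an email change, it is also worth recording in the comment that a wrong password is reported as `PermissionDeniedException` (a 403 rather than a validation error) and that failed confirmations are not throttled here, so whatever throttling protects the login path should cover this one too. The enclosing method starts and ends outside the hunk.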
@@ -10,11 +10,9 @@
|
||||
|
||||
namespace Flarum\Core\Access;
|
||||
|
||||
use DateTime;
|
||||
use Flarum\Api\Exception\InvalidAccessTokenException;
|
||||
use Flarum\Core\Exception\PermissionDeniedException;
|
||||
use Flarum\Core\User;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
trait AssertPermissionTrait
|
||||
{
|
||||
@@ -66,28 +64,4 @@ trait AssertPermissionTrait
|
||||
{
|
||||
$this->assertCan($actor, 'administrate');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param ServerRequestInterface $request
|
||||
* @throws InvalidAccessTokenException
|
||||
*/
|
||||
protected function assertSudo(ServerRequestInterface $request)
|
||||
{
|
||||
$session = $request->getAttribute('session');
|
||||
|
||||
if ($session && $session->get('sudo_expiry') < new DateTime) {
|
||||
throw new InvalidAccessTokenException;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param ServerRequestInterface $request
|
||||
* @throws PermissionDeniedException
|
||||
*/
|
||||
protected function assertAdminAndSudo(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
|
||||
$this->assertSudo($request);
|
||||
}
|
||||
}
|
||||
|
@@ -23,7 +23,6 @@ class SessionAuthenticator
|
||||
{
|
||||
$session->migrate();
|
||||
$session->set('user_id', $userId);
|
||||
$session->set('sudo_expiry', new DateTime('+30 minutes'));
|
||||
}
|
||||
|
||||
/**
|
||||
|