author | Mario <mario@mariovavti.com> | 2023-03-11 20:24:56 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2023-03-11 20:24:56 +0000 |
commit | ac9c33fb3b31f4a3801fbdf7c723b923d699964d (patch) | |
tree | edc1f7bad40238e4150709bc5cd6f58cdc012443 | |
parent | 641b1c2e1b5be0d5b7b94ea6566238baa830ebe4 (diff) | |
check form security token and require password to enable/disable mfa
-rw-r--r-- | Zotlabs/Module/Settings/Multifactor.php | 15 | ||||
-rw-r--r-- | view/tpl/totp_setup.tpl | 1 |
2 files changed, 16 insertions, 0 deletions
diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php
index 191055e2c..4df718c6a 100644
--- a/Zotlabs/Module/Settings/Multifactor.php
+++ b/Zotlabs/Module/Settings/Multifactor.php
@@ -12,10 +12,24 @@ use ParagonIE\ConstantTime\Base32;
 class Multifactor {
 public function post() {
+ check_form_security_token_redirectOnErr('/settings/multifactor', 'settings_mfa');
+
 $account = App::get_account();
 if (!$account) {
 return;
 }
+
+ if (empty($_POST['password'])) {
+ notice(t('Password is required') . EOL);
+ return;
+ }
+
+ $password = trim($_POST['password']);
+ if(!account_verify_password($account['account_email'], $password)) {
+ notice(t('The provided password is not correct') . EOL);
+ return;
+ }
+
 $enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false;
 AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa);
 if ($enable_mfa) {
@@ -67,6 +81,7 @@ class Multifactor {
 t('Logging in will require you to be in possession of your smartphone with an authenticator app'),
 [t('No'), t('Yes')]
 ],
+ '$password' => ['password', t('Please enter your password'), '', t('Required')],
 '$submit' => t('Submit'),
 '$test' => t('Test')
 ]
diff --git a/view/tpl/totp_setup.tpl b/view/tpl/totp_setup.tpl
index 2ee79fae9..1301d0001 100644
--- a/view/tpl/totp_setup.tpl
+++ b/view/tpl/totp_setup.tpl
@@ -28,6 +28,7 @@
 <div id="mfa-submit-wrapper" class="{{if !$enable_mfa.2}}d-none{{/if}}">
 <form action="settings/multifactor" method="post">
 <input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
+ {{include file="field_password.tpl" field=$password}}
 {{include file="field_checkbox.tpl" field=$enable_mfa}}
 <div class="settings-submit-wrapper" >
 <button id="otp-enable-submit" type="b" name="submit" class="btn btn-primary"> |
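Review bot: `empty($_POST['password'])` and the `trim()` on the following added line both reshape the credential before it is verified: a password that is exactly "0" is rejected as missing, and one with leading or trailing whitespace is silently altered and will not match unless account creation applies the same trim, which is not visible here. Safer is `if (!isset($_POST['password']) || $_POST['password'] === '') {` and `$password = $_POST['password'];`, leaving any normalisation to account_verify_password. A failed check only emits a notice; with no logging or throttling of failures, anyone holding a live session can make unlimited guesses at the account password from this endpoint, so at least recording the failure against the account is worth adding. Since MFA exists to survive a password compromise, requiring a current TOTP code as well when disabling it is worth considering. post() continues past the end of the hunk.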
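Review bot: The password input added inside the `mfa-submit-wrapper` form carries no autocomplete hint, so browsers and password managers may treat a field named `password` on a settings page as a new password to store rather than the existing one to fill. If field_password.tpl passes extra attributes through, supply `autocomplete="current-password"` via the field definition; if it does not, a one-line comment above the include such as `{* current account password, verified server-side before MFA is changed *}` would tell the next reader why a login password is requested on a settings form. The wrapper is hidden with `d-none` whenever `$enable_mfa.2` is false, so the new field is only reachable once MFA is already on or something else reveals the wrapper, which is presumably intended but worth confirming. The enclosing `<form>` element continues past the end of the hunk.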