Fix Insufficient Granularity of Access Control
JC5 committed Oct 3, 2021
1 parent e60444c commit 0af2fd8
Showing 2 changed files with 9 additions and 5 deletions.
7 changes: 5 additions & 2 deletions app/Http/Controllers/Auth/ForgotPasswordController.php
Expand Up @@ -92,9 +92,12 @@ public function sendResetLinkEmail(Request $request, UserRepositoryInterface $re
// We will send the password reset link to this user. Once we have attempted
// to send the link, we will examine the response then see the message we
// need to show to the user. Finally, we'll send out a proper response.
$this->broker()->sendResetLink($request->only('email'));
$result = $this->broker()->sendResetLink($request->only('email'));
if('passwords.throttled' === $result) {
Log::error(sprintf('Cowardly refuse to send a password reset message to user #%d because the reset button has been throttled.', $user->id));
}

// always send the same response:
// always send the same response to the user:
$response = trans('firefly.forgot_password_response');

return back()->with('status', trans($response));
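Review bot: The throttle check on the line `if('passwords.throttled' === $result)` compares against a bare string; Laravel publishes that status as `\Illuminate\Contracts\Auth\PasswordBroker::RESET_THROTTLED`, so `if (PasswordBroker::RESET_THROTTLED === $result) {` (with the matching `use` line) avoids a silent mismatch if the broker's status strings ever change. A throttled reset request is the rate limit doing its job rather than a fault, so `Log::warning(...)` would fit the event better than `Log::error(...)` and keeps the error channel for real failures. The message interpolates `$user->id`, which is assigned before this hunk — sendResetLinkEmail starts outside it — so please confirm that `$user` cannot be null on the path where the broker reports throttling. The unchanged return of the same `firefly.forgot_password_response` for every broker outcome is what keeps this endpoint from revealing whether an address is registered; any further branches added here should preserve that single response.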
7 changes: 4 additions & 3 deletions config/auth.php
Expand Up @@ -98,8 +98,8 @@

'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => FireflyIII\User::class,
'driver' => 'eloquent',
'model' => FireflyIII\User::class,
],
'remote_user_provider' => [
'driver' => 'remote_user_provider',
Expand All @@ -111,7 +111,7 @@
//'model' => LdapRecord\Models\ActiveDirectory\User::class,
'model' => LdapRecord\Models\OpenLDAP\User::class,
'rules' => [
UserDefinedRule::class
UserDefinedRule::class,
],
'database' => [
'model' => FireflyIII\User::class,
Expand Down Expand Up @@ -141,6 +141,7 @@
'provider' => 'users',
'table' => 'password_resets',
'expire' => 60,
'throttle' => 300, // Allows a user to request 1 token per 300 seconds
],
],
/*
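Review bot: The new `'throttle' => 300` entry in the last hunk sits next to `'expire' => 60`, and the two use different units (Laravel reads `expire` as minutes and `throttle` as seconds), which the inline comment does not make explicit. As far as I know the token repository applies `throttle` per user record, by comparing the `created_at` of that account's existing reset token, so it bounds how often one account can be mailed rather than how often the endpoint can be called; request-level rate limiting is a separate control. I would replace the trailing comment with `// Seconds a user must wait between reset links (per account, not per request); note 'expire' above is in minutes.` The first two hunks in this file are whitespace and trailing-comma changes only.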
