Merge pull request #13932 from snipe/features/use_allowlist_for_user_logging
Use allowlist for user observer logging
This commit is contained in:
commit
bb0ba0bebe
|
@ -56,7 +56,6 @@ class LoginController extends Controller
|
||||||
parent::__construct();
|
parent::__construct();
|
||||||
$this->middleware('guest', ['except' => ['logout', 'postTwoFactorAuth', 'getTwoFactorAuth', 'getTwoFactorEnroll']]);
|
$this->middleware('guest', ['except' => ['logout', 'postTwoFactorAuth', 'getTwoFactorAuth', 'getTwoFactorEnroll']]);
|
||||||
Session::put('backUrl', \URL::previous());
|
Session::put('backUrl', \URL::previous());
|
||||||
// $this->ldap = $ldap;
|
|
||||||
$this->saml = $saml;
|
$this->saml = $saml;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,7 +81,6 @@ class LoginController extends Controller
|
||||||
}
|
}
|
||||||
|
|
||||||
if (Setting::getSettings()->login_common_disabled == '1') {
|
if (Setting::getSettings()->login_common_disabled == '1') {
|
||||||
\Log::debug('login_common_disabled is set to 1 - return a 403');
|
|
||||||
return view('errors.403');
|
return view('errors.403');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -134,6 +134,7 @@ class ProfileController extends Controller
|
||||||
];
|
];
|
||||||
|
|
||||||
$validator = \Validator::make($request->all(), $rules);
|
$validator = \Validator::make($request->all(), $rules);
|
||||||
|
|
||||||
$validator->after(function ($validator) use ($request, $user) {
|
$validator->after(function ($validator) use ($request, $user) {
|
||||||
if (! Hash::check($request->input('current_password'), $user->password)) {
|
if (! Hash::check($request->input('current_password'), $user->password)) {
|
||||||
$validator->errors()->add('current_password', trans('validation.custom.hashed_pass'));
|
$validator->errors()->add('current_password', trans('validation.custom.hashed_pass'));
|
||||||
|
@ -159,12 +160,14 @@ class ProfileController extends Controller
|
||||||
});
|
});
|
||||||
|
|
||||||
if (! $validator->fails()) {
|
if (! $validator->fails()) {
|
||||||
|
|
||||||
$user->password = Hash::make($request->input('password'));
|
$user->password = Hash::make($request->input('password'));
|
||||||
$user->save();
|
// We have to use saveQuietly here because for some reason this method was calling the User Oserver twice :(
|
||||||
|
$user->saveQuietly();
|
||||||
|
|
||||||
// Log the user out of other devices
|
// Log the user out of other devices
|
||||||
Auth::logoutOtherDevices($request->input('password'));
|
Auth::logoutOtherDevices($request->input('password'));
|
||||||
return redirect()->route('account.password.index')->with('success', 'Password updated!');
|
return redirect()->route('account')->with('success', trans('passwords.password_change'));
|
||||||
|
|
||||||
}
|
}
|
||||||
return redirect()->back()->withInput()->withErrors($validator);
|
return redirect()->back()->withInput()->withErrors($validator);
|
||||||
|
|
|
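Review bot: `$user->saveQuietly()` on the new side suppresses every model event for this save, not only the duplicate UserObserver call the comment mentions, so a password change made through this form no longer produces the `update` action-log entry that `UserObserver::updating` writes for the `password` key, and any other `saving`/`saved` listeners are skipped as well. If the intent is only to avoid the double log entry, the double dispatch itself looks like the thing to fix, or the change should be recorded explicitly after the quiet save; at minimum the comment should state that audit logging is deliberately bypassed here, e.g. `// saveQuietly() skips all model events, including the UserObserver audit log for this change`. The same comment misspells Observer (`Oserver`). The enclosing method starts and ends outside the hunk.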
@ -17,9 +17,49 @@ class UserObserver
|
||||||
public function updating(User $user)
|
public function updating(User $user)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
// ONLY allow these fields to be stored
|
||||||
|
$allowed_fields = [
|
||||||
|
'email',
|
||||||
|
'activated',
|
||||||
|
'first_name',
|
||||||
|
'last_name',
|
||||||
|
'website',
|
||||||
|
'country',
|
||||||
|
'gravatar',
|
||||||
|
'location_id',
|
||||||
|
'phone',
|
||||||
|
'jobtitle',
|
||||||
|
'manager_id',
|
||||||
|
'employee_num',
|
||||||
|
'username',
|
||||||
|
'notes',
|
||||||
|
'company_id',
|
||||||
|
'ldap_import',
|
||||||
|
'locale',
|
||||||
|
'two_factor_enrolled',
|
||||||
|
'two_factor_optin',
|
||||||
|
'department_id',
|
||||||
|
'address',
|
||||||
|
'address2',
|
||||||
|
'city',
|
||||||
|
'state',
|
||||||
|
'zip',
|
||||||
|
'remote',
|
||||||
|
'start_date',
|
||||||
|
'end_date',
|
||||||
|
'autoassign_licenses',
|
||||||
|
'vip',
|
||||||
|
'password'
|
||||||
|
];
|
||||||
|
|
||||||
$changed = [];
|
$changed = [];
|
||||||
|
|
||||||
foreach ($user->getRawOriginal() as $key => $value) {
|
foreach ($user->getRawOriginal() as $key => $value) {
|
||||||
|
|
||||||
|
// Make sure the info is in the allow fields array
|
||||||
|
if (in_array($key, $allowed_fields)) {
|
||||||
|
|
||||||
|
// Check and see if the value changed
|
||||||
if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
|
if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
|
||||||
|
|
||||||
$changed[$key]['old'] = $user->getRawOriginal()[$key];
|
$changed[$key]['old'] = $user->getRawOriginal()[$key];
|
||||||
|
@ -31,24 +71,12 @@ class UserObserver
|
||||||
$changed['password']['new'] = '*************';
|
$changed['password']['new'] = '*************';
|
||||||
}
|
}
|
||||||
|
|
||||||
// Do not store last login in changes
|
|
||||||
if ($key == 'last_login') {
|
|
||||||
unset($changed['last_login']);
|
|
||||||
unset($changed['last_login']);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($key == 'permissions') {
|
|
||||||
unset($changed['permissions']);
|
|
||||||
unset($changed['permissions']);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($key == 'remember_token') {
|
|
||||||
unset($changed['remember_token']);
|
|
||||||
unset($changed['remember_token']);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if (count($changed) > 0) {
|
||||||
$logAction = new Actionlog();
|
$logAction = new Actionlog();
|
||||||
$logAction->item_type = User::class;
|
$logAction->item_type = User::class;
|
||||||
$logAction->item_id = $user->id;
|
$logAction->item_id = $user->id;
|
||||||
|
@ -60,6 +88,9 @@ class UserObserver
|
||||||
$logAction->logaction('update');
|
$logAction->logaction('update');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Listen to the User created event, and increment
|
* Listen to the User created event, and increment
|
||||||
* the next_auto_tag_base value in the settings table when i
|
* the next_auto_tag_base value in the settings table when i
|
||||||
|
|
|
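Review bot: With `'password'` in `$allowed_fields` (first hunk), the loop stores `$user->getRawOriginal()[$key]` as `$changed['password']['old']` like any other allowlisted key, while the masking visible in the second hunk covers only `$changed['password']['new'] = '*************'`; unless the lines between the two hunks also overwrite `old`, the previous password hash ends up in the action log, which is worth confirming and masking the same way. The list would also read better as `private const ALLOWED_FIELDS = [...]` checked with `in_array($key, self::ALLOWED_FIELDS, true)` rather than an array rebuilt on every update, and the loose `!=` between raw original and current attributes means a change between `null` and `''` is not recorded — pre-existing, but the allowlist rewrite was the moment to tighten it. `updating()` spans all three hunks; dropping the `last_login`, `permissions` and `remember_token` unsets in the second hunk is consistent with the allowlist making them unreachable.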
@ -5,4 +5,5 @@ return [
|
||||||
'user' => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.',
|
'user' => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.',
|
||||||
'token' => 'This password reset token is invalid or expired, or does not match the username provided.',
|
'token' => 'This password reset token is invalid or expired, or does not match the username provided.',
|
||||||
'reset' => 'Your password has been reset!',
|
'reset' => 'Your password has been reset!',
|
||||||
|
'password_change' => 'Your password has been updated!',
|
||||||
];
|
];
|
||||||
|
|
|
@ -10,6 +10,7 @@
|
||||||
@section('content')
|
@section('content')
|
||||||
|
|
||||||
@if ($acceptances = \App\Models\CheckoutAcceptance::forUser(Auth::user())->pending()->count())
|
@if ($acceptances = \App\Models\CheckoutAcceptance::forUser(Auth::user())->pending()->count())
|
||||||
|
<div class="row">
|
||||||
<div class="col-md-12">
|
<div class="col-md-12">
|
||||||
<div class="alert alert alert-warning fade in">
|
<div class="alert alert alert-warning fade in">
|
||||||
<i class="fas fa-exclamation-triangle faa-pulse animated"></i>
|
<i class="fas fa-exclamation-triangle faa-pulse animated"></i>
|
||||||
|
@ -21,6 +22,7 @@
|
||||||
</strong>
|
</strong>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
</div>
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
<div class="row">
|
<div class="row">
|
||||||
|
|