DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-01-12 22:37:28 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Handle workflow better for invalid users

Browse source 
Signed-off-by: snipe <snipe@snipe.net>
This commit is contained in:
snipe 2022-06-21 16:13:43 -07:00
parent a49ccf0863
commit f4f400ed87
1 changed files with 20 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
app/Http/Controllers/Auth/ResetPasswordController.php
View file

@ -72,15 +72,18 @@ class ResetPasswordController extends Controller
public function reset(Request $request) public function reset(Request $request)
{ {
$broker = $this->broker();
$messages = [ $messages = [
'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'), 'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
]; ];
$request->validate($this->rules(), $request->all(), $this->validationErrorMessages()); $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
// Check to see if the user even exists \Log::debug('Checking if '.$request->input('username').' exists');
// Check to see if the user even exists - we'll treat the response the same to prevent user sniffing
if ($user = User::where('username', '=', $request->input('username'))->whereNotNull('email')->first()) { if ($user = User::where('username', '=', $request->input('username'))->whereNotNull('email')->first()) {
$broker = $this->broker(); \Log::debug($user->username.' exists');
// handle the password validation rules set by the admin settings // handle the password validation rules set by the admin settings
if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) { if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
@ -90,25 +93,29 @@ class ResetPasswordController extends Controller
], $messages); ], $messages);
} }
// send the reset // set the response
\Log::debug('Setting the broker and resetting the password');
$response = $broker->reset( $response = $broker->reset(
$this->credentials($request), function ($user, $password) { $this->credentials($request), function ($user, $password) {
$this->resetPassword($user, $password); $this->resetPassword($user, $password);
}); });
// Check if the password reset above actually worked
if ($response == \Password::PASSWORD_RESET) {
\Log::debug('Password reset for '.$user->username.' worked');
return redirect('/')->with('success', trans('passwords.reset'));
}
\Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');
return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));
} }
// This is laravel magic - we override the sendResetFailedResponse further down to send a success message even if it failed
return $response == \Password::PASSWORD_RESET \Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');
? $this->sendResetResponse($request, $response) return redirect()->route('login')->with('success', trans('passwords.sent'));
: $this->sendResetFailedResponse($request, $response);
} }
protected function sendResetFailedResponse(Request $request, $response)
{
return redirect()->back()
->withInput(['username'=> $request->input('username')])
->with('success', trans('passwords.sent'));
}
} }