Commit d0da46c1 authored by Arnaud Pauget's avatar Arnaud Pauget Committed by Arnaud Pauget

fix (13838) : prevent account stealing by way of a javascript function


(cherry picked from commit 7cd05e79)
parent ea881f02
......@@ -182,7 +182,13 @@ class userAuthentication
*/
public function definePassword($userName, $oldPassword, $newPassword, $requestPath)
{
if ($userAccount = $this->sdoFactory->read('auth/account', array('accountName' => $userName))) {
$tempToken = \laabs::getToken('TEMP-AUTH');
if ($this->sdoFactory->exists('auth/account', array('accountName' => $userName))
&& $userAccount = $this->sdoFactory->read('auth/account', array('accountName' => $userName))
&& !is_null($tempToken)
&& $tempToken->accountId == $userAccount->accountId) {
$this->checkPasswordPolicies($newPassword);
$encryptedPassword = $newPassword;
......
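Review bot: The assignment inside the `&&` chain in the new condition does not bind `$userAccount` to the account object: `=` binds lower than `&&`, so PHP reads it as `$userAccount = (read(...) && !is_null($tempToken) && $tempToken->accountId == $userAccount->accountId)`, which evaluates `$userAccount->accountId` on a variable that is not yet set (the old assignment on the removed line is gone) and leaves `$userAccount` holding a bool. Every later use of the account object in the body that continues below the hunk then operates on `true`/`false` rather than the record, so the token-to-account check cannot work as written. Hoist the lookup out of the condition as below; the id comparison stays `==` because the hunk does not show whether the token and the stored account carry the id with the same type, and if they do, `===` is the safer form. The `exists()` followed by `read()` is two lookups of the same record; if `read()` yields a falsy value for a missing account, as the removed line relied on, the `exists()` call is redundant. definePassword's body continues outside the visible hunk.
```php
$tempToken = \laabs::getToken('TEMP-AUTH');
$userAccount = null;
if ($this->sdoFactory->exists('auth/account', array('accountName' => $userName))) {
    $userAccount = $this->sdoFactory->read('auth/account', array('accountName' => $userName));
}
// Only the account bound to the temporary auth token may have its password set.
if ($userAccount
    && !is_null($tempToken)
    && $tempToken->accountId == $userAccount->accountId) {
    // … unchanged: password policy check and update …
```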
......@@ -116,7 +116,12 @@ class authentication
public function definePassword($requestPath)
{
$json = $this->json;
$json->status = true;
$json->message = "Password changed.";
if ($requestPath === false) {
$json->status = false;
$json->message = "Password not changed.";
}
$json->requestPath = $requestPath;
return $json->save();
......
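Review bot: `$json->requestPath = $requestPath;` echoes the path back to the client verbatim, and a value the browser then navigates to should be constrained to a same-origin relative path before it is returned; the hunk does not show where `$requestPath` originates, so if it is user-supplied (the name suggests a request parameter carried through the model) add a guard such as `if (!is_string($requestPath) || $requestPath === '' || $requestPath[0] !== '/' || substr($requestPath, 0, 2) === '//') { $json->requestPath = null; }`, or validate it once where the value enters. The failure branch relies on the model signalling refusal with `false`; a docblock line above the signature, `@param string|false $requestPath  path to return to after the change, or false when the change was refused`, would make the `=== false` test self-explanatory. The method's closing brace and any existing docblock lie outside the visible hunk.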