fix: [password reset] required current password for token based reset

pull/9438/head
iglocska 2023-12-07 10:31:50 +01:00
parent 805f91daed
commit c124df0e47
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 3 additions and 3 deletions


@ -266,12 +266,12 @@ class UsersController extends AppController
$this->set('canFetchPgpKey', $this->__canFetchPgpKey());
}
private function __pw_change($user, $source, &$abortPost, $token = false)
private function __pw_change($user, $source, &$abortPost, $token = false, $skip_password_confirmation = false)
{
if (!isset($this->request->data['User'])) {
$this->request->data = array('User' => $this->request->data);
}
if (Configure::read('Security.require_password_confirmation')) {
if (Configure::read('Security.require_password_confirmation') && !$skip_password_confirmation) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
@ -3305,7 +3305,7 @@ class UsersController extends AppController
}
if ($this->request->is('post') || $this->request->is('put')) {
$abortPost = false;
return $this->__pw_change(['User' => $user], 'password_reset', $abortPost, $token);
return $this->__pw_change(['User' => $user], 'password_reset', $abortPost, $token, true);
}
}
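Review bot: The new fifth parameter `$skip_password_confirmation` on `__pw_change` is a bare positional boolean that switches off the `Security.require_password_confirmation` check, and nothing in the visible lines ties it to a reset token being present. On the reset path the token then becomes the only proof of identity, so the skip should only be honoured when a token was actually supplied, e.g. `if (Configure::read('Security.require_password_confirmation') && !($skip_password_confirmation && $token)) {`; this assumes `$token` is always non-empty when the `password_reset` caller reaches this point, which the hunk does not show. A short docblock on `__pw_change` stating that the flag is reserved for the token-validated reset flow would keep later callers from passing `true` on an authenticated password change. The body of `__pw_change` and the enclosing reset action both continue outside the hunks.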