From 283299bf36e81acc2c582035a6135992c49ab496 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Sat, 19 Feb 2022 01:34:07 +0100
Subject: [PATCH] fix: [security] flood protection control enabled by default - as reported by Dawid Czarnecki from Zigrin Security
---
 src/Controller/UsersController.php | 2 +-
 src/Model/Table/SettingProviders/CerebrateSettingsProvider.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 5f4e8eb..272b1ba 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -317,7 +317,7 @@ class UsersController extends AppController
 if (empty(Configure::read('security.registration.self-registration'))) {
 throw new UnauthorizedException(__('User self-registration is not open.'));
 }
- if (!empty(Configure::read('security.registration.floodProtection'))) {
+ if (!Configure::check('security.registration.floodProtection') || Configure::read('security.registration.floodProtection')) {
 $this->FloodProtection->check('register');
 }
 if ($this->request->is('post')) {
diff --git a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
index 330e589..a2102e5 100644
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@@ -301,7 +301,7 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
 'name' => __('Enable registration flood-protection'),
 'type' => 'boolean',
 'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
- 'default' => false,
+ 'default' => true,
 ],
 ]
 ],
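Review bot: The added condition in the UsersController hunk reads the same key twice and spells out the fail-safe default by hand; since CakePHP 3.5 `Configure::read()` accepts a default as its second argument, so `if (Configure::read('security.registration.floodProtection', true)) {` expresses the same "on unless explicitly disabled" rule in one call (read() falls back to the default exactly when the stored value is null, which is also what check() tests). Whichever form is kept, the intent deserves a comment so the next refactor does not regress it to the old opt-in behaviour: `// Fail-safe: an unset key means flood protection is ON; only an explicit false disables it.` Note that a configured value is still evaluated by PHP truthiness, so a string `"0"` from an environment- or database-backed setting turns the check off while the string `"false"` leaves it on; if settings can arrive as strings, cast explicitly with `(bool)` or `filter_var(..., FILTER_VALIDATE_BOOLEAN)`. The enclosing action method starts and ends outside the hunk.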
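Review bot: In the CerebrateSettingsProvider hunk the `description` string two lines above the changed default still reads as opt-in ("Enabling this setting will only allow …"), so a reader of the settings UI gets no hint that the limit is already in force once `'default' => true` lands and that this toggle is what removes it. Suggest `'description' => __('Enabled by default. While enabled, only 5 registrations / IP address every 15 minutes (rolling time-frame) are accepted; disabling it removes the limit.'),`. This default and the unset-key fallback in UsersController are two separate statements of the same policy, so a short comment on the default line such as `// Must agree with the fail-safe fallback UsersController applies when the key is unset.` would keep them from drifting apart.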