diff options
| author |  Inverle <inverle@proton.me>
| 2025-07-31 13:53:14 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-07-31 13:53:14 +0200 |
| commit | 3ce64d271b2b470bd6c9f7294946347dcdfed9b9 (patch) | |
| tree | 56b5a0928f1ce2b0486e866abd5456bc43ea8ed9 /app/Controllers/userController.php | |
| parent | d0425f8c3ab14e72142b1a4f946d57b408f26c88 (diff) | |
Implement sudo mode / reauthentication (#7753)
* Implement sudo mode / reauthentication
* i18n: fr
* generate flags
* Improvements
* Remove HMAC check
* Don't require reauth to access logs when signed in as admin
* Notify user of bad login via notification instead
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'app/Controllers/userController.php')
| -rw-r--r-- | app/Controllers/userController.php | 57 |
1 files changed, 50 insertions, 7 deletions
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 05d73f971..c4c3c00a8 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -72,6 +72,10 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { } if (Minz_Request::isPost()) { + if (self::reauthRedirect()) { + return; + } + $username = Minz_Request::paramString('username'); $newPasswordPlain = Minz_User::name() !== $username ? Minz_Request::paramString('newPasswordPlain', true) : ''; @@ -190,21 +194,41 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { } } + public static function reauthRedirect(): bool { + $url_redirect = [ + 'c' => 'user', + 'a' => 'manage', + 'params' => [], + ]; + $username = Minz_Request::paramStringNull('username'); + if ($username !== null) { + $url_redirect['a'] = 'details'; + $url_redirect['params']['username'] = $username; + } + return FreshRSS_Auth::requestReauth($url_redirect); + } + public function purgeAction(): void { if (!FreshRSS_Auth::hasAccess('admin')) { Minz_Error::error(403); } - if (Minz_Request::isPost()) { - $username = Minz_Request::paramString('username'); + if (!Minz_Request::isPost()) { + Minz_Error::error(403); + } - if (!FreshRSS_UserDAO::exists($username)) { - Minz_Error::error(404); - } + if (self::reauthRedirect()) { + return; + } + + $username = Minz_Request::paramString('username'); - $feedDAO = FreshRSS_Factory::createFeedDao($username); - $feedDAO->purge(); + if (!FreshRSS_UserDAO::exists($username)) { + Minz_Error::error(404); } + + $feedDAO = FreshRSS_Factory::createFeedDao($username); + $feedDAO->purge(); } /** @@ -215,6 +239,10 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { Minz_Error::error(403); } + if (self::reauthRedirect()) { + return; + } + FreshRSS_View::prependTitle(_t('admin.user.title') . ' ยท '); if (Minz_Request::isPost()) { @@ -337,6 +365,10 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { Minz_Error::error(403); } + if (self::reauthRedirect()) { + return; + } + if (Minz_Request::isPost()) { $new_user_name = Minz_Request::paramString('new_user_name'); $email = Minz_Request::paramString('new_user_email'); @@ -602,7 +634,10 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { $username, FreshRSS_Context::userConf()->passwordHash, $nonce, $challenge ); + } elseif (self::reauthRedirect()) { + return; } + if ($ok) { $ok &= self::deleteUser($username); } @@ -647,6 +682,10 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { Minz_Error::error(403); } + if (self::reauthRedirect()) { + return; + } + $username = Minz_Request::paramString('username'); if (!FreshRSS_UserDAO::exists($username)) { Minz_Error::error(404); @@ -682,6 +721,10 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { Minz_Error::error(403); } + if (self::reauthRedirect()) { + return; + } + $username = Minz_Request::paramString('username'); if (!FreshRSS_UserDAO::exists($username)) { Minz_Error::error(404); |