From 4738ca851207f07bdfc409ecb16d3fc754e5bf48 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Mon, 8 Jul 2024 11:05:58 +0200
Subject: Fix for disabled logged-in users (#6612)

fix https://github.com/FreshRSS/FreshRSS/issues/6611 Logged-in users were still able to use their account for some time despite having being disabled by admin
---
 app/Models/Auth.php | 17 +++++++++--------
 p/api/query.php | 2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index ecb8ead2f..416f3061d 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -31,15 +31,16 @@ class FreshRSS_Auth {
 ]);
 }
 
- if (self::$login_ok) {
- self::giveAccess();
- } elseif (self::accessControl() && self::giveAccess()) {
+ if (self::$login_ok && self::giveAccess()) {
+ return self::$login_ok;
+ }
+ if (self::accessControl() && self::giveAccess()) {
 FreshRSS_UserDAO::touch();
- } else {
- // Be sure all accesses are removed!
- self::removeAccess();
+ return self::$login_ok;
 }
- return self::$login_ok;
+ // Be sure all accesses are removed!
+ self::removeAccess();
+ return false;
 }
 
 /**
@@ -103,7 +104,7 @@ class FreshRSS_Auth {
 */
 public static function giveAccess(): bool {
 FreshRSS_Context::initUser();
- if (!FreshRSS_Context::hasUserConf()) {
+ if (!FreshRSS_Context::hasUserConf() || !FreshRSS_Context::userConf()->enabled) {
 self::$login_ok = false;
 return false;
 }
diff --git a/p/api/query.php b/p/api/query.php
index c95a2bf43..7d74f2313 100644
--- a/p/api/query.php
+++ b/p/api/query.php
@@ -36,7 +36,7 @@ if (!FreshRSS_Context::hasSystemConf() || !FreshRSS_Context::systemConf()->api_e
 }
 
 FreshRSS_Context::initUser($user);
-if (!FreshRSS_Context::hasUserConf()) {
+if (!FreshRSS_Context::hasUserConf() || !FreshRSS_Context::userConf()->enabled) {
 usleep(rand(100, 10000)); //Primitive mitigation of scanning for users
 header('HTTP/1.1 404 Not Found');
 header('Content-Type: text/plain; charset=UTF-8');
--
cgit v1.2.3
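Review bot: The new fall-through to `self::removeAccess(); return false;` is the part of this hunk that actually closes #6611 — a session that was valid at login but whose account has since been disabled now reaches it because `self::giveAccess()` in the first guard fails — yet nothing in the code says so, and the surviving comment still only talks about "all accesses are removed". A short note above the call, `// Also reached when the user was disabled after login (#6611): giveAccess() fails and the session must be dropped`, would keep the intent visible to the next person who reorders these guards. The enclosing method begins before this hunk, so its docblock (outside the view) should likewise state that the return value is `false` whenever the user configuration is missing or the account is disabled. I would also note that the two success branches differ in that only the `accessControl()` path calls `FreshRSS_UserDAO::touch()`; that is pre-existing behaviour, but worth a one-line comment if it is intentional.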
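Review bot: The extended guard `!FreshRSS_Context::hasUserConf() || !FreshRSS_Context::userConf()->enabled` collapses two distinct situations — no user configuration and an explicitly disabled account — into the same silent `self::$login_ok = false; return false;`, so an administrator gets no trace when a disabled account keeps presenting a still-valid session or credentials. Since a disabled-but-active session is exactly the condition this commit fixes, it is the case worth surfacing: a separate branch for the disabled case that emits a notice through the project's logger (the Minz_Log helper, if it is in scope here) before returning would give operators a detection signal at no cost to the user-facing behaviour. A comment such as `// Disabled accounts are refused on every request, not only at login (#6611)` would also document why the check lives in giveAccess() rather than in the login flow. giveAccess() continues past the end of this hunk.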
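Review bot: The new condition makes a disabled user indistinguishable from an unknown one at the API endpoint (both get the same delay and the same 404), which is the right choice against user enumeration, but the existing comment only explains the scanning mitigation, not that disabled accounts are deliberately folded into it; `// Disabled users are treated exactly like unknown users so the response does not reveal account state` above the `if` would record that decision. As a side note on the context line that follows, the jitter uses `rand()`; `random_int()` is the conventional choice for anything security-adjacent, even though the exact distribution hardly matters here. The surrounding script continues beyond this hunk.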