mirror of
https://github.com/invoiceninja/invoiceninja.git
synced 2025-05-24 02:14:21 -04:00
Fixes for password protection route - always check if a password is presented!
This commit is contained in:
David Bomba
parent
ded9e25c02
commit
700fd6bf99
@ -69,11 +69,12 @@ class CompanyController extends BaseController
|
||||
*/
|
||||
public function __construct(CompanyRepository $company_repo)
|
||||
{
|
||||
|
||||
parent::__construct();
|
||||
|
||||
$this->company_repo = $company_repo;
|
||||
|
||||
// $this->middleware('password_protected')->only(['destroy']);
|
||||
$this->middleware('password_protected')->only(['destroy']);
|
||||
|
||||
}
|
||||
|
||||
|
||||
@ -52,7 +52,8 @@ class PasswordProtection
|
||||
$x_api_password = base64_decode($request->header('X-API-PASSWORD-BASE64'));
|
||||
}
|
||||
|
||||
if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in')) {
|
||||
// If no password supplied - then we just check if their authentication is in cache //
|
||||
if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in') && !$x_api_password) {
|
||||
|
||||
Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
|
||||
|
||||
|
||||
@ -47,7 +47,9 @@ Route::group(['middleware' => ['api_db', 'token_auth', 'locale'], 'prefix' => 'a
|
||||
|
||||
Route::post('companies/purge/{company}', 'MigrationController@purgeCompany')->middleware('password_protected');
|
||||
Route::post('companies/purge_save_settings/{company}', 'MigrationController@purgeCompanySaveSettings')->middleware('password_protected');
|
||||
|
||||
Route::resource('companies', 'CompanyController'); // name = (companies. index / create / show / update / destroy / edit
|
||||
|
||||
Route::put('companies/{company}/upload', 'CompanyController@upload');
|
||||
|
||||
Route::get('company_ledger', 'CompanyLedgerController@index')->name('company_ledger.index');
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user