Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-05-24 02:14:21 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fixes for password protection route - always check if a password is presented!

Browse Source
This commit is contained in:
David Bomba 2021-08-31 14:09:12 +10:00
parent ded9e25c02
commit 700fd6bf99
3 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/Http/Controllers/CompanyController.php
View File

@ -69,11 +69,12 @@ class CompanyController extends BaseController
*/ */
public function __construct(CompanyRepository $company_repo) public function __construct(CompanyRepository $company_repo)
{ {
parent::__construct(); parent::__construct();
$this->company_repo = $company_repo; $this->company_repo = $company_repo;
// $this->middleware('password_protected')->only(['destroy']); $this->middleware('password_protected')->only(['destroy']);
} }

3
app/Http/Middleware/PasswordProtection.php
View File

@ -52,7 +52,8 @@ class PasswordProtection
$x_api_password = base64_decode($request->header('X-API-PASSWORD-BASE64')); $x_api_password = base64_decode($request->header('X-API-PASSWORD-BASE64'));
} }
if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in')) { // If no password supplied - then we just check if their authentication is in cache //
if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in') && !$x_api_password) {
Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout); Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);

2
routes/api.php
View File

@ -47,7 +47,9 @@ Route::group(['middleware' => ['api_db', 'token_auth', 'locale'], 'prefix' => 'a
Route::post('companies/purge/{company}', 'MigrationController@purgeCompany')->middleware('password_protected'); Route::post('companies/purge/{company}', 'MigrationController@purgeCompany')->middleware('password_protected');
Route::post('companies/purge_save_settings/{company}', 'MigrationController@purgeCompanySaveSettings')->middleware('password_protected'); Route::post('companies/purge_save_settings/{company}', 'MigrationController@purgeCompanySaveSettings')->middleware('password_protected');
Route::resource('companies', 'CompanyController'); // name = (companies. index / create / show / update / destroy / edit Route::resource('companies', 'CompanyController'); // name = (companies. index / create / show / update / destroy / edit
Route::put('companies/{company}/upload', 'CompanyController@upload'); Route::put('companies/{company}/upload', 'CompanyController@upload');
Route::get('company_ledger', 'CompanyLedgerController@index')->name('company_ledger.index'); Route::get('company_ledger', 'CompanyLedgerController@index')->name('company_ledger.index');