kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-10-15 16:57:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #6850 from firefly-iii/fix-auth-issue

Browse Source 
Expand authentication validation in API.
This commit is contained in:
James Cole
2023-01-14 07:55:11 +01:00
committed by GitHub
parent 89d4a34acf 23bbebb80e
commit db0500dcf0
3 changed files with 44 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Api/V1/Controllers/System/UserController.php
View File

@@ -33,6 +33,7 @@ use FireflyIII\Transformers\UserTransformer;
use FireflyIII\User; use FireflyIII\User;
use Illuminate\Http\JsonResponse; use Illuminate\Http\JsonResponse;
use Illuminate\Pagination\LengthAwarePaginator; use Illuminate\Pagination\LengthAwarePaginator;
use Illuminate\Support\Facades\Log;
use League\Fractal\Pagination\IlluminatePaginatorAdapter; use League\Fractal\Pagination\IlluminatePaginatorAdapter;
use League\Fractal\Resource\Collection as FractalCollection; use League\Fractal\Resource\Collection as FractalCollection;
use League\Fractal\Resource\Item; use League\Fractal\Resource\Item;
@@ -191,6 +192,13 @@ class UserController extends Controller
public function update(UserUpdateRequest $request, User $user): JsonResponse public function update(UserUpdateRequest $request, User $user): JsonResponse
{ {
$data = $request->getAll(); $data = $request->getAll();
// can only update 'blocked' when user is admin.
if(!$this->repository->hasRole(auth()->user(), 'owner')) {
Log::debug('Quietly drop fields "blocked" and "blocked_code" from request.');
unset($data['blocked'], $data['blocked_code']);
}
$user = $this->repository->update($user, $data); $user = $this->repository->update($user, $data);
$manager = $this->getManager(); $manager = $this->getManager();
// make resource // make resource

55
app/Http/Middleware/Authenticate.php
View File

@@ -87,7 +87,7 @@ class Authenticate
*/ */
protected function authenticate($request, array $guards) protected function authenticate($request, array $guards)
{ {
// Log::debug(sprintf('Now in %s', __METHOD__)); Log::debug(sprintf('Now in %s', __METHOD__));
if (0 === count($guards)) { if (0 === count($guards)) {
// Log::debug('No guards present.'); // Log::debug('No guards present.');
// go for default guard: // go for default guard:
@@ -98,22 +98,7 @@ class Authenticate
/** @noinspection PhpUndefinedMethodInspection */ /** @noinspection PhpUndefinedMethodInspection */
/** @var User $user */ /** @var User $user */
$user = $this->auth->authenticate(); $user = $this->auth->authenticate();
if (null === $user) { $this->validateBlockedUser($user, $guards);
Log::warning('User is null, throw exception?');
}
if (null !== $user) {
// Log::debug(get_class($user));
if (1 === (int)$user->blocked) {
$message = (string)trans('firefly.block_account_logout');
if ('email_changed' === $user->blocked_code) {
$message = (string)trans('firefly.email_changed_logout');
}
app('session')->flash('logoutMessage', $message);
$this->auth->logout(); // @phpstan-ignore-line (thinks function is undefined)
throw new AuthenticationException('Blocked account.', $guards);
}
}
} }
return $this->auth->authenticate(); // @phpstan-ignore-line (thinks function returns void) return $this->auth->authenticate(); // @phpstan-ignore-line (thinks function returns void)
@@ -121,13 +106,15 @@ class Authenticate
// Log::debug('Guard array is not empty.'); // Log::debug('Guard array is not empty.');
foreach ($guards as $guard) { foreach ($guards as $guard) {
// Log::debug(sprintf('Now in guard loop, guard is "%s"', $guard)); Log::debug(sprintf('Now in guard loop, guard is "%s"', $guard));
if('api' !== $guard) { if ('api' !== $guard) {
$this->auth->guard($guard)->authenticate(); $this->auth->guard($guard)->authenticate();
} }
$result = $this->auth->guard($guard)->check(); $result = $this->auth->guard($guard)->check();
// Log::debug(sprintf('Result is %s', var_export($result, true))); Log::debug(sprintf('Result is %s', var_export($result, true)));
if ($result) { if ($result) {
$user = $this->auth->guard($guard)->user();
$this->validateBlockedUser($user, $guards);
// According to PHPstan the method returns void, but we'll see. // According to PHPstan the method returns void, but we'll see.
return $this->auth->shouldUse($guard); // @phpstan-ignore-line return $this->auth->shouldUse($guard); // @phpstan-ignore-line
} }
@@ -135,4 +122,32 @@ class Authenticate
throw new AuthenticationException('Unauthenticated.', $guards); throw new AuthenticationException('Unauthenticated.', $guards);
} }
/**
* @param User|null $user
* @param array $guards
* @return void
* @throws AuthenticationException
*/
private function validateBlockedUser(?User $user, array $guards): void
{
Log::debug(sprintf('Now in %s', __METHOD__));
if (null === $user) {
Log::warning('User is null, throw exception?');
}
if (null !== $user) {
// Log::debug(get_class($user));
if (1 === (int)$user->blocked) {
$message = (string)trans('firefly.block_account_logout');
if ('email_changed' === $user->blocked_code) {
$message = (string)trans('firefly.email_changed_logout');
}
Log::warning('User is blocked, cannot use authentication method.');
app('session')->flash('logoutMessage', $message);
$this->auth->logout(); // @phpstan-ignore-line (thinks function is undefined)
throw new AuthenticationException('Blocked account.', $guards);
}
}
}
} }

3
changelog.md
View File

@@ -6,8 +6,7 @@ Alpha 2
- Data import: when you submit a transaction but give the ID of an account of the wrong type, Firefly III will try to create an account of the right type. For example: you submit a deposit but the source account is an expense account: Firefly III will try to create a revenue account instead. - Data import: when you submit a transaction but give the ID of an account of the wrong type, Firefly III will try to create an account of the right type. For example: you submit a deposit but the source account is an expense account: Firefly III will try to create a revenue account instead.
- Security: blocked users can access API, users can unblock themselves using the API.
## 5.8.0-alpha.1 - 2023-01-08 ## 5.8.0-alpha.1 - 2023-01-08