Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix oauth bypasses validation & banned checks #3103

Merged
merged 4 commits into from
Oct 10, 2022
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Fix oauth bypasses validation & banned checks
  • Loading branch information
partydragen committed Oct 8, 2022
commit 1c5de59d4253872ea6d80e4272cc9ccc6acfba45
11 changes: 11 additions & 0 deletions modules/Core/pages/oauth.php
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,17 @@
$user_id = NamelessOAuth::getInstance()->getUserIdFromProviderId($provider_name, $provider_id);
$user = new User($user_id);

// Make sure user is validated
Session::flash('oauth_error', $language->get('user', 'inactive_account'));
Redirect::to(URL::build('/login'));
}

// Make sure user is not banned
if (!$user->data()->banned == 1) {
Session::flash('oauth_error', $language->get('user', 'account_banned'));
Redirect::to(URL::build('/login'));
}

// If the user has 2FA enabled, ask for those credentials
if ($user->data()->tfa_enabled == 1 && $user->data()->tfa_complete == 1) {
$_SESSION['user_id'] = $user_id;
Expand Down