WebSVN – Moodle – Diff – /admin/tool/mfa/factor/email/email.php

 $PAGE->set_title(get_string('unauthemail', 'factor_email'));
 $PAGE->set_cacheable(false);
 $instance = $DB->get_record('tool_mfa', ['id' => $instanceid]);
 $factor = \tool_mfa\plugininfo\factor::get_factor('email');
+// If pass is set, do checks and pass for this session.
-// If pass is set, require login to force $SESSION and user, and pass for that session.
+// Require login to force $SESSION and user, and pass for that session.
 if (!empty($instance) && $pass != 0 && $secret != 0) {
     require_login();
     if ($factor->get_state() === \tool_mfa\plugininfo\factor::STATE_LOCKED) {
         // Redirect through to auth, this will bounce them to the next factor.
 $form = new \factor_email\form\email($url);
+if ($form->is_cancelled()) {
+    redirect(new moodle_url('/'));
+}
-if ($form->is_cancelled()) {
+// If submitted without the pass param, is a cancel request - do checks and revoke email factor.
-    redirect(new moodle_url('/'));
+if ($fromform = $form->get_data()) {
-} else if ($fromform = $form->get_data()) {
+    // Only allow revoke attempts from requests with a valid instance and secret.
-    if (empty($instance)) {
+    if (empty($instance) || empty($secret) || $instance->secret != $secret) {
         $message = get_string('error:badcode', 'factor_email');
     } else {
         $user = $DB->get_record('user', ['id' => $instance->userid]);
         // Stop attacker from using email factor at all, by revoking all email until admin fixes.
         $DB->set_field('tool_mfa', 'revoked', 1, ['userid' => $user->id, 'factor' => 'email']);
         // Remotely logout all sessions for user.
-        $manager = \core\session\manager::kill_user_sessions($instance->userid);
+        \core\session\manager::destroy_user_sessions($instance->userid);

Proyectos de Subversion Moodle

(root)/admin/tool/mfa/factor/email/email.php – Rev 1 → 1441