Was done for convenience but could potentially be exploited by an
attacker using signing up via one of these routes, then forwarding
an email confirmation to another user so they unknowingly utilise
an account someone else controls.
Tweaks the flow of confirming email, and the user invite flow.
For #3050
$this->emailConfirmationService->deleteByUser($user);
$this->showSuccessNotification(trans('auth.email_confirm_success'));
$this->emailConfirmationService->deleteByUser($user);
$this->showSuccessNotification(trans('auth.email_confirm_success'));
- $this->loginService->login($user, auth()->getDefaultDriver());
+ return redirect('/login');
namespace BookStack\Http\Controllers\Auth;
namespace BookStack\Http\Controllers\Auth;
-use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\UserInviteService;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\UserTokenExpiredException;
use BookStack\Auth\Access\UserInviteService;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\UserTokenExpiredException;
class UserInviteController extends Controller
{
protected $inviteService;
class UserInviteController extends Controller
{
protected $inviteService;
- protected $loginService;
protected $userRepo;
/**
* Create a new controller instance.
*/
protected $userRepo;
/**
* Create a new controller instance.
*/
- public function __construct(UserInviteService $inviteService, LoginService $loginService, UserRepo $userRepo)
+ public function __construct(UserInviteService $inviteService, UserRepo $userRepo)
{
$this->middleware('guest');
$this->middleware('guard:standard');
$this->inviteService = $inviteService;
{
$this->middleware('guest');
$this->middleware('guard:standard');
$this->inviteService = $inviteService;
- $this->loginService = $loginService;
$this->userRepo = $userRepo;
}
$this->userRepo = $userRepo;
}
$user->save();
$this->inviteService->deleteByUser($user);
$user->save();
$this->inviteService->deleteByUser($user);
- $this->showSuccessNotification(trans('auth.user_invite_success', ['appName' => setting('app-name')]));
- $this->loginService->login($user, auth()->getDefaultDriver());
+ $this->showSuccessNotification(trans('auth.user_invite_success_login', ['appName' => setting('app-name')]));
+ return redirect('/login');
'email_confirm_text' => 'Please confirm your email address by clicking the button below:',
'email_confirm_action' => 'Confirm Email',
'email_confirm_send_error' => 'Email confirmation required but the system could not send the email. Contact the admin to ensure email is set up correctly.',
'email_confirm_text' => 'Please confirm your email address by clicking the button below:',
'email_confirm_action' => 'Confirm Email',
'email_confirm_send_error' => 'Email confirmation required but the system could not send the email. Contact the admin to ensure email is set up correctly.',
- 'email_confirm_success' => 'Your email has been confirmed!',
+ 'email_confirm_success' => 'Your email has been confirmed! You should now be able to login using this email address.',
'email_confirm_resent' => 'Confirmation email resent, Please check your inbox.',
'email_not_confirmed' => 'Email Address Not Confirmed',
'email_confirm_resent' => 'Confirmation email resent, Please check your inbox.',
'email_not_confirmed' => 'Email Address Not Confirmed',
'user_invite_page_welcome' => 'Welcome to :appName!',
'user_invite_page_text' => 'To finalise your account and gain access you need to set a password which will be used to log-in to :appName on future visits.',
'user_invite_page_confirm_button' => 'Confirm Password',
'user_invite_page_welcome' => 'Welcome to :appName!',
'user_invite_page_text' => 'To finalise your account and gain access you need to set a password which will be used to log-in to :appName on future visits.',
'user_invite_page_confirm_button' => 'Confirm Password',
- 'user_invite_success' => 'Password set, you now have access to :appName!',
+ 'user_invite_success_login' => 'Password set, you should now be able to login using your set password to access :appName!',
// Multi-factor Authentication
'mfa_setup' => 'Setup Multi-Factor Authentication',
// Multi-factor Authentication
'mfa_setup' => 'Setup Multi-Factor Authentication',
});
// Check confirmation email confirmation activation.
});
// Check confirmation email confirmation activation.
- $this->get('/register/confirm/' . $emailConfirmation->token)->assertRedirect('/');
- $this->get('/')->assertSee($user->name);
+ $this->get('/register/confirm/' . $emailConfirmation->token)->assertRedirect('/login');
+ $this->get('/login')->assertSee('Your email has been confirmed! You should now be able to login using this email address.');
$this->assertDatabaseMissing('email_confirmations', ['token' => $emailConfirmation->token]);
$this->assertDatabaseHas('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
}
$this->assertDatabaseMissing('email_confirmations', ['token' => $emailConfirmation->token]);
$this->assertDatabaseHas('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
}
$setPasswordResp = $this->followingRedirects()->post('/register/invite/' . $token, [
'password' => 'my test password',
]);
$setPasswordResp = $this->followingRedirects()->post('/register/invite/' . $token, [
'password' => 'my test password',
]);
- $setPasswordResp->assertSee('Password set, you now have access to BookStack!');
+ $setPasswordResp->assertSee('Password set, you should now be able to login using your set password to access BookStack!');
$newPasswordValid = auth()->validate([
'email' => $user->email,
'password' => 'my test password',
$newPasswordValid = auth()->validate([
'email' => $user->email,
'password' => 'my test password',
projects / bookstack / commitdiff