webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-28 17:02:04 +03:00
Code Activity

Prevented auto-login from direct email confirmation actions

Browse Source 
Was done for convenience but could potentially be exploited by an
attacker using signing up via one of these routes, then forwarding
an email confirmation to another user so they unknowingly utilise
an account someone else controls.

Tweaks the flow of confirming email, and the user invite flow.

For #3050
This commit is contained in:
Dan Brown
2021-11-15 10:50:28 +00:00
parent e29d03ae76
commit 88e6f93abf
5 changed files with 9 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tests/Auth/AuthTest.php
View File

@ -131,8 +131,8 @@ class AuthTest extends TestCase
});
// Check confirmation email confirmation activation.
$this->get('/register/confirm/' . $emailConfirmation->token)->assertRedirect('/');
$this->get('/')->assertSee($user->name);
$this->get('/register/confirm/' . $emailConfirmation->token)->assertRedirect('/login');
$this->get('/login')->assertSee('Your email has been confirmed! You should now be able to login using this email address.');
$this->assertDatabaseMissing('email_confirmations', ['token' => $emailConfirmation->token]);
$this->assertDatabaseHas('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
}