Prevent users from disabling MFA when it is enforced

This commit is contained in:
wrongecho 2025-01-29 21:29:04 +00:00
parent bf019f374a
commit badda09245
1 changed files with 8 additions and 1 deletions


@ -261,13 +261,20 @@ if (isset($_POST['enable_mfa'])) {
if (isset($_GET['disable_mfa'])){
if ($session_user_config_force_mfa) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Multi-Factor authentication cannot be disabled for your account";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
// CSRF Check
validateCSRFToken($_GET['csrf_token']);
mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
// Delete any existing MFA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);