[SECURITY] Deny login to a deleted account

This commit is contained in:
Ilya Prokopenko 2022-01-27 14:01:27 +03:00
parent 870653ccb1
commit 22157c7fa3
No known key found for this signature in database
GPG key ID: 7736BBBB05F14A56
2 changed files with 12 additions and 2 deletions

View file

@ -126,6 +126,10 @@ final class AuthPresenter extends OpenVKPresenter
if(!$this->authenticator->verifyCredentials($user->id, $this->postParam("password")))
$this->flashFail("err", tr("login_failed"), tr("invalid_username_or_password"));
$ovkUser = new User($user->related("profiles.user")->fetch());
if($ovkUser->isDeleted())
$this->flashFail("err", tr("login_failed"), tr("invalid_username_or_password"));
$secret = $user->related("profiles.user")->fetch()["2fa_secret"];
$code = $this->postParam("code");
if(!is_null($secret)) {
@ -136,7 +140,6 @@ final class AuthPresenter extends OpenVKPresenter
if(is_null($code))
return;
$ovkUser = new User($user->related("profiles.user")->fetch());
if(!($code === (new Totp)->GenerateToken(Base32::decode($secret)) || $ovkUser->use2faBackupCode((int) $code))) {
$this->flash("err", tr("login_failed"), tr("incorrect_2fa_code"));
return;
@ -229,7 +232,7 @@ final class AuthPresenter extends OpenVKPresenter
}
$user = $this->users->getByChandlerUser(new ChandlerUser($uRow));
if(!$user)
if(!$user || $user->isDeleted())
$this->flashFail("err", tr("error"), tr("password_reset_error"));
$request = $this->restores->getLatestByUser($user);

View file

@ -211,6 +211,13 @@ abstract class OpenVKPresenter extends SimplePresenter
$this->template->thisUser = $this->user->identity;
$this->template->userTainted = $user->isTainted();
if($this->user->identity->isDeleted()) {
Authenticator::i()->logout();
Session::i()->set("_su", NULL);
$this->flashFail("err", tr("error"), tr("profile_not_found"));
$this->redirect("/", static::REDIRECT_TEMPORARY);
}
if($this->user->identity->isBanned() && !$this->banTolerant) {
header("HTTP/1.1 403 Forbidden");
$this->getTemplatingEngine()->render(__DIR__ . "/templates/@banned.xml", [