
Commit 3f615a6

committed
Merge pull request #2116 from MPOS/development
[SECURITY] Fixed 2FA on the account edit page
2 parents d77b679 + 554742c commit 3f615a6


1 file changed

+10
-4
lines changed

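--- a/public/include/pages/account/edit.inc.php
+++ b/public/include/pages/account/edit.inc.php
@@ -30,7 +30,7 @@
 $wf_editable = $user->token->isTokenValid($_SESSION['USERDATA']['id'], $oldtoken_wf, 7);
 $wf_sent = $user->token->doesTokenExist('withdraw_funds', $_SESSION['USERDATA']['id']);
 }
-
+
 // get the status of a token if set
 $message_tokensent_invalid = 'A token was sent to your e-mail that will allow you to ';
 $message_tokensent_valid = 'You can currently ';
@@ -61,7 +61,7 @@
 $_SESSION['POPUP'][] = array('CONTENT' => $popupmsg, 'TYPE' => 'alert alert-warning');
 }
 }
-
+
 if (isset($_POST['do']) && $_POST['do'] == 'genPin') {
 if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
 if ($user->generatePin($_SESSION['USERDATA']['id'], $_POST['currentPassword'])) {
@@ -100,6 +100,8 @@
 $dBalance = $aBalance['confirmed'];
 if ($setting->getValue('disable_payouts') == 1 || $setting->getValue('disable_manual_payouts') == 1) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Manual payouts are disabled.', 'TYPE' => 'alert alert-warning');
+} else if ($config['twofactor']['enabled'] && $config['twofactor']['options']['withdraw'] && !$wf_editable) {
+$_SESSION['POPUP'][] = array('CONTENT' => 'You have not yet unlocked account withdrawls.', 'TYPE' => 'alert alert-danger');
 } else if ($aBalance['confirmed'] < $config['mp_threshold']) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Payout must be greater or equal than ' . $config['mp_threshold'] . '.', 'TYPE' => 'info');
 } else if (!$user->getCoinAddress($_SESSION['USERDATA']['id'])) {
@@ -127,7 +129,9 @@
 break;
 
 case 'updateAccount':
-if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+if ($config['twofactor']['enabled'] && $config['twofactor']['options']['details'] && !$ea_editable) {
+$_SESSION['POPUP'][] = array('CONTENT' => 'You have not yet unlocked account updates.', 'TYPE' => 'alert alert-danger');
+} else if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
 if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $oldtoken_ea)) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'alert alert-success');
 } else {
@@ -139,7 +143,9 @@
 break;
 
 case 'updatePassword':
-if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+if ($config['twofactor']['enabled'] && $config['twofactor']['options']['changepw'] && !$cp_editable) {
+$_SESSION['POPUP'][] = array('CONTENT' => 'You have not yet unlocked password updates.', 'TYPE' => 'alert alert-danger');
+} else if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
 if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $oldtoken_cp)) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'alert alert-success');
 } else {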
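Review bot: The 2FA gate added at new lines 103, 132 and 146 is the same three-term expression repeated with a different option key and `*_editable` flag each time, which is exactly where the three sites will drift apart on the next edit; one closure such as `$twofa_locked = function ($option, $editable) use ($config) { return $config['twofactor']['enabled'] && $config['twofactor']['options'][$option] && !$editable; };` defined next to the `$wf_editable` block would keep them identical and give the gate a name. `$wf_editable` (line 30) is assigned inside a block whose opening brace is outside the first hunk, so if that block is conditional the gate can read an unset variable; `!null` evaluates true, so it fails closed, but that deserves a comment at the definition site rather than being left implicit, and `$ea_editable`/`$cp_editable` are not visible in any hunk and should be confirmed to be computed the same way via `isTokenValid()`. Because the gate now sits before the CSRF branch in `updateAccount` and `updatePassword`, a request that fails 2FA never reaches `$csrftoken->valid`; that is harmless here since the branch only queues a popup, but a one-line comment stating that no state changes in the gate branch would prevent someone later adding work there. The popup text on new line 104 spells `withdrawls`; `withdrawals` is intended. The `switch` cases continue outside the hunks.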
