Prevented auto-login from direct email confirmation actions

Was done for convenience but could potentially be exploited by an attacker using signing up via one of these routes, then forwarding an email confirmation to another user so they unknowingly utilise an account someone else controls. Tweaks the flow of confirming email, and the user invite flow. For #3050
2025-06-05 01:24:38 +08:00 · 2021-11-15 10:50:28 +00:00
parent e29d03ae76
commit 88e6f93abf
5 changed files with 9 additions and 14 deletions
--- a/app/Http/Controllers/Auth/ConfirmEmailController.php
+++ b/app/Http/Controllers/Auth/ConfirmEmailController.php
@ -79,9 +79,8 @@ class ConfirmEmailController extends Controller

        $this->emailConfirmationService->deleteByUser($user);
        $this->showSuccessNotification(trans('auth.email_confirm_success'));
-        $this->loginService->login($user, auth()->getDefaultDriver());

-        return redirect('/');
+        return redirect('/login');
    }

    /**
--- a/app/Http/Controllers/Auth/UserInviteController.php
+++ b/app/Http/Controllers/Auth/UserInviteController.php
@ -2,7 +2,6 @@

 namespace BookStack\Http\Controllers\Auth;

-use BookStack\Auth\Access\LoginService;
 use BookStack\Auth\Access\UserInviteService;
 use BookStack\Auth\UserRepo;
 use BookStack\Exceptions\UserTokenExpiredException;
@ -16,19 +15,17 @@ use Illuminate\Routing\Redirector;
 class UserInviteController extends Controller
 {
    protected $inviteService;
-    protected $loginService;
    protected $userRepo;

    /**
     * Create a new controller instance.
     */
-    public function __construct(UserInviteService $inviteService, LoginService $loginService, UserRepo $userRepo)
+    public function __construct(UserInviteService $inviteService, UserRepo $userRepo)
    {
        $this->middleware('guest');
        $this->middleware('guard:standard');

        $this->inviteService = $inviteService;
-        $this->loginService = $loginService;
        $this->userRepo = $userRepo;
    }

@ -73,10 +70,9 @@ class UserInviteController extends Controller
        $user->save();

        $this->inviteService->deleteByUser($user);
-        $this->showSuccessNotification(trans('auth.user_invite_success', ['appName' => setting('app-name')]));
-        $this->loginService->login($user, auth()->getDefaultDriver());
+        $this->showSuccessNotification(trans('auth.user_invite_success_login', ['appName' => setting('app-name')]));

-        return redirect('/');
+        return redirect('/login');
    }

    /**