From 8d0ee9e531620d98f528ee1604d0de0270935885 Mon Sep 17 00:00:00 2001
From: snipe
Date: Wed, 20 Mar 2019 01:21:34 -0700
Subject: [PATCH] Moar comments
---
 app/Http/Controllers/Auth/LoginController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index b5353b643..3eb4e95b0 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -223,7 +223,7 @@ class LoginController extends Controller
 // but let's check check anyway in case there's a browser history or back button thing.
 // While you can access this page directly, enrolling a device when 2FA isn't enforced
 // won't cause any harm.
-
+
 if (($user->two_factor_secret!='') && ($user->two_factor_enrolled==1)) {
 return redirect()->route('two-factor')->with('error', trans('auth/message.two_factor.already_enrolled'));
 }
@@ -247,12 +247,16 @@ class LoginController extends Controller
 */
 public function getTwoFactorAuth()
 {
+ // Check that the user is logged in
 if (!Auth::check()) {
 return redirect()->route('login')->with('error', trans('auth/general.login_prompt'));
 }
 $user = Auth::user();
+ // Check whether there is a device enrolled.
+ // This *should* be handled viaq the \App\Http\Middleware\CheckForTwoFactor middleware
+ // but we're just making sure (in case someone edited the database directly, etc)
 if (($user->two_factor_secret=='') || ($user->two_factor_enrolled!=1)) {
 return redirect()->route('two-factor-enroll');
 }
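Review bot: The comment added above the enrollment check in `getTwoFactorAuth()` has a typo, `viaq` for `via`; the line should read `// This *should* be handled via the \App\Http\Middleware\CheckForTwoFactor middleware`. The comment also describes why the check exists but not what it does on failure. Since this is the fallback when the middleware is bypassed, it is worth stating the outcome too, for example `// If no secret is stored or enrollment is not flagged, send the user to enrollment instead of the token prompt`. Because the comparisons are loose (`==''`, `!=1`), a NULL secret or NULL/0 enrolled flag also takes that redirect, which looks intended and could be noted so nobody tightens one side only. The body of `getTwoFactorAuth()` continues past the end of this hunk.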