This change annoys me, however this endpoint was anyway problematic:
- it was vulnerable to a CSRF attack, see GHSA-56fm-hfp3-x3w3
- it is useless as we don't really handle a two-steps validation
Still, if you send an incorrect code during the "activation" phase a
flash error will pop up but the 2fa will stay enabled. This need rework
when possible.
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This PR is based on 2.5.x branch.
We fix the improper authorization by retrieving the annotation using id
and user id.
We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.
Fixes GHSA-mrqx-mjc4-vfh3
Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().
We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.
Fixes GHSA-qwx8-mxxx-mg96
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
Mostly using autowiring to inject deps.
The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case.
Usually:
- if a controller has a constructor, it means injected services are at least re-used once in actions
- otherwise, service are injected per action
Also update these deps to be compatible with latest Doctrine version:
- `friendsofsymfony/oauth-server-bundle`
- `lexik/form-filter-bundle`
- `dama/doctrine-test-bundle`
Looks like parameter for the `->dispatch(` have been flipped (event first then event name).
Define events should now extends `Symfony\Contracts\EventDispatcher\Event`
- disable autowiring for Event (because the Entry entity was injected)
- rename `getClient()` for test to `getTestClient()` to avoid error while overriding (from `BrowserKitAssertionsTrait`)
As baggy theme was removed and material is the only remaining theme, we don't need a theme switched anymore.
So:
- move all `*.twig` files from the material theme folder to the root
- remove useless translations
