
CVE-2022-4070: Block disabled user session auth · librenms/librenms@ce8e5f3

Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.


@@ -0,0 +1,30 @@

<?php

namespace App\Http\Middleware;

use Closure;

use Illuminate\Http\Request;

use Illuminate\Support\Facades\Auth;

class VerifyUserEnabled

{

/**

* Handle an incoming request.

*

* @param \Illuminate\Http\Request $request

* @param \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse) $next

* @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse

*/

public function handle(Request $request, Closure $next)

{

if (Auth::check() && ! Auth::user()->enabled) {

Auth::logout();

$request->session()->invalidate();

$request->session()->regenerateToken();

return redirect()->route(‘login’)->withErrors([‘msg’ => __(‘auth.disabled’)]);

}

return $next($request);

}

}
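Review bot: `handle()` assumes a session-backed web request: `$request->session()` throws when no session store is bound, and the response is always a redirect to the `login` route, so on a stateless or JSON route group a disabled user would get an error or an HTML redirect rather than a 401. The middleware's registration is not part of this hunk, so it is worth confirming that it is attached to every route group that accepts session authentication, and only to those; wrapping the two session calls in `if ($request->hasSession()) { ... }` would make the assumption explicit. The class also has no docblock, and something like `/** Logs out an authenticated user whose account has been disabled, so an existing session stops working once the account is disabled. */` would record why the check runs on every request.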
