Merge pull request hestiacp#2167 from jaapmarcus/fix/disable-reset-endpoint

ScIT-Raphael · web-flow · commit 1689c2e86c37 · 2021-10-03T14:33:10.000+02:00
Disable /reset/ endpoint when POLICY_SYSTEM_PASSWORD_RESET = no
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ All notable changes to this project will be documented in this file.
 
 ### Bugfixes
 
+- Disable /reset/ endpoint when POLICY_SYSTEM_PASSWORD_RESET = no
+
 ## [1.4.17] - Service release 
 
 ### Bugfixes
diff --git a/web/reset/index.php b/web/reset/index.php
@@ -11,6 +11,11 @@
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+if ($_SESSION['POLICY_SYSTEM_PASSWORD_RESET'] == 'no') {
+    header('Location: /login/');
+    exit();
+}
+
 if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
     // Check token
     verify_csrf($_POST);
