fix: 🐛 Fix infinite credit exploit when checking email several times.

Ferks-FK 2023-09-16 13:20:31 -04:00
parent f9a102509b
commit 7ecc29487e
5 changed files with 33 additions and 33 deletions


@ -22,6 +22,7 @@ use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Validator; use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException; use Illuminate\Validation\ValidationException;
use Spatie\Permission\Models\Role;
class RegisterController extends Controller class RegisterController extends Controller
{ {
@ -139,7 +140,7 @@ class RegisterController extends Controller
]); ]);
$user->syncRoles(4); $user->syncRoles(Role::findByName('User'));
$response = $this->pterodactyl->application->post('/application/users', [ $response = $this->pterodactyl->application->post('/application/users', [
'external_id' => null, 'external_id' => null,
@ -151,15 +152,11 @@ class RegisterController extends Controller
'root_admin' => false, 'root_admin' => false,
'language' => 'en', 'language' => 'en',
]); ]);
$user->update([ $user->update([
'pterodactyl_id' => $response->json()['attributes']['id'], 'pterodactyl_id' => $response->json()['attributes']['id'],
]); ]);
if ($response->failed()) { if ($response->failed()) {
$user->delete(); $user->delete();
Log::error('Pterodactyl Registration Error: ' . $response->json()['errors'][0]['detail']); Log::error('Pterodactyl Registration Error: ' . $response->json()['errors'][0]['detail']);
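Review bot: `$user->update(['pterodactyl_id' => $response->json()['attributes']['id']])` runs before `$response->failed()` is checked, so on a failed panel response the `attributes` key is absent and that index access fails (or stores null with a warning) before the branch that deletes the local user and logs the error can run. Moving the `if ($response->failed())` block above the update, and reading the error with `$response->json('errors.0.detail')` rather than chained indexing, keeps the cleanup path reachable. This ordering is not introduced by the commit but it is on the new code's path; the enclosing register method starts and ends outside the hunk.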


@ -66,6 +66,7 @@ class User extends Authenticatable implements MustVerifyEmail
'avatar', 'avatar',
'suspended', 'suspended',
'referral_code', 'referral_code',
'email_verified_reward',
]; ];
/** /**
@ -88,6 +89,7 @@ class User extends Authenticatable implements MustVerifyEmail
'last_seen' => 'datetime', 'last_seen' => 'datetime',
'credits' => 'float', 'credits' => 'float',
'server_limit' => 'float', 'server_limit' => 'float',
'email_verified_reward' => 'boolean'
]; ];
public function __construct() public function __construct()
@ -280,9 +282,8 @@ class User extends Authenticatable implements MustVerifyEmail
public function verifyEmail() public function verifyEmail()
{ {
$this->forceFill([ $this->forceFill([
'email_verified_at' => now(), 'email_verified_at' => now()
])->save(); ])->save();
} }
@ -290,6 +291,7 @@ class User extends Authenticatable implements MustVerifyEmail
{ {
$this->forceFill([ $this->forceFill([
'email_verified_at' => null, 'email_verified_at' => null,
'email_verified_reward' => true
])->save(); ])->save();
} }
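Review bot: Adding `'email_verified_reward'` to `$fillable` at the top of the section makes the exploit-guard flag mass-assignable, which works against its purpose: any code path that calls `fill()`/`update()` with request input could reset it and re-claim the reward. The model already writes it through `forceFill()` in unverifyEmail, so it does not need to be fillable; leaving it out of `$fillable` (or listing it in `$guarded`) limits who can flip it. Whether a request-driven update on this model actually reaches `fill()` is not visible in this diff, so that is the thing to confirm. verifyEmail() itself leaves the flag untouched, so the check that the reward was already paid presumably lives in the Verified listener, which is not part of this change.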


@ -9,9 +9,10 @@ use App\Listeners\CouponUsed;
use App\Listeners\CreateInvoice; use App\Listeners\CreateInvoice;
use App\Listeners\UnsuspendServers; use App\Listeners\UnsuspendServers;
use App\Listeners\UserPayment; use App\Listeners\UserPayment;
use App\Listeners\Verified; use App\Listeners\Verified as ListenerVerified;
use Illuminate\Auth\Events\Registered; use Illuminate\Auth\Events\Registered;
use Illuminate\Auth\Listeners\SendEmailVerificationNotification; use Illuminate\Auth\Listeners\SendEmailVerificationNotification;
use Illuminate\Auth\Events\Verified;
use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider; use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;
use SocialiteProviders\Manager\SocialiteWasCalled; use SocialiteProviders\Manager\SocialiteWasCalled;
@ -40,8 +41,8 @@ class EventServiceProvider extends ServiceProvider
// ... other providers // ... other providers
'SocialiteProviders\\Discord\\DiscordExtendSocialite@handle', 'SocialiteProviders\\Discord\\DiscordExtendSocialite@handle',
], ],
'Illuminate\Auth\Events\Verified' => [ Verified::class => [
Verified::class, ListenerVerified::class,
], ],
]; ];


@ -14,7 +14,7 @@ return [
*/ */
'paths' => [ 'paths' => [
resource_path('views'), base_path('themes'),
], ],
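Review bot: `base_path('themes')` replaces `resource_path('views')` instead of being added next to it, so any template still under resources/views (published vendor views included) will stop resolving. Unless every view has been moved into themes/, which this diff does not show, `'paths' => [base_path('themes'), resource_path('views')],` keeps both lookups with the themes directory taking precedence.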
/* /*


@ -4,7 +4,7 @@
<!-- CONTENT HEADER --> <!-- CONTENT HEADER -->
<section class="content-header"> <section class="content-header">
<div class="container-fluid"> <div class="container-fluid">
<div class="row mb-2"> <div class="mb-2 row">
<div class="col-sm-6"> <div class="col-sm-6">
<h1>{{ __('Profile') }}</h1> <h1>{{ __('Profile') }}</h1>
</div> </div>
@ -26,9 +26,9 @@
<div class="container-fluid"> <div class="container-fluid">
<div class="row"> <div class="row">
<div class="col-lg-12 px-0"> <div class="px-0 col-lg-12">
@if (!Auth::user()->hasVerifiedEmail() && strtolower($force_email_verification) == 'true') @if (!Auth::user()->hasVerifiedEmail() && $force_email_verification)
<div class="alert alert-warning p-2 m-2"> <div class="p-2 m-2 alert alert-warning">
<h5><i class="icon fas fa-exclamation-circle"></i>{{ __('Required Email verification!') }} <h5><i class="icon fas fa-exclamation-circle"></i>{{ __('Required Email verification!') }}
</h5> </h5>
{{ __('You have not yet verified your email address') }} {{ __('You have not yet verified your email address') }}
@ -40,9 +40,9 @@
</div> </div>
@endif @endif
@if (is_null(Auth::user()->discordUser) && strtolower($force_discord_verification) == 'true') @if (is_null(Auth::user()->discordUser) && $force_discord_verification)
@if (!empty($discord_client_id) && !empty($discord_client_secret)) @if (!empty($discord_client_id) && !empty($discord_client_secret))
<div class="alert alert-warning p-2 m-2"> <div class="p-2 m-2 alert alert-warning">
<h5> <h5>
<i class="icon fas fa-exclamation-circle"></i>{{ __('Required Discord verification!') }} <i class="icon fas fa-exclamation-circle"></i>{{ __('Required Discord verification!') }}
</h5> </h5>
@ -52,7 +52,7 @@
{{ __('Please contact support If you face any issues.') }} {{ __('Please contact support If you face any issues.') }}
</div> </div>
@else @else
<div class="alert alert-danger p-2 m-2"> <div class="p-2 m-2 alert alert-danger">
<h5> <h5>
<i class="icon fas fa-exclamation-circle"></i>{{ __('Required Discord verification!') }} <i class="icon fas fa-exclamation-circle"></i>{{ __('Required Discord verification!') }}
</h5> </h5>
@ -72,8 +72,8 @@
<div class="card-body"> <div class="card-body">
<div class="e-profile"> <div class="e-profile">
<div class="row"> <div class="row">
<div class="col-12 col-sm-auto mb-4"> <div class="mb-4 col-12 col-sm-auto">
<div class="slim rounded-circle border-secondary border text-gray-dark" <div class="border slim rounded-circle border-secondary text-gray-dark"
data-label="Change your avatar" data-max-file-size="3" data-label="Change your avatar" data-max-file-size="3"
data-save-initial-image="true" data-save-initial-image="true"
style="width: 140px;height:140px; cursor: pointer" style="width: 140px;height:140px; cursor: pointer"
@ -81,9 +81,9 @@
<img src="{{ $user->getAvatar() }}" alt="avatar"> <img src="{{ $user->getAvatar() }}" alt="avatar">
</div> </div>
</div> </div>
<div class="col d-flex flex-column flex-sm-row justify-content-between mb-3"> <div class="mb-3 col d-flex flex-column flex-sm-row justify-content-between">
<div class="text-center text-sm-left mb-2 mb-sm-0"> <div class="mb-2 text-center text-sm-left mb-sm-0">
<h4 class="pt-sm-2 pb-1 mb-0 text-nowrap">{{ $user->name }}</h4> <h4 class="pb-1 mb-0 pt-sm-2 text-nowrap">{{ $user->name }}</h4>
<p class="mb-0">{{ $user->email }} <p class="mb-0">{{ $user->email }}
@if ($user->hasVerifiedEmail()) @if ($user->hasVerifiedEmail())
<i data-toggle="popover" data-trigger="hover" data-content="Verified" <i data-toggle="popover" data-trigger="hover" data-content="Verified"
@ -97,21 +97,21 @@
</p> </p>
<div class="mt-1"> <div class="mt-1">
<span class="badge badge-primary"><i <span class="badge badge-primary"><i
class="fa fa-coins mr-2"></i>{{ $user->Credits() }}</span> class="mr-2 fa fa-coins"></i>{{ $user->Credits() }}</span>
</div> </div>
@if($referral_enabled) @if($referral_enabled)
@can("user.referral") @can("user.referral")
<div class="mt-1"> <div class="mt-1">
<span class="badge badge-success"><i <span class="badge badge-success"><i
class="fa fa-user-check mr-2"></i> class="mr-2 fa fa-user-check"></i>
{{__("Referral URL")}} : {{__("Referral URL")}} :
<span onclick="onClickCopy()" id="RefLink" style="cursor: pointer;"> <span onclick="onClickCopy()" id="RefLink" style="cursor: pointer;">
{{route("register")}}?ref={{$user->referral_code}}</span> {{route("register")}}?ref={{$user->referral_code}}</span>
</span> </span>
@else @else
<span class="badge badge-warning"><i <span class="badge badge-warning"><i
class="fa fa-user-check mr-2"></i> class="mr-2 fa fa-user-check"></i>
{{__("You can not see your Referral Code")}}</span> {{__("You can not see your Referral Code")}}</span>
@endcan @endcan
</div> </div>
@ -138,7 +138,7 @@
class="active nav-link">{{ __('Settings') }}</a> class="active nav-link">{{ __('Settings') }}</a>
</li> </li>
</ul> </ul>
<div class="tab-content pt-3"> <div class="pt-3 tab-content">
<div class="tab-pane active"> <div class="tab-pane active">
<div class="row"> <div class="row">
<div class="col"> <div class="col">
@ -189,7 +189,7 @@
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="col-12 col-sm-6 mb-3"> <div class="mb-3 col-12 col-sm-6">
<div class="mb-3"><b>{{ __('Change Password') }}</b></div> <div class="mb-3"><b>{{ __('Change Password') }}</b></div>
<div class="row"> <div class="row">
<div class="col"> <div class="col">
@ -242,7 +242,7 @@
</div> </div>
</div> </div>
@if (!empty($discord_client_id) && !empty($discord_client_secret)) @if (!empty($discord_client_id) && !empty($discord_client_secret))
<div class="col-12 col-sm-5 offset-sm-1 mb-3"> <div class="mb-3 col-12 col-sm-5 offset-sm-1">
@if (is_null(Auth::user()->discordUser)) @if (is_null(Auth::user()->discordUser))
<b>{{ __('Link your discord account!') }}</b> <b>{{ __('Link your discord account!') }}</b>
<div class="verify-discord"> <div class="verify-discord">
@ -255,7 +255,7 @@
</div> </div>
<a class="btn btn-light" href="{{ route('auth.redirect') }}"> <a class="btn btn-light" href="{{ route('auth.redirect') }}">
<i class="fab fa-discord mr-2"></i>{{ __('Login with Discord') }} <i class="mr-2 fab fa-discord"></i>{{ __('Login with Discord') }}
</a> </a>
@else @else
<div class="verified-discord"> <div class="verified-discord">
@ -263,7 +263,7 @@
<p>{{ __('You are verified!') }}</p> <p>{{ __('You are verified!') }}</p>
</div> </div>
</div> </div>
<div class="row pl-2"> <div class="pl-2 row">
<div class="small-box bg-dark"> <div class="small-box bg-dark">
<div class="d-flex justify-content-between"> <div class="d-flex justify-content-between">
<div class="p-3"> <div class="p-3">
@ -282,7 +282,7 @@
<div class="small-box-footer"> <div class="small-box-footer">
<a href="{{ route('auth.redirect') }}"> <a href="{{ route('auth.redirect') }}">
<i <i
class="fab fa-discord mr-1"></i>{{ __('Re-Sync Discord') }} class="mr-1 fab fa-discord"></i>{{ __('Re-Sync Discord') }}
</a> </a>
</div> </div>
</div> </div>
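Review bot: At `@if (!Auth::user()->hasVerifiedEmail() && $force_email_verification)` and the matching `$force_discord_verification` check, the template now tests plain truthiness where it previously compared against the string 'true'. None of the five files in this commit changes how those two variables are produced, so if they are still strings, the value 'false' is non-empty and therefore truthy, and the verification warning would be shown to everyone once the setting is switched off. If the variables are not guaranteed to be booleans at the call site, `filter_var($force_email_verification, FILTER_VALIDATE_BOOLEAN)` accepts 'true'/'false'/'1'/'0' and real booleans alike. The rest of the section is class-attribute reordering with no behavioral change.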