Fixed a post-login vulnerability.

CHANGELOG.md

@@ -1,6 +1,10 @@
 Changelog
 ==================
 
+## 3.3.2 - 2023-10-02
+### Fixed
+- Fixed a post-login vulnerability.
+
 ## 3.3.1 - 2023-08-29
 ### Fixed
 - Use `isTwoFactorEnabled` on settings screen.

src/controllers/SettingsController.php

@@ -9,6 +9,7 @@
 use craft\helpers\UrlHelper;
 use born05\twofactorauthentication\Plugin as TwoFactorAuth;
 use born05\twofactorauthentication\web\assets\verify\VerifyAsset;
+use yii\web\ForbiddenHttpException;
 
 class SettingsController extends Controller
 {
@@ -20,7 +21,7 @@ public function actionIndex()
         Craft::$app->getView()->registerAssetBundle(VerifyAsset::class);
         return $this->renderTemplate('two-factor-authentication/index', [], View::TEMPLATE_MODE_CP);
     }
-    
+
     /**
      * Show the settings form.
      */
@@ -47,7 +48,7 @@ public function actionTurnOn()
         $userSession = Craft::$app->getUser();
         $user = $userSession->getIdentity();
         $request = Craft::$app->getRequest();
-  
+
         $authenticationCode = $request->getBodyParam('authenticationCode');
 
         if (TwoFactorAuth::$plugin->verify->verify($user, $authenticationCode)) {
@@ -92,6 +93,11 @@ public function actionTurnOff()
         $this->requirePostRequest();
 
         $user = Craft::$app->getUser()->getIdentity();
+
+        if (!TwoFactorAuth::$plugin->verify->isVerified($user)) {
+            throw new ForbiddenHttpException('User is not permitted to perform this action.');
+        }
+
         TwoFactorAuth::$plugin->verify->disableUser($user);
 
         if (Craft::$app->getRequest()->getIsCpRequest() && Craft::$app->getUser()->checkPermission('accessCp')) {