Tuesday, 27 March 2018

Laravel - Prevent non admin users from accessing the dashboard

I am preventing users who do not have a role of 'admin' from logging in to the dashboard in a Laravel 5.5 app like this in app/http/Controllers/auth/LoginController.php:

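    protected function credentials(\Illuminate\Http\Request $request)
    {
        // Username field and password taken from the login form
        $credentials = $request->only($this->username(), 'password');

        // Add type = 'admin' so only matching users can authenticate
        return array_add($credentials, 'type', 'admin');
    }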

This works well, but if somebody resets their password using the forgotten password function then it bypasses this function and lets them into the dashboard.

How can I lock the dashboard down to prevent this happening?

Should I disable auto login after password reset? Will this be enough?



via Chebli Mohamed
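
The `credentials()` filter above only runs when the login form is submitted, so any other path that creates a session skips it. As an added example (not part of the original post), one way to enforce the check on every dashboard request is a route middleware; the class name `EnsureUserIsAdmin`, the `admin` alias, the `login` route name and the `/dashboard` route are assumptions, while the `type` column is the one used in the post.

```php
<?php
// app/Http/Middleware/EnsureUserIsAdmin.php (hypothetical file and class name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class EnsureUserIsAdmin
{
    /**
     * Allow the request through only when the authenticated user's
     * `type` column is 'admin' (the same column the login filter uses).
     */
    public function handle($request, Closure $next)
    {
        $user = Auth::user();

        // Not logged in at all: send to the login form
        // (assumes a route named 'login', as created by Auth::routes()).
        if ($user === null) {
            return redirect()->guest(route('login'));
        }

        // Logged in by any path (login form, password reset, remember-me
        // cookie) but not an admin: refuse on every request.
        if ($user->type !== 'admin') {
            abort(403);
        }

        return $next($request);
    }
}

// Registration, in app/Http/Kernel.php under $routeMiddleware:
//     'admin' => \App\Http\Middleware\EnsureUserIsAdmin::class,
//
// Usage, in routes/web.php ('/dashboard' and DashboardController are assumed):
//     Route::middleware(['auth', 'admin'])->group(function () {
//         Route::get('/dashboard', 'DashboardController@index');
//     });
```

With the check attached to the routes, disabling auto login after a password reset becomes optional hardening rather than the only barrier.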
