Merge pull request from GHSA-j3gf-rm9h-mqvf

bugfix: fix capability check for guests
catalyst · Feb 17, 2023 · c511822 · c511822
2 parents ae6413f + db06a13
commit c511822
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/classes/manager.php b/classes/manager.php
@@ -599,6 +599,12 @@ public static function require_auth($courseorid = null, $autologinguest = null,
     $setwantsurltome = null, $preventredirect = null) {
         global $PAGE, $SESSION, $FULLME;
 
+        // Guest user should never interact with MFA,
+        // And $SESSION->tool_mfa_authenticated should never be set in a guest session.
+        if (isguestuser()) {
+            return;
+        }
+
         if (!self::is_ready()) {
             // Set session var so if MFA becomes ready, you dont get locked from session.
             $SESSION->tool_mfa_authenticated = true;
@@ -685,7 +691,7 @@ public static function is_ready() {
 
         // Check if user can interact with MFA.
         $usercontext = \context_user::instance($USER->id);
-        if (!has_capability('tool/mfa:mfaaccess', $usercontext, $USER)) {
+        if (!has_capability('tool/mfa:mfaaccess', $usercontext)) {
             return false;
         }