From db5994b0edc91f68a2b9b729dd0dd6c75d3fe599 Mon Sep 17 00:00:00 2001
From: Matthew Hilton
Date: Fri, 5 Jun 2026 09:02:06 +1000
Subject: [PATCH] bugfix: verify user in email factor
---
 factor/email/email.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/factor/email/email.php b/factor/email/email.php
index 5ee788b6..eb12a6aa 100644
--- a/factor/email/email.php
+++ b/factor/email/email.php
@@ -44,6 +44,9 @@
 // If pass is set, require login to force $SESSION and user, and pass for that session.
 if (!empty($instance) && $pass != 0 && $secret != 0) {
 require_login();
+ if ((int)$instance->userid !== (int)$USER->id) {
+ throw new moodle_exception('error:parameters', 'factor_email');
+ }
 if ($factor->get_state() === \tool_mfa\plugininfo\factor::STATE_LOCKED) {
 // Redirect through to auth, this will bounce them to the next factor.
 redirect(new moodle_url('/admin/tool/mfa/auth.php'));
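Review bot: The ownership check added after `require_login()` rejects a mismatched `$instance->userid` with a generic `moodle_exception` and leaves no record of it, although a logged-in request that presents another user's factor instance is exactly the event a defender wants in the site log. Consider recording the instance id and both user ids before the throw, and add a why-comment such as `// The instance is chosen by the request, so confirm it belongs to the logged-in user before acting on it.` (that the instance is request-derived is inferred from the `error:parameters` string, not visible in this hunk). The diffstat shows only `email.php` changed, so `error:parameters` must already exist in the `factor_email` language pack; if it does not, the user sees a placeholder instead of a message. The enclosing `if` block continues past the end of the hunk, so whether any other path acts on `$instance` without this check cannot be judged from here.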