Merge pull request #2167 from jaapmarcus/fix/disable-reset-endpoint

Disable /reset/ endpoint when POLICY_SYSTEM_PASSWORD_RESET = no

CHANGELOG.md

@@ -7,6 +7,8 @@ All notable changes to this project will be documented in this file.
 
 ### Bugfixes
 
+- Disable /reset/ endpoint when POLICY_SYSTEM_PASSWORD_RESET = no
+
 ## [1.4.17] - Service release 
 
 ### Bugfixes

web/reset/index.php

@@ -11,6 +11,11 @@ if (isset($_SESSION['user'])) {
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+if ($_SESSION['POLICY_SYSTEM_PASSWORD_RESET'] == 'no') {
+    header('Location: /login/');
+    exit();
+}
+
 if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
     // Check token
     verify_csrf($_POST);