Files
TijdVoorDeTest/templates/reset_password/email.html.twig
T
Marijn b290620cf9 Declare ext-intl/ext-zip requirements and fix security audit findings (#213)
* Declare ext-intl and ext-zip as explicit composer requirements

DataExportService uses ZipArchive directly and the Dutch-locale
format_datetime Twig filter needs real ext-intl (the polyfill only
supports en), but composer.json only declared ext-ctype/ext-iconv.
Adding them lets `composer check-platform-reqs` catch a missing
extension before a runtime crash.

* Add authorization checks to PrepareEliminationController

index and viewElimination had no IsGranted guard, unlike every other
backoffice/elimination controller, so any authenticated user could
prepare or overwrite another season's elimination screens.

* Prevent formula injection in spreadsheet exports

Answer/candidate text starting with =, +, -, or @ was written to XLSX
exports as a live formula rather than plain text. Since seasons can
have multiple owners, a co-owner could plant a formula that runs (and
can exfiltrate data) when another owner opens the export in Excel.

* Add rate limiting to login and season-code entry points

Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.

* Add unique constraint to prevent double-submit score inflation

A candidate could submit two concurrent POSTs for the same question
before either committed, since GivenAnswer had no unique constraint
and the "next question" check was subject to a TOCTOU race — each
insert was then counted as a correct answer.

* Address CodeRabbit review findings

Include a Retry-After header on the season-code rate limit, correct
stale line references in the security audit doc, and fix a stray
comma in the reset-password email.
2026-07-13 22:58:29 +02:00

28 lines
1.1 KiB
Twig

{% extends 'emails/layout.html.twig' %}
{% block preheader %}Je hebt om een nieuw wachtwoord gevraagd voor Tijd voor de test.{% endblock %}
{% block heading %}Tijd voor een nieuw wachtwoord{% endblock %}
{% block body %}
<p class="text">Beste speler,</p>
<p class="text">
Je hebt aangegeven dat je wachtwoord opnieuw moet worden ingesteld. Voordat je verder mag, is er nog één
opdracht: klik op de knop hieronder.
</p>
<center><button href="{{ url('tvdt_reset_password', {token: resetToken.token}) }}">Stel wachtwoord opnieuw in</button></center>
<p class="text">
Werkt de knop niet? Kopieer dan deze link naar je browser:<br>
<a href="{{ url('tvdt_reset_password', {token: resetToken.token}) }}">{{ url('tvdt_reset_password', {token: resetToken.token}) }}</a>
</p>
<p class="text">
Let op: deze link is niet eeuwig geldig. Hij verloopt over
{{ resetToken.expirationMessageKey|trans(resetToken.expirationMessageData, 'ResetPasswordBundle') }}.
</p>
<p class="text">Veel succes!</p>
{% endblock %}