From 15e729e65a2566caf62493f56903667624cf9c79 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 29 Feb 2024 15:51:26 -0500 Subject: [PATCH] Removed old Remember me token, update revoke remember me function --- admin_users.php | 20 +++++++++----------- database_updates.php | 12 +++++++++--- database_version.php | 2 +- db.sql | 3 +-- post/user.php | 8 ++++---- 5 files changed, 24 insertions(+), 21 deletions(-) diff --git a/admin_users.php b/admin_users.php index d8a3c393..78a56e51 100644 --- a/admin_users.php +++ b/admin_users.php @@ -70,7 +70,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); Role Status MFA - Remember Me Last Login Action @@ -93,16 +92,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); $user_avatar = nullable_htmlentities($row['user_avatar']); $user_token = nullable_htmlentities($row['user_token']); if(empty($user_token)) { - $mfa_status_display = "-"; + $mfa_status_display = ""; } else { - $mfa_status_display = ""; - } - if (empty($row['user_config_remember_me_token'])) { - $remember_me_active = 0; - $remember_me_display = "-"; - } else { - $remember_me_active = 1; - $remember_me_display = "Enabled,
Revoke?
"; + $mfa_status_display = ""; } $user_config_force_mfa = intval($row['user_config_force_mfa']); $user_role = $row['user_role']; @@ -133,6 +125,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); $last_login = "$log_created_at
$log_user_os
$log_user_browser
$log_ip
"; } + $sql_remember_tokens = mysqli_query($mysqli, "SELECT * FROM remember_tokens WHERE remember_token_user_id = $user_id"); + $remember_token_count = mysqli_num_rows($sql_remember_tokens); + ?> @@ -154,7 +149,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); - @@ -166,6 +160,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); Edit + 0) { ?> + Revoke Remember Tokens + + Activate diff --git a/database_updates.php b/database_updates.php index ad500c0e..30527bcc 100644 --- a/database_updates.php +++ b/database_updates.php @@ -1615,10 +1615,16 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) { mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'"); } - // if (CURRENT_DATABASE_VERSION == '1.0.7') { - // // Insert queries here required to update to DB version 1.0.8 + if (CURRENT_DATABASE_VERSION == '1.0.7') { + mysqli_query($mysqli, "ALTER TABLE `user_settings` DROP `user_config_remember_me_token`"); + + mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.8'"); + } + + // if (CURRENT_DATABASE_VERSION == '1.0.8') { + // // Insert queries here required to update to DB version 1.0.9 // // Then, update the database to the next sequential version - // mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.8'"); + // mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.9'"); // } } else { diff --git a/database_version.php b/database_version.php index c1dcafe2..eb2233d5 100644 --- a/database_version.php +++ b/database_version.php @@ -5,5 +5,5 @@ * It is used in conjunction with database_updates.php */ -DEFINE("LATEST_DATABASE_VERSION", "1.0.7"); +DEFINE("LATEST_DATABASE_VERSION", "1.0.8"); diff --git a/db.sql b/db.sql index 16b440e2..2a6a57ea 100644 --- a/db.sql +++ b/db.sql 
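Review bot: The query added at the end of the row loop, `$sql_remember_tokens = mysqli_query($mysqli, "SELECT * FROM remember_tokens WHERE remember_token_user_id = $user_id");`, runs once per listed user and pulls every token row into PHP only so that mysqli_num_rows can count them, so the admin page cost grows with both users and outstanding tokens and the token values themselves travel to the web tier without being needed. A count query does the same job: `$sql_remember_tokens = mysqli_query($mysqli, "SELECT COUNT(*) AS token_count FROM remember_tokens WHERE remember_token_user_id = $user_id");` followed by `$remember_token_count = intval(mysqli_fetch_assoc($sql_remember_tokens)['token_count']);`. `$user_id` is interpolated unquoted into the SQL; it is presumably cast with intval() earlier in the loop, which starts before this hunk, and that is worth confirming rather than assuming.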
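Review bot: In the new 1.0.7 block the return value of the `ALTER TABLE ... DROP user_config_remember_me_token` call is discarded and the next statement unconditionally sets config_current_database_version to '1.0.8', so an install where the DROP fails (insufficient privileges, a read-only replica, an interrupted earlier run) is marked as migrated and the step never runs again. This matches the earlier steps in the file, but for a destructive schema change it is worth gating the version bump on the ALTER succeeding, e.g. `if (mysqli_query($mysqli, "ALTER TABLE user_settings DROP user_config_remember_me_token")) {` around the UPDATE, or at least logging mysqli_error($mysqli) when it returns false. Dropping the column is also what invalidates every user's old single-value remember-me token; that appears intended and would be worth stating in the commit message.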
@@ -1667,7 +1667,6 @@ DROP TABLE IF EXISTS `user_settings`;
 CREATE TABLE `user_settings` (
 `user_id` int(11) NOT NULL,
 `user_role` int(11) NOT NULL,
- `user_config_remember_me_token` varchar(255) DEFAULT NULL,
 `user_config_force_mfa` tinyint(1) NOT NULL DEFAULT 0,
 `user_config_records_per_page` int(11) NOT NULL DEFAULT 10,
 `user_config_dashboard_financial_enable` tinyint(1) NOT NULL DEFAULT 0,
@@ -1784,4 +1783,4 @@ CREATE TABLE `vendors` (
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
--- Dump completed on 2024-02-23 23:44:31
+-- Dump completed on 2024-02-29 15:50:30
diff --git a/post/user.php b/post/user.php
index 60515059..0b900cfb 100644
--- a/post/user.php
+++ b/post/user.php
@@ -220,7 +220,7 @@ if (isset($_GET['disable_user'])) {
 if (isset($_GET['revoke_remember_me'])) {
 validateAdminRole();
- //validateCSRFToken($_GET['csrf_token']);
+ validateCSRFToken($_GET['csrf_token']);
 $user_id = intval($_GET['revoke_remember_me']);
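Review bot: `validateCSRFToken($_GET['csrf_token']);` is now active, but the index is read without a fallback, so a request that omits csrf_token raises an undefined array key warning (a notice on PHP 7) before validateCSRFToken, which is defined outside this file, gets to reject it; `validateCSRFToken($_GET['csrf_token'] ?? '');` keeps the rejection path clean. Token revocation is still a state-changing action triggered by a GET request (`if (isset($_GET['revoke_remember_me'])) {`), so the CSRF check carries the whole load here; driving the admin link from a POST form would be the stronger shape. The handler's body continues in the following hunk and past the end of this excerpt.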
@@ -229,13 +229,13 @@ if (isset($_GET['revoke_remember_me'])) {
 $row = mysqli_fetch_array($sql);
 $user_name = sanitizeInput($row['user_name']);
- mysqli_query($mysqli, "UPDATE user_settings SET user_config_remember_me_token = NULL WHERE user_id = $user_id");
+ mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $user_id");
 //Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name revoked remember me token', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name revoked all remember me tokens', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
 $_SESSION['alert_type'] = "error";
- $_SESSION['alert_message'] = "User $user_name remember me token revoked";
+ $_SESSION['alert_message'] = "User $user_name remember me tokens revoked";
 header("Location: " . $_SERVER["HTTP_REFERER"]);