From 7bb68a36d9e1e8c99e42b757a6de79748c8cf0cf Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 7 May 2022 17:44:04 +0100
Subject: [PATCH] Add user role in PHP Session to remove dependency on check_login - will require you to logout & back in to take effect after the update
---
 functions.php | 6 +++---
 login.php | 8 +++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/functions.php b/functions.php
index 334dad0f..17225768 100644
--- a/functions.php
+++ b/functions.php
@@ -443,7 +443,7 @@ function validateCSRFToken($token){
 */
 function validateAdminRole(){
- if($session_user_role != 3){
+ if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] != 3){
 $_SESSION['alert_type'] = "danger";
 $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
 header("Location: " . $_SERVER["HTTP_REFERER"]);
@@ -452,7 +452,7 @@ function validateAdminRole(){
 }
 function validateTechRole(){
- if($session_user_role == 1){
+ if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] == 1){
 $_SESSION['alert_type'] = "danger";
 $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
 header("Location: " . $_SERVER["HTTP_REFERER"]);
@@ -461,7 +461,7 @@ function validateTechRole(){
 }
 function validateAccountantRole(){
- if($session_user_role == 2){
+ if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] == 2){
 $_SESSION['alert_type'] = "danger";
 $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
 header("Location: " . $_SERVER["HTTP_REFERER"]);
diff --git a/login.php b/login.php
index 3f013a72..adc8feb3 100644
--- a/login.php
+++ b/login.php
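Review bot: The new condition in validateAdminRole compares the session value with `!=`, so any loosely-equal value that ends up in `$_SESSION['user_role']` (for example the string "3" or "3abc" under PHP's numeric-string rules) is accepted as admin; cast and compare strictly instead: `if (!isset($_SESSION['user_role']) || (int) $_SESSION['user_role'] !== 3) {`. Because the role is now copied into the session once at login, a user whose role is lowered or whose account is archived afterwards keeps admin authority until they log out, whereas the check_login-based value this replaces presumably came from a per-request lookup; consider invalidating that user's sessions on a role change or re-reading the role from the database for the admin-only actions. The denial path redirects to `$_SERVER["HTTP_REFERER"]`, which is client-supplied and may be absent, and the same two points apply to the parallel hunks in validateTechRole and validateAccountantRole. The body of validateAdminRole continues past the end of the hunk, so whether the redirect is followed by an exit is not visible here.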
@@ -57,13 +57,15 @@ if(isset($_POST['login'])){
 $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_email = '$email' AND user_archived_at IS NULL"));
 if (password_verify($password, $row['user_password'])) {
+ // User variables
 $token = $row['user_token'];
- $_SESSION['user_id'] = $row['user_id'];
- $_SESSION['user_name'] = $row['user_name'];
 $user_name = $row['user_name'];
 $user_id = $row['user_id'];
- // CSRF Token
+ // Session info
+ $_SESSION['user_id'] = $row['user_id'];
+ $_SESSION['user_name'] = $row['user_name'];
+ $_SESSION['user_role'] = $row['user_role'];
 $_SESSION['csrf_token'] = keygen();
 // Setup encryption session key
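Review bot: The added `$_SESSION['user_role'] = $row['user_role'];` writes authorization data into a session whose id is not regenerated anywhere in this hunk, so a session id established before authentication (a fixation attack, or a cookie shared on a pre-login page) would now carry the user's role; call `session_regenerate_id(true);` before populating the session, unless that already happens outside the hunk. Store the role with a defined type so the comparisons in functions.php do not depend on how the driver types the column: `$_SESSION['user_role'] = (int) $row['user_role'];`. The query on the first context line interpolates `$email` directly into SQL; it is untouched by this commit, but moving it to a prepared statement would close that exposure. The enclosing `if(isset($_POST['login']))` block begins before and ends after this hunk.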