From 441591d39e294fd3c96d1e89de05d8af7e42ebd2 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Tue, 29 Mar 2022 21:16:02 +0100 Subject: [PATCH 1/6] Allow client to close ticket from portal --- portal/index.php | 2 +- portal/ticket.php | 30 ++++-------------------------- portal/ticket_view_all.php | 2 ++ 3 files changed, 7 insertions(+), 27 deletions(-) diff --git a/portal/index.php b/portal/index.php index e38f42ff..9f2a3638 100644 --- a/portal/index.php +++ b/portal/index.php @@ -89,7 +89,7 @@ $total_tickets = $row['total_tickets']; "; - echo " $ticket[ticket_number]"; + echo " $ticket[ticket_prefix]$ticket[ticket_number]"; echo " $ticket[ticket_subject]"; echo "$ticket[ticket_status]"; echo ""; diff --git a/portal/ticket.php b/portal/ticket.php index 89d04fea..13bcfa56 100644 --- a/portal/ticket.php +++ b/portal/ticket.php @@ -23,34 +23,16 @@ if(isset($_GET['id']) && intval($_GET['id'])) { - - - - - -
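Review bot: The ticket reference is built from different columns in the two portal listings: the added line in this portal/index.php hunk prints `$ticket[ticket_prefix]$ticket[ticket_number]`, while the added line in the portal/ticket_view_all.php hunk later in this patch prints `$ticket[ticket_prefix]$ticket[ticket_id]`. If `ticket_id` is the row's primary key rather than the displayed number, the second listing shows clients a reference that does not match the one on the dashboard, so I would use `ticket_number` in both. Both lines also interpolate database values straight into the page; unless these columns are already encoded when stored, wrap each in `htmlspecialchars($ticket['ticket_prefix'], ENT_QUOTES, 'UTF-8')` before echoing. The markup around these lines is not visible in this view of the hunk.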
@@ -66,9 +48,6 @@ if(isset($_GET['id']) && intval($_GET['id'])) {
- - - @@ -170,7 +149,6 @@ if(isset($_GET['id']) && intval($_GET['id'])) { ?> - + # Subject Contact Status @@ -56,6 +57,7 @@ $all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts O "; + echo " $ticket[ticket_prefix]$ticket[ticket_id]"; echo " $ticket[ticket_subject]"; echo "$ticket[contact_name]"; echo "$ticket[ticket_status]"; From cbcb31a70569c1a26cf0d92ceb2bc61da9c6c124 Mon Sep 17 00:00:00 2001 From: wrongecho <32306651+wrongecho@users.noreply.github.com> Date: Tue, 29 Mar 2022 21:42:21 +0100 Subject: [PATCH 2/6] Update issue templates As discussed, feature requests & support should go to the forum leaving GitHub for actual issues/bugs with the code. Related to #338 --- .github/ISSUE_TEMPLATE/bug_report.md | 32 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 12 +++++++++ .github/ISSUE_TEMPLATE/support.md | 18 +++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/ISSUE_TEMPLATE/support.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..5ab9f3b4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Something not working quite right? Create a report to help us improve!
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Can you reproduce this on the demo at demo.itflow.org**
+Yes/No/NA
+
+**Are you on the latest available version of ITFlow, with an up-to-date database structure?**
+Yes/No
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen, if not obvious.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 00000000..d45e9b7b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,12 @@
+---
+name: Feature request
+about: Please discuss new features on the Forum @ https://forum.itflow.org/t/features
+title: ''
+labels: Support
+assignees: ''
+
+---
+
+Please discuss feature requests on the forum @ https://forum.itflow.org/t/features - Thanks :)
+
+New feature requests here will be closed.
diff --git a/.github/ISSUE_TEMPLATE/support.md b/.github/ISSUE_TEMPLATE/support.md
new file mode 100644
index 00000000..101c4fdf
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/support.md
@@ -0,0 +1,18 @@
+---
+name: Support
+about: Please visit the Forum or Discord for support
+title: ''
+labels: Support
+assignees: ''
+
+---
+
+Please visit the Forum or Discord for support
+
+Forum - https://forum.itflow.org/
+
+Discord - https://discord.gg/ZjCcBzTUDr
+
+--
+
+To discuss a security issue, please see: https://i.imgur.com/P03o0Sy.png
From 6840939860adbcaefea9c59a941eba358ead4d7a Mon Sep 17 00:00:00 2001
From: wrongecho <32306651+wrongecho@users.noreply.github.com>
Date: Tue, 29 Mar 2022 22:12:17 +0100
Subject: [PATCH 3/6] Create SECURITY.md
---
SECURITY.md | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..2ea30098
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## In Beta
+
+ITFlow is currently in early beta and is a work in progress.
+We currently advise against storing confidential data in ITFlow for this reason.
+
+That said, in order to eventually be useful, ITFlow **must** be secure and take security seriously.
+We attempt to follow best security practices where possible, including [automated code scanning](https://sonarcloud.io/component_measures?id=itflow-org_itflow&metric=security_rating&view=list).
+
+## Supported Versions
+
+ITFlow is in Beta.
+
+| Version | Supported |
+| ------- | ------------------ |
+| Beta | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you have discovered a security issue, please report it to us in as much detail as possible so we can fix it.
+You should expect to receive an initial acknowledgement within 72 hours. If you do not, please get in touch discretely via GitHub issues/Forum/Discord to ensure we received your e-mail.
+
+Security contact:
+![image](https://user-images.githubusercontent.com/32306651/160704188-763e6763-429e-41b9-9007-6a09bcfdba2b.png)
From cf739accc991468ec369bcfaac8702d6cca88449 Mon Sep 17 00:00:00 2001
From: wrongecho <32306651+wrongecho@users.noreply.github.com>
Date: Fri, 1 Apr 2022 13:06:03 +0100
Subject: [PATCH 4/6] Update README docs link
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bba10639..a3a3c3da 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ Username: demo@demo | Password: demo

- Docs + Docs · Forum · From ab770512998b82acbb9b5c8bf053ea892fe5bc99 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 1 Apr 2022 19:36:01 +0100 Subject: [PATCH 5/6] Add a line break / heading between main settings and 2FA to prevent mis-clicks --- settings-user.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/settings-user.php b/settings-user.php index 809a8a82..33869c51 100644 --- a/settings-user.php +++ b/settings-user.php @@ -86,12 +86,18 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs +
+ +

2-Factor Authentication

+
- +

You have not setup 2FA, click on enable to setup 2FA.

+ - +

You have setup 2FA. Your QR code is below.

+
@@ -124,7 +130,7 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs
- +
From 51a6ba6084e38662c00f7ee1eda5cad1a6a60c59 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 1 Apr 2022 19:53:49 +0100 Subject: [PATCH 6/6] Allow admins to disable 2FA for users --- post.php | 6 ++++++ user_edit_modal.php | 17 +++++++++++++++++ users.php | 1 + 3 files changed, 24 insertions(+) diff --git a/post.php b/post.php index 9e563c69..1b6b9bb0 100644 --- a/post.php +++ b/post.php @@ -148,6 +148,7 @@ if(isset($_POST['edit_user'])){ $role = intval($_POST['role']); $existing_file_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name']))); $extended_log_description = ''; + $two_fa = $_POST['2fa']; if(!file_exists("uploads/users/$user_id/")) { mkdir("uploads/users/$user_id"); @@ -211,6 +212,11 @@ if(isset($_POST['edit_user'])){ $extended_log_description .= ", password changed"; } + if(!empty($two_fa) && $two_fa == 'disable'){ + mysqli_query($mysqli, "UPDATE users SET user_token = '' WHERE user_id = '$user_id'"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name disabled 2FA for $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); + } + //Update User Settings mysqli_query($mysqli,"UPDATE user_settings SET user_role = $role, user_default_company = $default_company WHERE user_id = $user_id"); diff --git a/user_edit_modal.php b/user_edit_modal.php index a15df457..c158b4fd 100644 --- a/user_edit_modal.php +++ b/user_edit_modal.php @@ -99,6 +99,23 @@ + + + +
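Review bot: The 2FA reset added in the second post.php hunk clears `user_token` for whatever `user_id` was posted, and nothing visible in either hunk checks that the requester holds an administrator role or that the request passed an anti-CSRF check. The `edit_user` handler starts above the first hunk, so such a gate may already exist there; if it does not, the branch needs one before the `UPDATE`, because clearing a second factor leaves the account protected by its password alone. In the first hunk, `$two_fa = $_POST['2fa'];` raises a notice when the field is absent and is later compared loosely; `$two_fa = $_POST['2fa'] ?? '';` with `if($two_fa === 'disable'){` is tighter. The log `INSERT` interpolates `$session_name` and `$name` into the SQL string, and their escaping is not shown in these hunks, so confirm both are escaped or move the two queries to prepared statements. It would also help to record the target `$user_id` in the log entry so the audit trail stays unambiguous when display names collide.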
+ +
+
+ +
+ +
+
+ +