From ac3a02baea21a3cf1be8d2cf84f59b75f46b1acc Mon Sep 17 00:00:00 2001
From: wrongecho <marcus@itflow.org>
Date: Tue, 10 Jun 2025 09:19:29 +0100
Subject: [PATCH] Disallow turning on login key without a secret

---
 post/admin/admin_settings_security.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/post/admin/admin_settings_security.php b/post/admin/admin_settings_security.php
index 4862cbf1..7d60c52f 100644
--- a/post/admin/admin_settings_security.php
+++ b/post/admin/admin_settings_security.php
@@ -12,6 +12,11 @@ if (isset($_POST['edit_security_settings'])) {
     $config_login_remember_me_expire = intval($_POST['config_login_remember_me_expire']);
     $config_log_retention = intval($_POST['config_log_retention']);
 
+    // Disallow turning on login key without a secret
+    if (empty($config_login_key_secret)) {
+        $config_login_key_required = 0;
+    }
+
     mysqli_query($mysqli,"UPDATE settings SET config_login_message = '$config_login_message', config_login_key_required = '$config_login_key_required', config_login_key_secret = '$config_login_key_secret', config_login_remember_me_expire = $config_login_remember_me_expire, config_log_retention = $config_log_retention WHERE company_id = 1");
 
     // Logging