From b2dc9a123cd60c60ce36f1b026fe67a40748c04c Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Thu, 28 Dec 2023 22:25:57 -0500
Subject: [PATCH] Do not allow archived client contacts to reset their passwords

---
 portal/login_reset.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/portal/login_reset.php b/portal/login_reset.php
index 604afcbb..702c83dd 100644
--- a/portal/login_reset.php
+++ b/portal/login_reset.php
@@ -53,7 +53,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
     $email = sanitizeInput($_POST['email']);
-    $sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' LIMIT 1");
+    $sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' AND contact_archived_at IS NULL LIMIT 1");
     $row = mysqli_fetch_assoc($sql);
     $id = intval($row['contact_id']);
@@ -110,7 +110,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
     $client = intval($_POST['client']);
     // Query user
-    $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
+    $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' AND contact_archived_at IS NULL LIMIT 1");
     $contact_row = mysqli_fetch_array($sql);
     $contact_id = intval($contact_row['contact_id']);
     $name = sanitizeInput($contact_row['contact_name']);
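Review bot: The archived-contact predicate is now embedded in two separately hand-built SQL strings (this hunk and the @@ -110 hunk), and nothing tells a reader of one query that the other must stay in sync; a comment on each, `// Archived contacts (contact_archived_at IS NOT NULL) must never match — keep in step with the other reset query`, or a single `$activeLocalContact = "contact_auth_method = 'local' AND contact_archived_at IS NULL";` fragment used by both WHERE clauses, would keep the two checks from drifting apart. Neither query checks the `mysqli_query()` result before handing it to `mysqli_fetch_assoc()` / `mysqli_fetch_array()`, so a query error surfaces as a TypeError on the next line instead of a handled reset failure, and a no-match result leaves `$row`/`$contact_row` null before the `intval(...)` reads. In the second hunk the reset token is compared inside the interpolated SQL; `$token` is assigned outside the hunk, so if it is not escaped the way `$email` is via `sanitizeInput()` the interpolation is unsafe, and even when it is, selecting by email and client id and then checking `hash_equals($contact_row['contact_password_reset_token'], $token)` is the conventional way to compare the secret. Both enclosing `if ($_SERVER['REQUEST_METHOD'] == "POST")` blocks begin before and continue after their hunks.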