- Validate user email before sending welcome message

- Remove old code from edit_user - we now enforce admin role properly
- Users may only edit their own profiles - enforced via session id rather than role
- Rem ticket views deletion comment - ticket views are cleaned up daily via cron
- Require CSRF Token when adding/removing 2FA and backing up master key

post.php

@@ -115,10 +115,10 @@ if(isset($_POST['add_user'])){
     mysqli_query($mysqli,"INSERT INTO user_companies SET user_id = $user_id, company_id = $default_company");
 
     // Send user e-mail, if specified
-    if(isset($_POST['send_email']) && !empty($config_smtp_host)){
+    if(isset($_POST['send_email']) && !empty($config_smtp_host) && filter_var($email, FILTER_VALIDATE_EMAIL)){
 
         $subject = "Your new $session_company_name ITFlow account";
-        $body = "Hello, $name<br><br>An ITFlow account has been setup for you. Please change your password upon login. <br><br>Username: $email <br>Password: $_POST[password]<br>Login URL: $config_base_url<br><br>~<br>$session_company_name<br>Support Department<br>$config_ticket_from_email";
+        $body = "Hello, $name<br><br>An ITFlow account has been setup for you. Please change your password upon login. <br><br>Username: $email <br>Password: $_POST[password]<br>Login URL: https://$config_base_url<br><br>~<br>$session_company_name<br>Support Department<br>$config_ticket_from_email";
 
         $mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
           $config_ticket_from_email, $config_ticket_from_name,
@@ -145,13 +145,6 @@ if(isset($_POST['edit_user'])){
 
     validateAdminRole();
 
-    if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){
-      $_SESSION['alert_type'] = "error";
-      $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
-      header("Location: " . $_SERVER["HTTP_REFERER"]);
-      exit();
-    }
-
     // CSRF Check
     validateCSRFToken($_POST['csrf_token']);
 
@@ -246,17 +239,10 @@ if(isset($_POST['edit_user'])){
 
 if(isset($_POST['edit_profile'])){
 
-    if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){
-      $_SESSION['alert_type'] = "error";
-      $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
-      header("Location: " . $_SERVER["HTTP_REFERER"]);
-      exit();
-    }
-
     // CSRF Check
     validateCSRFToken($_POST['csrf_token']);
 
-    $user_id = intval($_POST['user_id']);
+    $user_id = $session_user_id;
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
     $new_password = trim($_POST['new_password']);
@@ -741,9 +727,6 @@ if(isset($_GET['delete_company'])){
     mysqli_query($mysqli,"DELETE FROM tickets WHERE company_id = $company_id");
     mysqli_query($mysqli,"DELETE FROM ticket_replies WHERE company_id = $company_id");
     
-    // TODO ticket views is missing company_id
-    // mysqli_query($mysqli,"DELETE FROM ticket_views WHERE company_id = $company_id");
-    
     mysqli_query($mysqli,"DELETE FROM transfers WHERE company_id = $company_id");
     mysqli_query($mysqli,"DELETE FROM trips WHERE company_id = $company_id");
     mysqli_query($mysqli,"DELETE FROM user_companies WHERE company_id = $company_id");
@@ -1047,6 +1030,9 @@ if(isset($_POST['edit_module_settings'])){
 
 if(isset($_POST['enable_2fa'])){
 
+    // CSRF Check
+    validateCSRFToken($_POST['csrf_token']);
+
     $token = mysqli_real_escape_string($mysqli,$_POST['token']);
 
     mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
@@ -1062,6 +1048,9 @@ if(isset($_POST['enable_2fa'])){
 
 if(isset($_POST['disable_2fa'])){
 
+    // CSRF Check
+    validateCSRFToken($_POST['csrf_token']);
+
     mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
 
     //Logging
@@ -1155,6 +1144,7 @@ if(isset($_GET['download_database'])){
 
 if(isset($_POST['backup_master_key'])){
 
+    validateCSRFToken($_POST['csrf_token']);
     validateAdminRole();
 
     $password = $_POST['password'];

settings_backup.php

@@ -18,6 +18,7 @@
     <div class="card-body">
         <center>
             <form action="post.php" method="POST">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
                 <div class="input-group col-4">
                     <div class="input-group-prepend">
                         <input type="password" class="form-control" placeholder="Enter your account password" name="password" autocomplete="new-password" required>

user_profile.php

@@ -22,7 +22,6 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs
 
         <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
           <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
-          <input type="hidden" name="user_id" value="<?php echo $session_user_id; ?>">
           <input type="hidden" name="existing_file_name" value="<?php echo $session_avatar; ?>">
 
           <center class="mb-3 p-4">
@@ -96,6 +95,7 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs
         <h3>2-Factor Authentication</h3>
 
         <form class="p-3" action="post.php" method="post" autocomplete="off">
+            <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
           <?php if(empty($session_token)){ ?>
             <p>You have not setup 2FA, click on enable to setup 2FA.</p>