From ee68bf10b87b53e19f678cdfe178a4a92b5eeb2e Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Fri, 19 Jan 2024 23:39:15 +0000
Subject: [PATCH 1/2] Don't require admin role to edit user profiles (otherwise techs/accountants can't edit their page)
---
 inc_all_user.php | 2 --
 1 file changed, 2 deletions(-)
diff --git a/inc_all_user.php b/inc_all_user.php
index 614bfc4d..5ecd87d2 100644
--- a/inc_all_user.php
+++ b/inc_all_user.php
@@ -6,8 +6,6 @@ require_once "functions.php";
 require_once "check_login.php";
-validateAdminRole();
-
 require_once "header.php";
 require_once "top_nav.php";
From 1fcf559e13556a6ba847f4f76edbbd5d5788142a Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Fri, 19 Jan 2024 23:45:02 +0000
Subject: [PATCH 2/2] Prevent users setting/hashing an empty password
---
 post/profile.php | 5 +++++
 user_security.php | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/post/profile.php b/post/profile.php
index 90f75f36..38410fbf 100644
--- a/post/profile.php
+++ b/post/profile.php
@@ -92,6 +92,11 @@ if (isset($_POST['edit_your_user_password'])) {
 $new_password = trim($_POST['new_password']);
+ if (empty($new_password)) {
+ header('Location: user_security.php');
+ exit;
+ }
+
 // Email notification when password or email is changed
 $user_sql = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT user_name, user_email FROM users WHERE user_id = $session_user_id"));
 $name = sanitizeInput($user_sql['user_name']);
diff --git a/user_security.php b/user_security.php
index d0076403..542603ad 100644
--- a/user_security.php
+++ b/user_security.php
@@ -12,12 +12,12 @@ require_once "inc_all_user.php";
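Review bot: Removing `validateAdminRole();` from inc_all_user.php drops the role gate for every page that includes this file, not only the profile page named in the subject, so authorization now rests on each including page and on its post/ handler. Any page that relied on this include for admin-only access needs its own `validateAdminRole();` (or an equivalent per-page check), and the post/ handlers behind those pages should be confirmed to enforce role or record ownership themselves if they do not include this file. check_login.php still runs here, so this is an authorization change rather than an authentication one; a comment such as `// Authorization is per-page: admin-only pages must call validateAdminRole() themselves` at this point would make the new contract explicit. The rest of inc_all_user.php is outside the hunk.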
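Review bot: The added guard uses `empty($new_password)`, which also rejects the string `"0"` and then redirects without any message, so a user whose submission is dropped gets no explanation. Comparing the trimmed value explicitly, `if ($new_password === '') {`, keeps the intent while avoiding the `'0'` case, and setting whatever flash/alert mechanism this handler uses elsewhere (not visible in the hunk, if one exists) before the `header('Location: user_security.php');` would tell the user why nothing changed. The check only rejects an empty value; if user_security.php enforces a minimum length in the form, the same minimum should be applied here so the server does not accept shorter passwords than the form permits. The enclosing `if (isset($_POST['edit_your_user_password']))` block starts before and ends after the hunk.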
- +
- +