From bf019f374ae1a7ce86dafb08231c2f861c56f6d1 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 29 Jan 2025 21:19:26 +0000
Subject: [PATCH 1/2] Minor changelog wording tweaks
---
 CHANGELOG.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b02e7372..b64080bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,16 +5,16 @@ This file documents all notable changes made to ITFlow.
 ## [25.01.01]
 ### Added / Changed
-- Completely redesigned the Multi-Factor Authentication (MFA) Setup and Enforcement Flow UI/UX for a more intuitive user experience.
-- Added a "Member" column in the roles listing for improved visibility.
+- Redesigned the Multi-Factor Authentication (MFA) Setup and Enforcement Flow UI/UX for a more intuitive user experience.
+- Added a "Member" column in the user roles listing for improved visibility.
 - General UI/UX improvements, along with minor performance optimizations and cleanups.
 ### Fixed
-- Fixed an issue where Stripe was not appearing as a payment option in the "Add Recurring Payment" modal.
+- Fixed an issue where Stripe was not appearing as a recurring payment option.
 - Corrected inaccurate Quarter 2 Expense results in the Profit & Loss Report.
-- Resolved the issue where OTP was not displaying correctly on hover in the Contact or Asset Details sections.
+- Resolved TOTP code not displaying correctly on hover in the Contact or Asset Details sections.
 - Archived contacts no longer appear in the Bulk Mail section.
-- Fixed an issue where the Ticket Assign Modal was showing both Itflow and client users.
+- Fixed an issue where the Ticket Assign Modal was showing both ITFlow and client users.
 - Fixed issue with login key redirecting to legacy client portal page.
 ## [25.01]
From badda0924507264de2aa780f934c6f3d635004f1 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 29 Jan 2025 21:29:04 +0000
Subject: [PATCH 2/2] Prevent users disabling MFA when it is enforced
---
 post/user/profile.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/post/user/profile.php b/post/user/profile.php
index e5c14de4..94138779 100644
--- a/post/user/profile.php
+++ b/post/user/profile.php
@@ -261,13 +261,20 @@ if (isset($_POST['enable_mfa'])) {
 if (isset($_GET['disable_mfa'])){
+ if ($session_user_config_force_mfa) {
+ $_SESSION['alert_type'] = "error";
+ $_SESSION['alert_message'] = "Multi-Factor authentication cannot be disabled for your account";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 // CSRF Check
 validateCSRFToken($_GET['csrf_token']);
 mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
 // Delete any existing MFA tokens - these browsers should be re-validated
- mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
+ mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
 // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
 $config_mail_from_name = sanitizeInput($config_mail_from_name);
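Review bot: The new guard's `header("Location: " . $_SERVER["HTTP_REFERER"]);` line redirects to a client-supplied header that a browser may omit entirely and that the hunk does not validate against this application's own origin, so the redirect target after the refusal is whatever the request claims. Prefer a fixed in-app destination, e.g. `header("Location: " . $profilePagePath);` where `$profilePagePath` is a placeholder for the project's profile page, or at least fall back to a known path when the header is absent. The decision also hinges on `$session_user_config_force_mfa`, which presumably comes from check_login.php as the nearby comment suggests; a short comment such as `// MFA enforcement comes from the session config set in check_login.php; refuse before touching any token` would document that dependency for the next reader. Separately, the removed and re-added `DELETE FROM remember_tokens` lines differ only in whitespace, which is noise in an enforcement fix. The enclosing `if (isset($_GET['disable_mfa']))` block closes outside the hunk.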