AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Only set encryption/extension key if user is tech/admin

This commit is contained in:
Marcus Hill 2022-04-24 12:35:14 +01:00
parent 013b153078
commit edcdf9a0a8
1 changed files with 11 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
login.php
View File

@ -54,7 +54,7 @@ if(isset($_POST['login'])){
$current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code'])); $current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code']));
} }
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email' AND user_archived_at IS NULL")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_email = '$email' AND user_archived_at IS NULL"));
if (password_verify($password, $row['user_password'])) { if (password_verify($password, $row['user_password'])) {
$token = $row['user_token']; $token = $row['user_token'];
@ -64,11 +64,10 @@ if(isset($_POST['login'])){
$user_id = $row['user_id']; $user_id = $row['user_id'];
// Setup encryption session key // Setup encryption session key
if (isset($row['user_specific_encryption_ciphertext'])) { if (isset($row['user_specific_encryption_ciphertext']) && $row['user_role'] > 1) {
$user_encryption_ciphertext = $row['user_specific_encryption_ciphertext']; $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
$site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password); $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
generateUserSessionKey($site_encryption_master_key); generateUserSessionKey($site_encryption_master_key);
}
// Setup extension // Setup extension
if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) { if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) {
@ -79,7 +78,7 @@ if(isset($_POST['login'])){
// Set PHP session in DB so we can access the session encryption data (above) // Set PHP session in DB so we can access the session encryption data (above)
$user_php_session = session_id(); $user_php_session = session_id();
mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'"); mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'");
}
} }
if (empty($token)) { if (empty($token)) {