Commit Graph

106 Commits

Author SHA1 Message Date
johnnyq
6f6d737e64 Added meta noindex to all headers so pages don't get indexed by Google; this only affects people that don't have a robots.txt at HTRoot, hence people that are running itflow in a subdir like example.com/itflow 2022-09-21 12:38:22 -04:00
Marcus Hill
7bb68a36d9 Add user role in PHP Session to remove dependency on check_login - will require you to log out & back in to take effect after the update 2022-05-07 17:44:04 +01:00
Marcus Hill
61777116a9 CSRF Token
Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
2022-05-01 18:43:53 +01:00
Marcus Hill
edcdf9a0a8 Only set encryption/extension key if user is tech/admin 2022-04-24 12:35:14 +01:00
Marcus Hill
76b965ec20 Adjust brute force notification to be in notifications, not alerts 2022-04-24 10:52:05 +01:00
Marcus Hill
fca1627c33 Remove delete user post.php code. Deleting users means we'll lose all tickets/replies, which isn't great.
Correct user archive behaviour so when users are archived they can no longer log in. Need to add ability for quick disable/enable of user accounts, as using archive as permanent.
Refactor "You are not permitted to do that!" wording into a constant instead.
2022-04-15 13:29:27 +01:00
Marcus Hill
4b149edfd9 Fix client portal link 2022-03-21 21:12:57 +00:00
Marcus Hill
34d6caa016 Client portal updates 2022-03-20 16:02:58 +00:00
johnnyq
a7e8f8d2d8 Fixed current_code error on login page 2022-02-13 15:19:45 -05:00
johnnyq
278b243e7c Finished File Entity Renaming process 2022-02-05 13:24:57 -05:00
johnnyq
bb972e8de3 Store full user agent, we can always parse it later 2022-02-04 17:04:28 -05:00
johnnyq
270120c7fc Set login back to 10 failed attempts 2022-01-22 17:08:26 -05:00
johnnyq
efd0d28556 Used MySQL count function to count number of failed login attempts 2022-01-22 17:05:15 -05:00
Johnny
c47eac328d Merge pull request #320 from wrongecho/brute-force-login
Add basic IP login brute force protection
2022-01-22 16:45:36 -05:00
Marcus Hill
c819309fc4 Add basic IP login brute force protection 2022-01-22 19:54:39 +00:00
johnnyq
a3c63b0649 Added Export Expenses Records with custom from and to Date, Fixed Advanced Search under expenses, and some other minor code formatting fixups 2022-01-22 14:37:45 -05:00
Marcus Hill
2b3a7171b3 Session management 2022-01-15 21:26:22 +00:00
Marcus Hill
272bf52d62 Note re https 2022-01-15 21:17:31 +00:00
Marcus Hill
cee1faf082 Add extension key cookie to login. Add support for storing the php session id in DB so we can access it (without passing the session ID over a cross-domain query). 2022-01-15 20:54:56 +00:00
Marcus Hill
951b03f712 Allow for encryption scheme upgrade 2022-01-11 14:03:34 +00:00
Marcus Hill
13d83f6e3b Add session key setup 2022-01-10 21:47:12 +00:00
Marcus Hill
25b58c21c8 Add Secure flag (HTTPS only) to cookies 2022-01-09 13:56:45 +00:00
Marcus Hill
6609e5065a Set php session cookie to be httponly 2022-01-07 19:10:29 +00:00
johnnyq
cf3c0a6410 Fixed a vulnerability in the setup.php file and other code cleanups. Thanks to the person that wishes to remain anonymous for reporting and providing a patch. Also added a notice to readme to not use this web app during beta for production use 2022-01-01 17:02:31 -05:00
johnnyq
e978cd142e More Audit Logging work, fixed a bunch of small bugs along the way 2021-12-31 15:33:41 -05:00
johnnyq
33400894d5 Updates and Fixings to Audit Logs, added client tag selection for mass email campaigns 2021-12-28 18:16:54 -05:00
johnnyq
25b5cb3d40 Moved Functions above check login so that check login can use some of the functions, Moved Fingerprinting to check login instead of in functions as it's a more appropriate place 2021-12-22 17:24:54 -05:00
johnnyq
ba584a57e0 BREAKING CHANGES - Many DB Updates - NOT POSSIBLE TO EASILY UPGRADE TO THIS - Completely reworked User Company Access Permissions, started working on Client Role so Clients can access their data, and a bunch of other small fixes 2021-12-22 13:08:24 -05:00
johnnyq
4604280efe This Update will break your login as we updated the password hash from MD5 to a salted hash using hash_password and password_verify techniques, fixed an unauthenticated persistent XSS Vulnerability which would affect if someone spoofed their IP with a javascript code and then a logged-in user read the logs. The flaw was discovered by @bambilol #214; also fixed some other bugs. 2021-12-13 12:21:55 -05:00
johnnyq
f02e94d585 Started adding IP and User agent to audit logs, log when a user logs out, Merged logout into post.php 2021-12-09 16:12:57 -05:00
johnnyq
e36739297d Fixed broken TOTP 2FA 2021-12-04 17:59:40 -05:00
johnnyq
e9336c1866 Fix Recent Logins Log front not updating due to VAR name 2021-08-31 13:24:33 -04:00
johnnyq
f3053ffbd4 BREAKING CHANGES: Major Backend Code Changes. Updated Foreign keys to prepend their table names, ex invoice_client_id; switched most queries over to JOIN instead of =; Combined contacts and location into client, removed client email, phone etc fields; tons of small bug fixes, and other small UI changes all across the board 2021-08-27 23:14:06 -04:00
johnnyq
f1828a11a9 Added Bootstrap Password Reveal Library and clipboardJS library, added copy to clipboard to client logins 2021-08-08 15:04:39 -04:00
johnny@pittpc.com
f8166bdc81 Fixed more php errors (empty vars), updated more ui search headers 2021-02-04 17:42:21 -05:00
johnny@pittpc.com
abf7a3b381 updated UI of the login screen, app name; changed username to email; changed button from back to blue 2020-03-31 17:42:15 -04:00
johnny@pittpc.com
f84e3c4b6b Refactored Login UI to reduce clutter, minimise and increase security; also 2FA Box will appear when enabled 2020-01-04 23:44:04 -05:00
johnny@pittpc.com
e5036253ed Migrated from sbadmin to AdminLTE CSS framework 2019-11-19 18:29:02 -05:00
johnny@pittpc.com
bc61b59244 Fixed password issue causing SQL escape characters to add slashes; removed mysqli_real_escape_string as it's not needed, md5 produces no sql escape characters by default so it does not need to be sanitized 2019-09-24 14:52:53 -04:00
johnny@pittpc.com
62b088e79d GUI Touchups in Invoice, Quote, clients, vendors, client. Added 2 new fields to client: mobile and contact_name, added more picture extensions in file (jpeg and JPEG) and other fixes including a new DB dump 2019-09-14 20:40:22 -04:00
johnny@pittpc.com
ca427ab763 Updated User Settings Page and added logging to most functions 2019-09-06 03:03:16 -04:00
johnny@pittpc.com
d259d1b3dc Started Logs: Login attempts are now logged, created a logs list in the side nav 2019-09-06 00:16:19 -04:00
johnny@pittpc.com
2d5ac7c2e6 Security: Mysql Escaped current_code POST var under login 2019-08-28 21:56:45 -04:00
johnny@pittpc.com
0e451056b4 Added get OS Browser Device and IP functions, added these functions to guest view invoice, also added invoice view alert and other minor fixes 2019-08-28 21:47:40 -04:00
root
2984f0ec6c Login and Top Nav Refinements 2019-08-16 00:28:54 -04:00
johnny@pittpc.com
5ca8d201b0 Remove some old files, updated guest urls to work with the new multi company features, and some other multi company updates 2019-08-15 18:29:28 -04:00
johnny@pittpc.com
bc07fe0090 Started work on multi-company feature 2019-08-14 11:05:54 -04:00
johnny@pittpc.com
0c4021fd23 reworked transfers, added revenues to add income in other ways besides just invoices, reports now uses a compact table to see all data clearly and some other minor fixes. 2019-08-11 13:42:35 -04:00
johnny@pittpc.com
bf250cd1fe Fixed Login Software relation, fixed asset logins etc 2019-08-03 19:41:58 -04:00
root
b65739bfc3 Updated 2FA UI 2019-06-16 23:56:40 -04:00