AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 19:04:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,874 Commits 7 Branches 16 Tags
c0399a2c420c15434af2cef3d8063787311bf225
Commit Graph

62 Commits

Author SHA1 Message Date
johnnyq
c0399a2c42 Added Disable and Activate Users, fixes #539 2023-01-13 18:24:50 -05:00
Johnny
b91ead19ce Revert "removed warning" 2023-01-08 14:00:16 -05:00
chandachewe10
e0b314e5a9 removed warning 2023-01-08 00:01:52 +00:00
Marcus Hill
24f825ca08 SQL Escape tech username in session. The username is added to most log entries meaning that a simple apostrophe in the name breaks all logging for the user 2023-01-02 19:22:21 +00:00
Marcus Hill
07986954f5 Redirect/show techs to technical dashboard on login/navbar 2023-01-01 13:41:29 +00:00
johnnyq
29a9d6ef8f Generate longer more secure Key for logins 2022-12-29 18:23:11 -05:00
johnnyq
6f6d737e64 Added meta no index to all headers so pages dont get indexed by Google this only affects people that dont have a robots.txt at HTRoot hence people that are running itflow in a subdir like example.com/itflow 2022-09-21 12:38:22 -04:00
Marcus Hill
7bb68a36d9 Add user role in PHP Session to remove dependency on check_login - will require you to logout & back in to take effect after the update 2022-05-07 17:44:04 +01:00
Marcus Hill
61777116a9 CSRF Token 
Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
 2022-05-01 18:43:53 +01:00
Marcus Hill
edcdf9a0a8 Only set encryption/extension key if user is tech/admin 2022-04-24 12:35:14 +01:00
Marcus Hill
76b965ec20 Adjust brute force notification to be in notifications, not alerts 2022-04-24 10:52:05 +01:00
Marcus Hill
fca1627c33 Remove delete user post.php code. Deleting users means we'll lose all tickets/replies which isn't great. 
Correct user archive behaviour so when users are archived they can no longer login. Need to add ability for quick disable/enable of user accounts, as using archive as permanent.
Refactor "You are not permitted to do that!" wording into a constant instead.
 2022-04-15 13:29:27 +01:00
Marcus Hill
4b149edfd9 Fix client portal link 2022-03-21 21:12:57 +00:00
Marcus Hill
34d6caa016 Client portal updates 2022-03-20 16:02:58 +00:00
johnnyq
a7e8f8d2d8 Fixed current_code error on login page 2022-02-13 15:19:45 -05:00
johnnyq
278b243e7c Finished File Entity Renaming process 2022-02-05 13:24:57 -05:00
johnnyq
bb972e8de3 Store full user agent, we can always parse it later 2022-02-04 17:04:28 -05:00
johnnyq
270120c7fc Set login back to 10 failed attempts 2022-01-22 17:08:26 -05:00
johnnyq
efd0d28556 Used MySQL count function to count number of failed login attempts 2022-01-22 17:05:15 -05:00
Johnny
c47eac328d Merge pull request #320 from wrongecho/brute-force-login 
Add basic IP login brute force protection
 2022-01-22 16:45:36 -05:00
Marcus Hill
c819309fc4 Add basic IP login brute force protection 2022-01-22 19:54:39 +00:00
johnnyq
a3c63b0649 Added Export Expenses Records with custom from and to Date, Fixed Advanced Search under expenses some other minor code formatting fixups 2022-01-22 14:37:45 -05:00
Marcus Hill
2b3a7171b3 Session management 2022-01-15 21:26:22 +00:00
Marcus Hill
272bf52d62 Note re https 2022-01-15 21:17:31 +00:00
Marcus Hill
cee1faf082 Add extension key cookie to login. Add support for storing the php session id in DB so we can access it (without passing the session ID over a cross-domain query). 2022-01-15 20:54:56 +00:00
Marcus Hill
951b03f712 Allow for encryption scheme upgrade 2022-01-11 14:03:34 +00:00
Marcus Hill
13d83f6e3b Add session key setup 2022-01-10 21:47:12 +00:00
Marcus Hill
25b58c21c8 Add Secure flag (HTTPS only) to cookies 2022-01-09 13:56:45 +00:00
Marcus Hill
6609e5065a Set php session cookie to be httponly 2022-01-07 19:10:29 +00:00
johnnyq
cf3c0a6410 Fixed a vulnerability in the setup.php file and other code cleanups. Thanks to the person that wishes to remain anonymous for reporting and providing a patch Also added a notice to readme to not use this web app during beta for production use 2022-01-01 17:02:31 -05:00
johnnyq
e978cd142e More Audit Logging work, fixed a bunch of small bugs along the way 2021-12-31 15:33:41 -05:00
johnnyq
33400894d5 Updates and Fixings to Audit Logs, added client tag selection for mass email campaigns 2021-12-28 18:16:54 -05:00
johnnyq
25b5cb3d40 Moved Functions above check login so that check login can use some of the functions, Moved Fingerprinting to check login instead of in functions as its a more appropriate place 2021-12-22 17:24:54 -05:00
johnnyq
ba584a57e0 BREAKING CHANGES - Many DB Updates - NOT POSSIBLE TO EASILY UPGRADE TO THIS - Completely reworked User Company Access Permssions, started working on Client Role so Clients can access their data and a bunch of other small fixes 2021-12-22 13:08:24 -05:00
johnnyq
4604280efe This Update will break your login as we updated the password hash from MD5 to a salted hash using hash_password and password_verify techniques, fixed an unauthenticated persistent XSS Vulnerbility which would affect if someone spoofed their IP with a javascript code and then a logged in read the logs. The flaw was discovered by @bambilol #214 also fixed some other bugs. 2021-12-13 12:21:55 -05:00
johnnyq
f02e94d585 Started adding IP and User agent to audit logs, log when a user logs out, Merged logout into post.php 2021-12-09 16:12:57 -05:00
johnnyq
e36739297d Fixed broken TOTP 2FA 2021-12-04 17:59:40 -05:00
johnnyq
e9336c1866 Fix Recent Logins Log front not updating due to VAR name 2021-08-31 13:24:33 -04:00
johnnyq
f3053ffbd4 BREAKING CHANGES: Major Backend Code Changes Updated Foreign keys to prepend their table names ex invoice_client_id, switched most queries over to JOIN instead of = Combined contacts and location into client removed client email, phone etc fields, tons of small bug fixes, and other small UI changes all across the board 2021-08-27 23:14:06 -04:00
johnnyq
f1828a11a9 Added Boostrap Password Reveal Library and clipboardJS library added copy to clipboard to client logins 2021-08-08 15:04:39 -04:00
johnny@pittpc.com
f8166bdc81 Fixed more php errors empty vars updated more ui search headers 2021-02-04 17:42:21 -05:00
johnny@pittpc.com
abf7a3b381 updated UI of the login screen, app name. changed username to email changed button from back to blue 2020-03-31 17:42:15 -04:00
johnny@pittpc.com
f84e3c4b6b Refactored Login UI to reduce clutter, minimise and increase security also 2FA Box will appear when enabled 2020-01-04 23:44:04 -05:00
johnny@pittpc.com
e5036253ed Migrated from sbadmin to AdminLTE CSS framework 2019-11-19 18:29:02 -05:00
johnny@pittpc.com
bc61b59244 Fixed password issue causing SQL escape characters to add slashes remove mysqli_real_escape_string as its not needs, md5 produces no sql escape characters by default so it it does not need santized 2019-09-24 14:52:53 -04:00
johnny@pittpc.com
62b088e79d GUI Touchups in Invoice, Quote, clients, vendors, client. Added 2 new fields to client mobile and contact_name, added more pictyure extension in file jpeg anb JPEG and other fixesincluding a new DB dump 2019-09-14 20:40:22 -04:00
johnny@pittpc.com
ca427ab763 Updated User Settings Page and added logging to most functions 2019-09-06 03:03:16 -04:00
johnny@pittpc.com
d259d1b3dc Started Logs: Login attempts are now logged, created a logs list in the side nav 2019-09-06 00:16:19 -04:00
johnny@pittpc.com
2d5ac7c2e6 Security Mysql Escaped current_code POST var under login 2019-08-28 21:56:45 -04:00
johnny@pittpc.com
0e451056b4 Added get OS Browser Device and IP functions, added these functions to guest view invoice, also added invoice view alert and other minor fixes 2019-08-28 21:47:40 -04:00