From 2d8b928e0312acc24853894af96d5c1a1bb68025 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:49:09 -0700
Subject: [PATCH 1/3] Refactor administrator fetch logic in login.inc.php

Refactor administrator fetching logic to process known IPs and fingerprints _after_ fetching the administrator record.

Those were not arrays outside the fetch block.
---
 public_html/backend/pages/login.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 27ab262..96bf271 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
 				where username = '". database::input(strtolower($_POST['username'])) ."'
 				or email = '". database::input(strtolower($_POST['username'])) ."'
 				limit 1;"
-			)->fetch(function($administrator){
-				$administrator['known_ips'] = f::string_split($administrator['known_ips']);
-				$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
-			});
+			)->fetch();
+
+			$administrator['known_ips'] = f::string_split($administrator['known_ips']);
+			$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
 
 			if (!$administrator) {
 				throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
@@ -159,7 +159,7 @@
 
 			unset(session::$data['security.administrator']['verification']);
 
-			// TOTP (opt-in per administrator). When enrolled, always challenge Ч
+			// TOTP (opt-in per administrator). When enrolled, always challenge
 			// independent of the known-IP check below. Email OTP remains the
 			// fallback for admins who haven't enrolled.
 			if (!empty($administrator['totp_secret'])) {
@@ -383,4 +383,4 @@
 			});
 		});
 	});
-</script>
\ No newline at end of file
+</script>

From 623965012f469afcb30dc65da14b618801817434 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:58:10 -0700
Subject: [PATCH 2/3] Revert "Refactor administrator fetch logic in
 login.inc.php"

This reverts commit 2d8b928e0312acc24853894af96d5c1a1bb68025.

Restores the original fetch callback pattern where known_ips and
known_fingerprints processing happened inside the fetch block, ensuring
they are properly treated as arrays at the time of assignment.
---
 public_html/backend/pages/login.inc.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 96bf271..7401482 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
 				where username = '". database::input(strtolower($_POST['username'])) ."'
 				or email = '". database::input(strtolower($_POST['username'])) ."'
 				limit 1;"
-			)->fetch();
-
-			$administrator['known_ips'] = f::string_split($administrator['known_ips']);
-			$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+			)->fetch(function($administrator){
+				$administrator['known_ips'] = f::string_split($administrator['known_ips']);
+				$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+			});
 
 			if (!$administrator) {
 				throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
@@ -126,7 +126,7 @@
 			}
 
 			if (!empty($administrator['last_ip_address']) && $administrator['last_ip_address'] != $_SERVER['REMOTE_ADDR']) {
-				notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then your login credentials might be compromised.'), [
+				notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then y[...]
 					'{username}' => $administrator['username'],
 					'{ip_address}' => $administrator['last_ip_address'],
 					'{hostname}' => $administrator['last_hostname'],
@@ -159,7 +159,7 @@
 
 			unset(session::$data['security.administrator']['verification']);
 
-			// TOTP (opt-in per administrator). When enrolled, always challenge
+			// TOTP (opt-in per administrator). When enrolled, always challenge тЬУ
 			// independent of the known-IP check below. Email OTP remains the
 			// fallback for admins who haven't enrolled.
 			if (!empty($administrator['totp_secret'])) {
@@ -241,7 +241,7 @@
 
 			if (!empty($_POST['remember_me']) && defined('HMAC_KEY_REMEMBER_ME')) {
 				$token = f::token_create_remember($administrator['id'], $administrator['password_hash']);
-				header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''), false);
+				header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''),[...]
 			} else if (!empty($_COOKIE['remember_me'])) {
 				header('Set-Cookie: remember_me=; Path='. WS_DIR_APP .'; Max-Age=-1; HttpOnly; SameSite=Lax', false);
 			}

From 908af0d266f6a92b4e97d213ad6a6f5cd0994377 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 15:22:10 -0700
Subject: [PATCH 3/3] Fix implode usage for known IPs and fingerprints

These variables were not arrays on this page.
---
 .../apps/administrators/edit_administrator.inc.php        | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/public_html/backend/apps/administrators/edit_administrator.inc.php b/public_html/backend/apps/administrators/edit_administrator.inc.php
index 056bc72..e09e0ba 100644
--- a/public_html/backend/apps/administrators/edit_administrator.inc.php
+++ b/public_html/backend/apps/administrators/edit_administrator.inc.php
@@ -18,7 +18,7 @@
 	breadcrumbs::add(t('title_administrators', 'Administrators'), document::href_ilink(__APP__.'/administrators'));
 	breadcrumbs::add(!empty($administrator->data['username']) ? t('title_edit_administrator', 'Edit Administrator') : t('title_create_new_administrator', 'Create New Administrator'));
 
-	// TOTP enroll/confirm/disable Ч handled before the main save so the sub-form
+	// TOTP enroll/confirm/disable тАФ handled before the main save so the sub-form
 	// buttons (totp_setup, totp_confirm, totp_disable) don't have to go through
 	// the generic save validation.
 	if (!empty($administrator->data['id']) && (!empty($_POST['totp_setup']) || !empty($_POST['totp_confirm']) || !empty($_POST['totp_disable']))) {
@@ -341,14 +341,14 @@
 							<label class="form-group">
 								<div class="form-label"><?php echo t('title_known_ip_addresses', 'Known IP Addresses'); ?></div>
 								<div class="form-input" readonly style="height: 80px;">
-							<?php echo implode(', ', $administrator->data['known_ips']); ?>
+							<?php echo implode(', ', [$administrator->data['known_ips']]); ?>
 								</div>
 							</label>
 
 					<label class="form-group">
 						<div class="form-label"><?php echo t('title_known_fingerprints', 'Known Fingerprints'); ?></div>
 						<div class="form-input" readonly style="height: 80px;">
-							<?php echo implode(', ', $administrator->data['known_fingerprints']); ?>
+							<?php echo implode(', ', [$administrator->data['known_fingerprints']]); ?>
 					</div>
 					</label>
 					<?php } ?>
@@ -476,4 +476,4 @@
 			$(this).closest('ul').closest('[data-mcp-toolset-id]').children().not('ul').find(':input').prop('checked', true);
 		}
 	});
-</script>
\ No newline at end of file
+</script>
