From 2d8b928e0312acc24853894af96d5c1a1bb68025 Mon Sep 17 00:00:00 2001 From: s22 Tech <59073912+s22-tech@users.noreply.github.com> Date: Mon, 29 Jun 2026 09:49:09 -0700 Subject: [PATCH 1/3] Refactor administrator fetch logic in login.inc.php Refactor administrator fetching logic to process known IPs and fingerprints _after_ fetching the administrator record. Those were not arrays outside the fetch block. --- public_html/backend/pages/login.inc.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php index 27ab262..96bf271 100644 --- a/public_html/backend/pages/login.inc.php +++ b/public_html/backend/pages/login.inc.php @@ -30,10 +30,10 @@ where username = '". database::input(strtolower($_POST['username'])) ."' or email = '". database::input(strtolower($_POST['username'])) ."' limit 1;" - )->fetch(function($administrator){ - $administrator['known_ips'] = f::string_split($administrator['known_ips']); - $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']); - }); + )->fetch(); + + $administrator['known_ips'] = f::string_split($administrator['known_ips']); + $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']); if (!$administrator) { throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database')); @@ -159,7 +159,7 @@ unset(session::$data['security.administrator']['verification']); - // TOTP (opt-in per administrator). When enrolled, always challenge — + // TOTP (opt-in per administrator). When enrolled, always challenge // independent of the known-IP check below. Email OTP remains the // fallback for admins who haven't enrolled. if (!empty($administrator['totp_secret'])) { @@ -383,4 +383,4 @@ }); }); }); - \ No newline at end of file + From 623965012f469afcb30dc65da14b618801817434 Mon Sep 17 00:00:00 2001 From: s22 Tech <59073912+s22-tech@users.noreply.github.com> Date: Mon, 29 Jun 2026 09:58:10 -0700 Subject: [PATCH 2/3] Revert "Refactor administrator fetch logic in login.inc.php" This reverts commit 2d8b928e0312acc24853894af96d5c1a1bb68025. Restores the original fetch callback pattern where known_ips and known_fingerprints processing happened inside the fetch block, ensuring they are properly treated as arrays at the time of assignment. --- public_html/backend/pages/login.inc.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php index 96bf271..7401482 100644 --- a/public_html/backend/pages/login.inc.php +++ b/public_html/backend/pages/login.inc.php @@ -30,10 +30,10 @@ where username = '". database::input(strtolower($_POST['username'])) ."' or email = '". database::input(strtolower($_POST['username'])) ."' limit 1;" - )->fetch(); - - $administrator['known_ips'] = f::string_split($administrator['known_ips']); - $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']); + )->fetch(function($administrator){ + $administrator['known_ips'] = f::string_split($administrator['known_ips']); + $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']); + }); if (!$administrator) { throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database')); @@ -126,7 +126,7 @@ } if (!empty($administrator['last_ip_address']) && $administrator['last_ip_address'] != $_SERVER['REMOTE_ADDR']) { - notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then your login credentials might be compromised.'), [ + notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then y[...] '{username}' => $administrator['username'], '{ip_address}' => $administrator['last_ip_address'], '{hostname}' => $administrator['last_hostname'], @@ -159,7 +159,7 @@ unset(session::$data['security.administrator']['verification']); - // TOTP (opt-in per administrator). When enrolled, always challenge + // TOTP (opt-in per administrator). When enrolled, always challenge ✓ // independent of the known-IP check below. Email OTP remains the // fallback for admins who haven't enrolled. if (!empty($administrator['totp_secret'])) { @@ -241,7 +241,7 @@ if (!empty($_POST['remember_me']) && defined('HMAC_KEY_REMEMBER_ME')) { $token = f::token_create_remember($administrator['id'], $administrator['password_hash']); - header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''), false); + header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''),[...] } else if (!empty($_COOKIE['remember_me'])) { header('Set-Cookie: remember_me=; Path='. WS_DIR_APP .'; Max-Age=-1; HttpOnly; SameSite=Lax', false); } From ca7418b0077f2264d017880bbcabaadd7ed6e2d0 Mon Sep 17 00:00:00 2001 From: s22 Tech <59073912+s22-tech@users.noreply.github.com> Date: Mon, 29 Jun 2026 15:46:19 -0700 Subject: [PATCH 3/3] Add permissions column to administrators table --- install/structure.sql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/structure.sql b/install/structure.sql index 3775ee0..637dbc4 100644 --- a/install/structure.sql +++ b/install/structure.sql @@ -7,6 +7,7 @@ CREATE TABLE IF NOT EXISTS `lc_administrators` ( `email` VARCHAR(128) NOT NULL DEFAULT '', `password_hash` VARCHAR(255) NOT NULL DEFAULT '', `apps` VARCHAR(4096) NOT NULL DEFAULT '', + `permissions` CHAR(3) NOT NULL DEFAULT '', `widgets` VARCHAR(512) NOT NULL DEFAULT '', `two_factor_auth` TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', `login_attempts` INT(10) UNSIGNED NOT NULL DEFAULT '0', @@ -242,4 +243,4 @@ CREATE TABLE `lc_translations` ( KEY `frontend` (`frontend`), KEY `backend` (`backend`), KEY `created_at` (`created_at`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE utf8mb4_general_ci; \ No newline at end of file +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE utf8mb4_general_ci;