itflow-org / itflow

Free and open-source web application for MSPs. Unifies IT documentation, ticketing, invoicing.
https://itflow.org
GNU General Public License v3.0
544 stars 141 forks

Bugfix: credentials #1001

Closed: wrongecho closed 3 weeks ago

wrongecho commented 3 weeks ago

Fix an edge-case bug causing the user_encryption_session_key session cookie to not be set due to error output (when display PHP errors in browser is enabled). This means login credentials are still encrypted but cannot be decrypted properly by other users.

As a failsafe, prevent users creating new credentials if they do not have the correct cookie set.

This is the first time in 2+ years I've run into this, and only because I've set up a new dev env. I don't think it's a common issue by any means but doesn't hurt to fix.
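
The failure mode described above, sketched as an added example that is not ITFlow's code or this PR's change: PHP cannot send a Set-Cookie header once error output has flushed the response headers, so the login path checks `headers_sent()` and the write path refuses to proceed without the cookie. The function names, cookie options and sample values are assumptions; only the cookie name comes from the description.

```php
<?php
// Added illustration, not ITFlow code. Function names and cookie options are
// assumptions; only the cookie name comes from the PR description.
const KEY_COOKIE = 'user_encryption_session_key';

// Queue the key cookie. Returns false, and logs where the stray output
// began, when the response headers have already been flushed.
function sendKeyCookie(string $sessionKey): bool
{
    if (headers_sent($file, $line)) {
        error_log('Cannot set ' . KEY_COOKIE . ": output started at $file:$line");
        return false;
    }
    return setcookie(KEY_COOKIE, $sessionKey, [
        'expires'  => 0,          // lasts for the browser session
        'path'     => '/',
        'secure'   => true,       // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Failsafe for write paths: true only when the request carries a non-empty
// key cookie. Presence is all that is checked here.
function hasKeyCookie(array $cookies): bool
{
    $key = $cookies[KEY_COOKIE] ?? '';
    return is_string($key) && $key !== '';
}

// Refuse to store a credential that other users could not decrypt later.
function guardCredentialCreate(array $cookies): void
{
    if (!hasKeyCookie($cookies)) {
        http_response_code(403);
        exit('Encryption key cookie missing: log out and back in first.');
    }
}

// Login request: buffering keeps a displayed warning from flushing the
// headers before the cookie is queued.
ob_start();
trigger_error('constructed warning standing in for stray error output', E_USER_WARNING);
$cookieQueued = sendKeyCookie(bin2hex(random_bytes(16))); // constructed sample key
ob_end_flush();
if (!$cookieQueued) {
    exit('Login aborted: key cookie could not be set.');
}
```

A credential-creating handler would call `guardCredentialCreate($_COOKIE)` before encrypting or storing anything.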

sonarcloud[bot] commented 3 weeks ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

wrongecho commented 3 weeks ago

Test these changes at: https://credfix1001.pr-review.itflow.org
(automatic message)

johnnyq commented 3 weeks ago

nice catch, yeah definitely a rare RACE condition