Fix user role and other definitions

itflow-org · Feb 22, 2024 · 5d620d0 · 5d620d0
1 parent 1d4271d
commit 5d620d0
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/login.php b/login.php
@@ -111,6 +111,9 @@
         $user_email = sanitizeInput($row['user_email']);
         $token = sanitizeInput($row['user_token']);
         $force_mfa = intval($row['user_config_force_mfa']);
+        $user_role = intval($row['user_role']);
+        $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
+        $user_extension_key = $row['user_extension_key'];
         if($force_mfa == 1 && $token == NULL) {
             $config_start_page = "user_security.php";
         }
@@ -178,21 +181,20 @@
             // Session info
             $_SESSION['user_id'] = $user_id;
             $_SESSION['user_name'] = $user_name;
-            $_SESSION['user_role'] = intval($row['user_role']);
+            $_SESSION['user_role'] = $user_role;
             $_SESSION['csrf_token'] = randomString(156);
             $_SESSION['logged'] = true;
 
             // Setup encryption session key
-            if (isset($row['user_specific_encryption_ciphertext']) && $row['user_role'] > 1) {
-                $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
+            if (is_null($user_encryption_ciphertext) && $user_role > 1) {
                 $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
                 generateUserSessionKey($site_encryption_master_key);
 
                 // Setup extension
-                if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) {
+                if (is_null($user_extension_key)) {
                     // Extension cookie
                     // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS.
-                    setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
+                    setcookie("user_extension_key", "$user_extension_key", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
 
                     // Set PHP session in DB, so we can access the session encryption data (above)
                     $user_php_session = session_id();