diff --git a/api.php b/api.php
index 02679e8..12658a6 100644
--- a/api.php
+++ b/api.php
@@ -43,10 +43,10 @@ switch ($VARS['action']) {
 case "auth":
 $errmsg = "";
 if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
- insertAuthLog(12, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(12, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "OK", "msg" => lang("login successful", false)]));
 } else {
- insertAuthLog(13, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(13, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 if (!is_empty($errmsg)) {
 exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
 }
@@ -70,7 +70,7 @@ switch ($VARS['action']) {
 case "userinfo":
 if (!is_empty($VARS['username'])) {
 if (user_exists_local($VARS['username'])) {
- $data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => $VARS['username']])[0];
+ $data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => strtolower($VARS['username'])])[0];
 exit(json_encode(["status" => "OK", "data" => $data]));
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
@@ -112,7 +112,7 @@ switch ($VARS['action']) {
 if (verifyTOTP($VARS['username'], $VARS['code'])) {
 exit(json_encode(["status" => "OK", "valid" => true]));
 } else {
- insertAuthLog(7, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(7, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("2fa incorrect", false), "valid" => false]));
 }
 break;
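Review bot: The lowercasing is applied only to the audit-log text and to the database lookup, while `authenticate_user($VARS['username'], ...)`, `user_exists_local($VARS['username'])` and `verifyTOTP($VARS['username'], ...)` in the same hunks still receive the raw value; unless those helpers normalize internally, the name the log records and the row the `select` reads can differ from the identity that was actually checked, which is exactly the evidence an incident reviewer relies on. In the `userinfo` hunk this also means `user_exists_local` can succeed while the lowercased `select` finds no row, so `[0]` yields null and the response still reports `"status" => "OK"` with empty data. Normalizing once at the top of the action instead of at each call site avoids the drift, e.g. `$username = strtolower($VARS['username']);` and passing `$username` everywhere, and it makes the choice of `strtolower` (byte-wise; `mb_strtolower` if usernames may contain non-ASCII) a single decision. The same pattern recurs in the `@@ -123` and `@@ -168` hunks. The enclosing `switch ($VARS['action'])` starts and ends outside these hunks.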
@@ -123,30 +123,30 @@ switch ($VARS['action']) {
 // simulate a login, checking account status and alerts
 $errmsg = "";
 if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
- $uid = $database->select('accounts', 'uid', ['username' => $VARS['username']])[0];
+ $uid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])])[0];
 switch (get_account_status($VARS['username'])) {
 case "LOCKED_OR_DISABLED":
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("account locked", false)]));
 case "TERMINATED":
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("account terminated", false)]));
 case "CHANGE_PASSWORD":
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("password expired", false)]));
 case "NORMAL":
- insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "OK"]));
 case "ALERT_ON_ACCESS":
 sendLoginAlertEmail($VARS['username']);
- insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "OK", "alert" => true]));
 default:
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . 
getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("account state error", false)]));
 }
 } else {
- insertAuthLog(5, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 if (!is_empty($errmsg)) {
 exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
 }
@@ -168,13 +168,13 @@ switch ($VARS['action']) {
 } else {
 if (user_exists_local($VARS['manager'])) {
 if (user_exists_local($VARS['employee'])) {
- $managerid = $database->select('accounts', 'uid', ['username' => $VARS['manager']]);
- $employeeid = $database->select('accounts', 'uid', ['username' => $VARS['employee']]);
+ $managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['manager'])]);
+ $employeeid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['employee'])]);
 } else {
- exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['employee']]));
+ exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['employee'])]));
 }
 } else {
- exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['manager']]));
+ exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['manager'])]));
 }
 }
 if ($database->has('managers', ['AND' => ['managerid' => $managerid, 'employeeid' => $employeeid]])) {
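Review bot: In the `@@ -123` hunk `strtolower($VARS['username'])` is recomputed in eight places (the `$uid` lookup and every `insertAuthLog` call), which is the kind of repetition that lets one site drift from the others on the next edit. Computing it once after `authenticate_user` succeeds, `$username = strtolower($VARS['username']);`, and using `$username` in the `insertAuthLog` calls, the `$uid` select, `get_account_status(...)` and `sendLoginAlertEmail(...)` keeps the account that is inspected, notified and logged identical to the one `$uid` resolved to. If `$uid` is meant to be non-null whenever authentication succeeded, the `[0]` on an empty `select` result silently produces null here; an explicit check would make that failure visible in the log rather than recorded as a null uid. The failing-auth `else` branch and the enclosing `switch` continue outside the hunk.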
@@ -191,8 +191,8 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
 } else if ($VARS['username']) {
- if ($database->has("accounts", ['username' => $VARS['username']])) {
- $managerid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
+ if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
+ $managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
@@ -211,8 +211,8 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
 } else if ($VARS['username']) {
- if ($database->has("accounts", ['username' => $VARS['username']])) {
- $empid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
+ if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
+ $empid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
@@ -243,7 +243,7 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
 } else if ($VARS['username']) {
- if ($database->has("accounts", ['username' => $VARS['username']])) {
+ if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
 $user = $VARS['username'];
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
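Review bot: The `has` followed by `select` on the same `accounts` predicate in the `@@ -191` hunk (and identically for `$empid` in `@@ -211`) runs the lookup twice and now also normalizes the username twice. A single `select` whose result is tested for emptiness gives the same "user does not exist" branch with one query and one normalization, e.g. `$username = strtolower($VARS['username']);` once before the `if`, then `has(..., ['username' => $username])` and `select(..., ['username' => $username])`. The surrounding `else if` chain and its `switch` case begin and end outside the hunk.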
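Review bot: In the `@@ -243` hunk the existence check now runs against the lowercased name, but the next line keeps the raw casing, `$user = $VARS['username'];`, so whatever `$user` is used for below the hunk operates on a value that was not the one verified to exist. It should be `$user = strtolower($VARS['username']);` so the verified key and the used key are the same. The rest of this case, including the use of `$user`, lies outside the hunk.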
@@ -262,7 +262,8 @@ switch ($VARS['action']) {
 http_response_code(400);
 die("\"400 Bad Request\"");
 }
- $user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['code'], 'accounts.username' => $VARS['username']]]);
+ $code = strtoupper($VARS['code']);
+ $user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $code, 'accounts.username' => strtolower($VARS['username'])]]);
 exit(json_encode(["status" => "OK", "valid" => $user_key_valid]));
 case "alertemail":
 engageRateLimit();
diff --git a/apps/inventory_link.php b/apps/inventory_link.php
index f8d33c4..df41d70 100644
--- a/apps/inventory_link.php
+++ b/apps/inventory_link.php
@@ -10,6 +10,6 @@ $APPS["inventory_link"]["i18n"] = TRUE;
 $APPS["inventory_link"]["title"] = "inventory";
 $APPS["inventory_link"]["icon"] = "cubes";
 $APPS["inventory_link"]["type"] = "teal";
-$content = "
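Review bot: `$code = strtoupper($VARS['code']);` is added after a 400 guard whose condition is outside the hunk; if that guard only checks presence, a non-string value for `code` (an array-typed parameter, for instance) makes `strtoupper` throw a `TypeError` under PHP 8 and the request fails with a 500 instead of the intended 400, so the guard should also require `is_string($VARS['code'])`. The endpoint returns a plain yes/no `"valid"` verdict for a (username, code) pair, and unlike the `alertemail` case directly below it no `engageRateLimit()` call is visible in this hunk; if the case is not rate-limited above the hunk, adding `engageRateLimit();` at its start would give it the same throttling as the other sensitive actions. The start of this case lies outside the hunk.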
" . lang("open inventory system", false) . '
' . lang("open app", false) . ' ';
+$content = "" . lang("open inventory system", false) . '
' . lang("open app", false) . ' ';
 $APPS["inventory_link"]["content"] = $content; ?>
\ No newline at end of file
diff --git a/apps/qwikclock_inout.php b/apps/qwikclock_inout.php
index 14b6363..5458891 100644
--- a/apps/qwikclock_inout.php
+++ b/apps/qwikclock_inout.php
@@ -38,6 +38,6 @@ $content .= <<