Fix some vulns in User.php
This commit is contained in:
parent
5679ac6640
commit
b4d045d8aa
@ -1,15 +1,18 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
// TODO:
|
// TODO: ...
|
||||||
class User
|
class User
|
||||||
{
|
{
|
||||||
private Session $session;
|
private Session $session;
|
||||||
private Database $database;
|
private Database $database;
|
||||||
|
|
||||||
|
// Always initialized
|
||||||
public bool $loggedIn;
|
public bool $loggedIn;
|
||||||
public int $powerLevel; // Set to 0 when not logged in
|
|
||||||
public string $username; // Username and password is only initalized if logged in
|
// Initialized only if logged in
|
||||||
|
public string $username;
|
||||||
public string $password;
|
public string $password;
|
||||||
|
public int $powerLevel;
|
||||||
|
|
||||||
public function __construct(Session $session, Database $database)
|
public function __construct(Session $session, Database $database)
|
||||||
{
|
{
|
||||||
@ -17,37 +20,34 @@ class User
|
|||||||
$this->database = $database;
|
$this->database = $database;
|
||||||
|
|
||||||
$user = $this->session->get('user');
|
$user = $this->session->get('user');
|
||||||
if ($user)
|
|
||||||
|
// Check if user session has been set
|
||||||
|
if (!$user)
|
||||||
{
|
{
|
||||||
// User session was set previously
|
|
||||||
$this->loggedIn = $user['loggedIn'];
|
|
||||||
$this->username = $user['username'];
|
|
||||||
$this->password = $user['password'];
|
|
||||||
} else {
|
|
||||||
// User session has not been set yet
|
|
||||||
$this->loggedIn = FALSE;
|
$this->loggedIn = FALSE;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if username and password matches
|
// Check if username and password match
|
||||||
if ($this->loggedIn && !$this->authenticate($this->username, $this->password))
|
if (!$this->authenticate($user['username'], $user['password']))
|
||||||
{
|
{
|
||||||
$this->logout();
|
$this->logout();
|
||||||
$this->session->flash('Kontodetaljer endret, vennligst logg inn igjen', 'warning');
|
$this->session->flash('Kontodetaljer er blitt endret, vennligst logg inn igjen', 'warning');
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// All is good, we should be logged in now! (hopefully)
|
||||||
|
$this->username = $user['username'];
|
||||||
|
$this->password = $user['password'];
|
||||||
|
$this->loggedIn = TRUE;
|
||||||
|
|
||||||
// Set powerLevel
|
// Set powerLevel
|
||||||
if ($this->loggedIn)
|
$sth = $this->database->conn->prepare(
|
||||||
{
|
'SELECT * FROM brukertabell WHERE Navn = ? AND Passord = ?'
|
||||||
$sth = $this->database->conn->prepare(
|
);
|
||||||
'SELECT * FROM brukertabell WHERE Navn = ? AND Passord = ?'
|
$sth->execute([$this->username, $this->password]);
|
||||||
);
|
$row = $sth->fetch(PDO::FETCH_ASSOC);
|
||||||
$sth->execute([$this->username, $this->password]);
|
$this->powerLevel = $row['Nivå'];
|
||||||
$row = $sth->fetch(PDO::FETCH_ASSOC);
|
|
||||||
|
|
||||||
$this->powerLevel = $row['Nivå'];
|
|
||||||
} else {
|
|
||||||
$this->powerLevel = 0;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set session if user and password match
|
// Set session if user and password match
|
||||||
|
|||||||
Reference in New Issue
Block a user