Update patch version

core/config.base.php

@@ -13,10 +13,10 @@ if(!defined('HOME_LINK_OTHERS')){
 }
 
 //Version
-define('VERSION', '23.0.0.OS');
-define('CACHE_VALUE', '23.0.0.OS');
-define('VERSION_NUMBER', '2300');
-define('VERSION_DATE', '21/05/2018');
+define('VERSION', '23.0.1.OS');
+define('CACHE_VALUE', '23.0.1.OS');
+define('VERSION_NUMBER', '2301');
+define('VERSION_DATE', '14/06/2018');
 
 if(!defined('CONTACT_EMAIL')){define('CONTACT_EMAIL','icehrm@gamonoid.com');}
 if(!defined('KEY_PREFIX')){define('KEY_PREFIX','IceHrm');}

core/header.php

@@ -25,9 +25,9 @@ if (!defined('MODULE_NAME')) {
 }
 include 'includes.inc.php';
 
-if(empty($user)){
-    $actualLink = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
-    header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLink));
+if(empty($user) || empty($user->email)){
+    $actualLinkArray = explode('/',$_SERVER['REQUEST_URI']);
+    header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLinkArray[count($actualLinkArray) - 1]));
     exit();
 }
 

core/login.com.inc.php

@@ -1,2 +0,0 @@
-<?php
-?>

core/login.php

@@ -9,8 +9,8 @@ if (isset($_REQUEST['logout'])) {
     $_COOKIE['icehrmLF'] = '';
     $user = null;
 }
-
-if (empty($user)) {
+$hashedPwd = null;
+if (empty($user) || empty($user->email)) {
 	if (!isset($_REQUEST['f']) && isset($_COOKIE['icehrmLF'])
 		&& $_REQUEST['login'] != 'no' && !isset($_REQUEST['username'])) {
 		$tempUser = new \Users\Common\Model\User();
@@ -20,8 +20,9 @@ if (empty($user)) {
 			sha1($tempUser->email."_".$tempUser->password) == $_COOKIE['icehrmLF']) {
 			$_REQUEST['username'] = $tempUser->username;
 			$_REQUEST['password'] = $tempUser->password;
-			$_REQUEST['hashedPwd'] = $tempUser->password;
+			$hashedPwd = $tempUser->password;
 			$_REQUEST['remember'] = true;
+            $cookieLogin = true;
 		}
 	}
 
@@ -47,22 +48,33 @@ if (empty($user)) {
 			}
 		}
 
-		if (!isset($_REQUEST['hashedPwd'])) {
-			$_REQUEST['hashedPwd'] = md5($_REQUEST['password']);
+		if (!isset($hashedPwd)) {
+			$hashedPwd = md5($_REQUEST['password']);
 		}
 
-
-		include 'login.com.inc.php';
-
 		if (empty($suser)) {
 			$suser = new \Users\Common\Model\User();
 			$suser->Load(
 				"(username = ? or email = ?) and password = ?",
-				array($_REQUEST['username'],$_REQUEST['username'],$_REQUEST['hashedPwd'])
+				array($_REQUEST['username'], $_REQUEST['username'], $hashedPwd)
 			);
 		}
 
-		if ($suser->password == $_REQUEST['hashedPwd'] || $ssoUserLoaded) {
+		if (empty($suser->username) || empty($suser->email)) {
+            $next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
+            header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
+            exit();
+        }
+
+        $loginCsrf = \Utils\SessionUtils::getSessionObject('csrf-login');
+
+        if (!$cookieLogin && ($_REQUEST['csrf'] != $loginCsrf || empty($_REQUEST['csrf']))) {
+            $next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
+            header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
+            exit();
+        }
+
+		if ($suser->password === $hashedPwd || $ssoUserLoaded) {
 			$user = $suser;
 			\Utils\SessionUtils::saveSessionObject('user', $user);
 			$suser->last_login = date("Y-m-d H:i:s");
@@ -88,7 +100,7 @@ if (empty($user)) {
 			}
 
 			if (!empty($_REQUEST['next']) && !empty(($loginRedirect = \Base64Url\Base64Url::decode($_REQUEST['next'])))) {
-			    header("Location:" . $loginRedirect);
+			    header("Location:" . CLIENT_BASE_URL.$loginRedirect);
 			    exit();
             } else {
 				if ($user->user_level == "Admin") {
@@ -147,6 +159,9 @@ if (empty($user)) {
 $tuser = \Utils\SessionUtils::getSessionObject('user');
 $logoFileUrl = \Classes\UIManager::getInstance()->getCompanyLogoUrl();
 
+$csrfToken = sha1(rand(4500, 100000) . time(). CLIENT_BASE_URL);
+\Utils\SessionUtils::saveSessionObject('csrf-login', $csrfToken);
+
 ?><!DOCTYPE html>
 <html lang="en">
 <head>
@@ -340,6 +355,7 @@ $logoFileUrl = \Classes\UIManager::getInstance()->getCompanyLogoUrl();
 				<?php if (!isset($_REQUEST['cp'])) {?>
 					<form id="loginForm" action="login.php" method="POST">
                         <input type="hidden" id="next" name="next" value="<?=$_REQUEST['next']?>"/>
+                        <input type="hidden" id="csrf" name="csrf" value="<?=$csrfToken?>"/>
 						<fieldset>
 							<div class="clearfix">
 								<div class="input-prepend">

core/migrations/v20180514_230002_add_conversation_tables.php

@@ -13,8 +13,8 @@ create table `Conversations` (
 	`attachment` varchar(100) NULL,
 	`employee` bigint(20) NOT NULL,
 	`target` bigint(20) NULL,
-	`created` DATETIME default '0000-00-00 00:00:00',
-	`updated` DATETIME default '0000-00-00 00:00:00',
+	`created` DATETIME default NULL,
+	`updated` DATETIME default NULL,
 	`timeint` BIGINT(20) NOT NULL,
 	primary key  (`id`),
 	unique key `KEY_Conversations_attachment` (`attachment`),
@@ -33,7 +33,7 @@ create table `ConversationUserStatus` (
     `id` bigint(20) NOT NULL AUTO_INCREMENT,
 	`employee` bigint(20) NOT NULL,
 	`status` varchar(15) NULL,
-	`seen_at` DATETIME default '0000-00-00 00:00:00',
+	`seen_at` DATETIME default NULL,
 	primary key  (`id`),
 	unique key `KEY_ConversationLastSeen_employee` (`employee`),
 	index `KEY_ConversationLastSeen_seen_at` (`seen_at`),

core/src/Utils/SessionUtils.php

@@ -28,7 +28,8 @@ class SessionUtils
         $names = [
             "user",
             "modulePath",
-            "admin_current_profile"
+            "admin_current_profile",
+            "csrf-login"
         ];
         session_start();
         setcookie('icehrmLF', '');