From 45d911973309ac0f5bb1ad61045f770b2d1bd2ad Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 22 Nov 2023 22:32:34 +0000 Subject: [PATCH 1/5] Removed debugging/comments Signed-off-by: snipe --- app/Http/Controllers/Auth/LoginController.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index fb0a00e10c..100eed12b9 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -56,7 +56,6 @@ class LoginController extends Controller parent::__construct(); $this->middleware('guest', ['except' => ['logout', 'postTwoFactorAuth', 'getTwoFactorAuth', 'getTwoFactorEnroll']]); Session::put('backUrl', \URL::previous()); - // $this->ldap = $ldap; $this->saml = $saml; } @@ -82,7 +81,6 @@ class LoginController extends Controller } if (Setting::getSettings()->login_common_disabled == '1') { - \Log::debug('login_common_disabled is set to 1 - return a 403'); return view('errors.403'); } From f922d0518e9735f132578155a6e7001cf53f134c Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 22 Nov 2023 22:35:34 +0000 Subject: [PATCH 2/5] Added allow list - quiet the observer down for magical laravel things Signed-off-by: snipe --- app/Observers/UserObserver.php | 91 +++++++++++++++++++++++----------- 1 file changed, 61 insertions(+), 30 deletions(-) diff --git a/app/Observers/UserObserver.php b/app/Observers/UserObserver.php index 257d4e844b..5c565768d3 100644 --- a/app/Observers/UserObserver.php +++ b/app/Observers/UserObserver.php 
@@ -17,47 +17,78 @@ class UserObserver public function updating(User $user) { + // ONLY allow these fields to be stored + $allowed_fields = [ + 'email', + 'activated', + 'first_name', + 'last_name', + 'website', + 'country', + 'gravatar', + 'location_id', + 'phone', + 'jobtitle', + 'manager_id', + 'employee_num', + 'username', + 'notes', + 'company_id', + 'ldap_import', + 'locale', + 'two_factor_enrolled', + 'two_factor_optin', + 'department_id', + 'address', + 'address2', + 'city', + 'state', + 'zip', + 'remote', + 'start_date', + 'end_date', + 'autoassign_licenses', + 'vip', + 'password' + ]; + $changed = []; + foreach ($user->getRawOriginal() as $key => $value) { - if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) { + // Make sure the info is in the allow fields array + if (in_array($key, $allowed_fields)) { - $changed[$key]['old'] = $user->getRawOriginal()[$key]; - $changed[$key]['new'] = $user->getAttributes()[$key]; + // Check and see if the value changed + if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) { - // Do not store the hashed password in changes - if ($key == 'password') { - $changed['password']['old'] = '*************'; - $changed['password']['new'] = '*************'; - } + $changed[$key]['old'] = $user->getRawOriginal()[$key]; + $changed[$key]['new'] = $user->getAttributes()[$key]; - // Do not store last login in changes - if ($key == 'last_login') { - unset($changed['last_login']); - unset($changed['last_login']); - } + // Do not store the hashed password in changes + if ($key == 'password') { + $changed['password']['old'] = '*************'; + $changed['password']['new'] = '*************'; + } - if ($key == 'permissions') { - unset($changed['permissions']); - unset($changed['permissions']); - } - - if ($key == 'remember_token') { - unset($changed['remember_token']); - unset($changed['remember_token']); } } + } - $logAction = new Actionlog(); - $logAction->item_type = User::class; - $logAction->item_id = 
$user->id; - $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ? - $logAction->target_id = $user->id; - $logAction->created_at = date('Y-m-d H:i:s'); - $logAction->user_id = Auth::id(); - $logAction->log_meta = json_encode($changed); - $logAction->logaction('update'); + if (count($changed) > 0) { + $logAction = new Actionlog(); + $logAction->item_type = User::class; + $logAction->item_id = $user->id; + $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ? + $logAction->target_id = $user->id; + $logAction->created_at = date('Y-m-d H:i:s'); + $logAction->user_id = Auth::id(); + $logAction->log_meta = json_encode($changed); + $logAction->logaction('update'); + } + + } /** From 3929c8f26042b2bbeef66e4f20b1788ae41341e1 Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 22 Nov 2023 22:57:54 +0000 Subject: [PATCH 3/5] Nicer alert layout Signed-off-by: snipe --- resources/views/account/view-assets.blade.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/resources/views/account/view-assets.blade.php b/resources/views/account/view-assets.blade.php index 81011175a6..500937de43 100755 --- a/resources/views/account/view-assets.blade.php +++ b/resources/views/account/view-assets.blade.php @@ -10,15 +10,17 @@ @section('content') @if ($acceptances = \App\Models\CheckoutAcceptance::forUser(Auth::user())->pending()->count()) -
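Review bot: The allow-list check `if (in_array($key, $allowed_fields)) {` compares loosely; since both sides are strings it should be `if (in_array($key, $allowed_fields, true)) {` so a key that loosely equals an entry cannot slip into the log. The list also now decides what the audit trail records: `permissions`, `remember_token` and `last_login`, which the old code unset explicitly, are excluded only by omission, so a comment above `$allowed_fields` such as `// Deliberately excluded from the change log: permissions, remember_token, last_login` would keep the next maintainer from re-adding the token and make it visible that permission changes are not recorded here. The access `$user->getAttributes()[$key]` will raise an undefined-key warning if an original attribute is absent from the new attribute set, which seems unlikely for an update but is worth a `?? null` if that can happen.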
-
- + @endif From c6178bd619500cf2f4c980c787518b51b838b41c Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 22 Nov 2023 22:59:59 +0000 Subject: [PATCH 4/5] Added translation for success password save Signed-off-by: snipe --- resources/lang/en/passwords.php | 1 + 1 file changed, 1 insertion(+) diff --git a/resources/lang/en/passwords.php b/resources/lang/en/passwords.php index 25633b4581..41a87f98ed 100644 --- a/resources/lang/en/passwords.php +++ b/resources/lang/en/passwords.php @@ -5,4 +5,5 @@ return [ 'user' => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.', 'token' => 'This password reset token is invalid or expired, or does not match the username provided.', 'reset' => 'Your password has been reset!', + 'password_change' => 'Your password has been updated!', ]; From ba127be34423493893eaa8514bb454f2755627a7 Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 22 Nov 2023 23:00:30 +0000 Subject: [PATCH 5/5] Use saveQuietly to prevent double entries Signed-off-by: snipe --- app/Http/Controllers/ProfileController.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/app/Http/Controllers/ProfileController.php b/app/Http/Controllers/ProfileController.php index d67d673a21..f3900eff25 100755 --- a/app/Http/Controllers/ProfileController.php +++ b/app/Http/Controllers/ProfileController.php @@ -134,6 +134,7 @@ class ProfileController extends Controller ]; $validator = \Validator::make($request->all(), $rules); + $validator->after(function ($validator) use ($request, $user) { if (! Hash::check($request->input('current_password'), $user->password)) { $validator->errors()->add('current_password', trans('validation.custom.hashed_pass')); 
@@ -159,12 +160,14 @@ class ProfileController extends Controller }); if (! $validator->fails()) { - $user->password = Hash::make($request->input('password')); - $user->save(); + $user->password = Hash::make($request->input('password')); + // We have to use saveQuietly here because for some reason this method was calling the User Oserver twice :( + $user->saveQuietly(); + // Log the user out of other devices Auth::logoutOtherDevices($request->input('password')); - return redirect()->route('account.password.index')->with('success', 'Password updated!'); + return redirect()->route('account')->with('success', trans('passwords.password_change')); } return redirect()->back()->withInput()->withErrors($validator);
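Review bot: `$user->saveQuietly();` suppresses every model event, so `UserObserver::updating` (which in PATCH 2/5 of this series is what writes the Actionlog entry for a user change, with the password masked) does not run for this save; if the observer is the only place user changes are logged, a self-service password change now leaves no entry in the action log. The inline comment says the observer fired twice for an unknown reason, and replacing the duplicate with no record at all is a worse trade for an audit trail than the duplicate. The double firing should be traced (for example whether another listener also saves the user, which cannot be told from this hunk), or the Actionlog entry written explicitly after `saveQuietly()` using the same fields the observer sets. The comment should then state what is bypassed, e.g. `// saveQuietly() skips model events, including UserObserver::updating; the change is logged explicitly below` (also fixes the "Oserver" typo).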