From 987b4ff0ce4e4ebd6b44a52603bcede93602148e Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Sat, 23 Jun 2018 11:48:01 +0200
Subject: [PATCH] Added check to set permissions and ensure user-related data is stored in files with 0644 permissions.
---
 edit/password_protect.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/edit/password_protect.php b/edit/password_protect.php
index 7aab606..f9890cb 100644
--- a/edit/password_protect.php
+++ b/edit/password_protect.php
@@ -8,7 +8,12 @@
 // Load settings
 // Demand HTTPS
-if (!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') header("Location: ../");
+if (!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') {
+header("Location: ../"); exit;
+}
+
+// Ensure file for user settings is 0644.
+if (substr(sprintf('%o', fileperms(__DIR__ . '/../data/users.json')), -4) != 0600) chmod(__DIR__ . '/../data/users.json', 0600);
 // Get available login information
@@ -72,6 +77,8 @@ function logout() {
  */
 function logLogin() {
 file_put_contents(loginLogFile, $_SESSION['username'].'|'.date("Y-m-d H:i:s").PHP_EOL, FILE_APPEND | LOCK_EX);
+// Ensure file for user settings is 0644.
+if (substr(sprintf('%o', fileperms(loginLogFile)), -4) != 0600) chmod(loginLogFile, 0600);
 }
 /**
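Review bot: The permission guard added for users.json never works as intended: `substr(sprintf('%o', ...), -4)` yields a string such as "0644", which is then loosely compared with the integer literal 0600 (decimal 384), so the condition is true for every real mode, including 0600 itself, and chmod() runs on every request; when the file is missing, fileperms() returns false and both calls emit warnings. Compare the mode bits numerically and check existence first, e.g. `$usersFile = __DIR__ . '/../data/users.json';` followed by `if (is_file($usersFile) && (fileperms($usersFile) & 0777) !== 0600) chmod($usersFile, 0600);`. The same broken comparison is repeated for loginLogFile in the logLogin() hunk. The new comment and the commit subject both say 0644 while the code sets 0600; the code value is the right one for credential data, so the comment should read `// Ensure the user credential file is readable only by the web server user (0600).`. Because the path is resolved relative to the web root, 0600 alone does not prevent the web server from serving data/users.json if that directory sits inside the document root — presumably it is denied at the server level, which is worth confirming.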
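Review bot: In logLogin() the chmod() runs only after file_put_contents() has already created the log, so on first use the file briefly exists with umask-default permissions before being tightened, and the copied comment `// Ensure file for user settings is 0644.` describes neither this file nor the mode actually set. Reword it to `// Keep the login log readable only by the web server user (0600).`, and consider creating the file with the intended mode before the first append (for example `touch` then chmod when `!is_file(loginLogFile)`) rather than correcting it afterwards. The mode comparison itself has the defect described in the note on the first hunk; the numeric form `if ((fileperms(loginLogFile) & 0777) !== 0600) chmod(loginLogFile, 0600);` applies here as well.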