From d6e8d36bec2dfb4c1c528afb5fb1600ca486585e Mon Sep 17 00:00:00 2001 From: Joe Date: Tue, 25 Oct 2022 19:06:00 +0200 Subject: [PATCH] Bug. Add instruction if Login from unsecure server. Fixed. --- access/login.php | 50 +++++++++++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 20 deletions(-) diff --git a/access/login.php b/access/login.php index df2cc695..c1d1ebf9 100644 --- a/access/login.php +++ b/access/login.php @@ -81,6 +81,7 @@ function defaultCompany() br();br(); start_form(false, false, $_SESSION['timeout']['uri'], "loginform"); start_table(false, "class='login'"); + start_row(); echo ""; if (!$login_timeout) { // FA logo 
@@ -95,36 +96,45 @@ function defaultCompany() $value = $login_timeout ? $_SESSION['wa_current_user']->loginname : ($SysPrefs->allow_demo_mode ? "demouser":""); - text_row(_("User name"), "user_name_entry_field", $value, 20, 30); + $allow = SECURE_ONLY !== true ? true : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_NAME'] === "localhost"; + + if ($allow) { + + text_row(_("User name"), "user_name_entry_field", $value, 20, 30); - $password = $SysPrefs->allow_demo_mode ? "password":""; + $password = $SysPrefs->allow_demo_mode ? "password":""; - password_row(_("Password:"), 'password', $password); + password_row(_("Password:"), 'password', $password); - if ($login_timeout) { - hidden('company_login_name', user_company()); - } else { - $coy = user_company(); - if (!isset($coy)) - $coy = $def_coy; - if (!@$SysPrefs->text_company_selection) { - echo ""._("Company")."\n"; - echo ""; + if ($login_timeout) { + hidden('company_login_name', user_company()); } else { - text_row(_("Company"), "company_login_nickname", "", 20, 50); + $coy = user_company(); + if (!isset($coy)) + $coy = $def_coy; + if (!@$SysPrefs->text_company_selection) { + echo ""._("Company")."\n"; + echo ""; + } else { + text_row(_("Company"), "company_login_nickname", "", 20, 50); + } } - }; + } + else { + $demo_text = ''._("HTTP access is not allowed on this site. This is unsecure. If you really want to access this unsecure site then set the SECURE_ONLY to false in /includes/session.inc file.").''; + } start_row(); label_cell($demo_text, "colspan=2 align='center' id='log_msg'"); end_row(); end_table(1); echo "\n"; - echo "
\n"; - + if ($allow) { + echo "
\n"; + } foreach($_SESSION['timeout']['post'] as $p => $val) { // add all request variables to be resend together with login data if (!in_array($p, array('ui_mode', 'user_name_entry_field', -- 2.30.2
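Review bot: The localhost exemption in the new `$allow` line trusts `$_SERVER['SERVER_NAME']`, which on common web-server configurations is filled from the request's Host header, so it is client-influenced and does not show that the connection is local. Testing the peer address is safer and also drops the reliance on `||` binding tighter than `?:`: `$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`, `$is_local = in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1', '::1'), true);`, `$allow = SECURE_ONLY !== true || $is_https || $is_local;` (behind a TLS-terminating proxy both signals need to come from the trusted proxy configuration instead). The check only decides whether the form fields are rendered; unless the credential-handling code, which is outside this hunk, applies the same test, a login POST over plain HTTP is presumably still accepted, so the enforcement belongs there as well. The message in the `else` branch tells unauthenticated visitors which file and constant switch the protection off; a generic notice, with the detail kept in the admin documentation or the server log, would disclose less. The enclosing block starts and ends outside the hunk.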