Add missing permissions for TOTP login

src/controllers/userController.php

@@ -872,7 +872,7 @@ class UserController
          header('Content-Type: application/json');
          header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';");
      
-        // Rate‑limit
+         // Rate-limit
          if (!isset($_SESSION['totp_failures'])) {
              $_SESSION['totp_failures'] = 0;
          }
@@ -883,7 +883,7 @@ class UserController
          }
      
          // Must be authenticated OR pending login
-        if (!((!empty($_SESSION['authenticated'])) || isset($_SESSION['pending_login_user']))) {
+         if (empty($_SESSION['authenticated']) && !isset($_SESSION['pending_login_user'])) {
              http_response_code(403);
              echo json_encode(['status' => 'error', 'message' => 'Not authenticated']);
              exit;
@@ -898,7 +898,7 @@ class UserController
              exit;
          }
      
-        // Parse and validate input
+         // Parse & validate input
          $inputData = json_decode(file_get_contents("php://input"), true);
          $code = trim($inputData['totp_code'] ?? '');
          if (!preg_match('/^\d{6}$/', $code)) {
@@ -910,13 +910,10 @@ class UserController
          // TFA helper
          $tfa = new \RobThree\Auth\TwoFactorAuth(
              new \RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider(),
-            'FileRise',
+             'FileRise', 6, 30, \RobThree\Auth\Algorithm::Sha1
-            6,
-            30,
-            \RobThree\Auth\Algorithm::Sha1
          );
      
-        // Pending‑login flow (first password step passed)
+         // === Pending-login flow (we just came from auth and need to finish login) ===
          if (isset($_SESSION['pending_login_user'])) {
              $username    = $_SESSION['pending_login_user'];
              $pendingSecret = $_SESSION['pending_login_secret'] ?? null;
@@ -929,54 +926,45 @@ class UserController
                  exit;
              }
      
-            // === Issue “remember me” token if requested ===
+             // Issue “remember me” token if requested
              if ($rememberMe) {
                  $tokFile = USERS_DIR . 'persistent_tokens.json';
                  $token = bin2hex(random_bytes(32));
                  $expiry = time() + 30 * 24 * 60 * 60;
                  $all = [];
-
                  if (file_exists($tokFile)) {
                      $dec = decryptData(file_get_contents($tokFile), $GLOBALS['encryptionKey']);
                      $all = json_decode($dec, true) ?: [];
                  }
-                $isAdmin = ((int)userModel::getUserRole($username) === 1);
                  $all[$token] = [
                      'username'     => $username,
                      'expiry'       => $expiry,
-                    'isAdmin'  => $isAdmin
+                     'isAdmin'      => ((int)userModel::getUserRole($username) === 1),
+                     'folderOnly'   => loadUserPermissions($username)['folderOnly']   ?? false,
+                     'readOnly'     => loadUserPermissions($username)['readOnly']     ?? false,
+                     'disableUpload'=> loadUserPermissions($username)['disableUpload']?? false
                  ];
                  file_put_contents(
                      $tokFile,
                      encryptData(json_encode($all, JSON_PRETTY_PRINT), $GLOBALS['encryptionKey']),
                      LOCK_EX
                  );
-
                  $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
-
-                // Persistent cookie
                  setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true);
-
+                 setcookie(session_name(), session_id(), $expiry, '/', '', $secure, true);
-                // Re‑issue PHP session cookie
-                setcookie(
-                    session_name(),
-                    session_id(),
-                    $expiry,
-                    '/',
-                    '',
-                    $secure,
-                    true
-                );
              }
      
-            // Finalize login
+             // === Finalize login into session exactly as finalizeLogin() would ===
              session_regenerate_id(true);
              $_SESSION['authenticated']   = true;
              $_SESSION['username']        = $username;
-            $_SESSION['isAdmin']       = $isAdmin;
+             $_SESSION['isAdmin']         = ((int)userModel::getUserRole($username) === 1);
-            $_SESSION['folderOnly']    = loadUserPermissions($username);
+             $perms = loadUserPermissions($username);
+             $_SESSION['folderOnly']      = $perms['folderOnly']    ?? false;
+             $_SESSION['readOnly']        = $perms['readOnly']      ?? false;
+             $_SESSION['disableUpload']   = $perms['disableUpload'] ?? false;
      
-            // Clean up
+             // Clean up pending markers
              unset(
                  $_SESSION['pending_login_user'],
                  $_SESSION['pending_login_secret'],
@@ -984,7 +972,16 @@ class UserController
                  $_SESSION['totp_failures']
              );
      
-            echo json_encode(['status' => 'ok', 'message' => 'Login successful']);
+             // Send back full login payload
+             echo json_encode([
+                 'status'        => 'ok',
+                 'success'       => 'Login successful',
+                 'isAdmin'       => $_SESSION['isAdmin'],
+                 'folderOnly'    => $_SESSION['folderOnly'],
+                 'readOnly'      => $_SESSION['readOnly'],
+                 'disableUpload' => $_SESSION['disableUpload'],
+                 'username'      => $_SESSION['username']
+             ]);
              exit;
          }