Fixed totp isAdmin when session is missing but remember_me_token cookie present

CHANGELOG.md

@@ -16,6 +16,9 @@
   - Repopulates `$_SESSION['authenticated']`, `username`, `isAdmin`, `folderOnly`, `readOnly`, `disableUpload` from payload  
   - Regenerates session ID and CSRF token, then immediately returns JSON and exits
   
+  - **Updated** `userController.php`
+    - Fixed totp isAdmin when session is missing but `remember_me_token` cookie present
+
 ## Changes 4/22/2025 v1.2.3
 
 - Support for custom PUID/PGID via `PUID`/`PGID` environment variables, replacing the need to run the container with `--user`  

src/controllers/userController.php

@@ -917,10 +917,11 @@ class UserController
                      $dec = decryptData(file_get_contents($tokFile), $GLOBALS['encryptionKey']);
                      $all = json_decode($dec, true) ?: [];
                  }
+                 $isAdmin = ((int)userModel::getUserRole($username) === 1);
                  $all[$token] = [
                      'username' => $username,
                      'expiry'   => $expiry,
-                     'isAdmin'  => $_SESSION['isAdmin']
+                     'isAdmin'  => $isAdmin
                  ];
                  file_put_contents(
                      $tokFile,
@@ -949,7 +950,7 @@ class UserController
              session_regenerate_id(true);
              $_SESSION['authenticated'] = true;
              $_SESSION['username']      = $username;
-             $_SESSION['isAdmin']       = (userModel::getUserRole($username) === "1");
+             $_SESSION['isAdmin']       = $isAdmin;
              $_SESSION['folderOnly']    = loadUserPermissions($username);
      
              // Clean up