From fcfe5b0dbd33fd628031fe60ae3f2acc5164eed8 Mon Sep 17 00:00:00 2001
From: slawkens
Date: Thu, 29 May 2025 11:27:32 +0200
Subject: [PATCH] Do not allow access to tools/ folder after install
---
 common.php | 2 +-
 install/index.php | 3 ---
 install/steps/7-finish.php | 9 ---------
 install/tools/5-database.php | 5 +++++
 install/tools/7-finish.php | 12 +++++++++++-
 5 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/common.php b/common.php
index f316f6ef..c52e04ef 100644
--- a/common.php
+++ b/common.php
@@ -100,7 +100,7 @@ for($i = 1; $i < $size; $i++)
 $basedir = str_replace(array('/admin', '/install', '/tools'), '', $basedir);
 define('BASE_DIR', $basedir);
-if (file_exists(BASE . 'config.local.php') && !defined('MYAAC_INSTALL')) {
+if (file_exists(BASE . 'config.local.php')) {
 require BASE . 'config.local.php';
 }
diff --git a/install/index.php b/install/index.php
index 8226b385..6c31813b 100644
--- a/install/index.php
+++ b/install/index.php
@@ -13,9 +13,6 @@ require BASE . 'install/includes/functions.php';
 require BASE . 'install/includes/locale.php';
 require SYSTEM . 'clients.conf.php';
-if(file_exists(BASE . 'config.local.php'))
- require BASE . 'config.local.php';
-
 // ignore undefined index from Twig autoloader
 $config['env'] = 'prod';
diff --git a/install/steps/7-finish.php b/install/steps/7-finish.php
index c9424d8b..1664dd91 100644
--- a/install/steps/7-finish.php
+++ b/install/steps/7-finish.php
@@ -139,14 +139,5 @@ else {
 }
 $_SESSION['installed'] = true;
 }
-
- foreach($_SESSION as $key => $value) {
- if(strpos($key, 'var_') !== false)
- unset($_SESSION[$key]);
- }
- unset($_SESSION['saved']);
- if(file_exists(CACHE . 'install.txt')) {
- unlink(CACHE . 'install.txt');
- }
 }
 }
diff --git a/install/tools/5-database.php b/install/tools/5-database.php
index b7db001a..00833b97 100644
--- a/install/tools/5-database.php
+++ b/install/tools/5-database.php
@@ -7,6 +7,11 @@ require SYSTEM . 'functions.php';
 require BASE . 'install/includes/functions.php';
 require BASE . 'install/includes/locale.php';
+if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {
+ warning($locale['already_installed']);
+ return;
+}
+
 $error = false;
 require BASE . 'install/includes/config.php';
diff --git a/install/tools/7-finish.php b/install/tools/7-finish.php
index ab04a1e4..4c9c37b9 100644
--- a/install/tools/7-finish.php
+++ b/install/tools/7-finish.php
@@ -97,8 +97,18 @@ require_once SYSTEM . 'migrations/22.php';
 require_once SYSTEM . 'migrations/27.php';
 require_once SYSTEM . 'migrations/30.php';
+// cleanup
+foreach($_SESSION as $key => $value) {
+ if(strpos($key, 'var_') !== false)
+ unset($_SESSION[$key]);
+}
+unset($_SESSION['saved']);
+if(file_exists(CACHE . 'install.txt')) {
+ unlink(CACHE . 'install.txt');
+}
+
 $locale['step_finish_desc'] = str_replace('$ADMIN_PANEL$', generateLink(str_replace('tools/', '',ADMIN_URL), $locale['step_finish_admin_panel'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$HOMEPAGE$', generateLink(str_replace('tools/', '', BASE_URL), $locale['step_finish_homepage'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$LINK$', generateLink('https://my-aac.org', 'https://my-aac.org', true), $locale['step_finish_desc']);
-success($locale['step_finish_desc']);
\ No newline at end of file
+success($locale['step_finish_desc']);
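Review bot: The `already_installed` guard added at the top of install/tools/5-database.php is the only such check visible in this patch, although the subject promises to block the whole tools/ folder after install; the install/tools/7-finish.php hunk starts at line 97, so whether that script (or any other file under install/tools/) opens with the same check cannot be seen here and should be confirmed. Moving the check into one include that every install tool requires would keep a tool added later from missing it. The guard only works because common.php now loads config.local.php in the install context as well, so a comment above it such as `// needs config.local.php loaded by common.php, also during install` would keep that dependency from being undone unnoticed. The condition can also be written as `if(!empty($config['installed']) && !isset($_SESSION['saved'])) {`.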
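Review bot: The cleanup block added after the `migrations/30.php` line is now the only place that clears `$_SESSION['saved']`, and the new guard in install/tools/5-database.php lets any session that still has `saved` set through. If this script stops before reaching the block (for instance when one of the `require_once SYSTEM . 'migrations/…'` lines fails), the flag and `CACHE . 'install.txt'` stay behind and that session keeps passing the guard; the earlier part of the script is outside the hunk, so check whether the cleanup can be made to run on every exit path. The result of `unlink()` is ignored, so a cache directory that is not writable leaves install.txt in place without any message. `strpos($key, 'var_') !== false` matches `var_` anywhere in the key; if only the prefix is meant, `strpos($key, 'var_') === 0` says so.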