Allow remote boxes to execute stuff, eventhough they don't really login

2025-06-07 00:47:00 +03:00 · 2014-09-26 13:47:52 +02:00 · 2014-09-26 13:47:52 +02:00 · 262e3c76a8
commit 262e3c76a8
parent f047f60712
2 changed files with 18 additions and 0 deletions
--- a/includes/session.inc.php
+++ b/includes/session.inc.php
@ -10,6 +10,19 @@ function is_logged_in() {
    if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == "true") {
        return TRUE;
    } else {
+        global $adminapikey;
+        global $adminapiips;
+
+        if (isset($adminapikey) && isset($allowedips)) {
+            if (array_search($_SERVER['REMOTE_ADDR'], $adminapiips) !== FALSE) {
+                if ($_POST['adminapikey'] == $adminapikey) {
+                    # Allow this request, fake that we're logged in.
+                    set_logged_in('admin');
+                    set_is_adminuser();
+                    return TRUE;
+                }
+            }
+        }
        return FALSE;
    }
 }