mirror of
https://github.com/tuxis-ie/nsedit.git
synced 2025-04-19 20:09:14 +03:00
Fix updating the password, and store if we have local auth, we can't change passwords if we don't have local auth
parent
f67fa04d85
commit
6be5f2f29c
2 changed files with 22 additions and 5 deletions
|
@ -9,11 +9,13 @@ global $current_user;
|
||||||
$current_user = false;
|
$current_user = false;
|
||||||
|
|
||||||
// session startup
|
// session startup
|
||||||
function _set_current_user($username, $is_admin = false, $has_csrf_token = false, $is_api = false) {
|
function _set_current_user($username, $userid, $localauth = true, $is_admin = false, $has_csrf_token = false, $is_api = false) {
|
||||||
global $current_user;
|
global $current_user;
|
||||||
|
|
||||||
$current_user = array(
|
$current_user = array(
|
||||||
'username' => $username,
|
'username' => $username,
|
||||||
|
'id' => $userid,
|
||||||
|
'localauth' => $localauth,
|
||||||
'is_admin' => $is_admin,
|
'is_admin' => $is_admin,
|
||||||
'has_csrf_token' => $has_csrf_token,
|
'has_csrf_token' => $has_csrf_token,
|
||||||
'is_api' => $is_api,
|
'is_api' => $is_api,
|
||||||
|
@ -177,7 +179,7 @@ function _try_login($username, $password) {
|
||||||
writelog("Failed to find user!", $username);
|
writelog("Failed to find user!", $username);
|
||||||
return false;
|
return false;
|
||||||
} else {
|
} else {
|
||||||
_set_current_user($username, (bool) $user['isadmin']);
|
_set_current_user($username, $user['id'], (bool) $do_local_auth, (bool) $user['isadmin']);
|
||||||
|
|
||||||
if (session_id()) {
|
if (session_id()) {
|
||||||
session_unset();
|
session_unset();
|
||||||
|
@ -187,6 +189,8 @@ function _try_login($username, $password) {
|
||||||
session_regenerate_id(true) or die('session failure: regenerated id failed');
|
session_regenerate_id(true) or die('session failure: regenerated id failed');
|
||||||
session_unset();
|
session_unset();
|
||||||
$_SESSION['username'] = $username;
|
$_SESSION['username'] = $username;
|
||||||
|
$_SESSION['localauth'] = $do_local_auth;
|
||||||
|
$_SESSION['userid'] = $user['id'];
|
||||||
|
|
||||||
# requires session:
|
# requires session:
|
||||||
_check_csrf_token($user);
|
_check_csrf_token($user);
|
||||||
|
@ -206,7 +210,7 @@ function _check_session() {
|
||||||
and $_POST['adminapikey'] === $adminapikey)
|
and $_POST['adminapikey'] === $adminapikey)
|
||||||
{
|
{
|
||||||
# Allow this request, fake that we're logged in as user.
|
# Allow this request, fake that we're logged in as user.
|
||||||
return _set_current_user('admin', true, true, true);
|
return _set_current_user('admin', 1, false, true, true, true);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -222,7 +226,7 @@ function _check_session() {
|
||||||
session_destroy();
|
session_destroy();
|
||||||
session_unset();
|
session_unset();
|
||||||
} else {
|
} else {
|
||||||
_set_current_user($_SESSION['username'], (bool) $user['isadmin']);
|
_set_current_user($_SESSION['username'], $_SESSION['userid'], (bool) $_SESSION['localauth'], (bool) $user['isadmin']);
|
||||||
_check_csrf_token($user);
|
_check_csrf_token($user);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -281,6 +285,16 @@ function get_sess_user() {
|
||||||
return $current_user ? $current_user['username'] : null;
|
return $current_user ? $current_user['username'] : null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function get_sess_userid() {
|
||||||
|
global $current_user;
|
||||||
|
return $current_user ? $current_user['id'] : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
function has_local_auth() {
|
||||||
|
global $current_user;
|
||||||
|
return $current_user ? $current_user['localauth'] : null;
|
||||||
|
}
|
||||||
|
|
||||||
function logout() {
|
function logout() {
|
||||||
@session_destroy();
|
@session_destroy();
|
||||||
@session_unset();
|
@session_unset();
|
||||||
|
|
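Review bot: In the `_check_session()` hunk the new call reads `$_SESSION['userid']` and `$_SESSION['localauth']` unconditionally, so a session created before this change has neither key and the user ends up with a null id and `localauth` false. `$user['isadmin']` is read on the same line, so the user record appears to be loaded there, and taking the id from it keeps the value tied to the database row: `_set_current_user($_SESSION['username'], $user['id'], !empty($_SESSION['localauth']), (bool) $user['isadmin']);`. The admin API key branch hard-codes user id `1`, and nothing in the hunk ties that value to an admin row, so a comment such as `# API-key requests act as user id 1; assumes that row is the admin account` would record the assumption. Because `$userid` and `$localauth` were inserted ahead of `$is_admin`, any caller of `_set_current_user()` outside these hunks that still passes the old argument order would silently put the admin flag into the id slot. Both functions continue outside the hunks shown.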
|
@ -20,7 +20,7 @@ if (!is_logged_in() and isset($_POST['formname']) and $_POST['formname'] === "lo
|
||||||
|
|
||||||
if (is_logged_in() and isset($_POST['formname']) and $_POST['formname'] === "changepwform") {
|
if (is_logged_in() and isset($_POST['formname']) and $_POST['formname'] === "changepwform") {
|
||||||
if (get_sess_user() == $_POST['username']) {
|
if (get_sess_user() == $_POST['username']) {
|
||||||
if (!update_user(get_sess_user(), is_adminuser(), $_POST['password'])) {
|
if (!update_user(get_sess_userid(), is_adminuser(), $_POST['password'])) {
|
||||||
$errormsg = "Unable to update password!\n";
|
$errormsg = "Unable to update password!\n";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
@ -208,6 +208,7 @@ if ($blocklogin === TRUE) {
|
||||||
</div>
|
</div>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
|
||||||
|
<?php if (has_local_auth()) { ?>
|
||||||
<div id="AboutMe">
|
<div id="AboutMe">
|
||||||
<div class="tables">
|
<div class="tables">
|
||||||
<p>Hi <?php echo get_sess_user(); ?>. You can change your password here.</p>
|
<p>Hi <?php echo get_sess_user(); ?>. You can change your password here.</p>
|
||||||
|
@ -232,9 +233,11 @@ if ($blocklogin === TRUE) {
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
<input type="hidden" name="formname" value="changepwform">
|
<input type="hidden" name="formname" value="changepwform">
|
||||||
|
<input type="hidden" name="id" value="<?php echo get_sess_userid(); ?>">
|
||||||
</form>
|
</form>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
<?php } ?>
|
||||||
</div>
|
</div>
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
window.csrf_token = '<?php echo CSRF_TOKEN ?>';
|
window.csrf_token = '<?php echo CSRF_TOKEN ?>';
|
||||||
|
|
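Review bot: The `has_local_auth()` check is applied only to the form markup; the `changepwform` handler in the first hunk still calls `update_user()` for any logged-in session, so an account without local auth can still submit the form by hand. The handler condition should carry the same check: `if (is_logged_in() and has_local_auth() and isset($_POST['formname']) and $_POST['formname'] === "changepwform") {`. The new hidden `id` field is not read by the handler lines shown, which use `get_sess_userid()` and should keep doing so, so the field could be dropped rather than left as a client-supplied value that looks trusted. The handler's body continues outside the hunk.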