Fix updating the password, and store if we have local auth, we can't change passwords if we don't have local auth

includes/session.inc.php

@@ -9,11 +9,13 @@ global $current_user;
 $current_user = false;
 
 // session startup
-function _set_current_user($username, $is_admin = false, $has_csrf_token = false, $is_api = false) {
+function _set_current_user($username, $userid, $localauth = true, $is_admin = false, $has_csrf_token = false, $is_api = false) {
     global $current_user;
 
     $current_user = array(
         'username' => $username,
+        'id' => $userid,
+        'localauth' => $localauth,
         'is_admin' => $is_admin,
         'has_csrf_token' => $has_csrf_token,
         'is_api' => $is_api,
@@ -177,7 +179,7 @@ function _try_login($username, $password) {
         writelog("Failed to find user!", $username);
         return false;
     } else {
-        _set_current_user($username, (bool) $user['isadmin']);
+        _set_current_user($username, $user['id'], (bool) $do_local_auth, (bool) $user['isadmin']);
 
         if (session_id()) {
             session_unset();
@@ -187,6 +189,8 @@ function _try_login($username, $password) {
         session_regenerate_id(true) or die('session failure: regenerated id failed');
         session_unset();
         $_SESSION['username'] = $username;
+        $_SESSION['localauth'] = $do_local_auth;
+        $_SESSION['userid'] = $user['id'];
 
         # requires session:
         _check_csrf_token($user);
@@ -206,7 +210,7 @@ function _check_session() {
             and $_POST['adminapikey'] === $adminapikey)
         {
             # Allow this request, fake that we're logged in as user.
-            return _set_current_user('admin', true, true, true);
+            return _set_current_user('admin', 1, false, true, true, true);
         }
         else
         {
@@ -222,7 +226,7 @@ function _check_session() {
                 session_destroy();
                 session_unset();
             } else {
-                _set_current_user($_SESSION['username'], (bool) $user['isadmin']);
+                _set_current_user($_SESSION['username'], $_SESSION['userid'], (bool) $_SESSION['localauth'], (bool) $user['isadmin']);
                 _check_csrf_token($user);
                 return;
             }
@@ -281,6 +285,16 @@ function get_sess_user() {
     return $current_user ? $current_user['username'] : null;
 }
 
+function get_sess_userid() {
+    global $current_user;
+    return $current_user ? $current_user['id'] : null;
+}
+
+function has_local_auth() {
+    global $current_user;
+    return $current_user ? $current_user['localauth'] : null;
+}
+
 function logout() {
     @session_destroy();
     @session_unset();

index.php

@@ -20,7 +20,7 @@ if (!is_logged_in() and isset($_POST['formname']) and $_POST['formname'] === "lo
 
 if (is_logged_in() and isset($_POST['formname']) and $_POST['formname'] === "changepwform") {
     if (get_sess_user() == $_POST['username']) {
-        if (!update_user(get_sess_user(), is_adminuser(), $_POST['password'])) {
+        if (!update_user(get_sess_userid(), is_adminuser(), $_POST['password'])) {
             $errormsg = "Unable to update password!\n";
         }
     } else {
@@ -208,6 +208,7 @@ if ($blocklogin === TRUE) {
     </div>
     <?php } ?>
 
+    <?php if (has_local_auth()) { ?>
     <div id="AboutMe">
         <div class="tables">
             <p>Hi <?php echo get_sess_user(); ?>. You can change your password here.</p>
@@ -232,9 +233,11 @@ if ($blocklogin === TRUE) {
                     </tr>
                 </table>
                 <input type="hidden" name="formname" value="changepwform">
+                <input type="hidden" name="id" value="<?php echo get_sess_userid(); ?>">
             </form>
         </div>
     </div>
+    <?php } ?>
 </div>
 <script type="text/javascript">
 window.csrf_token = '<?php echo CSRF_TOKEN ?>';