From 5c4970210d62fb6b5c8b6a4e59c6648d80939c7a Mon Sep 17 00:00:00 2001 From: vogelor <vogelor@ispconfig3> Date: Sun, 14 Dec 2008 07:31:52 -0500 Subject: [PATCH] It is now possible to "login as" as admin from the user-list It is now possible to redirect to a different url as result of the loadContent AJAX function --- interface/web/login/index.php | 44 +++++++++++++++++++++++++++++++++++++++++--- 1 files changed, 41 insertions(+), 3 deletions(-) diff --git a/interface/web/login/index.php b/interface/web/login/index.php index df30e3b..5e9eb68 100644 --- a/interface/web/login/index.php +++ b/interface/web/login/index.php @@ -41,8 +41,11 @@ global $app, $conf; - if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) { - die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']); + /* Redirect to page, if login form was NOT send */ + if(count($_POST) == 0) { + if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) { + die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']); + } } $app->uses('tpl'); @@ -60,6 +63,34 @@ $passwort = $app->db->quote($_POST['passwort']); if($username != '' and $passwort != '') { + /* + * Check, if there is a "login as" instead of a "normal" login + */ + if (isset($_SESSION['s']['user'])){ + /* + * only the admin can "login as" so if the user is NOT a admin, we + * open the startpage (after killing the old session), so the user + * is logout and has to start again! + */ + if ($_SESSION['s']['user']['typ'] != 'admin') { + /* + * The actual user is NOT a admin, but maybe the admin + * has logged in as "normal" user bevore... + */ + if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin')){ + /* The "old" user is admin, so everything is ok */ + } + else { + die("You don't have the right to 'login as'!"); + } + } + $loginAs = true; + } + else { + /* normal login */ + $loginAs = false; + } + //* Check if there already wrong logins $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND `login_time` < NOW() + INTERVAL 15 MINUTE LIMIT 1"; $alreadyfailed = $app->db->queryOneRecord($sql); @@ -67,7 +98,12 @@ if($alreadyfailed['times'] > 5) { $error = $app->lng(1004); } else { - $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )"; + if ($loginAs){ + $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'"; + } + else { + $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )"; + } $user = $app->db->queryOneRecord($sql); if($user) { if($user['active'] == 1) { @@ -75,7 +111,9 @@ $sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'"; $app->db->query($sql); $user = $app->db->toLower($user); + if ($loginAs) $oldSession = $_SESSION['s_old']; $_SESSION = array(); + if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back! $_SESSION['s']['user'] = $user; $_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default'; $_SESSION['s']['language'] = $user['language']; -- Gitblit v1.9.1