
Source code changes of the file "interface/web/login/index.php" between
ISPConfig-3.2.6.tar.gz and ISPConfig-3.2.7.tar.gz

About: ISPConfig is an ISP management and Hosting Control Panel (for different Managed Services).

index.php  (ISPConfig-3.2.6):index.php  (ISPConfig-3.2.7)
skipping to change at line 99 skipping to change at line 99
* if he is reseller, we need to check if he logs in to one of his clients * if he is reseller, we need to check if he logs in to one of his clients
*/ */
if($_SESSION['s_old']['user']['typ'] != ' admin') { if($_SESSION['s_old']['user']['typ'] != ' admin') {
/* this is the one currently logg ed in (normal user) */ /* this is the one currently logg ed in (normal user) */
$old_client_group_id = $app->func tions->intval($_SESSION["s"]["user"]["default_group"]); $old_client_group_id = $app->func tions->intval($_SESSION["s"]["user"]["default_group"]);
$old_client = $app->db->queryOneR ecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client W HERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $old_cli ent_group_id); $old_client = $app->db->queryOneR ecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client W HERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $old_cli ent_group_id);
/* this is the reseller, that sha ll be re-logged in */ /* this is the reseller, that sha ll be re-logged in */
$sql = "SELECT * FROM sys_user WH ERE USERNAME = ? and PASSWORT = ?"; $sql = "SELECT * FROM sys_user WH ERE USERNAME = ? and PASSWORT = ?";
$tmp = $app->db->queryOneRecord($ sql, $username, $password); $tmp = $app->db->queryOneRecord($ sql, (string)$username, (string)$password);
$client_group_id = $app->function s->intval($tmp['default_group']); $client_group_id = $app->function s->intval($tmp['default_group']);
$tmp_client = $app->db->queryOneR ecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $tmp_client = $app->db->queryOneR ecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
if(!$tmp_client || $old_client["p arent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESS ION["s_old"]["user"]["default_group"] ) { if(!$tmp_client || $old_client["p arent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESS ION["s_old"]["user"]["default_group"] ) {
die("You don't have the r ight to 'login as' this user!"); die("You don't have the r ight to 'login as' this user!");
} }
unset($old_client); unset($old_client);
unset($tmp_client); unset($tmp_client);
unset($tmp); unset($tmp);
} }
skipping to change at line 121 skipping to change at line 121
else { else {
die("You don't have the right to 'login a s'!"); die("You don't have the right to 'login a s'!");
} }
} elseif($_SESSION['s']['user']['typ'] != 'admin' && (!is set($_SESSION['s_old']['user']) || $_SESSION['s_old']['user']['typ'] != 'admin') ) { } elseif($_SESSION['s']['user']['typ'] != 'admin' && (!is set($_SESSION['s_old']['user']) || $_SESSION['s_old']['user']['typ'] != 'admin') ) {
/* a reseller wants to 'login as', we need to che ck if he is allowed to */ /* a reseller wants to 'login as', we need to che ck if he is allowed to */
$res_client_group_id = $app->functions->intval($_ SESSION["s"]["user"]["default_group"]); $res_client_group_id = $app->functions->intval($_ SESSION["s"]["user"]["default_group"]);
$res_client = $app->db->queryOneRecord("SELECT cl ient.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_ id and sys_group.groupid = ?", $res_client_group_id); $res_client = $app->db->queryOneRecord("SELECT cl ient.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_ id and sys_group.groupid = ?", $res_client_group_id);
/* this is the user the reseller wants to 'login as' */ /* this is the user the reseller wants to 'login as' */
$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?"; $sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
$tmp = $app->db->queryOneRecord($sql, $username, $password); $tmp = $app->db->queryOneRecord($sql, (string)$us ername, (string)$password);
$tmp_client = $app->db->queryOneRecord("SELECT cl ient.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.c lient_id = client.client_id and sys_group.groupid = ?", $tmp["default_group"]); $tmp_client = $app->db->queryOneRecord("SELECT cl ient.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.c lient_id = client.client_id and sys_group.groupid = ?", $tmp["default_group"]);
if(!$tmp || $tmp_client["parent_client_id"] != $r es_client["client_id"]) { if(!$tmp || $tmp_client["parent_client_id"] != $r es_client["client_id"]) {
die("You don't have the right to login as this user!"); die("You don't have the right to login as this user!");
} }
unset($res_client); unset($res_client);
unset($tmp); unset($tmp);
unset($tmp_client); unset($tmp_client);
} }
$loginAs = true; $loginAs = true;
skipping to change at line 149 skipping to change at line 149
$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_ time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_ time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
$alreadyfailed = $app->db->queryOneRecord($sql, $ip); $alreadyfailed = $app->db->queryOneRecord($sql, $ip);
//* too many failedlogins //* too many failedlogins
if($alreadyfailed['times'] > 5) { if($alreadyfailed['times'] > 5) {
$error = $app->lng('error_user_too_many_logins'); $error = $app->lng('error_user_too_many_logins');
} else { } else {
if ($loginAs){ if ($loginAs){
$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?"; $sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
$user = $app->db->queryOneRecord($sql, $username, $password); $user = $app->db->queryOneRecord($sql, (string)$u sername, (string)$password);
} else { } else {
if(stristr($username, '@')) { if(stristr($username, '@')) {
//* mailuser login //* mailuser login
$sql = "SELECT * FROM mail_user WHERE log in = ? or email = ?"; $sql = "SELECT * FROM mail_user WHERE log in = ? or email = ?";
$mailuser = $app->db->queryOneRecord($sql , $username, $app->functions->idn_encode($username)); $mailuser = $app->db->queryOneRecord($sql , (string)$username, $app->functions->idn_encode($username));
$user = false; $user = false;
if($mailuser) { if($mailuser) {
$saved_password = stripslashes($m ailuser['password']); $saved_password = stripslashes($m ailuser['password']);
//* Check if mailuser password is correct //* Check if mailuser password is correct
if(crypt(stripslashes($password), $saved_password) == $saved_password) { if(crypt(stripslashes($password), $saved_password) == $saved_password) {
//* Get the sys_user lang uage of the client of the mailuser //* Get the sys_user lang uage of the client of the mailuser
$sys_user_lang = $app->db ->queryOneRecord("SELECT language FROM sys_user WHERE default_group = ?", $mailu ser['sys_groupid'] ); $sys_user_lang = $app->db ->queryOneRecord("SELECT language FROM sys_user WHERE default_group = ?", $mailu ser['sys_groupid'] );
//* we build a fake user here which has access to the mailuser module only and userid 0 //* we build a fake user here which has access to the mailuser module only and userid 0
$user = array(); $user = array();
skipping to change at line 187 skipping to change at line 187
} }
$user['theme'] = $conf['t heme']; $user['theme'] = $conf['t heme'];
$user['app_theme'] = $con f['theme']; $user['app_theme'] = $con f['theme'];
$user['mailuser_id'] = $m ailuser['mailuser_id']; $user['mailuser_id'] = $m ailuser['mailuser_id'];
$user['default_group'] = $mailuser['sys_groupid']; $user['default_group'] = $mailuser['sys_groupid'];
} }
} }
} else { } else {
//* normal cp user login //* normal cp user login
$sql = "SELECT * FROM sys_user WHERE USER NAME = ?"; $sql = "SELECT * FROM sys_user WHERE USER NAME = ?";
$user = $app->db->queryOneRecord($sql, $u sername); $user = $app->db->queryOneRecord($sql, (s tring)$username);
if($user) { if($user) {
$saved_password = stripslashes($u ser['passwort']); $saved_password = stripslashes($u ser['passwort']);
if(substr($saved_password, 0, 1) == '$') { if(substr($saved_password, 0, 1) == '$') {
//* The password is encry pted with crypt //* The password is encry pted with crypt
if(crypt(stripslashes($pa ssword), $saved_password) != $saved_password) { if(crypt(stripslashes($pa ssword), $saved_password) != $saved_password) {
$user = false; $user = false;
} }
} else { } else {
//* The password is md5 e ncrypted //* The password is md5 e ncrypted
if(md5($password) != $sav ed_password) { if(md5($password) != $sav ed_password) {
$user = false; $user = false;
} else { } else {
// update passwor d with secure algo // update passwor d with secure algo
$sql = 'UPDATE `s ys_user` SET `passwort` = ? WHERE `username` = ?'; $sql = 'UPDATE `s ys_user` SET `passwort` = ? WHERE `username` = ?';
$app->db->query($ sql, $app->auth->crypt_password($password), $username); $app->db->query($ sql, $app->auth->crypt_password($password), (string)$username);
} }
} }
} else { } else {
$user = false; $user = false;
} }
} }
} }
if($user) { if($user) {
if($user['active'] == 1) { if($user['active'] == 1) {
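Review bot: The password checks in the normal-login branch still use loose comparison — `if(md5($password) != $saved_password)` in the md5 fallback and `crypt(stripslashes($password), $saved_password) == / != $saved_password` in the two crypt branches — and the commit's new `(string)` casts do not touch those lines; PHP's `==` on hash strings is neither constant-time nor strict (hex digests of the `0e…` digit-only form compare numerically equal), so I would change them to `if(!hash_equals($saved_password, md5($password)))` and `if(!hash_equals($saved_password, crypt(stripslashes($password), $saved_password)))` (negated as the crypt branches need). The cast is also applied only at the query call sites: in the same branch `$password` still reaches `stripslashes()`, `md5()` and `crypt_password()` uncast and `$username` reaches `stristr()` uncast, so a non-string value (presumably these come straight from the request, which is not visible here) would fail in those calls rather than in the query; casting both once where they are read would cover every consumer instead of each `queryOneRecord` argument. The surrounding login handler begins above the first hunk and the `if($user)` block continues past the last shown line.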
 End of changes. 6 change blocks. 
6 lines changed or deleted 6 lines changed or added
