Changeset 994

Timestamp:

04/07/06 17:19:15 (7 years ago)

Author:

joe

Message:

Correction d'un bogue de sécurité majeur. Permet aux admins de se connecter seulement aux membres qu'ils ont crées.

Location:

trunk/bureau/admin

Files:

• adm_list.php (modified) (2 diffs)
• adm_login.php (modified) (1 diff)

trunk/bureau/admin/adm_list.php

@@ -96 +96 @@
                         echo "<img src=\"icon/encrypted.png\" width=\"16\" height=\"16\" alt=\""._("Locked Account")."\" />";
                 else {
+                  if($admin->checkcreator($val['uid'])) {
                 ?>
                         <a href="adm_login.php?id=<?php echo $val["uid"];?>" target="_parent"><?php __("Connect as"); ?></a>
-                <?php } ?>
+                <?php } } ?>
                 </td>
                 <td <?php if ($val["su"]) echo "style=\"color: red\""; ?>><?php echo $val["login"] ?></td>
@@ -168 +169 @@
                         echo "<img src=\"icon/encrypted.png\" width=\"16\" height=\"16\" alt=\""._("Locked Account")."\">";
                 else {
+                  if($admin->checkcreator($val['uid'])) {
                 ?>
                         <a href="adm_login.php?id=<?php echo $val["uid"];?>" target="_parent"><?php __("C"); ?></a>
-                <?php } ?>
+                <?php } } ?>
                 </td>
                 <td style="padding-right: 2px; border-right: 1px solid; <?php if ($val["su"]) echo "color: red"; ?>"><?php echo $val["login"] ?></td>

trunk/bureau/admin/adm_login.php

@@ -34 +34 @@
         exit();
 }
-/*
+
+$id = $_GET['id'];
+
 if (!$admin->checkcreator($id)) {
   __("This page is restricted to authorized staff");
   exit();
 }
-*/
 
 if (!$r=$admin->get($id)) {