Preventing admin to do loginas action without token

This is a useless issue and a useless fix, too.
myvesta 2020-12-12 13:48:51 +01:00 committed by GitHub
parent 00b4267afd
commit 292d933f88
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -16,6 +16,12 @@ if (isset($_GET['logout'])) {
// Login as someone else
if (isset($_SESSION['user'])) {
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
session_destroy();
session_start();
header('Location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
if ( $return_var == 0 ) {