From 1ff5208968bdf9224f622a5ec26e533b809c52ed Mon Sep 17 00:00:00 2001
From: Anton Reutov
Date: Tue, 27 Jul 2021 20:58:34 +0300
Subject: [PATCH] Preventing admin to do loginas action without token
---
 web/login/index.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/web/login/index.php b/web/login/index.php
index 08074b3ef..acb68e561 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -16,6 +16,13 @@ if (isset($_GET['logout'])) {
 // Login as someone else
 if (isset($_SESSION['user'])) {
+ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ session_destroy();
+ session_start();
+ header('Location: /login/');
+ exit();
+ }
+
 if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
 exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
 if ( $return_var == 0 ) {
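Review bot: The token check on the first added line uses loose `!=`, so two numeric-looking strings are compared as numbers (`'1e3' != '1000'` is false in PHP), and when `$_SESSION['token']` was never set the comparison reads an undefined index and relies on `null != $_GET['token']` rather than failing closed explicitly. A type-safe, constant-time comparison covers both: `if (!isset($_GET['token'], $_SESSION['token']) || !is_string($_GET['token']) || !hash_equals((string) $_SESSION['token'], $_GET['token'])) {`. Note also that the guard sits in the outer `isset($_SESSION['user'])` block rather than under the `loginas` condition, so any logged-in user reaching /login/ without a token is now logged out; if only the impersonation path is meant to be protected, the check belongs inside the `loginas` branch. The `if (isset($_SESSION['user']))` block continues past the end of the hunk.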