From 292d933f88e25132c13f030cd5396c3285f00e4a Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sat, 12 Dec 2020 13:48:51 +0100
Subject: [PATCH] Preventing admin to do loginas action without token

This is useless issue and useless fix too.
---
 web/login/index.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/web/login/index.php b/web/login/index.php
index 87aa6f1ab..bf3f2c283 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -16,6 +16,12 @@ if (isset($_GET['logout'])) {
 
 // Login as someone else
 if (isset($_SESSION['user'])) {
+    if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+        session_destroy();
+        session_start();
+        header('Location: /login/');
+        exit();
+    }
     if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
         exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
         if ( $return_var == 0 ) {
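Review bot: The new token guard runs on every request from a user with an active session, not only on the `loginas` action the subject names, so a logged-in user who simply opens /login/ without a token now has their session destroyed; if the rest of this file (outside the hunk) redirects logged-in users to the panel, that flow is broken. The guard should be scoped to the action it protects, and the comparison should not rely on loose `!=` or on `$_SESSION['token']` being set: `if (!empty($_GET['loginas']) && (!isset($_GET['token'], $_SESSION['token']) || !hash_equals((string)$_SESSION['token'], (string)$_GET['token']))) {` with the same destroy/redirect body. `hash_equals` gives a strict, constant-time comparison, and the `isset` on both sides avoids comparing against a missing session token. The enclosing `if (isset($_SESSION['user']))` block continues past the end of the hunk.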