diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc
index bcce009f..4d887095 100644
--- a/lam/lib/modules.inc
+++ b/lam/lib/modules.inc
@@ -1314,7 +1314,7 @@ class accountContainer {
 $passwordButton = new htmlButton('accountContainerPassword', _('Set password'));
 $passwordButton->setIconClass('passwordButton');
 $passwordButton->setOnClick('passwordShowChangeDialog(\'' . _('Set password') . '\', \'' . _('Ok') . '\', \''
- . _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange\',\''
+ . _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange&editKey=' . htmlspecialchars($this->base) . '\',\''
 . getSecurityTokenName() . '\',\'' . getSecurityTokenValue() . '\');');
 $leftButtonGroup->addElement($passwordButton);
 }
@@ -1369,7 +1369,7 @@ class accountContainer {
 jQuery("#inputForm").validationEngine();
 });
 ';
- echo "
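Review bot: The key is placed inside a single-quoted JavaScript string literal in an onclick attribute using `htmlspecialchars($this->base)`, which is HTML-context escaping: the browser decodes the attribute value before the JavaScript parser sees it, so an entity does not keep a quote inside the string (and on PHP versions before 8.1 the default flags leave single quotes unencoded anyway). The value lives in a URL query parameter, so encoding it for that context is the safer layering, `'&editKey=' . rawurlencode($this->base) . '\',\''`, and the form action in the second hunk of this file wants the same treatment, `htmlspecialchars(rawurlencode($this->base))`. This is hardening rather than the fix: `$this->base` is either the server-generated `editContainer…` value or, via edit.php, whatever arrived in `$_GET['editKey']`, so format validation at that boundary is what actually bounds the character set. The enclosing method starts and ends outside the hunk.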
\n";
+ echo "base) . "\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
 echo '';
 }
diff --git a/lam/templates/account/edit.php b/lam/templates/account/edit.php
index 0c5b4a01..02ba8be3 100644
--- a/lam/templates/account/edit.php
+++ b/lam/templates/account/edit.php
@@ -57,6 +57,14 @@ if (!isLoggedIn()) {
 // Set correct language, codepages, ....
 setlanguage();
+$sessionAccountPrefix = 'editContainer';
+if (isset($_GET['editKey'])) {
+ $sessionKey = htmlspecialchars($_GET['editKey']);
+}
+else {
+ $sessionKey = $sessionAccountPrefix . (new \DateTime(null, getTimeZone()))->getTimestamp() . getRandomNumber();
+}
+
 $typeManager = new LAM\TYPES\TypeManager();
 //load account
 if (isset($_GET['DN'])) {
@@ -80,8 +88,8 @@ if (isset($_GET['DN'])) {
 logNewMessage(LOG_ERR, 'User tried to access entry of type ' . $type->getId() . ' outside suffix ' . $suffix);
 die();
 }
- $_SESSION['account'] = new accountContainer($type, 'account');
- $result = $_SESSION['account']->load_account($DN);
+ $_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
+ $result = $_SESSION[$sessionKey]->load_account($DN);
 if (sizeof($result) > 0) {
 include __DIR__ . '/../../lib/adminHeader.inc';
 foreach ($result as $message) {
@@ -92,7 +100,7 @@ if (isset($_GET['DN'])) {
 }
 }
 // new account
-else if (count($_POST) == 0) {
+elseif (empty($_POST)) {
 $type = $typeManager->getConfiguredType($_GET['type']);
 if ($type->isHidden()) {
 logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type->getId()); 
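Review bot: `htmlspecialchars($_GET['editKey'])` is an output encoder, not a validator, and its result becomes a `$_SESSION` index that the following hunks assign to (`$_SESSION[$sessionKey] = new accountContainer(...)`), so a client-chosen string decides which entry of the session is overwritten or read. Restrict the key to the shape the else branch generates before using it, e.g. `if (isset($_GET['editKey']) && preg_match('/^' . $sessionAccountPrefix . '[0-9a-zA-Z]+$/', $_GET['editKey'])) { $sessionKey = $_GET['editKey']; }`, letting any other value fall through to a fresh key; ajax.php reads the same parameter twice with only `htmlspecialchars`, so a small shared helper that validates and returns the key would keep the three readers consistent (I am assuming `getRandomNumber()` yields digits as the timestamp does — widen the class otherwise). Separately, `new \DateTime(null, getTimeZone())` passes null where a string is expected, which newer PHP versions flag; `'now'` is the explicit equivalent.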
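Review bot: Each load now stores a fresh accountContainer under a unique key and nothing in this diff removes it afterwards; unless continue_main() or the save/cancel path unsets `$_SESSION[$sessionKey]` (not visible here), a long-lived session accumulates one container per opened edit page, all serialized on every request. Consider unsetting the container once the edit completes, or dropping entries whose key starts with `$sessionAccountPrefix` when a new one is created. The new-account branch in the hunk starting at new line 110 has the same property.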
@@ -102,11 +110,11 @@ else if (count($_POST) == 0) {
 logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type->getId());
 die();
 }
- $_SESSION['account'] = new accountContainer($type, 'account');
- $_SESSION['account']->new_account();
+ $_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
+ $_SESSION[$sessionKey]->new_account();
 }
 // show account page
-$_SESSION['account']->continue_main();
+$_SESSION[$sessionKey]->continue_main();
 ?>
diff --git a/lam/templates/misc/ajax.php b/lam/templates/misc/ajax.php
index aba76cf3..eff89675 100644
--- a/lam/templates/misc/ajax.php
+++ b/lam/templates/misc/ajax.php
@@ -75,8 +75,12 @@ class Ajax {
 if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
 enforceUserIsLoggedIn();
 if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
- if (!isset($_SESSION['account'])) die();
- $module = $_SESSION['account']->getAccountModule($_GET['module']);
+ $sessionKey = htmlspecialchars($_GET['editKey']);
+ if (!isset($_SESSION[$sessionKey])) {
+ logNewMessage(LOG_ERR, 'Unable to find account container');
+ die();
+ }
+ $module = $_SESSION[$sessionKey]->getAccountModule($_GET['module']);
 $module->handleAjaxRequest();
 }
 else {
@@ -157,7 +161,8 @@ class Ajax {
 * @param array $input input parameters
 */
 private static function managePasswordChange($input) {
- $return = $_SESSION['account']->setNewPassword($input);
+ $sessionKey = htmlspecialchars($_GET['editKey']);
+ $return = $_SESSION[$sessionKey]->setNewPassword($input);
 echo json_encode($return);
 }
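Review bot: `$_SESSION[$sessionKey]->continue_main()` has no existence check, yet it is the only path taken when `$_POST` is non-empty and no DN is given, so a form submitted with an expired, mistyped or unknown editKey calls a method on null and ends in a fatal error rather than the controlled exit the ajax.php hunk uses. Mirror that check before the call: `if (!isset($_SESSION[$sessionKey])) { logNewMessage(LOG_ERR, 'Unable to find account container'); die(); }`. A logged exit also makes a lost or tampered key visible in the log instead of in a PHP error page.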
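Review bot: `$_GET['editKey']` is read without an `isset` check, so a request that omits it raises an undefined-index notice (and, on PHP 8.1+, a deprecation for the null passed to `htmlspecialchars`) before the existence test runs; `$sessionKey = isset($_GET['editKey']) ? htmlspecialchars($_GET['editKey']) : '';` keeps the `die()` path as the outcome. As in edit.php, `htmlspecialchars` is not a format check: the key indexes `$_SESSION` directly, and the existence test only guarantees that some entry is there, not that it is an accountContainer, so validating against the `editContainer` prefix and an alphanumeric suffix before the lookup is the missing step. The enclosing method starts and ends outside the hunk.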
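Review bot: `managePasswordChange` calls `setNewPassword()` on `$_SESSION[$sessionKey]` without the existence check the earlier hunk in this file adds, so an unknown or missing editKey produces a fatal error on a null object rather than a logged `die()`; the same guard belongs here, `if (!isset($_SESSION[$sessionKey])) { logNewMessage(LOG_ERR, 'Unable to find account container'); die(); }`, and `$_GET['editKey']` again needs an `isset` check before `htmlspecialchars`. The docblock, which starts outside the hunk, should also name the new input, e.g. ` * Reads the account container from $_SESSION using the editKey GET parameter.`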