use random session key

Roland Gruber 2019-05-23 22:09:05 +02:00
parent 5989df4a43
commit 5a9c4660e1
3 changed files with 24 additions and 11 deletions


@ -1314,7 +1314,7 @@ class accountContainer {
$passwordButton = new htmlButton('accountContainerPassword', _('Set password')); $passwordButton = new htmlButton('accountContainerPassword', _('Set password'));
$passwordButton->setIconClass('passwordButton'); $passwordButton->setIconClass('passwordButton');
$passwordButton->setOnClick('passwordShowChangeDialog(\'' . _('Set password') . '\', \'' . _('Ok') . '\', \'' $passwordButton->setOnClick('passwordShowChangeDialog(\'' . _('Set password') . '\', \'' . _('Ok') . '\', \''
. _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange\',\'' . _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange&editKey=' . htmlspecialchars($this->base) . '\',\''
. getSecurityTokenName() . '\',\'' . getSecurityTokenValue() . '\');'); . getSecurityTokenName() . '\',\'' . getSecurityTokenValue() . '\');');
$leftButtonGroup->addElement($passwordButton); $leftButtonGroup->addElement($passwordButton);
} }
@ -1369,7 +1369,7 @@ class accountContainer {
jQuery("#inputForm").validationEngine(); jQuery("#inputForm").validationEngine();
}); });
</script>'; </script>';
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n"; echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php?editKey=" . htmlspecialchars($this->base) . "\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">'; echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
} }
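Review bot: On the `setOnClick` line, `$this->base` is spliced into a single-quoted JavaScript string literal (`&editKey=' . htmlspecialchars($this->base) . '\'`) inside an onclick handler, but `htmlspecialchars()` with its default flags does not encode single quotes on the PHP versions current for this commit (the default only became `ENT_QUOTES` in PHP 8.1). Since the companion change in edit.php takes `$this->base` from `$_GET['editKey']`, a key containing `'` can terminate the literal and inject into the handler; whether `setOnClick` later attribute-encodes the value is not visible here. Because the value is a URL query component, encode it for that context and for quotes: `'&editKey=' . htmlspecialchars(rawurlencode($this->base), ENT_QUOTES)`; restricting accepted keys to the generated `editContainer…` format in edit.php would close the same hole at the source. The enclosing method of this hunk starts and ends outside the hunk.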


@ -57,6 +57,14 @@ if (!isLoggedIn()) {
// Set correct language, codepages, .... // Set correct language, codepages, ....
setlanguage(); setlanguage();
$sessionAccountPrefix = 'editContainer';
if (isset($_GET['editKey'])) {
$sessionKey = htmlspecialchars($_GET['editKey']);
}
else {
$sessionKey = $sessionAccountPrefix . (new \DateTime(null, getTimeZone()))->getTimestamp() . getRandomNumber();
}
$typeManager = new LAM\TYPES\TypeManager(); $typeManager = new LAM\TYPES\TypeManager();
//load account //load account
if (isset($_GET['DN'])) { if (isset($_GET['DN'])) {
@ -80,8 +88,8 @@ if (isset($_GET['DN'])) {
logNewMessage(LOG_ERR, 'User tried to access entry of type ' . $type->getId() . ' outside suffix ' . $suffix); logNewMessage(LOG_ERR, 'User tried to access entry of type ' . $type->getId() . ' outside suffix ' . $suffix);
die(); die();
} }
$_SESSION['account'] = new accountContainer($type, 'account'); $_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
$result = $_SESSION['account']->load_account($DN); $result = $_SESSION[$sessionKey]->load_account($DN);
if (sizeof($result) > 0) { if (sizeof($result) > 0) {
include __DIR__ . '/../../lib/adminHeader.inc'; include __DIR__ . '/../../lib/adminHeader.inc';
foreach ($result as $message) { foreach ($result as $message) {
@ -92,7 +100,7 @@ if (isset($_GET['DN'])) {
} }
} }
// new account // new account
else if (count($_POST) == 0) { elseif (empty($_POST)) {
$type = $typeManager->getConfiguredType($_GET['type']); $type = $typeManager->getConfiguredType($_GET['type']);
if ($type->isHidden()) { if ($type->isHidden()) {
logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type->getId()); logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type->getId());
@ -102,11 +110,11 @@ else if (count($_POST) == 0) {
logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type->getId()); logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type->getId());
die(); die();
} }
$_SESSION['account'] = new accountContainer($type, 'account'); $_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
$_SESSION['account']->new_account(); $_SESSION[$sessionKey]->new_account();
} }
// show account page // show account page
$_SESSION['account']->continue_main(); $_SESSION[$sessionKey]->continue_main();
?> ?>
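Review bot: The new `editKey` branch takes any string from `$_GET` as the `$_SESSION` key (only `htmlspecialchars()` is applied, which is an output encoder, not a validator), so a request such as `edit.php?type=user&editKey=config` — reachable by a plain GET link in the `empty($_POST)` branch — lets the caller overwrite an arbitrary entry of the logged-in session with an `accountContainer`, and the final `$_SESSION[$sessionKey]->continue_main()` is reached on POST with no check that the key exists or refers to an `accountContainer`, giving a fatal call on null/string instead of a logged rejection. Accept only keys this page itself generates and verify the type before use; the character class below assumes `getRandomNumber()` yields digits — adjust it to whatever that helper actually emits. Unrelated but worth a follow-up: each edit adds a new container to the session and nothing visible here removes old ones, so sessions grow per edit.
```php
$sessionAccountPrefix = 'editContainer';
if (isset($_GET['editKey'])) {
    // accept only keys generated by this page; anything else could alias unrelated session entries
    if (!preg_match('/^' . $sessionAccountPrefix . '[0-9]+$/', $_GET['editKey'])) {
        logNewMessage(LOG_ERR, 'Invalid edit key');
        die();
    }
    $sessionKey = $_GET['editKey'];
}
else {
    $sessionKey = $sessionAccountPrefix . (new \DateTime(null, getTimeZone()))->getTimestamp() . getRandomNumber();
}
// … unchanged: TypeManager, load account / new account branches …
if (!isset($_SESSION[$sessionKey]) || !($_SESSION[$sessionKey] instanceof accountContainer)) {
    logNewMessage(LOG_ERR, 'Unable to find account container');
    die();
}
$_SESSION[$sessionKey]->continue_main();
```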


@ -75,8 +75,12 @@ class Ajax {
if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) { if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
enforceUserIsLoggedIn(); enforceUserIsLoggedIn();
if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) { if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
if (!isset($_SESSION['account'])) die(); $sessionKey = htmlspecialchars($_GET['editKey']);
$module = $_SESSION['account']->getAccountModule($_GET['module']); if (!isset($_SESSION[$sessionKey])) {
logNewMessage(LOG_ERR, 'Unable to find account container');
die();
}
$module = $_SESSION[$sessionKey]->getAccountModule($_GET['module']);
$module->handleAjaxRequest(); $module->handleAjaxRequest();
} }
else { else {
@ -157,7 +161,8 @@ class Ajax {
* @param array $input input parameters * @param array $input input parameters
*/ */
private static function managePasswordChange($input) { private static function managePasswordChange($input) {
$return = $_SESSION['account']->setNewPassword($input); $sessionKey = htmlspecialchars($_GET['editKey']);
$return = $_SESSION[$sessionKey]->setNewPassword($input);
echo json_encode($return); echo json_encode($return);
} }
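Review bot: In `managePasswordChange`, `$_SESSION[$sessionKey]->setNewPassword($input)` is called with no check that `$_GET['editKey']` was supplied, that the session entry exists, or that it is an `accountContainer` — a missing or wrong key produces a fatal "call to a member function on null" rather than the logged `die()` the `useContainer` branch above gets, and a key naming some other session entry calls `setNewPassword` on an arbitrary object. Mirror and tighten the existing guard: `if (!isset($_GET['editKey']) || !isset($_SESSION[$sessionKey]) || !($_SESSION[$sessionKey] instanceof accountContainer)) {` / `logNewMessage(LOG_ERR, 'Unable to find account container'); die();` / `}`. The `useContainer` branch would benefit from the same `isset($_GET['editKey'])` and `instanceof` additions, and since both places now repeat the lookup, a small private helper returning the validated container would keep them consistent. Whether `managePasswordChange`'s caller enforces login before reaching it is not visible in this hunk.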