use random session key
This commit is contained in:
parent
5989df4a43
commit
5a9c4660e1
|
@ -1314,7 +1314,7 @@ class accountContainer {
|
|||
$passwordButton = new htmlButton('accountContainerPassword', _('Set password'));
|
||||
$passwordButton->setIconClass('passwordButton');
|
||||
$passwordButton->setOnClick('passwordShowChangeDialog(\'' . _('Set password') . '\', \'' . _('Ok') . '\', \''
|
||||
. _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange\',\''
|
||||
. _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange&editKey=' . htmlspecialchars($this->base) . '\',\''
|
||||
. getSecurityTokenName() . '\',\'' . getSecurityTokenValue() . '\');');
|
||||
$leftButtonGroup->addElement($passwordButton);
|
||||
}
|
||||
|
@ -1369,7 +1369,7 @@ class accountContainer {
|
|||
jQuery("#inputForm").validationEngine();
|
||||
});
|
||||
</script>';
|
||||
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
|
||||
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php?editKey=" . htmlspecialchars($this->base) . "\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
}
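Review bot: `htmlspecialchars($this->base)` in the `passwordChange&editKey=` URL of the onclick string (and in the form action of the second hunk) encodes for HTML only, while the value actually lands in a URL query component that sits inside a single-quoted JavaScript literal inside an attribute. On PHP before 8.1 the default flags leave single quotes untouched, and a query value should be percent-encoded regardless, so encode per context: `htmlspecialchars(rawurlencode($this->base), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in both places. Judging from edit.php in this same commit, `$this->base` appears to originate from `$_GET['editKey']`, so unless edit.php restricts it to the `editContainer<digits>` shape it generates, this is user-controlled output. The enclosing methods begin outside both hunks.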
|
||||
|
||||
|
|
|
@ -57,6 +57,14 @@ if (!isLoggedIn()) {
|
|||
// Set correct language, codepages, ....
|
||||
setlanguage();
|
||||
|
||||
$sessionAccountPrefix = 'editContainer';
|
||||
if (isset($_GET['editKey'])) {
|
||||
$sessionKey = htmlspecialchars($_GET['editKey']);
|
||||
}
|
||||
else {
|
||||
$sessionKey = $sessionAccountPrefix . (new \DateTime(null, getTimeZone()))->getTimestamp() . getRandomNumber();
|
||||
}
|
||||
|
||||
$typeManager = new LAM\TYPES\TypeManager();
|
||||
//load account
|
||||
if (isset($_GET['DN'])) {
|
||||
|
@ -80,8 +88,8 @@ if (isset($_GET['DN'])) {
|
|||
logNewMessage(LOG_ERR, 'User tried to access entry of type ' . $type->getId() . ' outside suffix ' . $suffix);
|
||||
die();
|
||||
}
|
||||
$_SESSION['account'] = new accountContainer($type, 'account');
|
||||
$result = $_SESSION['account']->load_account($DN);
|
||||
$_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
|
||||
$result = $_SESSION[$sessionKey]->load_account($DN);
|
||||
if (sizeof($result) > 0) {
|
||||
include __DIR__ . '/../../lib/adminHeader.inc';
|
||||
foreach ($result as $message) {
|
||||
|
@ -92,7 +100,7 @@ if (isset($_GET['DN'])) {
|
|||
}
|
||||
}
|
||||
// new account
|
||||
else if (count($_POST) == 0) {
|
||||
elseif (empty($_POST)) {
|
||||
$type = $typeManager->getConfiguredType($_GET['type']);
|
||||
if ($type->isHidden()) {
|
||||
logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type->getId());
|
||||
|
@ -102,11 +110,11 @@ else if (count($_POST) == 0) {
|
|||
logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type->getId());
|
||||
die();
|
||||
}
|
||||
$_SESSION['account'] = new accountContainer($type, 'account');
|
||||
$_SESSION['account']->new_account();
|
||||
$_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
|
||||
$_SESSION[$sessionKey]->new_account();
|
||||
}
|
||||
|
||||
// show account page
|
||||
$_SESSION['account']->continue_main();
|
||||
$_SESSION[$sessionKey]->continue_main();
|
||||
|
||||
?>
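Review bot: `$sessionKey = htmlspecialchars($_GET['editKey'])` accepts any string as the session slot name, so `$_SESSION[$sessionKey] = new accountContainer(...)` in the later hunks can overwrite an unrelated session entry and `$_SESSION[$sessionKey]->continue_main()` at the end runs against a missing or non-container value; htmlspecialchars is an output encoder and does not constrain this. Validate against the shape this script itself generates (assuming `getRandomNumber()` yields digits), e.g. `if (!isset($_GET['editKey']) || !preg_match('/^editContainer[0-9]+$/', $_GET['editKey'])) {` and fall through to the else branch that creates a fresh key, and before `continue_main()` mirror the Ajax hunk with `if (!(($_SESSION[$sessionKey] ?? null) instanceof accountContainer)) { logNewMessage(LOG_ERR, 'Unable to find account container'); die(); }`. Separately, `new \DateTime(null, getTimeZone())` passes null for the time string, which PHP 8.1 deprecates; use `'now'`. The `if (isset($_GET['DN']))` chain spans several hunks and its middle is outside the view.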
|
||||
|
|
|
@ -75,8 +75,12 @@ class Ajax {
|
|||
if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
|
||||
enforceUserIsLoggedIn();
|
||||
if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
|
||||
if (!isset($_SESSION['account'])) die();
|
||||
$module = $_SESSION['account']->getAccountModule($_GET['module']);
|
||||
$sessionKey = htmlspecialchars($_GET['editKey']);
|
||||
if (!isset($_SESSION[$sessionKey])) {
|
||||
logNewMessage(LOG_ERR, 'Unable to find account container');
|
||||
die();
|
||||
}
|
||||
$module = $_SESSION[$sessionKey]->getAccountModule($_GET['module']);
|
||||
$module->handleAjaxRequest();
|
||||
}
|
||||
else {
|
||||
|
@ -157,7 +161,8 @@ class Ajax {
|
|||
* @param array $input input parameters
|
||||
*/
|
||||
private static function managePasswordChange($input) {
|
||||
$return = $_SESSION['account']->setNewPassword($input);
|
||||
$sessionKey = htmlspecialchars($_GET['editKey']);
|
||||
$return = $_SESSION[$sessionKey]->setNewPassword($input);
|
||||
echo json_encode($return);
|
||||
}
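Review bot: `$sessionKey = htmlspecialchars($_GET['editKey'])` in both hunks reads the parameter with no `isset()` check, and `managePasswordChange` then calls `setNewPassword()` on `$_SESSION[$sessionKey]` without the existence check the first hunk performs, so a request lacking the key ends in a warning (null passed to htmlspecialchars, deprecated in 8.1) followed by a fatal method call on null instead of the logged `die()`. Any string is also accepted as the slot name, so the lookup can resolve to a session entry that is not an accountContainer. Factor the lookup into one private static helper that checks the key shape (assuming `getRandomNumber()` yields digits) and the object type, and use it at both call sites, roughly:
```php
/** Returns the edit container addressed by editKey or terminates the request. */
private static function getEditContainer() {
    $key = $_GET['editKey'] ?? '';
    if (!preg_match('/^editContainer[0-9]+$/', $key) || !(($_SESSION[$key] ?? null) instanceof accountContainer)) {
        logNewMessage(LOG_ERR, 'Unable to find account container');
        die();
    }
    return $_SESSION[$key];
}

// … unchanged: useContainer branch up to the module lookup …
$module = self::getEditContainer()->getAccountModule($_GET['module']);

private static function managePasswordChange($input) {
    $return = self::getEditContainer()->setNewPassword($input);
    echo json_encode($return);
}
```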
|
||||
|
||||
|
|