From 75b42a68ff3cc25d567bf4b87570b18cbb1bd177 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Mon, 16 Feb 2015 19:54:21 +0000 Subject: [PATCH] check if accounts are edited in multiple browser tabs --- lam/lib/lists.inc | 5 ++++- lam/lib/modules.inc | 16 +++++++++++++--- lam/templates/account/edit.php | 7 ++++--- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/lam/lib/lists.inc b/lam/lib/lists.inc index 621392dd..6fa649d3 100644 --- a/lam/lib/lists.inc +++ b/lam/lib/lists.inc @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2014 Roland Gruber + Copyright (C) 2003 - 2015 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1078,6 +1078,9 @@ class lamList { StatusMessage('INFO', sprintf(_('You can download your PDF files {link=%s}{color=#d2131a}here{endcolor}{endlink}.'), '../' . $_SESSION['mass_pdf']['file'])); } } + elseif (isset($_GET['accountEditInvalidID'])) { + StatusMessage('WARN', _('Please do not edit multiple accounts in parallel in multiple browser tabs.')); + } if (isset($_SESSION['listRedirectMessages'])) { for ($i = 0; $i < sizeof($_SESSION['listRedirectMessages']); $i++) { call_user_func_array('StatusMessage', $_SESSION['listRedirectMessages'][$i]); diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc index f6795dcd..ee0dc19b 100644 --- a/lam/lib/modules.inc +++ b/lam/lib/modules.inc @@ -683,8 +683,9 @@ class accountContainer { * * @param string $type account type * @param string $base key in $_SESSION where this object is saved + * @param integer $randomID random ID to avoid parallel editing (default: null) */ - function __construct($type, $base) { + function __construct($type, $base, $randomID = null) { /* Set the type of account. Valid * types are: user, group, host */ 
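Review bot: In the `@@ -1078` hunk of lam/lib/lists.inc the warning depends only on the presence of `$_GET['accountEditInvalidID']`, so any link carrying that parameter displays it, and it reappears on every reload of that URL. The message text is static, so nothing from the request is reflected. The context lines directly below show an existing `$_SESSION['listRedirectMessages']` mechanism that could carry this warning instead; the redirect in `accountContainer` would then queue `array('WARN', _('Please do not edit multiple accounts in parallel in multiple browser tabs.'))` rather than append a query flag. The new `elseif` is chained to an `if` that begins outside the hunk, so the warning is skipped whenever that earlier branch runs.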
@@ -698,8 +699,9 @@ class accountContainer { $this->current_page=0; $this->subpage='attributes'; $this->isNewAccount = false; + $this->randomID = $randomID; return 0; - } + } /** * Array of all used attributes @@ -760,6 +762,9 @@ class accountContainer { private $sendPasswordViaMail = null; /** send password via mail to this alternate address */ private $sendPasswordViaMailAlternateAddress = null; + + /** random ID number to avoid parallel editing of accounts in multiple browser tabs */ + private $randomID = null; /** * Returns the account module with the given class name @@ -799,6 +804,10 @@ class accountContainer { * It prints the HTML code of each account page. */ function continue_main() { + if (!empty($_POST['account_randomID']) && ($this->randomID != $_POST['account_randomID'])) { + metaRefresh("../lists/list.php?type=" . $this->type . '&accountEditInvalidID=true'); + exit(); + } $oldPage = $this->current_page; $oldSubpage = $this->subpage; $post = $_POST; @@ -1294,7 +1303,8 @@ class accountContainer { jQuery("#inputForm").validationEngine(); }); '; - echo "
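Review bot: The guard added at the top of `continue_main()` (hunk `@@ -799`) fails open: `!empty($_POST['account_randomID'])` skips the comparison whenever the field is missing, empty or `"0"`, so a POST that omits the field is still processed against whatever account the session holds. If every edit-form submission is meant to carry the ID, key the check on a non-empty `$_POST` and compare strictly, e.g. `if (!empty($_POST) && (!isset($_POST['account_randomID']) || (string) $this->randomID !== (string) $_POST['account_randomID']))`. Callers that still construct the container with the default `null` would need separate handling under that stricter check. The loose `!=` relies on PHP's numeric string juggling, and `$this->type` goes into the redirect URL without `urlencode()`. The body of `continue_main()` continues outside the hunk.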
\n"; + echo "\n"; + echo ''; } /** diff --git a/lam/templates/account/edit.php b/lam/templates/account/edit.php index f04bca01..b256cdad 100644 --- a/lam/templates/account/edit.php +++ b/lam/templates/account/edit.php @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Tilo Lutz - 2005 - 2014 Roland Gruber + 2005 - 2015 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -57,6 +57,7 @@ if (!isLoggedIn()) { // Set correct language, codepages, .... setlanguage(); + //load account if (isset($_GET['DN'])) { $DN = str_replace("\\'", '', $_GET['DN']); @@ -80,7 +81,7 @@ if (isset($_GET['DN'])) { logNewMessage(LOG_ERR, 'User tried to access entry of type ' . $type . ' outside suffix ' . $suffix); die(); } - $_SESSION['account'] = new accountContainer($type, 'account'); + $_SESSION['account'] = new accountContainer($type, 'account', getRandomNumber()); $result = $_SESSION['account']->load_account($DN); if (sizeof($result) > 0) { include '../main_header.php'; @@ -103,7 +104,7 @@ else if (count($_POST)==0) { logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type); die(); } - $_SESSION['account'] = new accountContainer($type, 'account'); + $_SESSION['account'] = new accountContainer($type, 'account', getRandomNumber()); $_SESSION['account']->new_account(); }
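Review bot: `getRandomNumber()` is not defined in this patch, and neither call in lam/templates/account/edit.php (hunks `@@ -80` and `@@ -103`) says what the resulting ID may be relied on for. As used here it only tells browser tabs apart, where predictability hardly matters. A comment such as `// tab marker only, not an anti-forgery token` at the call sites or on the `$randomID` property would keep later code from treating it as one unless the generator is known to be cryptographically strong. Assigning a fresh container to `$_SESSION['account']` is also what invalidates the other tab, so that tab's unsaved input is discarded on its next submit; this is worth stating in the same comment.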