From f3192b7f12760d872a8c266d1db299f85332d9a0 Mon Sep 17 00:00:00 2001
From: katagia
Date: Fri, 2 May 2003 07:59:13 +0000
Subject: [PATCH] Added security check
---
lam/templates/delete.php | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/lam/templates/delete.php b/lam/templates/delete.php
index bd7cfe7e..2de37438 100644
--- a/lam/templates/delete.php
+++ b/lam/templates/delete.php
@@ -33,7 +33,7 @@ echo _('Delete Account'); echo ' -
+ @@ -41,10 +41,34 @@ echo ' if ($type) { + $DN2 = explode(";", str_replace("\'", '',$DN)); + echo ''; + echo ''; + switch ($type) { + case 'user': + echo _('Do you really want to delete user(s):'); + break; + case 'host': + echo _('Do you really want to delete host(s):'); + break; + case 'group': + echo _('Do you really want to delete group(s):'); + break; + } + echo ''; + foreach ($DN2 as $dn) echo ''; + echo '
'; echo ''; ?>
'.$dn.'
+ + '; + } + +if ($delete_yes) { $DN = str_replace("\'", '',$DN); - $DN2 = explode(";", $DN); + $DN2 = explode(";", str_replace("\\", '',$DN)); foreach ($DN2 as $dn) { - switch ($type) { + switch ($type5) { case 'user': $success = ldap_delete($_SESSION['ldap']->server(), $dn); if (!$success) $error = _('Could not delete user: ').$dn; @@ -70,6 +94,9 @@ if ($type) { echo '
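Review bot: The confirmation list echoes each entry as `'.$dn.'` straight into the page, and `$DN2` is built from `$DN` with only `\'` removed, so markup in a DN value would be rendered as HTML; wrap the output as `htmlspecialchars($dn, ENT_QUOTES)`. `$DN` is not assigned in the visible lines, so treating it as request-supplied is an inference. The new `if ($delete_yes)` branch is gated on a submitted flag alone and still reads `$DN` and `$type5` as bare globals, so the confirmation page does not by itself tie the delete request to the form that was shown; a per-session token emitted with the form and compared before `ldap_delete()` would close that. `$type5` is also not defined anywhere in the hunk, so if it is unset no `case` matches and the loop deletes nothing without reporting an error. The markup inside the echoed strings is not visible on this page, and the `switch` body continues past the hunk.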
'; } } + +if ($delete_no) echo _('Nothing was deleted.'); + echo '