Project

General

Profile

« Previous | Next » 

Revision 1398

Added by FrankH almost 15 years ago

  1. Security fix in admin/admintools and admin/groups

View differences:

groups.php
43 43 
if($_POST['action'] == 'modify') {
44 44 
	// Create new admin object
45 45 
	$admin = new admin('Access', 'groups_modify', false);
46 

  		




  
  47
  
    
	if (!$admin->checkFTAN())


  		




  
  48
  
    
	{


  		




  
  49
  
    
		$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);


  		




  
  50
  
    
		exit();


  		




  
  51
  
    
	}


  		




  46
  52
  
    
	// Print header


  		




  47
  53
  
    
	$admin->print_header();


  		




  48
  54
  
    
	// Get existing values


  		




  ......




  53
  59
  
    
	$template->set_file('page', 'groups_form.htt');


  		




  54
  60
  
    
	$template->set_block('page', 'main_block', 'main');


  		




  55
  61
  
    
	$template->set_var(	array(


  		




  56
  
  
    
										'ACTION_URL' => ADMIN_URL.'/groups/save.php',


  		




  57
  
  
    
										'SUBMIT_TITLE' => $TEXT['SAVE'],


  		




  58
  
  
    
										'GROUP_ID' => $group['group_id'],


  		




  59
  
  
    
										'GROUP_NAME' => $group['name'],


  		




  60
  
  
    
										'ADVANCED_ACTION' => 'groups.php'


  		




  61
  
  
    
										)


  		




  62
  
  
    
							);


  		




  
  62
  
    
							'ACTION_URL' => ADMIN_URL.'/groups/save.php',


  		




  
  63
  
    
							'SUBMIT_TITLE' => $TEXT['SAVE'],


  		




  
  64
  
    
							'GROUP_ID' => $group['group_id'],


  		




  
  65
  
    
							'GROUP_NAME' => $group['name'],


  		




  
  66
  
    
							'ADVANCED_ACTION' => 'groups.php',


  		




  
  67
  
    
							'FTAN' => $admin->getFTAN()


  		




  
  68
  
    
						));


  		




  63
  69
  
    
	// Tell the browser whether or not to show advanced options


  		




  64
  70
  
    
	if( true == (isset( $_POST['advanced']) AND ( strpos( $_POST['advanced'], ">>") > 0 ) ) ) {


  		




  65
  71
  
    
		$template->set_var('DISPLAY_ADVANCED', '');


  		




  ......




  118
  124
  
    
		


  		




  119
  125
  
    
	// Insert language text and messages


  		




  120
  126
  
    
	$template->set_var(array(


  		




  121
  
  
    
									'TEXT_RESET' => $TEXT['RESET'],


  		




  122
  
  
    
									'TEXT_ACTIVE' => $TEXT['ACTIVE'],


  		




  123
  
  
    
									'TEXT_DISABLED' => $TEXT['DISABLED'],


  		




  124
  
  
    
									'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'],


  		




  125
  
  
    
									'TEXT_USERNAME' => $TEXT['USERNAME'],


  		




  126
  
  
    
									'TEXT_PASSWORD' => $TEXT['PASSWORD'],


  		




  127
  
  
    
									'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'],


  		




  128
  
  
    
									'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'],


  		




  129
  
  
    
									'TEXT_EMAIL' => $TEXT['EMAIL'],


  		




  130
  
  
    
									'TEXT_GROUP' => $TEXT['GROUP'],


  		




  131
  
  
    
									'TEXT_SYSTEM_PERMISSIONS' => $TEXT['SYSTEM_PERMISSIONS'],


  		




  132
  
  
    
									'TEXT_MODULE_PERMISSIONS' => $TEXT['MODULE_PERMISSIONS'],


  		




  133
  
  
    
									'TEXT_TEMPLATE_PERMISSIONS' => $TEXT['TEMPLATE_PERMISSIONS'],


  		




  134
  
  
    
									'TEXT_NAME' => $TEXT['NAME'],


  		




  135
  
  
    
									'SECTION_PAGES' => $MENU['PAGES'],


  		




  136
  
  
    
									'SECTION_MEDIA' => $MENU['MEDIA'],


  		




  137
  
  
    
									'SECTION_MODULES' => $MENU['MODULES'],


  		




  138
  
  
    
									'SECTION_TEMPLATES' => $MENU['TEMPLATES'],


  		




  139
  
  
    
									'SECTION_LANGUAGES' => $MENU['LANGUAGES'],


  		




  140
  
  
    
									'SECTION_SETTINGS' => $MENU['SETTINGS'],


  		




  141
  
  
    
									'SECTION_USERS' => $MENU['USERS'],


  		




  142
  
  
    
									'SECTION_GROUPS' => $MENU['GROUPS'],


  		




  143
  
  
    
									'SECTION_ADMINTOOLS' => $MENU['ADMINTOOLS'],


  		




  144
  
  
    
									'TEXT_VIEW' => $TEXT['VIEW'],


  		




  145
  
  
    
									'TEXT_ADD' => $TEXT['ADD'],


  		




  146
  
  
    
									'TEXT_LEVEL' => $TEXT['LEVEL'],


  		




  147
  
  
    
									'TEXT_MODIFY' => $TEXT['MODIFY'],


  		




  148
  
  
    
									'TEXT_DELETE' => $TEXT['DELETE'],


  		




  149
  
  
    
									'TEXT_MODIFY_CONTENT' => $TEXT['MODIFY_CONTENT'],


  		




  150
  
  
    
									'TEXT_MODIFY_SETTINGS' => $TEXT['MODIFY_SETTINGS'],


  		




  151
  
  
    
									'HEADING_MODIFY_INTRO_PAGE' => $HEADING['MODIFY_INTRO_PAGE'],


  		




  152
  
  
    
									'TEXT_CREATE_FOLDER' => $TEXT['CREATE_FOLDER'],


  		




  153
  
  
    
									'TEXT_RENAME' => $TEXT['RENAME'],


  		




  154
  
  
    
									'TEXT_UPLOAD_FILES' => $TEXT['UPLOAD_FILES'],


  		




  155
  
  
    
									'TEXT_BASIC' => $TEXT['BASIC'],


  		




  156
  
  
    
									'TEXT_ADVANCED' => $TEXT['ADVANCED'],


  		




  157
  
  
    
									'CHANGING_PASSWORD' => $MESSAGE['USERS']['CHANGING_PASSWORD'],


  		




  158
  
  
    
									'HEADING_MODIFY_GROUP' => $HEADING['MODIFY_GROUP']


  		




  159
  
  
    
									)


  		




  160
  
  
    
							);


  		




  
  127
  
    
				'TEXT_RESET' => $TEXT['RESET'],


  		




  
  128
  
    
				'TEXT_ACTIVE' => $TEXT['ACTIVE'],


  		




  
  129
  
    
				'TEXT_DISABLED' => $TEXT['DISABLED'],


  		




  
  130
  
    
				'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'],


  		




  
  131
  
    
				'TEXT_USERNAME' => $TEXT['USERNAME'],


  		




  
  132
  
    
				'TEXT_PASSWORD' => $TEXT['PASSWORD'],


  		




  
  133
  
    
				'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'],


  		




  
  134
  
    
				'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'],


  		




  
  135
  
    
				'TEXT_EMAIL' => $TEXT['EMAIL'],


  		




  
  136
  
    
				'TEXT_GROUP' => $TEXT['GROUP'],


  		




  
  137
  
    
				'TEXT_SYSTEM_PERMISSIONS' => $TEXT['SYSTEM_PERMISSIONS'],


  		




  
  138
  
    
				'TEXT_MODULE_PERMISSIONS' => $TEXT['MODULE_PERMISSIONS'],


  		




  
  139
  
    
				'TEXT_TEMPLATE_PERMISSIONS' => $TEXT['TEMPLATE_PERMISSIONS'],


  		




  
  140
  
    
				'TEXT_NAME' => $TEXT['NAME'],


  		




  
  141
  
    
				'SECTION_PAGES' => $MENU['PAGES'],


  		




  
  142
  
    
				'SECTION_MEDIA' => $MENU['MEDIA'],


  		




  
  143
  
    
				'SECTION_MODULES' => $MENU['MODULES'],


  		




  
  144
  
    
				'SECTION_TEMPLATES' => $MENU['TEMPLATES'],


  		




  
  145
  
    
				'SECTION_LANGUAGES' => $MENU['LANGUAGES'],


  		




  
  146
  
    
				'SECTION_SETTINGS' => $MENU['SETTINGS'],


  		




  
  147
  
    
				'SECTION_USERS' => $MENU['USERS'],


  		




  
  148
  
    
				'SECTION_GROUPS' => $MENU['GROUPS'],


  		




  
  149
  
    
				'SECTION_ADMINTOOLS' => $MENU['ADMINTOOLS'],


  		




  
  150
  
    
				'TEXT_VIEW' => $TEXT['VIEW'],


  		




  
  151
  
    
				'TEXT_ADD' => $TEXT['ADD'],


  		




  
  152
  
    
				'TEXT_LEVEL' => $TEXT['LEVEL'],


  		




  
  153
  
    
				'TEXT_MODIFY' => $TEXT['MODIFY'],


  		




  
  154
  
    
				'TEXT_DELETE' => $TEXT['DELETE'],


  		




  
  155
  
    
				'TEXT_MODIFY_CONTENT' => $TEXT['MODIFY_CONTENT'],


  		




  
  156
  
    
				'TEXT_MODIFY_SETTINGS' => $TEXT['MODIFY_SETTINGS'],


  		




  
  157
  
    
				'HEADING_MODIFY_INTRO_PAGE' => $HEADING['MODIFY_INTRO_PAGE'],


  		




  
  158
  
    
				'TEXT_CREATE_FOLDER' => $TEXT['CREATE_FOLDER'],


  		




  
  159
  
    
				'TEXT_RENAME' => $TEXT['RENAME'],


  		




  
  160
  
    
				'TEXT_UPLOAD_FILES' => $TEXT['UPLOAD_FILES'],


  		




  
  161
  
    
				'TEXT_BASIC' => $TEXT['BASIC'],


  		




  
  162
  
    
				'TEXT_ADVANCED' => $TEXT['ADVANCED'],


  		




  
  163
  
    
				'CHANGING_PASSWORD' => $MESSAGE['USERS']['CHANGING_PASSWORD'],


  		




  
  164
  
    
				'HEADING_MODIFY_GROUP' => $HEADING['MODIFY_GROUP'],


  		




  
  165
  
    
			));


  		




  161
  166
  
    
	


  		




  162
  167
  
    
	// Parse template object


  		




  163
  168
  
    
	$template->parse('main', 'main_block', false);


  		




  ......




  165
  170
  
    
} elseif($_POST['action'] == 'delete') {


  		




  166
  171
  
    
	// Create new admin object


  		




  167
  172
  
    
	$admin = new admin('Access', 'groups_delete', false);


  		




  
  173
  
    

  		




  
  174
  
    
	if (!$admin->checkFTAN())


  		




  
  175
  
    
	{


  		




  
  176
  
    
		$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);


  		




  
  177
  
    
		exit();


  		




  
  178
  
    
	}


  		




  
  179
  
    

  		




  168
  180
  
    
	// Print header


  		




  169
  181
  
    
	$admin->print_header();


  		




  170
  182
  
    
	// Delete the group


  		












Also available in:  Unified diff