pass formkey when substituting user

This commit is contained in:
Uwe Steinmann 2015-07-15 08:24:15 +02:00
parent 9fee411f3f
commit 0351305995
2 changed files with 9 additions and 3 deletions


@ -25,14 +25,20 @@ include("../inc/inc.DBInit.php");
include("../inc/inc.ClassUI.php");
include("../inc/inc.Authentication.php");
if (!$user->isAdmin()) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
/* Check if the form data comes for a trusted request */
if(!checkFormKey('substituteuser', 'GET')) {
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
}
if (!isset($_GET["userid"])) {
UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
}
/* Check if user is allowed to switch to a different user */
if (!$user->isAdmin()) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
}
$session->setSu($_GET['userid']);
$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_substituted_user')));
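Review bot: The error title on the new token check, `UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"))`, looks copied from a folder operation; every other exit in this file uses `getMLText("admin_tools")` as the title, so `UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));` would be consistent and avoid a misleading "folder" heading on an admin tool. The raw `$_GET['userid']` is still passed straight to `$session->setSu()` with only an isset() check, so as far as this file is concerned a non-numeric or non-existent id is accepted; casting to int and resolving the user before switching would be the usual guard, presumably through the DMS object that inc.DBInit.php provides — confirm. Carrying the form key in a GET URL also exposes it to Referer headers and server logs, so a POST form would be the safer transport for a privilege-changing action like substituting a user. The trailing context of this hunk appears truncated, so what follows the splash message is not visible here.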


@ -68,7 +68,7 @@ class SeedDMS_View_SubstituteUser extends SeedDMS_Bootstrap_Style {
echo "</td>";
echo "<td>";
if($currUser->getID() != $user->getID()) {
echo "<a class=\"btn\" href=\"../op/op.SubstituteUser.php?userid=".$currUser->getID()."\"><i class=\"icon-exchange\"></i> ".getMLText('substitute_user')."</a> ";
echo "<a class=\"btn\" href=\"../op/op.SubstituteUser.php?userid=".$currUser->getID()."&formtoken=".createFormKey('substituteuser')."\"><i class=\"icon-exchange\"></i> ".getMLText('substitute_user')."</a> ";
}
echo "</td>";
echo "</tr>";
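Review bot: The new href string concatenates `createFormKey('substituteuser')` and `$currUser->getID()` into an HTML attribute without any escaping, and joins the query parameters with a bare `&` inside the attribute. Unless the token format is guaranteed to be attribute-safe (not visible from this hunk), the line should read `echo "<a class=\"btn\" href=\"../op/op.SubstituteUser.php?userid=".(int)$currUser->getID()."&amp;formtoken=".htmlspecialchars(createFormKey('substituteuser'))."\"><i class=\"icon-exchange\"></i> ".getMLText('substitute_user')."</a> ";` so the markup stays valid and the token cannot break out of the attribute. Since this link triggers a state change via GET, a small POST form with the token in a hidden field would also keep the key out of Referer headers and access logs. The enclosing method of SeedDMS_View_SubstituteUser starts and ends outside this hunk.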