From 03513059951f6436b6daca7c2d033b73240d2533 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 15 Jul 2015 08:24:15 +0200
Subject: [PATCH] pass formkey when substituting user

---
 op/op.SubstituteUser.php                 | 10 ++++++++--
 views/bootstrap/class.SubstituteUser.php |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/op/op.SubstituteUser.php b/op/op.SubstituteUser.php
index f67498b74..b47f286f2 100644
--- a/op/op.SubstituteUser.php
+++ b/op/op.SubstituteUser.php
@@ -25,14 +25,20 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
-if (!$user->isAdmin()) {
-	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('substituteuser', 'GET')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
 if (!isset($_GET["userid"])) {
 	UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }
 
+/* Check if user is allowed to switch to a different user */
+if (!$user->isAdmin()) {
+	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+}
+
 $session->setSu($_GET['userid']);
 $session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_substituted_user')));
 
diff --git a/views/bootstrap/class.SubstituteUser.php b/views/bootstrap/class.SubstituteUser.php
index b94cbfedb..69657d666 100644
--- a/views/bootstrap/class.SubstituteUser.php
+++ b/views/bootstrap/class.SubstituteUser.php
@@ -68,7 +68,7 @@ class SeedDMS_View_SubstituteUser extends SeedDMS_Bootstrap_Style {
 echo "";
 echo "";
 if($currUser->getID() != $user->getID()) {
-	echo "getID()."\"> ".getMLText('substitute_user')." ";
+	echo "getID()."&formtoken=".createFormKey('substituteuser')."\"> ".getMLText('substitute_user')." ";
 }
 echo "";
 echo "";
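Review bot: The CSRF token is verified from the query string (`checkFormKey('substituteuser', 'GET')`) for a request that changes session state, so the token ends up in browser history, proxy and server access logs, and the Referer header of any link followed from the resulting page; a hidden `formtoken` field in a POST form, with the check reading POST, keeps it out of all three. The rejection branch builds its title from `folder_title`/`foldername`, which looks copied from a folder operation, while every other exit in this script uses `getMLText("admin_tools")`, so `UI::exitError(getMLText("admin_tools"), getMLText("invalid_request_token"));` would be consistent. `$_GET['userid']` still reaches `$session->setSu()` with only an `isset` check; unless `setSu()` validates it (not visible here), casting and rejecting non-positive values, e.g. `$userid = (int) $_GET['userid']; if ($userid <= 0) UI::exitError(getMLText("admin_tools"), getMLText("unknown_id"));`, avoids storing an arbitrary string in the session. Consider also running the `isAdmin()` check before the `userid` check so a non-administrator always receives `access_denied` rather than `unknown_id`. This is a flat script that continues outside the hunk on both sides.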
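Review bot: The form key is appended to the link's query string (`&formtoken=`), which is what puts it into history, logs and Referer headers; on the view side the alternative that avoids this is a small POST form with hidden `userid` and `formtoken` fields and a submit button, paired with the op script reading the token from POST. The markup inside the two `echo` lines has been stripped in this copy of the hunk, so attribute escaping of the generated URL cannot be checked here; the token value should go through `htmlspecialchars()` unless `createFormKey()` is known to return only attribute-safe characters. The action path below assumes the original link targeted `../op/op.SubstituteUser.php`, which matches the op file's location but is not visible in the stripped text. The enclosing method of `SeedDMS_View_SubstituteUser` starts and ends outside the hunk.
```php
if($currUser->getID() != $user->getID()) {
	echo "<form action=\"../op/op.SubstituteUser.php\" method=\"post\">";
	echo "<input type=\"hidden\" name=\"userid\" value=\"".(int) $currUser->getID()."\" />";
	echo "<input type=\"hidden\" name=\"formtoken\" value=\"".htmlspecialchars(createFormKey('substituteuser'), ENT_QUOTES, 'UTF-8')."\" />";
	echo "<button type=\"submit\">".getMLText('substitute_user')."</button>";
	echo "</form>";
}
```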