gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-05-16 14:41:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pass formkey when substituting user

Browse Source
This commit is contained in:
Uwe Steinmann 2015-07-15 08:24:15 +02:00
parent 9fee411f3f
commit 0351305995
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
op/op.SubstituteUser.php
View File

@ -25,14 +25,20 @@ include("../inc/inc.DBInit.php");
include("../inc/inc.ClassUI.php"); include("../inc/inc.ClassUI.php");
include("../inc/inc.Authentication.php"); include("../inc/inc.Authentication.php");
if (!$user->isAdmin()) { /* Check if the form data comes for a trusted request */
UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); if(!checkFormKey('substituteuser', 'GET')) {
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
} }
if (!isset($_GET["userid"])) { if (!isset($_GET["userid"])) {
UI::exitError(getMLText("admin_tools"),getMLText("unknown_id")); UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
} }
/* Check if user is allowed to switch to a different user */
if (!$user->isAdmin()) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
}
$session->setSu($_GET['userid']); $session->setSu($_GET['userid']);
$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_substituted_user'))); $session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_substituted_user')));

2
views/bootstrap/class.SubstituteUser.php
View File

@ -68,7 +68,7 @@ class SeedDMS_View_SubstituteUser extends SeedDMS_Bootstrap_Style {
echo "</td>"; echo "</td>";
echo "<td>"; echo "<td>";
if($currUser->getID() != $user->getID()) { if($currUser->getID() != $user->getID()) {
echo "<a class=\"btn\" href=\"../op/op.SubstituteUser.php?userid=".$currUser->getID()."\"><i class=\"icon-exchange\"></i> ".getMLText('substitute_user')."</a> "; echo "<a class=\"btn\" href=\"../op/op.SubstituteUser.php?userid=".$currUser->getID()."&formtoken=".createFormKey('substituteuser')."\"><i class=\"icon-exchange\"></i> ".getMLText('substitute_user')."</a> ";
} }
echo "</td>"; echo "</td>";
echo "</tr>"; echo "</tr>";