auth modules = imapauth and saslauth
Some code in CWebAdminSock::OnLogin() is skipped if a module handles auth
and thus m_pUser stays NULL. Most checks for admin rights only check for
m_pUser being NULL and thus any user WHO ALREADY HAS A VALID LOGIN can edit
other users if they know their user name.
(=Change the password of an admin and log in using this info)
One of the major exceptions are the templates which use m_bAdmin instead of
m_pUser for checking the privileges, thus users still see the normal pages
and this bug stayed unnoticed for a while.
This patch now moves the code that sets m_pUser to some code which is executed
in both cases, when an auth module is in effect and when one isn't.
(Well, technically this isn't a move, but code duplication, but executing this
twice won't hurt and one of the follow-up patches cleans this up.)
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1113 726aef4b-f618-498e-8847-2d620e286838
}
// Setters
- void SetSessionUser(CUser* p) { m_pSessionUser = p; m_bAdmin = p->IsAdmin(); }
- void SetAdmin(bool b) { m_bAdmin = b; }
+ void SetSessionUser(CUser* p) {
+ m_pSessionUser = p;
+ m_bAdmin = p->IsAdmin();
+
+ // If m_pUser is not NULL, only that user can be edited.
+ if (m_bAdmin) {
+ m_pUser = NULL;
+ } else {
+ m_pUser = m_pSessionUser;
+ }
+ }
// !Setters
virtual Csock* GetSockObj(const CString& sHost, unsigned short uPort);
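Review bot: SetSessionUser() still dereferences p unconditionally in `m_bAdmin = p->IsAdmin();`, so a NULL session user crashes here before m_pUser is ever assigned; add a NULL check (or an assertion) on p at the top of the setter. Since the m_bAdmin/m_pUser pairing is now what the m_pUser-based privilege checks rely on, the comment should also state the invariant explicitly (m_pUser must be non-NULL whenever m_bAdmin is false) so the follow-up cleanup mentioned in the commit message keeps it intact.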