SF.net SVN: postfixadmin: [123] trunk/admin/edit-admin.php
From: <chr...@us...> - 2007-10-03 22:40:58
Revision: 123
http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=123&view=rev
Author: christian_boltz
Date: 2007-10-03 15:41:01 -0700 (Wed, 03 Oct 2007)

Log Message:
-----------
fix password handling:
- always check if password == password2 (even if password2 is empty)
- skip changing password if new password is empty.
Reasons:
- empty passwords are insecure
- editing an admin does not always mean to edit the password. One might edit the allowed domains without even knowing the password of the edited admin.

Modified Paths:
--------------
trunk/admin/edit-admin.php

Modified: trunk/admin/edit-admin.php
===================================================================
--- trunk/admin/edit-admin.php 2007-10-03 00:55:55 UTC (rev 122)
+++ trunk/admin/edit-admin.php 2007-10-03 22:41:01 UTC (rev 123)
@@ -40,13 +40,19 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
-   $fPassword = 'x';
-   $fPassword = 'y';
+   $fPassword = '';
+   $fPassword2 = '';
    if(isset ($_GET['username'])) $username = escape_string ($_GET['username']);
    if(isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
    if(isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']);
+   if ($fPassword != $fPassword2)
+   {
+      $error = 1;
+      $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error'];
+   }
+
    $fActive=(isset($_POST['fActive'])) ? escape_string ($_POST['fActive']) : FALSE;
    $fSadmin=(isset($_POST['fSadmin'])) ? escape_string ($_POST['fSadmin']) : FALSE;
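Review bot: The new equality check compares `$fPassword` and `$fPassword2` only after both have gone through `escape_string`, and the same escaped `$fPassword` is what `pacrypt()` later hashes (second hunk), so a password containing a quote or backslash is hashed in its SQL-escaped form; unless the login path applies the identical transformation before verifying, such passwords will not authenticate. SQL escaping belongs at the query boundary, not on the value being compared and hashed: read the raw values here, `if(isset ($_POST['fPassword'])) $fPassword = $_POST['fPassword'];` and `if(isset ($_POST['fPassword2'])) $fPassword2 = $_POST['fPassword2'];`, and escape the hash where it is interpolated into the UPDATE. The comparison itself should be strict, `if ($fPassword !== $fPassword2)`, because `!=` treats numeric-looking strings such as "1e3" and "1000" as equal. The enclosing POST branch continues past the end of this hunk.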
@@ -64,19 +70,13 @@
    // has the password changed?
    if($fPassword != $originalPassword) {
       if(!empty($_POST['fPassword2'])) {
-         if ($fPassword != $fPassword2)
-         {
-            $error = 1;
-            $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error'];
-         }
-         else {
-            $fPassword = pacrypt($fPassword);
-         }
+         $fPassword = pacrypt($fPassword);
       }
    }
    $tActive = $fActive;
-   $tDomains = escape_string ($_POST['fDomains']);
+   $fDomains = array();
+   if (array_key_exists('fDomains', $_POST)) $tDomains = escape_string ($_POST['fDomains']);
    if ($error != 1) {
       if ($fActive == "on") {
@@ -86,9 +86,12 @@
          $sqlActive = db_get_boolean(False);
       }
+      $password_query = '';
+      if ($fPassword != '') { # do not change password to empty one
+         $password_query = ", password='$fPassword'";
+      }
+      $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive' $password_query WHERE username='$username'");
-      $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive', password='$fPassword' WHERE username='$username'");
-
       if ($fSadmin == "on") $fSadmin = 'ALL';
       // delete everything, and put it back later on..
@@ -111,6 +114,8 @@
 else
 {
    // GET request.
    if (isset($_GET['username'])) $username = escape_string ($_GET['username']);
+   # TODO: read "active" state from database and tick on the checkbox for active admins
+
    $tAllDomains = list_domains();
    $tDomains = list_domains_for_admin ($username);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
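Review bot: The added initialiser `$fDomains = array();` sets a variable the next line never reads; the guarded assignment writes `$tDomains`, so when `fDomains` is missing from the POST body `$tDomains` is still undefined, which looks like the very case the `array_key_exists` guard was meant to handle. Initialise the variable that is actually used, `$tDomains = array();` (or whatever empty value the code that later consumes `$tDomains` expects — that code is outside this hunk), and drop the unused `$fDomains`. The surrounding `if ($error != 1)` and `if ($fActive == "on")` blocks open here and close beyond the hunk.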
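Review bot: The rebuilt UPDATE still interpolates `$fPassword` and `$username` straight into the SQL string; at this point `$fPassword` is the output of `pacrypt()`, so the escaping applied to the plaintext earlier no longer covers the value that reaches the query, and safety rests on the hash alphabet containing no quote characters. Escape at the query boundary so the guarantee is explicit: `$password_query = ", password='" . escape_string($fPassword) . "'";`. If the db layer offers prepared statements, a parameterised UPDATE for both `password` and the `username` in the WHERE clause would remove the need to reason about which escaping step applies to which value. The `if ($fPassword != '')` guard correctly skips the column when no new password was entered, which matches the log message.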