Thread: SF.net SVN: postfixadmin: [105] trunk/admin/edit-admin.php
From: <Gin...@us...> - 2007-09-28 20:35:22
Revision: 105 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=105&view=rev Author: GingerDog Date: 2007-09-28 13:35:19 -0700 (Fri, 28 Sep 2007) Log Message: ----------- edit-admin.php: it should work now - if you are a super admin, the domain list is unhighlighted; note domains that are inactive or backupmx records will appear unhighlighted all the time Modified Paths: -------------- trunk/admin/edit-admin.php Modified: trunk/admin/edit-admin.php =================================================================== --- trunk/admin/edit-admin.php 2007-09-28 20:28:18 UTC (rev 104) +++ trunk/admin/edit-admin.php 2007-09-28 20:35:19 UTC (rev 105) @@ -11,11 +11,10 @@ // // Template Variables: // -// tDescription -// tAliases -// tMailboxes -// tMaxquota +// tAllDomains +// tDomains // tActive +// tSadmin // // Form POST \ GET Variables: // 
@@ -30,115 +29,98 @@ authentication_require_role('global-admin'); -if ($_SERVER['REQUEST_METHOD'] == "GET") -{ - if (isset ($_GET['username'])) $username = escape_string ($_GET['username']); - $list_domains = list_domains (); - isset ($_GET['username']) ? $tDomains = list_domains_for_admin ($username) : $tDomains = ""; - - $result = db_query ("SELECT * FROM $table_domain_admins WHERE username='$username'"); - if ($result['rows'] == 1) - { - $row = db_array ($result['result']); - if ($row['domain'] == 'ALL') $tSadmin = '1'; - } - - $result = db_query ("SELECT * FROM $table_admin WHERE username='$username'"); - if ($result['rows'] == 1) - { - $row = db_array ($result['result']); - $tActive = $row['active']; - if ('pgsql'==$CONF['database_type']) $tActive=('t'==$tActive) ? TRUE:FALSE; - } - - include ("../templates/header.tpl"); - include ("../templates/admin_menu.tpl"); - include ("../templates/admin_edit-admin.tpl"); - include ("../templates/footer.tpl"); -} - if ($_SERVER['REQUEST_METHOD'] == "POST") { - if (isset ($_GET['username'])) $username = escape_string ($_GET['username']); - - if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); - if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); + $fPassword = 'x'; + $fPassword = 'y'; + if(isset ($_GET['username'])) $username = escape_string ($_GET['username']); + if(isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); + if(isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); + $fActive=(isset($_POST['fActive'])) ? escape_string ($_POST['fActive']) : FALSE; $fSadmin=(isset($_POST['fSadmin'])) ? 
escape_string ($_POST['fSadmin']) : FALSE; + $fDomains = false; if (isset ($_POST['fDomains'])) $fDomains = $_POST['fDomains']; - $list_domains = list_domains (); - - if ($fPassword != $fPassword2) - { - $error = 1; - $tActive = $fActive; - $tDomains = escape_string ($_POST['fDomains']); - $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error']; + $tAllDomains = list_domains (); + + $result = db_query("SELECT * FROM $table_admin WHERE username = '$username'"); + if($result['rows'] != 1) { + die("Invalid username for admin user"); } + $admin_details = db_array($result['result']); + $originalPassword = $admin_details['password']; + // has the password changed? + if($fPassword != $originalPassword) { + if(!empty($_POST['fPassword2'])) { + if ($fPassword != $fPassword2) + { + $error = 1; + $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error']; + } + else { + $fPassword = pacrypt($fPassword); + } + } + } + $tActive = $fActive; + $tDomains = escape_string ($_POST['fDomains']); if ($error != 1) { - if ($fActive == "on") $fActive = 1; - $sqlActive=$fActive; - if ('pgsql'==$CONF['database_type']) $sqlActive=($fActive) ? 'true' : 'false'; + if ($fActive == "on") { + $sqlActive = db_get_boolean(True); + } + else { + $sqlActive = db_get_boolean(False); + } + + $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive', password='$fPassword' WHERE username='$username'"); + if ($fSadmin == "on") $fSadmin = 'ALL'; - if (empty ($fPassword) and empty ($fPassword2)) - { - $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive' WHERE username='$username'"); + // delete everything, and put it back later on.. 
+ db_query("DELETE FROM $table_domain_admins WHERE username = '$username'"); + if($fSadmin == 'ALL') { + $fDomains = array('ALL'); } - else + + foreach($fDomains as $domain) { - $password = pacrypt ($fPassword); - $result = db_query ("UPDATE $table_admin SET password='$password',modified=NOW(),active='$sqlActive' WHERE username='$username'"); + $result = db_query ("INSERT INTO $table_domain_admins (username,domain,created) VALUES ('$username','$domain',NOW())"); } + flash_info($PALANG['pAdminEdit_admin_result_success']); + } + else { + flash_error($PALANG['pAdminEdit_admin_result_error']); + } + header("Location: list-admin.php"); +} +else { // GET request. + if (isset($_GET['username'])) $username = escape_string ($_GET['username']); - if (sizeof ($fDomains) > 0) - { - for ($i = 0; $i < sizeof ($fDomains); $i++) - { - $domain = $fDomains[$i]; - $result_domains = db_query ("INSERT INTO $table_domain_admins (username,domain,created) VALUES ('$username','$domain',NOW())"); - } + $tAllDomains = list_domains(); + $tDomains = list_domains_for_admin ($username); + + $tSadmin = '0'; + $result = db_query ("SELECT * FROM $table_domain_admins WHERE username='$username'"); + // could/should be multiple matches to query; + if ($result['rows'] >= 1) { + $result = $result['result']; + while($row = db_array($result)) { + if ($row['domain'] == 'ALL') { + $tSadmin = '1'; + $tDomains = array(); /* empty the list, they're an admin */ + } } + } - if ($result['rows'] == 1) - { - if (isset ($fDomains[0])) - { - $result = db_query ("DELETE FROM $table_domain_admins WHERE username='$username'"); - if ($fSadmin == 'ALL') - { - $result = db_query ("INSERT INTO $table_domain_admins (username,domain,created) VALUES ('$username','ALL',NOW())"); - } - else - { - if ($fDomains[0] != '') - for ($i = 0; $i < sizeof ($fDomains); $i++) - { - $domain = $fDomains[$i]; - $result = db_query ("INSERT INTO $table_domain_admins (username,domain,created) VALUES ('$username','$domain',NOW())"); - } - } - } - 
header ("Location: list-admin.php"); - exit; - } - else - { - $tMessage = $PALANG['pAdminEdit_admin_result_error']; - } - } - include ("../templates/header.tpl"); include ("../templates/admin_menu.tpl"); include ("../templates/admin_edit-admin.tpl"); include ("../templates/footer.tpl"); } -/* vim: set expandtab softtabstop=3 tabstop=3 shiftwidth=3: */ -?> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
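Review bot: Each `$domain` taken from `$_POST['fDomains']` is interpolated unescaped into the `INSERT INTO $table_domain_admins` statement in the new `foreach`, while every other form field in this hunk passes through `escape_string()`; only global admins reach this page (`authentication_require_role('global-admin')` at the top of the hunk), but the list should still be sanitised, e.g. `foreach($fDomains as $domain) { $domain = escape_string($domain);`. The same loop runs on `$fDomains === false` when no domain is posted, which PHP warns about as a non-array, so guard it with `is_array()` or default to `array()`. Separately, when both password fields are posted empty, `'' != $originalPassword` is true but `!empty($_POST['fPassword2'])` is false, so `$fPassword` stays `''` and the unconditional `UPDATE ... password='$fPassword'` blanks the admin's stored password. The `$fPassword = 'x'; $fPassword = 'y';` pair also looks like a typo for initialising `$fPassword2`, which is otherwise undefined when the field is absent.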
From: <chr...@us...> - 2007-10-03 22:40:58
Revision: 123 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=123&view=rev Author: christian_boltz Date: 2007-10-03 15:41:01 -0700 (Wed, 03 Oct 2007) Log Message: ----------- fix password handling: - always check if password == password2 (even if password2 is empty) - skip changing password if new password is empty. Reasons: - empty passwords are insecure - editing an admin does not always mean to edit the password. One might edit the allowed domains without even knowing the password of the edited admin. Modified Paths: -------------- trunk/admin/edit-admin.php Modified: trunk/admin/edit-admin.php =================================================================== --- trunk/admin/edit-admin.php 2007-10-03 00:55:55 UTC (rev 122) +++ trunk/admin/edit-admin.php 2007-10-03 22:41:01 UTC (rev 123) @@ -40,13 +40,19 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") { - $fPassword = 'x'; - $fPassword = 'y'; + $fPassword = ''; + $fPassword2 = ''; if(isset ($_GET['username'])) $username = escape_string ($_GET['username']); if(isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); if(isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); + if ($fPassword != $fPassword2) + { + $error = 1; + $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error']; + } + $fActive=(isset($_POST['fActive'])) ? escape_string ($_POST['fActive']) : FALSE; $fSadmin=(isset($_POST['fSadmin'])) ? escape_string ($_POST['fSadmin']) : FALSE; 
@@ -64,19 +70,13 @@ // has the password changed? if($fPassword != $originalPassword) { if(!empty($_POST['fPassword2'])) { - if ($fPassword != $fPassword2) - { - $error = 1; - $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error']; - } - else { - $fPassword = pacrypt($fPassword); - } + $fPassword = pacrypt($fPassword); } } $tActive = $fActive; - $tDomains = escape_string ($_POST['fDomains']); + $fDomains = array(); + if (array_key_exists('fDomains', $_POST)) $tDomains = escape_string ($_POST['fDomains']); if ($error != 1) { if ($fActive == "on") { @@ -86,9 +86,12 @@ $sqlActive = db_get_boolean(False); } + $password_query = ''; + if ($fPassword != '') { # do not change password to empty one + $password_query = ", password='$fPassword'"; + } + $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive' $password_query WHERE username='$username'"); - $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive', password='$fPassword' WHERE username='$username'"); - if ($fSadmin == "on") $fSadmin = 'ALL'; // delete everything, and put it back later on.. @@ -111,6 +114,8 @@ else { // GET request. if (isset($_GET['username'])) $username = escape_string ($_GET['username']); + # TODO: read "active" state from database and tick on the checkbox for active admins + $tAllDomains = list_domains(); $tDomains = list_domains_for_admin ($username); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
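Review bot: In the second hunk the added `$fDomains = array();` overwrites the list already read from `$_POST['fDomains']` earlier in the POST branch, and the next line assigns the escaped value to `$tDomains` instead of `$fDomains`, so the domain-admin rows are deleted and then rebuilt from an empty array (the `DELETE` and `foreach` sit outside this hunk), dropping every non-superadmin domain assignment on save. The intended lines are presumably `$fDomains = array(); if (array_key_exists('fDomains', $_POST) && is_array($_POST['fDomains'])) $fDomains = array_map('escape_string', $_POST['fDomains']);`, since `escape_string()` applied to a multi-select array is unlikely to escape each element — confirm against its definition. The `$password_query` guard in the third hunk does correctly skip writing an empty password.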
From: <Gin...@us...> - 2007-10-04 14:57:05
Revision: 129 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=129&view=rev Author: GingerDog Date: 2007-10-04 07:57:04 -0700 (Thu, 04 Oct 2007) Log Message: ----------- edit-admin.php: i think this fixes the outstanding problems, but I get horrible problems if firefox is allowed to remember passwords etc - is there a good way of disabling this behaviour beyond autocomplete="off" ? Modified Paths: -------------- trunk/admin/edit-admin.php Modified: trunk/admin/edit-admin.php =================================================================== --- trunk/admin/edit-admin.php 2007-10-04 13:53:45 UTC (rev 128) +++ trunk/admin/edit-admin.php 2007-10-04 14:57:04 UTC (rev 129) 
@@ -37,103 +37,115 @@ authentication_require_role('global-admin'); +$error = 1; +if(isset($_GET['username'])) { + $username = escape_string ($_GET['username']); + $result = db_query("SELECT * FROM $table_admin WHERE username = '$username'"); + if($result['rows'] == 1) { + $admin_details = db_array($result['result']); + $error = 0; + } +} +if($error == 1){ + flash_error($PALANG['pAdminEdit_admin_result_error']); + header("Location: list-admin.php"); + exit(0); +} +// we aren't ensuring the password is longer than x characters, should we? if ($_SERVER['REQUEST_METHOD'] == "POST") { - $fPassword = ''; - $fPassword2 = ''; - if(isset ($_GET['username'])) $username = escape_string ($_GET['username']); + $fPassword = ''; + $fPassword2 = ''; + if(isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); + if(isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); - if(isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); - if(isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); - if ($fPassword != $fPassword2) - { - $error = 1; - $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error']; - } + $fActive=(isset($_POST['fActive'])) ? escape_string ($_POST['fActive']) : FALSE; + $fSadmin=(isset($_POST['fSadmin'])) ? escape_string ($_POST['fSadmin']) : FALSE; - $fActive=(isset($_POST['fActive'])) ? escape_string ($_POST['fActive']) : FALSE; - $fSadmin=(isset($_POST['fSadmin'])) ? escape_string ($_POST['fSadmin']) : FALSE; + $fDomains = false; + if (isset ($_POST['fDomains'])) $fDomains = $_POST['fDomains']; - $fDomains = false; - if (isset ($_POST['fDomains'])) $fDomains = $_POST['fDomains']; + $tAllDomains = list_domains (); - $tAllDomains = list_domains (); + // has the password changed? + $originalPassword = $admin_details['password']; + if($fPassword != $originalPassword) { + // if it has, ensure both fields are the same... 
+ if ($fPassword == $fPassword2) + { + if(strlen($fPassword) >= $CONF['min_password_length']) { + $fPassword = pacrypt($fPassword); + } + else { + $error = 1; + flash_error(sprintf($PALANG['pPasswordTooShort'], $CONF['min_password_length'])); + } + } + else { + $error = 1; + $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error']; + } + } - $result = db_query("SELECT * FROM $table_admin WHERE username = '$username'"); - if($result['rows'] != 1) { - die("Invalid username for admin user"); - } - $admin_details = db_array($result['result']); - $originalPassword = $admin_details['password']; - // has the password changed? - if($fPassword != $originalPassword) { - if(!empty($_POST['fPassword2'])) { - $fPassword = pacrypt($fPassword); - } - } + $fDomains = array(); + if (array_key_exists('fDomains', $_POST)) $fDomains = escape_string ($_POST['fDomains']); + if ($error != 1) + { + if ($fActive == "on") { + $sqlActive = db_get_boolean(True); + } + else { + $sqlActive = db_get_boolean(False); + } - $tActive = $fActive; - $fDomains = array(); - if (array_key_exists('fDomains', $_POST)) $tDomains = escape_string ($_POST['fDomains']); - if ($error != 1) - { - if ($fActive == "on") { - $sqlActive = db_get_boolean(True); - } - else { - $sqlActive = db_get_boolean(False); - } + $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive',password='$fPassword' WHERE username='$username'"); - $password_query = ''; - if ($fPassword != '') { # do not change password to empty one - $password_query = ", password='$fPassword'"; - } - $result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive' $password_query WHERE username='$username'"); + if ($fSadmin == "on") $fSadmin = 'ALL'; - if ($fSadmin == "on") $fSadmin = 'ALL'; + // delete everything, and put it back later on.. 
+ db_query("DELETE FROM $table_domain_admins WHERE username = '$username'"); + if($fSadmin == 'ALL') { + $fDomains = array('ALL'); + } - // delete everything, and put it back later on.. - db_query("DELETE FROM $table_domain_admins WHERE username = '$username'"); - if($fSadmin == 'ALL') { - $fDomains = array('ALL'); - } - - foreach($fDomains as $domain) - { - $result = db_query ("INSERT INTO $table_domain_admins (username,domain,created) VALUES ('$username','$domain',NOW())"); - } - flash_info($PALANG['pAdminEdit_admin_result_success']); - } - else { - flash_error($PALANG['pAdminEdit_admin_result_error']); - } - header("Location: list-admin.php"); + foreach($fDomains as $domain) + { + $result = db_query ("INSERT INTO $table_domain_admins (username,domain,created) VALUES ('$username','$domain',NOW())"); + } + flash_info($PALANG['pAdminEdit_admin_result_success']); + header("Location: list-admin.php"); + exit(0); + } + else { + flash_error($PALANG['pAdminEdit_admin_result_error']); + } } -else { // GET request. 
- if (isset($_GET['username'])) $username = escape_string ($_GET['username']); +if (isset($_GET['username'])) $username = escape_string ($_GET['username']); - # TODO: read "active" state from database and tick on the checkbox for active admins +$tAllDomains = list_domains(); +$tDomains = list_domains_for_admin ($username); +$tActive = ''; +$tPassword = $admin_details['password']; - $tAllDomains = list_domains(); - $tDomains = list_domains_for_admin ($username); +if($admin_details['active'] == 't' || $admin_details['active'] == 1) { + $tActive = $admin_details['active']; +} +$tSadmin = '0'; +$result = db_query ("SELECT * FROM $table_domain_admins WHERE username='$username'"); +// could/should be multiple matches to query; +if ($result['rows'] >= 1) { + $result = $result['result']; + while($row = db_array($result)) { + if ($row['domain'] == 'ALL') { + $tSadmin = '1'; + $tDomains = array(); /* empty the list, they're an admin */ + } + } +} - $tSadmin = '0'; - $result = db_query ("SELECT * FROM $table_domain_admins WHERE username='$username'"); - // could/should be multiple matches to query; - if ($result['rows'] >= 1) { - $result = $result['result']; - while($row = db_array($result)) { - if ($row['domain'] == 'ALL') { - $tSadmin = '1'; - $tDomains = array(); /* empty the list, they're an admin */ - } - } - } - - include ("../templates/header.tpl"); - include ("../templates/admin_menu.tpl"); - include ("../templates/admin_edit-admin.tpl"); - include ("../templates/footer.tpl"); -} +include ("../templates/header.tpl"); +include ("../templates/admin_menu.tpl"); +include ("../templates/admin_edit-admin.tpl"); +include ("../templates/footer.tpl"); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
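Review bot: The new `$tPassword = $admin_details['password'];` hands the stored password hash to the edit template, and the POST path's `if($fPassword != $originalPassword)` relies on that hash being echoed back by the browser to mean "unchanged"; this exposes every admin's hash in served HTML (and to browser password managers, which is plausibly the Firefox autofill trouble the log message describes). Treat an empty `fPassword` as "leave the password alone" instead, as revision 123's `$password_query` guard did, and drop `$tPassword` so the hash never leaves the server; the rewritten password section below does that and keeps the `min_password_length` check. Two smaller points in the same hunk: `$fDomains = escape_string ($_POST['fDomains'])` passes the multi-select array to a string escaper — confirm `escape_string()` handles arrays, otherwise use `array_map('escape_string', ...)` — and the `// we aren't ensuring the password is longer than x characters` comment is now stale given the `$CONF['min_password_length']` check a few lines later.
```php
// … unchanged: read $fPassword / $fPassword2 / $fActive / $fSadmin from $_POST …
$password_query = '';
if ($fPassword != '') { // an empty field means "do not change the password"
    if ($fPassword != $fPassword2) {
        $error = 1;
        $pAdminEdit_admin_password_text = $PALANG['pAdminEdit_admin_password_text_error'];
    }
    elseif (strlen($fPassword) < $CONF['min_password_length']) {
        $error = 1;
        flash_error(sprintf($PALANG['pPasswordTooShort'], $CONF['min_password_length']));
    }
    else {
        $password_query = ", password='" . pacrypt($fPassword) . "'";
    }
}
// … unchanged: $fDomains, $sqlActive …
$result = db_query ("UPDATE $table_admin SET modified=NOW(),active='$sqlActive' $password_query WHERE username='$username'");
// … unchanged: domain_admins rebuild, flash + redirect …
// GET/render section: no $tPassword assignment — the stored hash stays server-side
```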