$data['url'] = format_oneline($_REQUEST['url']);
$data['username'] = format_oneline($_REQUEST['username']);
- $data['password'] = format_oneline($_REQUEST['password']);
+ $data['password'] = sha1(format_oneline($_REQUEST['password']));
return $data;
}
$data = admin_login_get_fields();
if(strlen($data['username'])) {
- if($data['username'] == CMS_ADMIN_USER &&
- sha1($data['password']) == CMS_ADMIN_PASS) {
+ $row = db_get_assoc('admins', 'privs', 'where username=%" && password=%"', $data['username'], $data['password']);
+ if($row) {
session_new();
- session_set('auth_username', $username);
- session_set('auth_admin', 'yes');
- require_once('code/wfpl/http.php');
+ session_set('auth_username', $data['username']);
+ switch($row['privs']) {
+ case 'admin':
+ session_set('auth_admin', 'yes');
+ if(!$data['url']) {
+ $data['url'] = 'admin';
+ }
+ break;
+ }
if(!$data['url']) {
- $data['url'] = './admin';
+ $data['url'] = './';
} elseif(strpos(':', $data['url']) !== false) {
$data['url'] = "./$data[url]";
}
}
}
- # Don't put (even failed) password back into the form
+ # make sure the hashed password doesn't make it back to the front end
$data['password'] = '';
# display the form [again]