define INC_WFPL, separate wfpl_main.php
diff --git
a/admin_login.php
b/admin_login.php
index
a3d47ce
..
e68f86e
100644
(file)
--- a/
admin_login.php
+++ b/
admin_login.php
@@
-1,13
+1,13
@@
<?php
<?php
-# This form requires wfpl. See: http://jasonwoof.org/wfpl
+# This form requires wfpl. See: http://sametwice.com/wfpl
function admin_login_get_fields() {
$data = array();
$data['url'] = format_oneline($_REQUEST['url']);
$data['username'] = format_oneline($_REQUEST['username']);
function admin_login_get_fields() {
$data = array();
$data['url'] = format_oneline($_REQUEST['url']);
$data['username'] = format_oneline($_REQUEST['username']);
- $data['password'] = format_oneline($_REQUEST['password']);
+ $data['password'] = sha1(format_oneline($_REQUEST['password']));
return $data;
}
return $data;
}
@@
-18,14
+18,17
@@
function admin_login_main() {
$data = admin_login_get_fields();
if(strlen($data['username'])) {
$data = admin_login_get_fields();
if(strlen($data['username'])) {
- if($data['username'] == CMS_ADMIN_USER &&
- sha1($data['password']) == CMS_ADMIN_PASS) {
+ $row = db_get_assoc('admins', 'privs', 'where username=%" && password=%"', $data['username'], $data['password']);
+ if($row) {
session_new();
session_new();
- session_set('auth_username', $username);
- session_set('auth_admin', 'yes');
- require_once('code/wfpl/http.php');
+ session_set('auth_username', $data['username']);
+ session_set('auth_' . $row['privs'], 'yes');
if(!$data['url']) {
if(!$data['url']) {
- $data['url'] = './admin';
+ if ($row['privs'] == 'admin') {
+ $data['url'] = './admin';
+ } else {
+ $data['url'] = './';
+ }
} elseif(strpos(':', $data['url']) !== false) {
$data['url'] = "./$data[url]";
}
} elseif(strpos(':', $data['url']) !== false) {
$data['url'] = "./$data[url]";
}
@@
-37,12
+40,9
@@
function admin_login_main() {
}
}
}
}
- # Don't put (even failed) password back into the form
+ # make sure the hashed password doesn't make it back to the front end
$data['password'] = '';
$data['password'] = '';
- # include domain name in title (especially for bookmarks) and header
- tem_set('this_host', this_host());
-
# display the form [again]
tem_set('form', $data);
}
# display the form [again]
tem_set('form', $data);
}
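Review bot: The login check now relies on an unsalted `sha1()` of the submitted password (the `$data['password'] = sha1(...)` line in the first hunk) matching the value stored in `admins.password`, so the table holds fast, unsalted digests and the comparison is done by the database in the `where` clause. A reviewer would ask for `password_hash()` output in that column and a `password_verify()` check in `admin_login_main` instead: keep the password unhashed in `admin_login_get_fields`, look the row up by username only, and then `if($row && password_verify($data['password'], $row['password']))`, assuming `db_get_assoc` can return the `password` column alongside `privs`. Two smaller points in the second hunk: `if ($row['privs'] == 'admin')` should be a strict `===`, and the unchanged guard `strpos(':', $data['url']) !== false` has haystack and needle swapped, so a URL containing a scheme is not prefixed with `./` as the branch appears to intend (this predates the commit, and the redirect that consumes `$data['url']` is outside the hunk). The signature of `admin_login_main` sits just above the second hunk, outside it.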