X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=admin_login.php;fp=admin_login.php;h=b0a89c442df3aabfe046bee7f4c004609bf004bb;hb=29ed335dfc3b57c6b5ee8ade2ea5cbdc8fa7d47c;hp=92d3ab60c9e877ad65b22b79454888569abbb791;hpb=04a7c00830ce59943da1200a82fd385008f24038;p=wfpl-cms.git
diff --git a/admin_login.php b/admin_login.php
index 92d3ab6..b0a89c4 100644
--- a/admin_login.php
+++ b/admin_login.php
@@ -7,7 +7,7 @@ function admin_login_get_fields() {
 $data['url'] = format_oneline($_REQUEST['url']);
 $data['username'] = format_oneline($_REQUEST['username']);
- $data['password'] = format_oneline($_REQUEST['password']);
+ $data['password'] = sha1(format_oneline($_REQUEST['password']));
 return $data;
 }
@@ -18,14 +18,20 @@ function admin_login_main() {
 $data = admin_login_get_fields();
 if(strlen($data['username'])) {
- if($data['username'] == CMS_ADMIN_USER && sha1($data['password']) == CMS_ADMIN_PASS) {
+ $row = db_get_assoc('admins', 'privs', 'where username=%" && password=%"', $data['username'], $data['password']);
+ if($row) {
 session_new();
- session_set('auth_username', $username);
- session_set('auth_admin', 'yes');
- require_once('code/wfpl/http.php');
+ session_set('auth_username', $data['username']);
+ switch($row['privs']) {
+ case 'admin':
+ session_set('auth_admin', 'yes');
+ if(!$data['url']) {
+ $data['url'] = 'admin';
+ }
+ break;
+ }
 if(!$data['url']) {
- $data['url'] = './admin';
+ $data['url'] = './';
 } elseif(strpos(':', $data['url']) !== false) {
 $data['url'] = "./$data[url]";
 }
@@ -37,7 +43,7 @@ function admin_login_main() {
 }
 }
- # Don't put (even failed) password back into the form
+ # make sure the hashed password doesn't make it back to the front end
 $data['password'] = '';
 # display the form [again]
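Review bot: The new `$data['password'] = sha1(format_oneline($_REQUEST['password']));` line makes an unsalted, fast hash the stored credential, so the `admins` table that the second hunk's `db_get_assoc` call compares against would give up its passwords to offline cracking if it ever leaked. The stronger pattern is to keep the typed password out of `$data` entirely, look the row up by username only, and check it in PHP with `password_verify()` against a `password_hash()` value; that also removes the need to scrub a hash out of `$data` before the form is redisplayed. Reading the credential from `$_REQUEST` additionally accepts it in the query string, where it can land in server and proxy logs; `$_POST['password']` is the safer source. `admin_login_get_fields` starts before the hunk.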
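Review bot: The redirect target in `$data['url']` still comes straight from `$_REQUEST['url']`, and the guard on the unchanged `} elseif(strpos(':', $data['url']) !== false) {` line has its arguments reversed, so it searches for the URL inside the string `':'` and never fires for a full external URL; assuming the code past the hunk sends the browser to `$data['url']`, the login form acts as an open redirect. Since this commit reworks the `$data['url']` defaulting directly above that line, it is the moment to fix the call: `} elseif(strpos($data['url'], ':') !== false) {`. On the new lines, `if($row)` followed by a one-case `switch` reads more directly as `if($row['privs'] == 'admin')`, and the `%"` placeholders in the where-clause are presumably escaped by `db_get_assoc` — worth confirming, as both substituted values are user-controlled. `admin_login_main` continues past the hunk.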
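Review bot: The rewritten comment drops the reason the original gave, that a failed attempt's credential must not be echoed back into the form; now that `$data['password']` holds the SHA-1 of what was typed, both reasons apply to the `$data['password'] = '';` line. Suggest `# never put the submitted password (or its hash) back into the form, even after a failed login`.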