X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=admin_login.php;h=b0a89c442df3aabfe046bee7f4c004609bf004bb;hb=5973e59831d9ec141ece84eaa3b3ad35da385c69;hp=a3d47ce6a2607619a2bc743bcb731ff05a938dde;hpb=059569fef59006c2ab9af689c582fc3e9b0d7e6e;p=wfpl-cms.git
diff --git a/admin_login.php b/admin_login.php
index a3d47ce..b0a89c4 100644
--- a/admin_login.php
+++ b/admin_login.php
@@ -7,7 +7,7 @@ function admin_login_get_fields() {
 $data['url'] = format_oneline($_REQUEST['url']);
 $data['username'] = format_oneline($_REQUEST['username']);
- $data['password'] = format_oneline($_REQUEST['password']);
+ $data['password'] = sha1(format_oneline($_REQUEST['password']));
 return $data;
 }
@@ -18,14 +18,20 @@ function admin_login_main() {
 $data = admin_login_get_fields();
 if(strlen($data['username'])) {
- if($data['username'] == CMS_ADMIN_USER &&
- sha1($data['password']) == CMS_ADMIN_PASS) {
+ $row = db_get_assoc('admins', 'privs', 'where username=%" && password=%"', $data['username'], $data['password']);
+ if($row) {
 session_new();
- session_set('auth_username', $username);
- session_set('auth_admin', 'yes');
- require_once('code/wfpl/http.php');
+ session_set('auth_username', $data['username']);
+ switch($row['privs']) {
+ case 'admin':
+ session_set('auth_admin', 'yes');
+ if(!$data['url']) {
+ $data['url'] = 'admin';
+ }
+ break;
+ }
 if(!$data['url']) {
- $data['url'] = './admin';
+ $data['url'] = './';
 } elseif(strpos(':', $data['url']) !== false) {
 $data['url'] = "./$data[url]";
 }
@@ -37,12 +43,9 @@ function admin_login_main() {
 }
 }
- # Don't put (even failed) password back into the form
+ # make sure the hashed password doesn't make it back to the front end
 $data['password'] = '';
- # include domain name in title (especially for bookmarks) and header
- tem_set('this_host', this_host());
 # display the form [again]
 tem_set('form', $data);
 }
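Review bot: The added `sha1(format_oneline($_REQUEST['password']))` is an unsalted, fast digest, so whoever obtains the `admins` table the second hunk now compares against can brute-force every stored value offline; it is not a password hash. Prefer keeping the plain submitted value here (`$data['password'] = format_oneline($_REQUEST['password']);`) and verifying in admin_login_main with `password_verify()` against a `password_hash()` value fetched by username alone, so no digest is ever embedded in a query or in `$data`. Note also that format_oneline() runs on the secret before it is digested; if it trims or collapses whitespace, passwords containing such characters are silently altered — worth confirming against that helper. admin_login_get_fields's opening lines are outside the hunk.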
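Review bot: The redirect guard on the context line `} elseif(strpos(':', $data['url']) !== false) {` has its arguments reversed — the haystack is the literal ':' and the needle is the user-supplied url — so it never matches an absolute target such as `http://evil.example/`, and a login link carrying a crafted `url` parameter sends the freshly authenticated admin off-site (the redirect that consumes `$data['url']` is past the end of the hunk). It should read `} elseif(strpos($data['url'], ':') !== false || substr($data['url'], 0, 2) == '//') {` so that both scheme-qualified and protocol-relative targets are forced into a relative path. Separately, the new `db_get_assoc(...'where username=%" && password=%"'...)` call is only safe if `%"` is the db layer's escaping placeholder; if it merely quotes, both the username and the digest are interpolated into SQL unescaped — confirm against the db layer's placeholder handling. admin_login_main continues past the hunk on both sides.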
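Review bot: The rewritten comment `# make sure the hashed password doesn't make it back to the front end` drops the rationale the old one carried — that the clearing matters most on a failed attempt, where the submitted secret would otherwise be re-rendered into the form and land in browser history and caches. A comment such as `# never echo the submitted password (or its digest) back to the browser, even after a failed login` keeps both reasons. The removed `tem_set('this_host', this_host());` also means the template no longer receives this_host; if the template still references it, the title renders empty — worth confirming the template was updated in the same commit. admin_login_main's opening lines are outside the hunk.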