remove obsolete type="text/javascript" from script tags
[wfpl-cms.git] / admin_login.php
index a3d47ce..e68f86e 100644 (file)
@@ -1,13 +1,13 @@
 <?php
 
-# This form requires wfpl. See: http://jasonwoof.org/wfpl
+# This form requires wfpl. See: http://sametwice.com/wfpl
 
 function admin_login_get_fields() {
        $data = array();
 
        $data['url'] = format_oneline($_REQUEST['url']);
        $data['username'] = format_oneline($_REQUEST['username']);
-       $data['password'] = format_oneline($_REQUEST['password']);
+       $data['password'] = sha1(format_oneline($_REQUEST['password']));
 
        return $data;
 }
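Review bot: The new line hashes the submitted password with a bare `sha1()` and the next hunk compares that digest as a string in SQL; an unsalted fast digest is not a password hash, so a copy of the admins table is cheaply reversible for common passwords. Prefer keeping the plaintext only as long as needed in admin_login_main, storing a `password_hash()` value in the admins table, fetching the row by username alone and checking it with `password_verify()`; that also removes the hash-in-$data that the later hunk has to blank out before rendering. If the target PHP predates password_hash(), at least use a per-user random salt rather than a raw digest. Note also that `format_oneline()` is applied before hashing — if it trims or normalises input, passwords containing such characters will silently fail to match; confirm that is intended.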
@@ -18,14 +18,17 @@ function admin_login_main() {
        $data = admin_login_get_fields();
 
        if(strlen($data['username'])) {
-               if($data['username'] == CMS_ADMIN_USER &&
-                  sha1($data['password']) == CMS_ADMIN_PASS) {
+               $row = db_get_assoc('admins', 'privs', 'where username=%" && password=%"', $data['username'], $data['password']);
+               if($row) {
                        session_new();
-                       session_set('auth_username', $username);
-                       session_set('auth_admin', 'yes');
-                       require_once('code/wfpl/http.php');
+                       session_set('auth_username', $data['username']);
+                       session_set('auth_' . $row['privs'], 'yes');
                        if(!$data['url']) {
-                               $data['url'] = './admin';
+                               if ($row['privs'] == 'admin') {
+                                       $data['url'] = './admin';
+                               } else {
+                                       $data['url'] = './';
+                               }
                        } elseif(strpos(':', $data['url']) !== false) {
                                $data['url'] = "./$data[url]";
                        }
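Review bot: The `elseif(strpos(':', $data['url']) !== false)` guard on the last lines of this hunk has the strpos() arguments reversed — it searches the one-character string ':' for the request-supplied url, so the './' prefix is never applied to an absolute URL and the post-login redirect (which happens after this hunk; confirm there) can be sent off-site. It should read `} elseif(strpos($data['url'], ':') !== false) {`; since a scheme-relative `//host/path` value contains no ':', it would be safer still to prefix anything that does not start with a single '/' or './', or to accept only a same-site path here. Separately, the new `if ($row['privs'] == 'admin')` is a loose comparison; `===` is the conventional form for comparing a database string against a literal. admin_login_main begins before this hunk and continues after it.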
@@ -37,12 +40,9 @@ function admin_login_main() {
                }
        }
 
-       # Don't put (even failed) password back into the form
+       # make sure the hashed password doesn't make it back to the front end
        $data['password'] = '';
 
-       # include domain name in title (especially for bookmarks) and header
-       tem_set('this_host', this_host());
-
        # display the form [again]
        tem_set('form', $data);
 }