harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remote control - if auth'd visitor is in config system remote_admins (array), become superuser. Literally. Full control. Untested.

Browse Source
This commit is contained in:
friendica 2013-07-22 14:34:26 -07:00
parent 05612a8a77
commit f9e61fe075
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
include/auth.php
View File

@ -67,6 +67,21 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
} }
if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {
// if our authenticated guest is allowed to take control of the admin channel, make it so.
$admins = get_config('system','remote_admin');
if($admins && is_array($admins) && in_array($_SESSION['visitor_id'],$admins)) {
$x = q("select * from account where account_email = '%s' and account_email != '' and ( account_flags & %d ) limit 1",
dbesc(get_config('system','admin_email')),
intval(ACCOUNT_ROLE_ADMIN)
);
if($x) {
new_cookie(60*60*24); // one day
$_SESSION['last_login_date'] = datetime_convert();
unset($_SESSION['visitor_id']); // no longer a visitor
authenticate_success($x[0], true, true);
}
}
$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1", $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1",
dbesc($_SESSION['visitor_id']) dbesc($_SESSION['visitor_id'])
); );

2
version.inc
View File

@ -1 +1 @@
2013-07-21.381 2013-07-22.382