
Commit 75a4b58

author
Kristan Kenney
committed
Fix viewing and deletion of user logs without requiring impersonation
1 parent 99a28eb commit 75a4b58


7 files changed

+49
-15
lines changed


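--- a/web/delete/log/auth/index.php
+++ b/web/delete/log/auth/index.php
@@ -10,6 +10,12 @@
 exit();
 }
 
+// Check if administrator is viewing system log (currently 'admin' user)
+if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
+$user=$_GET['user'];
+$token=$_SESSION['token'];
+}
+
 // Clear log
 $v_username = escapeshellarg($user);
 exec (HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
@@ -38,7 +44,11 @@
 unset($_SESSION['error_msg']);
 unset($_SESSION['ok_msg']);
 
-// Return to authentication history
-header("Location: /list/log/auth/");
+// Set correct page reload target
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+header("Location: /list/log/auth/?user=$user&token=$token");
+} else {
+header("Location: /list/log/auth/");
+}
 
 exit;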
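Review bot: The redirect at new line 49 interpolates `$user` — assigned straight from `$_GET['user']` at line 15 — into the Location query string without URL-encoding, so a value containing `&`, `#` or `%` yields a different URL than intended; write it as `header("Location: /list/log/auth/?user=" . urlencode($user) . "&token=" . urlencode($token));`. The same unencoded interpolation sits at line 21 of web/delete/log/index.php. The two guards also disagree: line 14 tests `isset($_GET['user'])` while line 48 tests `!empty(...)`, so a request with an empty `user=` reaches `escapeshellarg($user)` with an empty string and then falls into the plain `/list/log/auth/` branch; use `!empty` (and an `is_string` check, since `user[]=` would make `escapeshellarg()` throw on PHP 8) in both places. Whether the check that precedes the `exit(); }` at line 10 validates the session token for this new branch is outside the hunk and worth confirming.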

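--- a/web/delete/log/index.php
+++ b/web/delete/log/index.php
@@ -11,13 +11,13 @@
 }
 
 // Check if administrator is viewing system log (currently 'admin' user)
-if (($_SESSION['userContext'] === "admin") && ($_GET['user']) === 'admin') {
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
 $user=$_GET['user'];
 $token=$_SESSION['token'];
 }
 
 // Set correct page reload target
-if (($_SESSION['userContext'] === "admin") && ($_GET['user']) === 'admin') {
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
 header("Location: /list/log/?user=$user&token=$token");
 } else {
 header("Location: /list/log/");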
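Review bot: The widened guard at new line 14 accepts any non-empty `$_GET['user']` — including an array from `user[]=` — and assigns it to `$user` without checking that it is a string that looks like a username before it is handed to the backend command (that call is in the part of the file not shown in this hunk). Add an explicit shape check alongside the emptiness test, e.g. `if (($_SESSION['userContext'] === "admin") && is_string($_GET['user'] ?? null) && preg_match('/^[A-Za-z0-9._-]+$/', $_GET['user'])) {` (character class constructed here — align it with the project's username rules). The redirect at line 21 still interpolates the raw value; see the note on web/delete/log/auth/index.php for the `urlencode()` form.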

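--- a/web/list/log/auth/index.php
+++ b/web/list/log/auth/index.php
@@ -9,6 +9,8 @@
 // Edit as someone else?
 if (($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look']))) {
 $v_username = escapeshellarg($_SESSION['look']);
+} else if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
+$v_username = escapeshellarg($_GET['user']);
 } else {
 $v_username = escapeshellarg($_SESSION['user']);
 }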
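Review bot: The new `?user=` branch at lines 12-13 selects another account's auth log with no check of `$_GET['token']` against the session, whereas the equivalent branch in web/list/log/index.php (lines 10-13 of that file in this commit) redirects to `/login/` when the token is missing or wrong; the two list pages should gate identically. Insert before line 13: `if (!isset($_GET['token']) || !hash_equals((string)$_SESSION['token'], (string)$_GET['token'])) { header('location: /login/'); exit(); }`. As in the delete handlers, `$_GET['user']` should also be confirmed to be a string before `escapeshellarg()`, which throws on an array under PHP 8. Minor style: `elseif` is the form used for PHP control structures rather than `else if`.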

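--- a/web/list/log/index.php
+++ b/web/list/log/index.php
@@ -6,7 +6,7 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Data
-if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
 // Check token
 if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
 header('location: /login/');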
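Review bot: Now that line 9 routes every admin `?user=` request through the token check at line 11, that check's loose `!=` comparison matters more: PHP's `==`/`!=` treats numeric-looking strings such as `0e...` values as equal when both parse to the same number, and the comparison is not constant-time. Change line 11 to `if (!isset($_GET['token']) || !hash_equals((string)$_SESSION['token'], (string)$_GET['token'])) {`. The hunk ends at the `header('location: /login/');` line, so whether an `exit()` follows it cannot be seen here; it must, or the rest of the page still renders for a bad token.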

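--- a/web/templates/admin/edit_user.html
+++ b/web/templates/admin/edit_user.html
@@ -2,10 +2,16 @@
 <div class="l-sort clearfix">
 <div class="l-unit-toolbar__buttonstrip">
 <a class="ui-button cancel" dir="ltr" id="btn-back" href="/list/user/"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
-<? if (($_SESSION['user'] == $v_username) || (isset($_SESSION['look']))) {?>
-<a href="/list/key/" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Manage SSH keys');?>"><i class="fas fa-key status-icon orange"></i><?=_('Manage SSH keys')?></a>
-<a href="/list/log/" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Logs');?>"><i class="fas fa-history status-icon maroon"></i><?=_('Logs')?></a>
-<? } ?>
+<?php if (($_SESSION['userContext'] === 'admin') && (!isset($_SESSION['look'])) && ($_SESSION['user'] !== $v_username)) {
+$ssh_key_url = "/list/key/?user=".$user."&token=".$_SESSION['token']."";
+$log_url = "/list/log/?user=".$user."&token=".$_SESSION['token']."";
+} else {
+$ssh_key_url = "/list/key/";
+$log_url = "/list/log/";
+} ?>
+<a href="<?php echo $ssh_key_url; ?>" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Manage SSH keys');?>"><i class="fas fa-key status-icon orange"></i><?=_('Manage SSH keys')?></a>
+<a href="<?php echo $log_url; ?>" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Logs');?>"><i class="fas fa-history status-icon maroon"></i><?=_('Logs')?></a>
+
 </div>
 <div class="l-unit-toolbar__buttonstrip float-right">
 <? if (($_SESSION['user'] == $v_username) || (isset($_SESSION['look']))) {?>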
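Review bot: The URLs built at new lines 6-7 concatenate `$user` and the session token without `urlencode()`, and lines 12-13 then echo them into `href` attributes without HTML escaping, so any `&`, `"` or `<` in `$user` (its origin is outside this hunk) ends up unescaped in the markup. Build them as `$log_url = "/list/log/?user=" . urlencode($user) . "&token=" . urlencode($_SESSION['token']);` and emit with `href="<?= htmlspecialchars($log_url, ENT_QUOTES, 'UTF-8') ?>"`; the trailing `.""` on both lines is a no-op and can go. Two style points: the new block opens with `<?php` while every neighbouring tag in this template uses `<?`, and line 5 compares `$_SESSION['user'] !== $v_username` strictly while the retained line 17 uses `==` for the same pair — pick one. Both anchors keep the duplicate `id="btn-create"`, which the commit does not touch but is invalid HTML.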

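--- a/web/templates/admin/list_log.html
+++ b/web/templates/admin/list_log.html
@@ -6,10 +6,18 @@
 <? } else if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] === 'admin')) { ?>
 <a href="/list/server/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
 <? } else {?>
-<a href="/edit/user/?user=<?php echo $user; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+<? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
+<a href="/edit/user/?user=<?php echo $_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+<? } else { ?>
+<a href="/edit/user/?user=<?php echo $user;?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+<? } ?>
 <? } ?>
 <? if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] !== 'admin')) { ?>
-<a href="/list/log/auth/" id="btn-list" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history')?></a>
+<? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
+<a href="/list/log/auth/?user=<?php echo $_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history')?></a>
+<? } else { ?>
+<a href="/list/log/auth/" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history')?></a>
+<? } ?>
 <? } ?>
 </div>
 <div class="l-unit-toolbar__buttonstrip float-right">
@@ -21,8 +29,8 @@
 <div class="actions-panel display-inline-block" key-action="js">
 <a class="data-controls do_delete ui-button danger cancel">
 <i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete')?>
-<? if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] === 'admin')) {?>
-<input type="hidden" name="delete_url" value="/delete/log/?user=admin&token=<?=$_SESSION['token']?>" />
+<? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user']))) {?>
+<input type="hidden" name="delete_url" value="/delete/log/?user=<?=$_GET['user'];?>&token=<?=$_SESSION['token']?>" />
 <? } else { ?>
 <input type="hidden" name="delete_url" value="/delete/log/?token=<?=$_SESSION['token']?>" />
 <? } ?>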
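Review bot: New lines 10, 17 and 33 echo `$_GET['user']` straight into `href` and `value` attributes with no escaping, which is a reflected-XSS / attribute-injection sink: a request parameter is rendered back into the page unencoded (the same pattern is at new lines 5 and 20 of web/templates/admin/list_log_auth.html). Emit it as `<?= htmlspecialchars(rawurlencode($_GET['user']), ENT_QUOTES, 'UTF-8') ?>` in each place — URL-encoding for the query string, HTML-escaping for the attribute context. Lines 17 and 19 also change the Login-history anchor's id from `btn-list` to `btn-back`, which duplicates the Back link's id in the same toolbar; keep `id="btn-list"`. The retained guards at lines 6 and 15 still read `$_GET['user']` without `isset()`, so the undefined-index warning the inner `isset` at line 16 avoids is raised one line earlier anyway.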

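--- a/web/templates/admin/list_log_auth.html
+++ b/web/templates/admin/list_log_auth.html
@@ -1,7 +1,11 @@
 <div class="l-center">
 <div class="l-sort clearfix noselect">
 <div class="l-unit-toolbar__buttonstrip">
-<a href="/list/log/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+<? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
+<a href="/list/log/?user=<?php echo $_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+<? } else { ?>
+<a href="/list/log/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+<? } ?>
 </div>
 <div class="l-unit-toolbar__buttonstrip float-right">
 <a href="javascript:location.reload();" class="ui-button cancel" dir="ltr"><i class="fas fa-redo status-icon green"></i><?=_('Refresh')?></a>
@@ -12,7 +16,11 @@
 <div class="actions-panel display-inline-block" key-action="js">
 <a class="data-controls do_delete ui-button danger cancel">
 <i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete')?>
-<input type="hidden" name="delete_url" value="/delete/log/auth/?token=<?=$_SESSION['token']?>" />
+<? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user']))) {?>
+<input type="hidden" name="delete_url" value="/delete/log/auth/?user=<?=$_GET['user'];?>&token=<?=$_SESSION['token']?>" />
+<? } else { ?>
+<input type="hidden" name="delete_url" value="/delete/log/auth/?token=<?=$_SESSION['token']?>" />
+<? } ?>
 <div class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
 <p class="confirmation"><?=_('DELETE_LOGS_CONFIRMATION')?></p>
 </div>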
