From 3c8153c9b4563df734d8da61fede0316bf047a89 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Fri, 12 Dec 2014 09:38:54 -0500
Subject: [PATCH] better fix for the view=console security flaw. This does it in index.php,so it guards all pages, and also just changes the view to login, so instead of giving an error, it presents you with the login, which I think is better.
---
 web/index.php | 5 +++++
 web/skins/classic/views/console.php | 5 -----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/web/index.php b/web/index.php
index f6ca44ff2..a91c59ce2 100644
--- a/web/index.php
+++ b/web/index.php
@@ -122,6 +122,11 @@ foreach ( getSkinIncludes( 'skin.php' ) as $includeFile ) require_once( 'includes/actions.php' );
+# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
+if ( ZM_OPT_USE_AUTH && ! isset($user) && $view != 'login' ) {
+ $view = 'login';
+}
+
 if ( isset( $_REQUEST['request'] ) ) { foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
diff --git a/web/skins/classic/views/console.php b/web/skins/classic/views/console.php
index 54a39d662..3320857ba 100644
--- a/web/skins/classic/views/console.php
+++ b/web/skins/classic/views/console.php
@@ -18,11 +18,6 @@ // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. //
-if ( ZM_OPT_USE_AUTH && ! isset($user) ) {
- $view = "error";
- return;
-}
-
 $eventCounts = array( array( "title" => $SLANG['Events'],
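Review bot: The new guard in web/index.php only rewrites `$view`, but the `if ( isset( $_REQUEST['request'] ) )` branch directly below it picks its include from `$request`, not from `$view`, so a request that carries a `request` parameter without a logged-in `$user` appears to reach the `ajax/` includes unchanged. Unless every ajax handler checks `$user` itself (not visible in this hunk), the guard should also stop that branch, for example by adding `if ( isset( $_REQUEST['request'] ) ) { header( 'HTTP/1.1 403 Forbidden' ); exit; }` inside the new block before `$view = 'login';`. The same caveat holds for `includes/actions.php`: the comment explains why the check has to come after it, which means every action handled there still needs its own permission check. `$view != 'login'` is a loose comparison and would be safer as `$view !== 'login'`. The `if`/`foreach` that follows the guard continues outside the hunk.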