/ - Diff - UnivNautes - Redmine Entr’ouvert

« Précédent | Suivant »

Révision 1a6769a6

Ajouté par Renato Botelho il y a plus de 9 ans

ID 1a6769a630b73e20dc093df7d9b59e8bd4dfce74
Parent 7c2d0050
Enfant e373e4cd

Replace GET by POST on system_usermanager.php and make necessary adjustments on necessary pages. It fixes #3856

     			if (!$input_errors)
     				write_config();
     			if ($userid)
     				pfSenseHeader("system_usermanager.php?act=edit&amp;id={$userid}");
     			if ($userid) {
     				post_redirect("system_usermanager.php", array('act' => 'edit', 'userid' => $userid));
     				exit;
+    			}
+    		}
+    	}

     // start admin user code
     $pgtitle = array(gettext("System"),gettext("User Manager"));
     if (is_numericint($_GET['id']))
     	$id = $_GET['id'];
     if (isset($_POST['id']) && is_numericint($_POST['id']))
     	$id = $_POST['id'];
     if (isset($_POST['userid']) && is_numericint($_POST['userid']))
     	$id = $_POST['userid'];
     if (!is_array($config['system']['user']))
     if (!isset($config['system']['user']) || !is_array($config['system']['user']))
     	$config['system']['user'] = array();
     $a_user = &$config['system']['user'];
-...
     	$pconfig['disabled'] = isset($a_user[$id]['disabled']);
+    }
     if ($_GET['act'] == "deluser") {
     if ($_POST['act'] == "deluser") {
     	if (!$a_user[$id]) {
     		pfSenseHeader("system_usermanager.php");
-...
     	$savemsg = gettext("User")." {$userdeleted} ".
     				gettext("successfully deleted")."<br />";
+    }
     else if ($_GET['act'] == "delpriv") {
     else if ($_POST['act'] == "delpriv") {
     	if (!$a_user[$id]) {
     		pfSenseHeader("system_usermanager.php");
     		exit;
+    	}
     	$privdeleted = $priv_list[$a_user[$id]['priv'][$_GET['privid']]]['name'];
     	unset($a_user[$id]['priv'][$_GET['privid']]);
     	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
     	unset($a_user[$id]['priv'][$_POST['privid']]);
     	local_user_set($a_user[$id]);
     	write_config();
     	$_GET['act'] = "edit";
     	$_POST['act'] = "edit";
     	$savemsg = gettext("Privilege")." {$privdeleted} ".
     				gettext("successfully deleted")."<br />";
+    }
     else if ($_GET['act'] == "expcert") {
     else if ($_POST['act'] == "expcert") {
     	if (!$a_user[$id]) {
     		pfSenseHeader("system_usermanager.php");
     		exit;
+    	}
     	$cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]);
     	$cert =& lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
     	$exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.crt");
     	$exp_data = base64_decode($cert['crt']);
-...
     	echo $exp_data;
     	exit;
+    }
     else if ($_GET['act'] == "expckey") {
     else if ($_POST['act'] == "expckey") {
     	if (!$a_user[$id]) {
     		pfSenseHeader("system_usermanager.php");
     		exit;
+    	}
     	$cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]);
     	$cert =& lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
     	$exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.key");
     	$exp_data = base64_decode($cert['prv']);
-...
     	echo $exp_data;
     	exit;
+    }
     else if ($_GET['act'] == "delcert") {
     else if ($_POST['act'] == "delcert") {
     	if (!$a_user[$id]) {
     		pfSenseHeader("system_usermanager.php");
     		exit;
+    	}
     	$certdeleted = lookup_cert($a_user[$id]['cert'][$_GET['certid']]);
     	$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
     	$certdeleted = $certdeleted['descr'];
     	unset($a_user[$id]['cert'][$_GET['certid']]);
     	unset($a_user[$id]['cert'][$_POST['certid']]);
     	write_config();
     	$_GET['act'] = "edit";
     	$_POST['act'] = "edit";
     	$savemsg = gettext("Certificate")." {$certdeleted} ".
     				gettext("association removed.")."<br />";
+    }
     else if ($_GET['act'] == "new") {
     else if ($_POST['act'] == "new") {
     	/*
     	 * set this value cause the text field is read only
     	 * and the user should not be able to mess with this
-...
     	$pconfig['lifetime'] = 3650;
+    }
     if ($_POST) {
     if ($_POST['save']) {
     	unset($input_errors);
     	$pconfig = $_POST;
-...
     		<td id="mainarea">
     			<div class="tabcont">
     <?php
     			if ($_GET['act'] == "new" || $_GET['act'] == "edit" || $input_errors):
     			if ($_POST['act'] == "new" || $_POST['act'] == "edit" || $input_errors):
     ?>
     				<form action="system_usermanager.php" method="post" name="iform" id="iform" onsubmit="presubmit()">
     					<input type="hidden" id="act" name="act" value="" />
     					<input type="hidden" id="userid" name="userid" value="<?=(isset($id) ? $id : '');?>" />
     					<input type="hidden" id="privid" name="privid" value="" />
     					<input type="hidden" id="certid" name="certid" value="" />
     					<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area">
     <?php
     						$ro = "";
-...
     <?php
     										if (!$group):
     ?>
     											<a href="system_usermanager.php?act=delpriv&amp;id=<?=$id?>&amp;privid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this privilege?");?>')">
     												<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="delete" />
     											</a>
     											<input type="image" name="delpriv[]" width="17" height="17" border="0"
     												src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif"
     												onclick="document.getElementById('privid').value='<?=$i;?>';
     													document.getElementById('userid').value='<?=$id;?>';
     													document.getElementById('act').value='<?php echo "delpriv";?>';
     													return confirm('<?=gettext("Do you really want to delete this privilege?");?>');"
     												title="<?=gettext("delete privilege");?>" />
     <?php
     										endif;
     ?>
-...
     											<?=htmlspecialchars($ca['descr']);?>
     										</td>
     										<td valign="middle" class="list nowrap">
     											<a href="system_usermanager.php?act=expckey&amp;id=<?=$id;?>&amp;certid=<?=$i;?>">
     												<img src="/themes/<?= $g['theme'];?>/images/icons/icon_down.gif" title="<?=gettext("export private key"); ?>" alt="<?=gettext("export private key"); ?>" width="17" height="17" border="0" />
     											</a>
     											<a href="system_usermanager.php?act=expcert&amp;id=<?=$id;?>&amp;certid=<?=$i;?>">
     												<img src="/themes/<?= $g['theme'];?>/images/icons/icon_down.gif" title="<?=gettext("export cert"); ?>" alt="<?=gettext("export cert"); ?>" width="17" height="17" border="0" />
     											</a>
     											<a href="system_usermanager.php?act=delcert&amp;id=<?=$id?>&amp;certid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to remove this certificate association?") .'\n'. gettext("(Certificate will not be deleted)");?>')">
     												<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="<?=gettext("delete cert");?>" />
     											</a>
     											<input type="image" name="expckey[]" width="17" height="17" border="0"
     												src="/themes/<?=$g['theme'];?>/images/icons/icon_down.gif"
     												onclick="document.getElementById('certid').value='<?=$i;?>';
     													document.getElementById('userid').value='<?=$id;?>';
     													document.getElementById('act').value='<?php echo "expckey";?>';"
     												title="<?=gettext("export private key");?>" />
     											<input type="image" name="expcert[]" width="17" height="17" border="0"
     												src="/themes/<?=$g['theme'];?>/images/icons/icon_down.gif"
     												onclick="document.getElementById('certid').value='<?=$i;?>';
     													document.getElementById('userid').value='<?=$id;?>';
     													document.getElementById('act').value='<?php echo "expcert";?>';"
     												title="<?=gettext("export cert");?>" />
     											<input type="image" name="delcert[]" width="17" height="17" border="0"
     												src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif"
     												onclick="document.getElementById('certid').value='<?=$i;?>';
     													document.getElementById('userid').value='<?=$id;?>';
     													document.getElementById('act').value='<?php echo "delcert";?>';
     													return confirm('<?=gettext("Do you really want to remove this certificate association?") .'\n'. gettext("(Certificate will not be deleted)");?>')"
     												title="<?=gettext("delete cert");?>" />
     										</td>
     									</tr>
     <?php
-...
     <?php
     			else:
     ?>
     				<table class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0" summary="">
     					<thead>
     						<tr>
     							<th width="25%" class="listhdrr"><?=gettext("Username"); ?></th>
     							<th width="25%" class="listhdrr"><?=gettext("Full name"); ?></th>
     							<th width="5%" class="listhdrr"><?=gettext("Disabled"); ?></th>
     							<th width="25%" class="listhdrr"><?=gettext("Groups"); ?></th>
     							<th width="10%" class="list"></th>
     						</tr>
     					</thead>
     					<tfoot>
     						<tr>
     							<td class="list" colspan="4"></td>
     							<td class="list">
     								<a href="system_usermanager.php?act=new">
     									<img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?=gettext("add user"); ?>" alt="<?=gettext("add user"); ?>" width="17" height="17" border="0" />
     								</a>
     							</td>
     						</tr>
     						<tr>
     							<td colspan="4">
     								<p>
     									<?=gettext("Additional users can be added here. User permissions for accessing " .
     									"the webConfigurator can be assigned directly or inherited from group memberships. " .
     									"An icon that appears grey indicates that it is a system defined object. " .
     									"Some system object properties can be modified but they cannot be deleted."); ?>
     									<br /><br />
     									<?=gettext("Accounts created here are also used for other parts of the system " .
     									"such as OpenVPN, IPsec, and Captive Portal.");?>
     								</p>
     							</td>
     						</tr>
     					</tfoot>
     					<tbody>
     <?php
     					$i = 0;
     					foreach($a_user as $userent):
     ?>
     						<tr ondblclick="document.location='system_usermanager.php?act=edit&amp;id=<?=$i;?>'">
     							<td class="listlr">
     								<table border="0" cellpadding="0" cellspacing="0" summary="icons">
     									<tr>
     										<td align="left" valign="middle">
     <?php
     											if($userent['scope'] != "user")
     												$usrimg = "/themes/{$g['theme']}/images/icons/icon_system-user-grey.png";
     											else
     												$usrimg = "/themes/{$g['theme']}/images/icons/icon_system-user.png";
     ?>
     											<img src="<?=$usrimg;?>" alt="<?=gettext("User"); ?>" title="<?=gettext("User"); ?>" border="0" height="16" width="16" />
     										</td>
     										<td align="left" valign="middle">
     											<?=htmlspecialchars($userent['name']);?>
     										</td>
     									</tr>
     								</table>
     							</td>
     							<td class="listr"><?=htmlspecialchars($userent['descr']);?>&nbsp;</td>
     							<td class="listr"><?php if(isset($userent['disabled'])) echo "*"; ?></td>
     							<td class="listbg">
     								<?=implode(",",local_user_get_groups($userent));?>
     								&nbsp;
     							</td>
     							<td valign="middle" class="list nowrap">
     								<a href="system_usermanager.php?act=edit&amp;id=<?=$i;?>">
     									<img src="/themes/<?= $g['theme'];?>/images/icons/icon_e.gif" title="<?=gettext("edit user"); ?>" alt="<?=gettext("edit user"); ?>" width="17" height="17" border="0" />
     								</a>
     <?php
     							if($userent['scope'] != "system"):
     ?>
     								&nbsp;
     								<a href="system_usermanager.php?act=deluser&amp;id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this User?");?>')">
     									<img src="/themes/<?= $g['theme'];?>/images/icons/icon_x.gif" title="<?=gettext("delete user"); ?>" alt="<?=gettext("delete user"); ?>" width="17" height="17" border="0" />
     								</a>
     <?php
     							endif;
     ?>
     							</td>
     						</tr>
     <?php
     						$i++;
     					endforeach;
     ?>
     					</tbody>
     				</table>
     				<form action="system_usermanager.php" method="post" name="iform2" id="iform2">
     					<input type="hidden" id="act" name="act" value="" />
     					<input type="hidden" id="userid" name="userid" value="<?=(isset($id) ? $id : '');?>" />
     					<input type="hidden" id="privid" name="privid" value="" />
     					<input type="hidden" id="certid" name="certid" value="" />
     					<table class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0" summary="">
     						<thead>
     							<tr>
     								<th width="25%" class="listhdrr"><?=gettext("Username"); ?></th>
     								<th width="25%" class="listhdrr"><?=gettext("Full name"); ?></th>
     								<th width="5%" class="listhdrr"><?=gettext("Disabled"); ?></th>
     								<th width="25%" class="listhdrr"><?=gettext("Groups"); ?></th>
     								<th width="10%" class="list"></th>
     							</tr>
     						</thead>
     						<tfoot>
     							<tr>
     								<td class="list" colspan="4"></td>
     								<td class="list">
     									<input type="image" name="addcert" width="17" height="17" border="0"
     										src="/themes/<?=$g['theme'];?>/images/icons/icon_plus.gif"
     										onclick="document.getElementById('act').value='<?php echo "new";?>';"
     										title="<?=gettext("add user");?>" />
     								</td>
     							</tr>
     							<tr>
     								<td colspan="4">
     									<p>
     										<?=gettext("Additional users can be added here. User permissions for accessing " .
     										"the webConfigurator can be assigned directly or inherited from group memberships. " .
     										"An icon that appears grey indicates that it is a system defined object. " .
     										"Some system object properties can be modified but they cannot be deleted."); ?>
     										<br /><br />
     										<?=gettext("Accounts created here are also used for other parts of the system " .
     										"such as OpenVPN, IPsec, and Captive Portal.");?>
     									</p>
     								</td>
     							</tr>
     						</tfoot>
     						<tbody>
     <?php
     						$i = 0;
     						foreach($a_user as $userent):
     ?>
     								<tr ondblclick="document.getElementById('act').value='<?php echo "edit";?>';
     									document.getElementById('userid').value='<?=$i;?>';
     									document.iform2.submit();">
     								<td class="listlr">
     									<table border="0" cellpadding="0" cellspacing="0" summary="icons">
     										<tr>
     											<td align="left" valign="middle">
     <?php
     												if($userent['scope'] != "user")
     													$usrimg = "/themes/{$g['theme']}/images/icons/icon_system-user-grey.png";
     												else
     													$usrimg = "/themes/{$g['theme']}/images/icons/icon_system-user.png";
     ?>
     												<img src="<?=$usrimg;?>" alt="<?=gettext("User"); ?>" title="<?=gettext("User"); ?>" border="0" height="16" width="16" />
     											</td>
     											<td align="left" valign="middle">
     												<?=htmlspecialchars($userent['name']);?>
     											</td>
     										</tr>
     									</table>
     								</td>
     								<td class="listr"><?=htmlspecialchars($userent['descr']);?>&nbsp;</td>
     								<td class="listr"><?php if(isset($userent['disabled'])) echo "*"; ?></td>
     								<td class="listbg">
     									<?=implode(",",local_user_get_groups($userent));?>
     									&nbsp;
     								</td>
     								<td valign="middle" class="list nowrap">
     									<input type="image" name="edituser[]" width="17" height="17" border="0"
     										src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
     										onclick="document.getElementById('userid').value='<?=$i;?>';
     											document.getElementById('act').value='<?php echo "edit";?>';"
     										title="<?=gettext("edit user");?>" />
     <?php
     								if($userent['scope'] != "system"):
     ?>
     									&nbsp;
     									<input type="image" name="deluser[]" width="17" height="17" border="0"
     										src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif"
     										onclick="document.getElementById('userid').value='<?=$i;?>';
     											document.getElementById('act').value='<?php echo "deluser";?>';
     											return confirm('<?=gettext("Do you really want to delete this user?");?>');"
     										title="<?=gettext("delete user");?>" />
     <?php
     								endif;
     ?>
     								</td>
     							</tr>
     <?php
     							$i++;
     						endforeach;
     ?>
     						</tbody>
     					</table>
     				</form>
     <?php
     			endif;
     ?>

     if (isset($_POST['userid']) && is_numericint($_POST['userid']))
     	$userid = $_POST['userid'];
     $a_user = & $config['system']['user'][$userid];
     if (!is_array($a_user)) {
     	pfSenseHeader("system_usermanager.php?id={$userid}");
     	exit;
+    }
     if (!is_array($a_user)) {
     if (!isset($config['system']['user'][$userid]) && !is_array($config['system']['user'][$userid])) {
     	pfSenseHeader("system_usermanager.php");
     	exit;
+    }
     $a_user = & $config['system']['user'][$userid];
     if (!is_array($a_user['priv']))
     	$a_user['priv'] = array();
-...
     		$savemsg = get_std_save_message($retval);
     		conf_mount_ro();
     		pfSenseHeader("system_usermanager.php?act=edit&id={$userid}");
     		post_redirect("system_usermanager.php", array('act' => 'edit', 'userid' => $userid));
     		exit;
+    	}

     <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
     <?php include("fbegin.inc"); ?>
     <form action="vpn_ipsec.php" method="post">
     <?php
     if ($savemsg)
     	print_info_box($savemsg);
-...
     		<td class="listr gray">
     			<?=htmlspecialchars($secretent['pre-shared-key']);?>
     		</td>
     		<td class="list nowrap"><a href="system_usermanager.php?act=edit&amp;id=<?=$secretent['id'];?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit key"); ?>" width="17" height="17" border="0" alt="edit" /></a>
     		<td class="list nowrap">
     			<form action="system_usermanager.php" method="post" name="form_edit_key">
     				<input type="hidden" name="act" value="edit" />
     				<input type="hidden" name="userid" value="<?=$secretent['id'];?>" />
     				<input type="image" name="edituser[]" width="17" height="17" border="0"
     					src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
     					title="<?=gettext("edit");?>" />
     			</form>
     		&nbsp;</td>
     				</tr>
     			  <?php $i++; endforeach; ?>
-...
     		</td>
     	</tr>
     </table>
     </form>
     <?php include("fend.inc"); ?>
     </body>
     </html>

Formats disponibles : Unified diff

Projet

Général

Profil

UnivNautes

Révision 1a6769a6

Ajouté par Renato Botelho il y a plus de 9 ans