Context Navigation

← Previous Changeset
Next Changeset →

Changeset 641

Timestamp:

06/06/14 16:57:46 (10 years ago)

Author:

Kris Deugau

Message:

/trunk

Fix another subtle session bug; if a user disabled *themself*, then used
the Back button somewhere along the line, they could continue to browse.
It's not clear if some aspect of this could be abused to view data without
ever having been logged in.

File:

: 1 edited

trunk/dns.cgi (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/dns.cgi

-              r640
+              r641
         or die CGI::Session->errstr();
 if (!$sid || $session->is_expired) {
+if (!$sid || $session->is_expired || !$session->param('uid') || !$dnsdb->userStatus($session->param('uid')) ) {
   $webvar{page} = 'login';
 } else {
 …
         ($permissions{self_edit} && $webvar{id} == $session->param('uid')) )) {
       my $stat = $dnsdb->userStatus($webvar{id}, $webvar{userstatus});
+      # kick user out if user disabled self
+      # arguably there should be a more specific error message for this case
+      changepage(page=> 'login', sessexpired => 1) if $webvar{id} == $session->param('uid');
       $page->param(resultmsg => $DNSDB::resultstr);
     } else {

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 641

Legend:

trunk/dns.cgi

Download in other formats: