better fix for the view=console security flaw.

This does it in index.php, so it guards all pages, and also just changes the view to login, so instead of giving an error, it presents you with the login, which I think is better.
Isaac Connor 2014-12-12 09:38:54 -05:00
parent 9d9396c8bc
commit 3c8153c9b4
2 changed files with 5 additions and 5 deletions

@ -122,6 +122,11 @@ foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
require_once( 'includes/actions.php' );
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
if ( ZM_OPT_USE_AUTH && ! isset($user) && $view != 'login' ) {
$view = 'login';
}
if ( isset( $_REQUEST['request'] ) )
{
foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
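Review bot: The guard `if ( ZM_OPT_USE_AUTH && ! isset($user) && $view != 'login' )` only rewrites `$view`, but the `isset( $_REQUEST['request'] )` branch directly below it selects its include from `$request`, not `$view`. From these lines, an unauthenticated request that carries a `request` parameter still appears to reach the `ajax/` includes, which does not match the comment's claim that all views and popups are protected. Consider also refusing or clearing `$request` when `$user` is not set, or have the ajax handlers check `$user` themselves. Because the check has to run after `actions.php`, it is also worth confirming that `actions.php` rejects every action other than login while `$user` is unset, and saying so in the comment.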

@ -18,11 +18,6 @@
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
//
if ( ZM_OPT_USE_AUTH && ! isset($user) ) {
$view = "error";
return;
}
$eventCounts = array(
array(
"title" => $SLANG['Events'],
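Review bot: Dropping the `if ( ZM_OPT_USE_AUTH && ! isset($user) )` block at the top of this view leaves the file with no check of its own, so it is protected only when it is reached through the new guard in index.php. If this file can be requested or included by any path that skips that guard, it will go on to build `$eventCounts` for a request with no `$user`. Consider keeping a cheap early `return` here as defence in depth, or add a comment stating that the view relies on index.php for authentication.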