X-Git-Url: https://git.ucc.asn.au/?a=blobdiff_plain;f=server%2Flogin.c;h=3445c04ff1649054b50f4dbbec845010ff703306;hb=828cdbf49f52572e93c5c5a48e05277525a4055f;hp=c1d981f2e562ddb4eca7d352fe96288b59f83122;hpb=dd239d26439d97188aa6cad06573a6584dc250a6;p=matches%2FMCTX3420.git diff --git a/server/login.c b/server/login.c index c1d981f..3445c04 100644 --- a/server/login.c +++ b/server/login.c @@ -110,7 +110,12 @@ UserType Login_MySQL(const char * user, const char * pass, Log(LOGERR, "No user matching %s", user); } - + //TODO: Handle administrator users somehow better than this + // UserCake stores the permission level in a seperate table to the username/password, which is annoying + if (user_type != USER_UNAUTH && strcmp(user, "admin") == 0) + { + user_type = USER_ADMIN; + } mysql_free_result(result); mysql_close(con); return user_type; @@ -273,14 +278,18 @@ int Login_LDAP_Bind(const char * uri, const char * dn, const char * pass) void Logout_Handler(FCGIContext * context, char * params) { FCGI_ReleaseControl(context); - FCGI_AcceptJSON(context, "Logged out", "0"); + FCGI_SendControlCookie(context, false); //Unset the cookie + FCGI_AcceptJSON(context, "Logged out"); } /** * Handle a Login Request * @param context - The context - * @param params - Parameter string, should contain username and password + * @param params - Parameter string, should contain username and password. + * NOTE: Care should be taken when using params, as it is + * completely unescaped. Do not log or use it without + * suitable escaping. */ void Login_Handler(FCGIContext * context, char * params) { @@ -322,7 +331,7 @@ void Login_Handler(FCGIContext * context, char * params) case AUTH_LDAP: { - if (strlen(pass) <= 0) + if (*pass == '\0') { FCGI_RejectJSON(context, "No password supplied."); return; @@ -367,7 +376,7 @@ void Login_Handler(FCGIContext * context, char * params) { //WARNING: C string manipulation code approaching! // Non reentrent; uses strsep and modifies g_options.auth_options - // If problems happen, try strdup ... + // If problems happen, try strdup first ... static char * db_opts[] = {"root", "", "users", "uc_users"}; static bool db_init_opts = false; if (!db_init_opts) @@ -386,7 +395,7 @@ void Login_Handler(FCGIContext * context, char * params) break; } } - Log(LOGDEBUG, "MySQL: user %s pass %s name %s table %s", db_opts[0], db_opts[1], db_opts[2], db_opts[3]); + //Log(LOGDEBUG, "MySQL: user %s pass %s name %s table %s", db_opts[0], db_opts[1], db_opts[2], db_opts[3]); } user_type = Login_MySQL(user, pass, g_options.auth_uri, db_opts[0],db_opts[1], db_opts[2], db_opts[3]); @@ -414,7 +423,8 @@ void Login_Handler(FCGIContext * context, char * params) { FCGI_EscapeText(context->user_name); //Don't break javascript pls // Give the user a cookie - FCGI_AcceptJSON(context, "Logged in", context->control_key); + FCGI_SendControlCookie(context, true); //Send the control key + FCGI_AcceptJSON(context, "Logged in"); Log(LOGDEBUG, "Successful authentication for %s", user); } else