X-Git-Url: https://git.ucc.asn.au/?a=blobdiff_plain;f=server%2Flogin.c;h=3445c04ff1649054b50f4dbbec845010ff703306;hb=bd93dbb92da512a1bd585ed29bc46a5e8fc60015;hp=ecc081197899bb36035c65c2d5dd3fe242c76a22;hpb=1b3737962d2abeb9359d92de0977d0ca108ff05b;p=matches%2FMCTX3420.git diff --git a/server/login.c b/server/login.c index ecc0811..3445c04 100644 --- a/server/login.c +++ b/server/login.c @@ -110,7 +110,12 @@ UserType Login_MySQL(const char * user, const char * pass, Log(LOGERR, "No user matching %s", user); } - + //TODO: Handle administrator users somehow better than this + // UserCake stores the permission level in a seperate table to the username/password, which is annoying + if (user_type != USER_UNAUTH && strcmp(user, "admin") == 0) + { + user_type = USER_ADMIN; + } mysql_free_result(result); mysql_close(con); return user_type; @@ -281,7 +286,10 @@ void Logout_Handler(FCGIContext * context, char * params) /** * Handle a Login Request * @param context - The context - * @param params - Parameter string, should contain username and password + * @param params - Parameter string, should contain username and password. + * NOTE: Care should be taken when using params, as it is + * completely unescaped. Do not log or use it without + * suitable escaping. */ void Login_Handler(FCGIContext * context, char * params) { @@ -323,7 +331,7 @@ void Login_Handler(FCGIContext * context, char * params) case AUTH_LDAP: { - if (strlen(pass) <= 0) + if (*pass == '\0') { FCGI_RejectJSON(context, "No password supplied."); return; @@ -368,7 +376,7 @@ void Login_Handler(FCGIContext * context, char * params) { //WARNING: C string manipulation code approaching! // Non reentrent; uses strsep and modifies g_options.auth_options - // If problems happen, try strdup ... + // If problems happen, try strdup first ... static char * db_opts[] = {"root", "", "users", "uc_users"}; static bool db_init_opts = false; if (!db_init_opts) @@ -387,7 +395,7 @@ void Login_Handler(FCGIContext * context, char * params) break; } } - Log(LOGDEBUG, "MySQL: user %s pass %s name %s table %s", db_opts[0], db_opts[1], db_opts[2], db_opts[3]); + //Log(LOGDEBUG, "MySQL: user %s pass %s name %s table %s", db_opts[0], db_opts[1], db_opts[2], db_opts[3]); } user_type = Login_MySQL(user, pass, g_options.auth_uri, db_opts[0],db_opts[1], db_opts[2], db_opts[3]);