From 5f205faca640e0503f4b80e85a41742b6cd869e6 Mon Sep 17 00:00:00 2001
From: kanoi
Date: Wed, 8 Apr 2015 19:34:03 +1000
Subject: [PATCH] ckdb/php - allow admin user to view other user reports - without ease
---
 pool/db.php | 13 +++++++++++++
 src/ckdb.h | 2 +-
 src/ckdb_cmd.c | 33 ++++++++++++++++++++++++++++-----
 3 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/pool/db.php b/pool/db.php
index 2525a0a7..b2cb3b85 100644
--- a/pool/db.php
+++ b/pool/db.php
@@ -110,6 +110,18 @@ function zeip()
 return $_SERVER['REMOTE_ADDR'];
 }
 #
+# user administration overrided
+function adm($user, &$msg)
+{
+ global $fld_sep, $val_sep;
+ if ($user == 'Kano')
+ {
+ $admin = getparam('admin', true);
+ if (!nuem($admin))
+ $msg .= $fld_sep . 'admin' . $val_sep . $admin;
+ }
+}
+#
 function fldEncode($flds, $name, $first)
 {
 global $fld_sep, $val_sep;
@@ -134,6 +146,7 @@ function msgEncode($cmd, $id, $fields, $user)
 $msg .= 'createcode' . $val_sep . 'php' . $fld_sep;
 $msg .= 'createby' . $val_sep . $user . $fld_sep;
 $msg .= 'createinet' . $val_sep . zeip();
+ adm($user, $msg);
 return $msg;
 }
 #
diff --git a/src/ckdb.h b/src/ckdb.h
index 4ad8dffd..7edb433e 100644
--- a/src/ckdb.h
+++ b/src/ckdb.h
@@ -55,7 +55,7 @@
 #define DB_VLOCK "1"
 #define DB_VERSION "1.0.0"
-#define CKDB_VERSION DB_VERSION"-1.061"
+#define CKDB_VERSION DB_VERSION"-1.066"
 #define WHERE_FFL " - from %s %s() line %d"
 #define WHERE_FFL_HERE __FILE__, __func__, __LINE__
diff --git a/src/ckdb_cmd.c b/src/ckdb_cmd.c
index 464a72a6..35a00ddd 100644
--- a/src/ckdb_cmd.c
+++ b/src/ckdb_cmd.c
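Review bot: The authorization decision in `adm()` is a hard-coded username literal compared with loose `==`, `if ($user == 'Kano')`; PHP's `==` juggles types, so `===` is the safer comparison, and a literal in code means the set of users allowed to view other users' reports cannot be audited or revoked without a deploy. A configuration-driven admin list, or a privilege flag that ckdb itself holds for the user, would be easier to review and change. The comment `# user administration overrided` would read better as `# admin override of the reported user (read-only report cmds only)`, which also records the intended scope. `getparam()` and `nuem()` are defined outside this hunk, so whether `$admin` is sanitised before being appended is not visible here; the ckdb side does match it against `userpatt`.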
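Review bot: `adm($user, $msg)` runs inside `msgEncode()`, so the `admin` field is appended to every message built for that user whenever the request carries an `admin` parameter, including write commands; only the read-only report commands in ckdb_cmd.c consult it, so its presence elsewhere relies on the other commands ignoring unknown fields. Restricting the call to the reporting commands, for example by passing `$cmd` into `adm()` and checking it there, would make the read-only scope stated in the ckdb comment enforceable on the PHP side as well. msgEncode()'s body begins outside the hunk.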
@@ -9,6 +9,29 @@
 #include "ckdb.h"
+/*
+ * Allow overriding the username however the username must still be present
+ * This should ONLY be used for web reporting cmds i.e. read only
+ * Current PHP allows this for a hard coded user
+ */
+static K_ITEM *adminuser(K_TREE *trf_root, char *reply, size_t siz)
+{
+ K_ITEM *i_username, *i_admin;
+ char reply2[1024] = "";
+
+ i_username = require_name(trf_root, "username", 3, (char *)userpatt,
+ reply, siz);
+ if (!i_username)
+ return NULL;
+
+ i_admin = optional_name(trf_root, "admin", 3, (char *)userpatt,
+ reply2, sizeof(reply2));
+ if (i_admin)
+ return i_admin;
+
+ return i_username;
+}
+
 static char *cmd_adduser(PGconn *conn, char *cmd, char *id, tv_t *now, char *by,
 char *code, char *inet, __maybe_unused tv_t *notcd,
 K_TREE *trf_root)
@@ -1235,7 +1258,7 @@ static char *cmd_payments(__maybe_unused PGconn *conn, char *cmd, char *id,
 LOGDEBUG("%s(): cmd '%s'", __func__, cmd);
- i_username = require_name(trf_root, "username", 3, (char *)userpatt, reply, siz);
+ i_username = adminuser(trf_root, reply, siz);
 if (!i_username)
 return strdup(reply);
@@ -1567,7 +1590,7 @@ static char *cmd_workers(__maybe_unused PGconn *conn, char *cmd, char *id,
 LOGDEBUG("%s(): cmd '%s'", __func__, cmd);
- i_username = require_name(trf_root, "username", 3, (char *)userpatt, reply, siz);
+ i_username = adminuser(trf_root, reply, siz);
 if (!i_username)
 return strdup(reply);
@@ -4584,7 +4607,7 @@ static char *cmd_mpayouts(__maybe_unused PGconn *conn, char *cmd, char *id,
 LOGDEBUG("%s(): cmd '%s'", __func__, cmd);
- i_username = require_name(trf_root, "username", 3, (char *)userpatt, reply, siz);
+ i_username = adminuser(trf_root, reply, siz);
 if (!i_username)
 return strdup(reply);
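Review bot: `adminuser()` performs no authorization of its own: whatever reaches the ckdb command interface with an `admin` field gets the report for that user, because the only check that the requester may do so is the hard-coded username in the PHP tier; ckdb should confirm the caller's privilege itself from `i_username`, or at the very least log the substitution above LOGDEBUG so overrides are auditable. A second point is that `reply2` is discarded, so when `optional_name()` rejects a present-but-malformed `admin` value the function silently falls back to `i_username` and the admin receives their own report instead of an error; if `optional_name()` leaves the reason in `reply2`, copying it into `reply` and returning NULL would surface the mistake. The same one-line substitution is made in cmd_payments, cmd_workers and cmd_mpayouts here and in cmd_shifts and cmd_pshift on the following hunks, where any later use of `i_username` for logging now names the target user rather than the actor carried in `by`, which is worth confirming since those function bodies lie outside the hunks.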
@@ -4790,7 +4813,7 @@ static char *cmd_shifts(__maybe_unused PGconn *conn, char *cmd, char *id,
 LOGDEBUG("%s(): cmd '%s'", __func__, cmd);
- i_username = require_name(trf_root, "username", 3, (char *)userpatt, reply, siz);
+ i_username = adminuser(trf_root, reply, siz);
 if (!i_username)
 return strdup(reply);
@@ -5644,7 +5667,7 @@ static char *cmd_pshift(__maybe_unused PGconn *conn, char *cmd, char *id,
 LOGDEBUG("%s(): cmd '%s'", __func__, cmd);
- i_username = require_name(trf_root, "username", 3, (char *)userpatt, reply, siz);
+ i_username = adminuser(trf_root, reply, siz);
 if (!i_username)
 return strdup(reply);