Commit 7034b6d5 authored by Leigh Stoller's avatar Leigh Stoller

A little hack for Rob ... add "su as user" capability. When in admin

mode, the User Profile menu has a new "Su as User" option that flips
you to the target user. You are effectively logged out and logged back
in as the target.

No going back; you have to log out to return to your former self. That
would be too much work for something that is a rare event.
parent dc26410c
......@@ -232,6 +232,9 @@ if ($isadmin) {
WRITESUBMENUBUTTON("Delete User",
"deleteuser.php3?target_uid=$target_uid");
WRITESUBMENUBUTTON("SU as User",
"suuser.php?target_uid=$target_uid");
if (! strcmp($userstatus, TBDB_USERSTATUS_NEWUSER) ||
! strcmp($userstatus, TBDB_USERSTATUS_UNVERIFIED)) {
WRITESUBMENUBUTTON("Resend Verification Key",
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
#
# Only known and logged in users allowed.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
# Verify arguments.
#
if (!isset($target_uid) ||
strcmp($target_uid, "") == 0) {
USERERROR("You must provide a User ID.", 1);
}
if (!TBvalid_uid($target_uid)) {
PAGEARGERROR("Invalid characters in UID");
}
$isadmin = ISADMIN($uid);
if (!$isadmin) {
USERERROR("You do not have permission to do this!", 1);
}
#
# Confirm target is a real user.
#
if (! TBCurrentUser($target_uid)) {
USERERROR("No such user '$target_uid'", 1);
}
if (DOLOGIN_MAGIC($target_uid) < 0) {
USERERROR("Could not log you in as $target_uid", 1);
}
# So the menu and headers get spit out properly.
$_COOKIE[$TBNAMECOOKIE] = $target_uid;
PAGEHEADER("SU as User");
echo "<center>";
echo "<br><br>";
echo "<font size=+2>You are now logged in as <b>$target_uid</b></font>\n";
echo "<br><br>";
echo "<font size=+1>Be Careful!</font>\n";
echo "</center>";
#
# Standard Testbed Footer
#
PAGEFOOTER();
?>
......@@ -655,90 +655,10 @@ function DOLOGIN($token, $password, $adminmode = 0) {
"where uid='$uid'");
break;
}
#
# Pass! Insert a record in the login table for this uid with
# the new hash value. If the user is already logged in, thats
# okay; just update it in place with a new hash and timeout.
#
$timeout = $now + $TBAUTHTIMEOUT;
$hashkey = GENHASH();
$query_result =
DBQueryFatal("SELECT timeout FROM login WHERE uid='$uid'");
if (mysql_num_rows($query_result)) {
DBQueryFatal("UPDATE login set ".
"timeout='$timeout', hashkey='$hashkey' ".
"WHERE uid='$uid'");
}
else {
DBQueryFatal("INSERT into login (uid, hashkey, timeout) ".
"VALUES ('$uid', '$hashkey', '$timeout')");
}
#
# Usage stats.
#
DBQueryFatal("update user_stats set ".
" weblogin_count=weblogin_count+1, ".
" weblogin_last=now() ".
"where uid_idx='$uid_idx'");
#
# Issue the cookie requests so that subsequent pages come back
# with the hash value and auth usr embedded.
#
# For the hashkey, we use a zero timeout so that the cookie is
# a session cookie; killed when the browser is exited. Hopefully this
# keeps the key from going to disk on the client machine. The cookie
# lives as long as the browser is active, but we age the cookie here
# at the server so it will become invalid at some point.
#
setcookie($TBAUTHCOOKIE, $hashkey, 0, "/",
$TBAUTHDOMAIN, $TBSECURECOOKIES);
#
# Another cookie, to help in menu generation. See above in
# checklogin. This cookie is a simple hash of the real hash,
# intended to indicate if the current browser holds a real hash.
# All this does is change the menu options presented, imparting
# no actual privs.
#
$crc = bin2hex(mhash(MHASH_CRC32, $hashkey));
setcookie($TBLOGINCOOKIE, $crc, 0, "/", $TBAUTHDOMAIN, 0);
# Pass!
#
# We give this a really long timeout. We want to remember who the
# the user was each time they load a page, and more importantly,
# each time they come back to the main page so we can fill in their
# user name. NOTE: This cookie is integral to authorization, since
# we do not pass around the UID anymore, but look for it in the
# cookie.
#
$timeout = $now + (60 * 60 * 24 * 32);
setcookie($TBNAMECOOKIE, $uid, $timeout, "/", $TBAUTHDOMAIN, 0);
#
# Clear the existing Wiki cookie so that there is not an old one
# for a different user, sitting in the brower.
#
if ($WIKISUPPORT) {
$flushtime = time() - 1000000;
setcookie($WIKICOOKIENAME, "", $flushtime, "/",
$TBAUTHDOMAIN, $TBSECURECOOKIES);
}
#
# Ditto for bugdb
#
if ($BUGDBSUPPORT) {
$flushtime = time() - 1000000;
setcookie($BUGDBCOOKIENAME, "", $flushtime, "/",
$TBAUTHDOMAIN, $TBSECURECOOKIES);
}
#
# Set adminoff on new logins, unless user requested to be
# logged in as admin (and is an admin of course!). This is
......@@ -750,9 +670,21 @@ function DOLOGIN($token, $password, $adminmode = 0) {
if ($adminmode && $isadmin) {
$adminoff = 0;
}
DBQueryFatal("update users set adminoff=$adminoff, ".
" weblogin_failcount=0,weblogin_failstamp=0 ".
"where uid='$uid'");
#
# Insert a record in the login table for this uid.
#
if (DOLOGIN_MAGIC($uid, $adminoff) < 0) {
return -1;
}
#
# Usage stats.
#
DBQueryFatal("update user_stats set ".
" weblogin_count=weblogin_count+1, ".
" weblogin_last=now() ".
"where uid_idx='$uid_idx'");
# Clear IP record since we have a sucessful login from the IP.
if (isset($IP)) {
......@@ -806,6 +738,102 @@ function DOLOGIN($token, $password, $adminmode = 0) {
return -1;
}
function DOLOGIN_MAGIC($uid, $adminoff = 1)
{
global $TBAUTHCOOKIE, $TBAUTHDOMAIN, $TBAUTHTIMEOUT;
global $TBNAMECOOKIE, $TBLOGINCOOKIE, $TBSECURECOOKIES;
global $TBMAIL_OPS, $TBMAIL_AUDIT, $TBMAIL_WWW;
global $WIKISUPPORT, $WIKICOOKIENAME;
global $BUGDBSUPPORT, $BUGDBCOOKIENAME;
# Caller makes these checks too.
if (!TBvalid_uid($uid)) {
return -1;
}
$now = time();
#
# Insert a record in the login table for this uid with
# the new hash value. If the user is already logged in, thats
# okay; just update it in place with a new hash and timeout.
#
$timeout = $now + $TBAUTHTIMEOUT;
$hashkey = GENHASH();
$query_result =
DBQueryFatal("SELECT timeout FROM login WHERE uid='$uid'");
if (mysql_num_rows($query_result)) {
DBQueryFatal("UPDATE login set ".
"timeout='$timeout', hashkey='$hashkey' ".
"WHERE uid='$uid'");
}
else {
DBQueryFatal("INSERT into login (uid, hashkey, timeout) ".
"VALUES ('$uid', '$hashkey', '$timeout')");
}
#
# Issue the cookie requests so that subsequent pages come back
# with the hash value and auth usr embedded.
#
# For the hashkey, we use a zero timeout so that the cookie is
# a session cookie; killed when the browser is exited. Hopefully this
# keeps the key from going to disk on the client machine. The cookie
# lives as long as the browser is active, but we age the cookie here
# at the server so it will become invalid at some point.
#
setcookie($TBAUTHCOOKIE, $hashkey, 0, "/",
$TBAUTHDOMAIN, $TBSECURECOOKIES);
#
# Another cookie, to help in menu generation. See above in
# checklogin. This cookie is a simple hash of the real hash,
# intended to indicate if the current browser holds a real hash.
# All this does is change the menu options presented, imparting
# no actual privs.
#
$crc = bin2hex(mhash(MHASH_CRC32, $hashkey));
setcookie($TBLOGINCOOKIE, $crc, 0, "/", $TBAUTHDOMAIN, 0);
#
# We give this a really long timeout. We want to remember who the
# the user was each time they load a page, and more importantly,
# each time they come back to the main page so we can fill in their
# user name. NOTE: This cookie is integral to authorization, since
# we do not pass around the UID anymore, but look for it in the
# cookie.
#
$timeout = $now + (60 * 60 * 24 * 32);
setcookie($TBNAMECOOKIE, $uid, $timeout, "/", $TBAUTHDOMAIN, 0);
#
# Clear the existing Wiki cookie so that there is not an old one
# for a different user, sitting in the brower.
#
if ($WIKISUPPORT) {
$flushtime = time() - 1000000;
setcookie($WIKICOOKIENAME, "", $flushtime, "/",
$TBAUTHDOMAIN, $TBSECURECOOKIES);
}
#
# Ditto for bugdb
#
if ($BUGDBSUPPORT) {
$flushtime = time() - 1000000;
setcookie($BUGDBCOOKIENAME, "", $flushtime, "/",
$TBAUTHDOMAIN, $TBSECURECOOKIES);
}
DBQueryFatal("update users set adminoff=$adminoff, ".
" weblogin_failcount=0,weblogin_failstamp=0 ".
"where uid='$uid'");
return 0;
}
#
# Verify a password
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment