diff --git a/modules/webadmin.cpp b/modules/webadmin.cpp index e3cf44a3..063a664c 100644 --- a/modules/webadmin.cpp +++ b/modules/webadmin.cpp @@ -223,6 +223,20 @@ public: return pNewUser; } + CString SafeGetUserNameParam(CWebSock& WebSock) { + CString sUserName = WebSock.GetParam("user"); // check for POST param + if(sUserName.empty() && !WebSock.IsPost()) { + // if no POST param named user has been given and we are not + // saving this form, fall back to using the GET parameter. + sUserName = WebSock.GetParam("user", false); + } + return sUserName; + } + + CUser* SafeGetUserFromParam(CWebSock& WebSock) { + return CZNC::Get().FindUser(SafeGetUserNameParam(WebSock)); + } + virtual CString GetWebMenuTitle() { return "webadmin"; } virtual bool OnWebRequest(CWebSock& WebSock, const CString& sPageName, CTemplate& Tmpl) { CSmartPtr spSession = WebSock.GetSession(); @@ -242,9 +256,9 @@ public: return UserPage(WebSock, Tmpl); } else if (sPageName == "editchan") { - CUser* pUser = CZNC::Get().FindUser(WebSock.GetParam("user")); + CUser* pUser = SafeGetUserFromParam(WebSock); - // Admin/Self Check + // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } @@ -254,7 +268,11 @@ public: return true; } - CChan* pChan = pUser->FindChan(WebSock.GetParam("name")); + CString sChan = WebSock.GetParam("name"); + if(sChan.empty() && !WebSock.IsPost()) { + sChan = WebSock.GetParam("name", false); + } + CChan* pChan = pUser->FindChan(sChan); if (!pChan) { WebSock.PrintErrorPage("No such channel"); return true; @@ -262,9 +280,9 @@ public: return ChanPage(WebSock, Tmpl, pUser, pChan); } else if (sPageName == "addchan") { - CUser* pUser = CZNC::Get().FindUser(WebSock.GetParam("user")); + CUser* pUser = SafeGetUserFromParam(WebSock); - // Admin/Self Check + // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } @@ -274,10 +292,11 @@ public: } WebSock.PrintErrorPage("No such username"); + return true; } else if (sPageName == "delchan") { - CUser* pUser = CZNC::Get().FindUser(WebSock.GetParam("user")); + CUser* pUser = CZNC::Get().FindUser(WebSock.GetParam("user", false)); - // Admin/Self Check + // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } @@ -287,14 +306,16 @@ public: } WebSock.PrintErrorPage("No such username"); + return true; } else if (sPageName == "deluser") { - // Admin Check if (!spSession->IsAdmin()) { return false; } if (!WebSock.IsPost()) { - CString sUser = WebSock.GetParam("user", true); + // Show the "Are you sure?" page: + + CString sUser = WebSock.GetParam("user", false); CUser* pUser = CZNC::Get().FindUser(sUser); if (!pUser) { @@ -307,6 +328,9 @@ public: return true; } + // The "Are you sure?" page has been submitted with "Yes", + // so we actually delete the user now: + CString sUser = WebSock.GetParam("user"); CUser* pUser = CZNC::Get().FindUser(sUser); @@ -321,9 +345,16 @@ public: WebSock.PrintErrorPage("No such username"); return true; } else if (sPageName == "edituser") { - CUser* pUser = WebSock.HasParam("user") ? CZNC::Get().FindUser(WebSock.GetParam("user")) : spSession->GetUser(); + CString sUserName = SafeGetUserNameParam(WebSock); + CUser* pUser = CZNC::Get().FindUser(sUserName); - // Admin/Self Check + if(!pUser) { + if(sUserName.empty()) { + pUser = spSession->GetUser(); + } // else: the "no such user" message will be printed. + } + + // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } @@ -333,8 +364,8 @@ public: } WebSock.PrintErrorPage("No such username"); + return true; } else if (sPageName == "listusers") { - // Admin Check if (!spSession->IsAdmin()) { return false; } @@ -434,7 +465,7 @@ public: } bool DelChan(CWebSock& WebSock, CUser* pUser) { - CString sChan = WebSock.GetParam("name"); + CString sChan = WebSock.GetParam("name", false); if (!pUser) { WebSock.PrintErrorPage("That user doesn't exist");