# user_chooser.cgi
# This CGI generated the HTML for choosing a user or list of users.
-require './web-lib.pl';
+BEGIN { push(@INC, ".."); };
+use WebminCore;
+
+$trust_unknown_referers = 1;
&init_config();
+if (&get_product_name() eq 'usermin') {
+ &switch_to_remote_user();
+ }
&ReadParse(undef, undef, 2);
%access = &get_module_acl();
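Review bot: The added `$trust_unknown_referers = 1;` carries no comment explaining why this script may skip the referer check, and because it is set before `&init_config()` it applies to every request the script serves. If the flag does what its name suggests (WebminCore is not shown here), the page can be loaded from any origin, so correct escaping of every request-derived value it prints becomes the main protection. I would record that next to the flag, for example `# Chooser popup is opened from other modules' pages and only lists users, so unknown referers are accepted; every echoed parameter must be escaped for its output context`.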
print "sel = new Array($len);\n";
print "selr = new Array($len);\n";
for($i=0; $i<$len; $i++) {
- print "sel[$i] = \"$ul[$i]\";\n";
+ print "sel[$i] = \"".
+ "e_escape($ul[$i], '"')."\";\n";
@uinfo = getpwnam($ul[$i]);
- if (@uinfo) { print "selr[$i] = \"$uinfo[6]\";\n"; }
- else { print "selr[$i] = \"???\";\n"; }
+ if (@uinfo) {
+ print "selr[$i] = \"".
+ "e_escape($uinfo[6])."\";\n";
+ }
+ else {
+ print "selr[$i] = \"???\";\n";
+ }
}
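Review bot: The values printed into `sel[$i]` and `selr[$i]` land inside a JavaScript string literal in a `<script>` block, but the escaping call added here (rendered on this page as `"e_escape`, presumably `&quote_escape`) looks like an HTML-attribute quoter rather than a JavaScript one. If so, a backslash, a newline or a `</script>` sequence in a user name or in the GECOS field `$uinfo[6]`, which users can often set themselves, would still end the literal early. The two calls are also inconsistent, since only the first passes `'"'`. Encoding both values for the JavaScript context before printing would close this, e.g. `$v =~ s/([^A-Za-z0-9 _.\-])/sprintf("\\u%04x", ord($1))/ge;`. The helper's definition is outside this diff, so confirm what it actually escapes.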
print "</script>\n";
print "<title>$text{'users_title1'}</title>\n";
print "<frameset cols='50%,50%'>\n";
- print "<frame src=\"/user_chooser.cgi?frame=1&multi=1\">\n";
+ print "<frame src=\"user_chooser.cgi?frame=1&multi=1\">\n";
print "<frameset rows='*,50' frameborder=no>\n";
- print " <frame src=\"/user_chooser.cgi?frame=2&multi=1\">\n";
- print " <frame src=\"/user_chooser.cgi?frame=3&multi=1\" scrolling=no>\n";
+ print " <frame src=\"user_chooser.cgi?frame=2&multi=1\">\n";
+ print " <frame src=\"user_chooser.cgi?frame=3&multi=1\" scrolling=no>\n";
print "</frameset>\n";
print "</frameset>\n";
}
}
setpwent();
while(@uinfo = getpwent()) {
+ if ($access{'uedit_mode'} == 5 && $access{'uedit'} !~ /^\d+$/) {
+ # Get group for matching by group name
+ @ginfo = getgrgid($uinfo[3]);
+ }
if ($access{'uedit_mode'} == 0 ||
$access{'uedit_mode'} == 2 && $ucan{$uinfo[0]} ||
$access{'uedit_mode'} == 3 && !$ucan{$uinfo[0]} ||
$access{'uedit_mode'} == 4 &&
(!$access{'uedit'} || $uinfo[2] >= $access{'uedit'}) &&
(!$access{'uedit2'} || $uinfo[2] <= $access{'uedit2'}) ||
- $access{'uedit_mode'} == 5 && $uinfo[3] == $access{'uedit'}) {
+ $access{'uedit_mode'} == 5 &&
+ ($access{'uedit'} =~ /^\d+$/ && $uinfo[3] == $access{'uedit'} ||
+ $ginfo[0] eq $access{'uedit'})) {
push(@users, [ @uinfo ]) if (!$found{$uinfo[0]}++);
}
}
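Review bot: The new group-name comparison `$ginfo[0] eq $access{'uedit'}` can succeed when both sides are empty. If `uedit` is unset or empty in mode 5, `getgrgid` is called, and for a user whose primary GID has no group entry `@ginfo` is empty, so `undef eq ''` is true and that user is listed. Whether an empty `uedit` can reach this code depends on the ACL editor, which is not visible here, but the check is cheap to make fail closed: `defined($ginfo[0]) && $ginfo[0] eq $access{'uedit'}`. `@ginfo` is also a package global that is assigned only inside the `if`, so declaring `my @ginfo;` at the top of the loop body would rule out a stale value from elsewhere in the script.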