Beachte Groß- und Kleinshreibung beim Login (5e7e9f9) - webinterface.git

@@ -39,10 +39,16 @@ function find_role($login, $password, $i_am_admin = False)
   $uid = (int) $login;
   if ($uid == 0)
     $uid = 'NULL';
-  $result = db_query("SELECT passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
+  $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
   if (@mysql_num_rows($result) > 0)
   {
     $entry = mysql_fetch_object($result);
+    if ($entry->username != $login) {
+      // MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein.
+      logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
+      warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.');
+      return NULL;  
+    }
     $db_password = $entry->password;
     $hash = crypt($password, $db_password);
     if (($entry->status == 0 && $hash == $db_password) || $i_am_admin)


...	...	@@ -39,10 +39,16 @@ function find_role($login, $password, $i_am_admin = False)
39	39	$uid = (int) $login;
40	40	if ($uid == 0)
41	41	$uid = 'NULL';
42		- $result = db_query("SELECT passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
	42	+ $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
43	43	if (@mysql_num_rows($result) > 0)
44	44	{
45	45	$entry = mysql_fetch_object($result);
	46	+ if ($entry->username != $login) {
	47	+ // MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein.
	48	+ logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
	49	+ warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.');
	50	+ return NULL;
	51	+ }
46	52	$db_password = $entry->password;
47	53	$hash = crypt($password, $db_password);
48	54	if (($entry->status == 0 && $hash == $db_password) \|\| $i_am_admin)
49	55