
Fix deletion of admin logs from other admin accounts

Kristan Kenney 5 years ago
parent
commit
390f705536

+ 14 - 1
web/delete/log/index.php

@@ -10,12 +10,25 @@ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
     exit();
 }
 
+// Check if administrator is viewing system log (currently 'admin' user)
+if (($_SESSION['userContext'] === "admin") && ($_GET['user']) === 'admin') {
+    $user=$_GET['user'];
+    $token=$_SESSION['token'];
+}
+
+// Set correct page reload target
+if (($_SESSION['userContext'] === "admin") && ($_GET['user']) === 'admin') {
+    header("Location: /list/log/?user=$user&token=$token");
+} else {
+    header("Location: /list/log/");
+}
+
 // Clear log
-header("Location: /list/log/");
 $v_username = escapeshellarg($user);
 exec (HESTIA_CMD."v-delete-user-log ".$v_username." ".$output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
+unset($token);
 
 // Render page
 render_page($user, $TAB, 'list_log');
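Review bot: Both new conditions read `$_GET['user']` without `isset()`, so every non-admin request to this handler raises an undefined-index notice, and the parenthesisation `($_GET['user']) === 'admin'` only does what is intended because `===` binds tighter than `&&`. Compute the flag once and guard the read: `$adminLog = ($_SESSION['userContext'] === 'admin') && isset($_GET['user']) && $_GET['user'] === 'admin';` and use `$adminLog` in both the assignment block and the redirect selection. When the flag is false `$user` is not assigned anywhere in this hunk, so it presumably comes from the session via `inc/main.php` before line 10; a one-line comment saying so would help, since the shell command below is built from it. The token check on the context line at the top still uses `!=`, and the new redirect copies that same token into the `Location` URL, so switching that comparison to `hash_equals()` is a worthwhile follow-up.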

+ 6 - 0
web/list/log/index.php

@@ -7,8 +7,14 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Data
 if (($_SESSION['userContext'] === "admin") && ($_GET['user'])) {
+    // Check token
+    if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+        header('location: /login/');
+        exit();
+    }
     $user=escapeshellarg($_GET['user']);
 }
+
 exec (HESTIA_CMD."v-list-user-log $user json", $output, $return_var);
 check_error($return_var);
 $data = json_decode(implode('', $output), true);
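Review bot: The new token check uses the loose `!=` comparison and reads `$_SESSION['token']` without confirming it is set; loose string comparison treats numeric-looking values as numbers, so two different tokens such as `1e3` and `1000` compare equal, and it is not constant-time. Use `if (!isset($_GET['token'], $_SESSION['token']) || !hash_equals((string)$_SESSION['token'], (string)$_GET['token'])) {` instead. Note that this turns a read-only log view into a token-gated page: an authenticated admin following an old `/list/log/?user=...` link without the parameter is now sent to `/login/`, which matches the delete handler's pattern but may be surprising for a GET view.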

+ 5 - 1
web/templates/admin/list_log.html

@@ -20,7 +20,11 @@
       <div class="actions-panel display-inline-block" key-action="js">
         <a class="data-controls do_delete ui-button danger cancel">
           <i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete')?>
-          <input type="hidden" name="delete_url" value="/delete/log/?token=<?=$_SESSION['token']?>" />
+          <? if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] === 'admin')) {?>
+            <input type="hidden" name="delete_url" value="/delete/log/?user=admin&token=<?=$_SESSION['token']?>" />
+          <? } else { ?>
+            <input type="hidden" name="delete_url" value="/delete/log/?token=<?=$_SESSION['token']?>" />
+          <? } ?>
             <div class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
               <p class="confirmation"><?=_('DELETE_LOGS_CONFIRMATION')?></p>
             </div>
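Review bot: The new branch uses the short open tag `<? if (...) {?>` while the other template touched by this commit uses `<?php }?>`; short tags depend on the `short_open_tag` ini setting and, when it is off, the PHP source (including the token) is emitted into the page, so write `<?php if (...) { ?>`, `<?php } else { ?>` and `<?php } ?>`. The condition also reads `$_GET['user']` without `isset()`, which raises a notice on the ordinary per-user log page where no `user` parameter is present; `isset($_GET['user']) && $_GET['user'] === 'admin'` avoids it. Since the two branches differ only by the `user=admin&` prefix, computing that prefix into a variable and emitting a single `<input>` would remove the duplicated markup.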

+ 1 - 1
web/templates/admin/list_services.html

@@ -8,7 +8,7 @@
             <a href="/list/firewall/" class="ui-button cancel" dir="ltr"><i class="fas fa-shield-alt status-icon red"></i><?=_('Firewall')?></a>
           <?php }?>
           <a href="/list/updates/" class="ui-button cancel" dir="ltr"><i class="fas fa-sync status-icon green"></i><?=_('Updates')?></a>
-          <a href="/list/log/?user=admin" class="ui-button cancel" dir="ltr"><i class="fas fa-book-reader status-icon lightblue"></i><?=_('Logs')?></a>
+          <a href="/list/log/?user=admin&token=<?=$_SESSION['token']?>" class="ui-button cancel" dir="ltr"><i class="fas fa-book-reader status-icon lightblue"></i><?=_('Logs')?></a>
           <div class="actions-panel display-inline-block" key-action="js">
               <a class="data-controls do_servicerestart ui-button danger cancel">
                 <i class="do_servicerestart fas fa-undo status-icon red"></i><?=_('Restart')?>
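Review bot: The session token is now embedded in the `href` of a plain navigation link, so it ends up in browser history, bookmarks and server access logs on every click, and it is the same token the delete handlers accept, so a leaked log entry is usable for the lifetime of the session. The delete URLs already follow this token-in-query pattern, so this is a follow-up rather than a blocker, but if the log view must stay token-gated it would be worth a `Referrer-Policy: same-origin` header on the panel so the URL is not forwarded to any external page linked from the log view. If the token format is not guaranteed to be attribute- and URL-safe, wrap the interpolation as `<?=htmlspecialchars(urlencode($_SESSION['token']))?>` for consistency with the attribute context.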