
Fix viewing and deletion of user logs without requiring impersonation

Kristan Kenney 5 лет назад
Сommit
75a4b583d0

+ 12 - 2
web/delete/log/auth/index.php

@@ -10,6 +10,12 @@ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
     exit();
 }
 
+// Check if administrator is viewing system log (currently 'admin' user)
+if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
+    $user=$_GET['user'];
+    $token=$_SESSION['token'];
+}
+
 // Clear log
 $v_username = escapeshellarg($user);
 exec (HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
@@ -38,7 +44,11 @@ if (!isset($_SESSION['look'])) {
 unset($_SESSION['error_msg']);
 unset($_SESSION['ok_msg']);
 
-// Return to authentication history
-header("Location: /list/log/auth/");
+// Set correct page reload target
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+    header("Location: /list/log/auth/?user=$user&token=$token");
+} else {
+    header("Location: /list/log/auth/");
+}
 
 exit;
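Review bot: The two new admin conditions disagree: the first uses `isset($_GET['user'])`, so a request with an empty `user=` sets `$user` to `""` and runs `v-delete-user-auth-log ''`, while the redirect branch uses `!empty($_GET['user'])` and then treats the same request as the non-admin case; make the first condition `if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {`. The redirect also interpolates the raw query value into the Location header; encode it, `header("Location: /list/log/auth/?user=" . urlencode($user) . "&token=" . $token);`. Note that when `$_SESSION['look']` is set this branch lets `?user=` override the impersonated user, whereas the list page in this commit gives `look` precedence — worth aligning or at least commenting. The earlier assignment of `$user` and the `look` handling are outside this hunk.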

+ 2 - 2
web/delete/log/index.php

@@ -11,13 +11,13 @@ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
 }
 
 // Check if administrator is viewing system log (currently 'admin' user)
-if (($_SESSION['userContext'] === "admin") && ($_GET['user']) === 'admin') {
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
     $user=$_GET['user'];
     $token=$_SESSION['token'];
 }
 
 // Set correct page reload target
-if (($_SESSION['userContext'] === "admin") && ($_GET['user']) === 'admin') {
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
     header("Location: /list/log/?user=$user&token=$token");
 } else {
     header("Location: /list/log/");
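Review bot: `$user` is taken straight from `$_GET['user']` and interpolated unencoded into the Location header on the `header("Location: /list/log/?user=$user&token=$token")` line; use `header("Location: /list/log/?user=" . urlencode($user) . "&token=" . $token);`. The hunk does not show where `$user` is consumed for the deletion itself, so I cannot confirm it goes through `escapeshellarg()` the way the auth-log variant does — please verify. Since the `=== 'admin'` restriction is gone, any string now reaches the backend command for an admin session; the CLI presumably validates the account, but a web-layer guard such as `if (!preg_match('/^[a-zA-Z0-9_.-]+$/', $_GET['user'])) { header('Location: /list/log/'); exit; }` is cheap belt-and-braces.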

+ 2 - 0
web/list/log/auth/index.php

@@ -9,6 +9,8 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Edit as someone else?
 if (($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look']))) {
     $v_username = escapeshellarg($_SESSION['look']);
+} else if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
+    $v_username = escapeshellarg($_GET['user']);
 } else {
     $v_username = escapeshellarg($_SESSION['user']);
 }
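Review bot: The new `else if` branch honours `$_GET['user']` for an admin without any token check, whereas the `web/list/log/index.php` hunk in this same commit requires `$_GET['token']` to equal `$_SESSION['token']` before accepting `?user=`; the templates already append `&token=` to these links, so mirror that check here (redirect to `/login/` on mismatch) before the `$v_username = escapeshellarg($_GET['user']);` assignment. Without it, anyone who can get an admin to follow a crafted `/list/log/auth/?user=…` link chooses what this page renders, and the matching template echoes `$_GET['user']` unescaped. `escapeshellarg()` protects the shell command but does not validate that the value is a real username; whatever consumes `$v_username` is outside this hunk.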

+ 1 - 1
web/list/log/index.php

@@ -6,7 +6,7 @@ $TAB = 'LOG';
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Data
-if (($_SESSION['userContext'] === "admin") && ($_GET['user'])) {
+if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
     // Check token
     if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
         header('location: /login/');

+ 10 - 4
web/templates/admin/edit_user.html

@@ -2,10 +2,16 @@
         <div class="l-sort clearfix">
           <div class="l-unit-toolbar__buttonstrip">
             <a class="ui-button cancel" dir="ltr" id="btn-back" href="/list/user/"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
-            <? if (($_SESSION['user'] == $v_username) || (isset($_SESSION['look']))) {?>
-                <a href="/list/key/" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Manage SSH keys');?>"><i class="fas fa-key status-icon orange"></i><?=_('Manage SSH keys')?></a>
-                <a href="/list/log/" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Logs');?>"><i class="fas fa-history status-icon maroon"></i><?=_('Logs')?></a>
-            <? } ?>
+            <?php if (($_SESSION['userContext'] === 'admin') && (!isset($_SESSION['look'])) && ($_SESSION['user'] !== $v_username)) {
+                $ssh_key_url = "/list/key/?user=".$user."&token=".$_SESSION['token']."";
+                $log_url = "/list/log/?user=".$user."&token=".$_SESSION['token']."";
+            } else {
+                $ssh_key_url = "/list/key/";
+                $log_url = "/list/log/";
+            } ?>
+                <a href="<?php echo $ssh_key_url; ?>" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Manage SSH keys');?>"><i class="fas fa-key status-icon orange"></i><?=_('Manage SSH keys')?></a>
+                <a href="<?php echo $log_url; ?>" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('Logs');?>"><i class="fas fa-history status-icon maroon"></i><?=_('Logs')?></a>
+
           </div>
           <div class="l-unit-toolbar__buttonstrip float-right">
             <? if (($_SESSION['user'] == $v_username) || (isset($_SESSION['look']))) {?>
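Review bot: `$user` is concatenated into `$ssh_key_url` and `$log_url` without `urlencode()` and the result is echoed into the `href` attribute without `htmlspecialchars()`, so if `$user` originates from the request (the edit-user controller is not visible here, so I cannot confirm) this is an attribute-injection point. Build the query with `"/list/key/?user=".urlencode($user)."&token=".$_SESSION['token']` and output with `<?php echo htmlspecialchars($ssh_key_url, ENT_QUOTES, 'UTF-8'); ?>`. The links also now appear for every user rather than only for self/impersonation as before, which is the intended change but deserves a one-line comment above the condition, e.g. `// Admins get token-bearing links to other users' keys/logs; everyone else sees their own`. Both anchors still share `id="btn-create"`, which is pre-existing but invalid HTML.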

+ 12 - 4
web/templates/admin/list_log.html

@@ -6,10 +6,18 @@
       <? } else if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] === 'admin')) { ?>
         <a href="/list/server/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
       <? } else {?>
-        <a href="/edit/user/?user=<?php echo $user; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+        <? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
+        <a href="/edit/user/?user=<?php echo $_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+        <? } else { ?>
+        <a href="/edit/user/?user=<?php echo $user;?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+        <? } ?>
       <? } ?>
       <? if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] !== 'admin')) { ?>
-        <a href="/list/log/auth/" id="btn-list" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history')?></a>
+        <? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
+          <a href="/list/log/auth/?user=<?php echo $_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history')?></a>
+          <? } else { ?>
+          <a href="/list/log/auth/" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history')?></a>
+          <? } ?>
       <? } ?>
     </div>
     <div class="l-unit-toolbar__buttonstrip float-right">
@@ -21,8 +29,8 @@
         <div class="actions-panel display-inline-block" key-action="js">
           <a class="data-controls do_delete ui-button danger cancel">
             <i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete')?>
-            <? if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] === 'admin')) {?>
-              <input type="hidden" name="delete_url" value="/delete/log/?user=admin&token=<?=$_SESSION['token']?>" />
+            <? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user']))) {?>
+              <input type="hidden" name="delete_url" value="/delete/log/?user=<?=$_GET['user'];?>&token=<?=$_SESSION['token']?>" />
             <? } else { ?>
               <input type="hidden" name="delete_url" value="/delete/log/?token=<?=$_SESSION['token']?>" />
             <? } ?>
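Review bot: `$_GET['user']` is echoed raw into the `href` on the `/edit/user/?user=<?php echo $_GET['user']; ?>` line, into the `/list/log/auth/?user=` link, and into the `delete_url` hidden input value; each is an HTML attribute context and needs `<?=htmlspecialchars($_GET['user'], ENT_QUOTES, 'UTF-8')?>` (or `urlencode()` since it is a query value). The controller's token check on `?user=` limits who can reach this rendering, but the template should not rely on it, and the same hidden input embeds `$_SESSION['token']`, so any injection here exposes the CSRF token. The `delete_url` condition uses `isset($_GET['user'])` while the controller uses `!empty()`, so an empty `?user=` produces `/delete/log/?user=&token=…`; align both on `!empty()`.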

+ 10 - 2
web/templates/admin/list_log_auth.html

@@ -1,7 +1,11 @@
 <div class="l-center">
   <div class="l-sort clearfix noselect">
     <div class="l-unit-toolbar__buttonstrip">
-      <a href="/list/log/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+      <? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
+        <a href="/list/log/?user=<?php echo $_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+        <? } else { ?>
+        <a href="/list/log/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back')?></a>
+        <? } ?>
     </div>
     <div class="l-unit-toolbar__buttonstrip float-right">
       <a href="javascript:location.reload();" class="ui-button cancel" dir="ltr"><i class="fas fa-redo status-icon green"></i><?=_('Refresh')?></a>
@@ -12,7 +16,11 @@
           <div class="actions-panel display-inline-block" key-action="js">
             <a class="data-controls do_delete ui-button danger cancel">
               <i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete')?>
-              <input type="hidden" name="delete_url" value="/delete/log/auth/?token=<?=$_SESSION['token']?>" />
+                <? if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user']))) {?>
+                  <input type="hidden" name="delete_url" value="/delete/log/auth/?user=<?=$_GET['user'];?>&token=<?=$_SESSION['token']?>" />
+                <? } else { ?>
+                  <input type="hidden" name="delete_url" value="/delete/log/auth/?token=<?=$_SESSION['token']?>" />
+                <? } ?>
                 <div class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
                   <p class="confirmation"><?=_('DELETE_LOGS_CONFIRMATION')?></p>
                 </div>
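Review bot: `$_GET['user']` is echoed unescaped into the Back link `href` and into the `delete_url` hidden input on the `/delete/log/auth/?user=<?=$_GET['user'];?>` line; use `<?=htmlspecialchars($_GET['user'], ENT_QUOTES, 'UTF-8')?>` (or `urlencode()`) in both places. This matters more than in list_log.html because the corresponding controller hunk (`web/list/log/auth/index.php`) accepts `?user=` for an admin with no token check visible, so a crafted link an admin follows renders attacker-controlled markup in the same element that carries `$_SESSION['token']`. The Back link condition excludes `'admin'` while the `delete_url` condition does not; if that is deliberate (admin's own log sits under `/list/server/`), a short comment saying so would save the next reader a question.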