From 40aec564afe84fba5e7c6361efe43491e8689e02 Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Fri, 22 Oct 2021 14:38:20 +0200
Subject: [PATCH] prevent global admins to log in remotely
---
 pandora_console/include/auth/mysql.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index 4e8f7caa61..660171fbf5 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -218,6 +218,11 @@ function process_user_login_remote($login, $pass, $api=false)
 switch ($config['auth']) {
 // LDAP
 case 'ldap':
+ // Use local authentication if user is global admin.
+ if (is_user_admin($login) === true) {
+ return false;
+ }
+
 $sr = ldap_process_user_login($login, $pass);
 if (!$sr) {
@@ -227,6 +232,11 @@ function process_user_login_remote($login, $pass, $api=false)
 // Active Directory
 case 'ad':
+ // Use local authentication if user is global admin.
+ if (is_user_admin($login) === true) {
+ return false;
+ }
+
 if (enterprise_hook('ad_process_user_login', [$login, $pass]) === false) {
 $config['auth_error'] = 'User not found in database or incorrect password';
 return false;
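Review bot: The new early `return false;` in the `'ldap'` case (and the identical one in the `'ad'` hunk that follows) leaves `$config['auth_error']` untouched, while the AD failure path a few lines later sets it to 'User not found in database or incorrect password'. Unless the caller fills it in, a refused admin login gets no message or a stale one, and a response that differs from an ordinary failed login can reveal which login names are global admins; setting the same generic text before returning, `$config['auth_error'] = 'User not found in database or incorrect password';`, keeps the two outcomes indistinguishable. The comment says "Use local authentication" although this code only refuses the remote path, so `// Global admins may only authenticate locally: refuse LDAP/AD here.` would describe it more accurately. `is_user_admin($login)` receives the name exactly as typed, so it is worth confirming that it matches names the same way the directory does (letter case, surrounding whitespace); otherwise the guard may not fire for a name the directory still accepts. The switch and the rest of `process_user_login_remote` lie outside both hunks, so the fallback to local authentication cannot be checked from here.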