From 677f5c017b36cb620a2de2cc4876fbbf10c057a8 Mon Sep 17 00:00:00 2001
From: zarzuelo
Date: Thu, 14 Jun 2012 11:59:10 +0000
Subject: [PATCH] 2012-06-14 Sergio Martin * include/api.php: Change the security checks adding a new parameter to API pass Merged from 4.0.2 git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@6549 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog | 6 ++++++
 pandora_console/include/api.php | 28 ++++++++++++++--------------
 2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index d0c1a06917..dd7e312380 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,9 @@
+2012-06-14 Sergio Martin
+
+ * include/api.php: Change the security checks adding
+ a new parameter to API pass
+ Merged from 4.0.2
+
 2012-06-14 Miguel de Dios * include/functions_agents.php: deprecated the function with bad and
diff --git a/pandora_console/include/api.php b/pandora_console/include/api.php
index 37de860511..c5bb5e84e8 100644
--- a/pandora_console/include/api.php
+++ b/pandora_console/include/api.php
@@ -34,6 +34,7 @@ $id2 = get_parameter('id2');
 $otherSerialize = get_parameter('other');
 $otherMode = get_parameter('other_mode', 'url_encode');
 $returnType = get_parameter('return_type', 'string');
+$api_password = get_parameter('apipass', '');
 $password = get_parameter('pass', '');
 $user = get_parameter('user', '');
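Review bot: The new request value `$api_password` and the existing configured secret `$apiPassword` (read from tconfig just before the next hunk) differ only in letter case, which makes the comparison in the following hunk easy to misread and easy to swap in a later edit. A comment on the added line such as `$api_password = get_parameter('apipass', ''); // API password supplied by the caller, checked against the configured one below` would make the two sides of the check unambiguous, as would a more distinct local name if the file's naming allows it. If api.php documents its request parameters anywhere, `apipass` should be listed there next to `user` and `pass`, since callers now need it whenever an API password is configured.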
@@ -43,27 +44,25 @@ $apiPassword = db_get_value_filter('value', 'tconfig', array('token' => 'api_pas
 $correctLogin = false;
 $user_in_db = null;
-if (!empty($apiPassword)) {
- if (($password === $apiPassword) && (empty($user))) {
- $correctLogin = true;
- }
- else {
+$no_login_msg = "";
+
+if (isInACL($ipOrigin)) {
+ if(empty($apiPassword) || (!empty($apiPassword) && $api_password === $apiPassword)) {
 $user_in_db = process_user_login($user, $password);
 if ($user_in_db !== false) {
 $config['id_user'] = $user_in_db;
 $correctLogin = true;
 }
+ else {
+ $no_login_msg = "Incorrect user credentials";
+ }
+ }
+ else {
+ $no_login_msg = "Incorrect given API password";
+ }
 }
 else {
- $user_in_db = process_user_login($user, $password);
- if ($user_in_db !== false) {
- $config['id_user'] = $user_in_db;
- $correctLogin = true;
- }
- else if (isInACL($ipOrigin)) {
- $correctLogin = true;
- }
+ $no_login_msg = "IP $ipOrigin is not in ACL list";
 }
 if ($correctLogin) {
@@ -86,6 +85,7 @@ if ($correctLogin) {
 }
 }
 else {
- echo 'ERROR: Your IP (' . $ipOrigin . ') is not in ACL IP list.';
+ db_pandora_audit("API access Failed", $no_login_msg, $user, $ipOrigin);
+ echo 'auth error';
 }
 ?>
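Review bot: The added condition `if(empty($apiPassword) || (!empty($apiPassword) && $api_password === $apiPassword))` carries a redundant `!empty($apiPassword)` in its second operand, because `||` only evaluates that side when the first `empty()` test already failed; it reads as `if (empty($apiPassword) || $api_password === $apiPassword) {`. The `empty($apiPassword)` branch also means an unset or blank `api_password` in tconfig silently disables the shared-secret check and lets any ACL-listed address proceed straight to user/password login; that is presumably intended for installs without an API password, but it deserves a comment such as `// no API password configured: fall back to user credentials only` so the fallback is not mistaken for a bug or tightened by accident later. `===` on the secret is a byte-wise string compare whose timing depends on the first mismatching position; where the runtime provides it, `hash_equals($apiPassword, $api_password)` is the constant-time form. The `$no_login_msg` reasons are only written to the audit record in the last hunk and never returned to the caller, which is the right split; `$ipOrigin` and `$apiPassword` are assigned outside this hunk.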
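Review bot: In the last hunk the failure branch now replies only `auth error` while the detailed reason goes to `db_pandora_audit`, so the response no longer tells a caller whether the IP, the API password or the user credentials were wrong; it still returns with the default HTTP status, though, so clients can only detect the failure by matching that string. If existing API clients tolerate it, `header('HTTP/1.1 403 Forbidden');` before the echo makes the failure machine-readable; if not, the string contract should be documented where the API's return values are described. The `$user` value handed to the audit call is the raw request parameter, so it is worth confirming that the audit layer escapes and length-limits what it stores and displays. The enclosing `if ($correctLogin)` block begins outside the hunk.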