| author | Lester Caine <lester@lsces.co.uk> | 2026-06-06 20:55:21 +0100 |
|---|---|---|
| committer | Lester Caine <lester@lsces.co.uk> | 2026-06-06 20:55:21 +0100 |
| commit | 2957fcfd1be9f9cfdfc8329833e048290a556611 (patch) | |
| tree | 9f2aae8d168d8dafa07b1f62ea969570f4aceeb4 | |
| parent | 0321f026df8e6d41df05e54bbc6222ca6588fd05 (diff) | |
| download | kernel-2957fcfd1be9f9cfdfc8329833e048290a556611.tar.gz kernel-2957fcfd1be9f9cfdfc8329833e048290a556611.tar.bz2 kernel-2957fcfd1be9f9cfdfc8329833e048290a556611.zip | |
kernel: fix site_closed login bypass for nginx (SCRIPT_URL not set)

SCRIPT_URL is an Apache-only variable — nginx does not set it unless
explicitly added to fastcgi_params. When site_closed is active, validate.php
needs to bypass the gate so admins can log in, but the SCRIPT_URL check
always failed on nginx, making login impossible while the site is closed.
Fall back to PHP_SELF (set by nginx) when SCRIPT_URL is absent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| -rwxr-xr-x | includes/setup_inc.php | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/includes/setup_inc.php b/includes/setup_inc.php index 2af1143..ba1487f 100755 --- a/includes/setup_inc.php +++ b/includes/setup_inc.php @@ -179,7 +179,9 @@ if( $gBitSystem->isDatabaseValid() ) { //$gBitSmarty->assign( "gBitSystemPackages", $gBitSystem->mPackages ); doesn't seem to be used - xing // check to see if admin has closed the site - if(( isset( $_SERVER['SCRIPT_URL'] ) && $_SERVER['SCRIPT_URL'] == USERS_PKG_URL.'validate.php' )) { + // SCRIPT_URL is Apache-only; fall back to PHP_SELF (set by nginx) for nginx stacks + $scriptUrl = $_SERVER['SCRIPT_URL'] ?? $_SERVER['PHP_SELF'] ?? ''; + if( $scriptUrl === USERS_PKG_URL.'validate.php' ) { $bypass_siteclose_check = 'y'; } if( empty($gShellScript) && $gBitSystem->isFeatureActive( 'site_closed' ) && !$gBitUser->hasPermission( 'p_access_closed_site' ) && !isset( $bypass_siteclose_check )) { |
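
Review bot: the added `$scriptUrl = $_SERVER['SCRIPT_URL'] ?? $_SERVER['PHP_SELF'] ?? '';` line falls back to `PHP_SELF`, which carries any trailing PATH_INFO from the request, so it is a looser value than the script path this check is meant to identify. The strict `===` against `USERS_PKG_URL.'validate.php'` means a request with extra path segments after `validate.php` does not set `$bypass_siteclose_check`, so the gate still fails closed, but that safety rests entirely on the comparison staying an exact match. Consider falling back to `$_SERVER['SCRIPT_NAME']` instead, which excludes PATH_INFO, and extend the added comment to say that the match must stay exact because it decides which request skips the `site_closed` check. Note also that `??` only falls through when `SCRIPT_URL` is unset or null, so a stack that sets it to an empty string will never reach the fallback.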
