Implemented #4903 Extend IDS system to allow different settings for clients and admin

bb0a6589 · Till Brehm · f93c9548 · bb0a6589 · bb0a6589
Commit bb0a6589 authored 7 years ago by Till Brehm
--- a/interface/lib/classes/ids.inc.php
+++ b/interface/lib/classes/ids.inc.php
@@ -118,7 +118,25 @@ class ids {
 			$impact = $ids_result->getImpact();
-			if($impact >= $security_config['ids_log_level']) {
+			// Choose level from security config
+			if($app->auth->is_admin()) {
+				// User is admin
+				$ids_log_level = $security_config['ids_admin_log_level'];
+				$ids_warn_level = $security_config['ids_admin_warn_level'];
+				$ids_block_level = $security_config['ids_admin_block_level'];
+			} elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) {
+				// User is Client or Reseller
+				$ids_log_level = $security_config['ids_user_log_level'];
+				$ids_warn_level = $security_config['ids_user_warn_level'];
+				$ids_block_level = $security_config['ids_user_block_level'];
+			} else {
+				// Not logged in
+				$ids_log_level = $security_config['ids_anon_log_level'];
+				$ids_warn_level = $security_config['ids_anon_warn_level'];
+				$ids_block_level = $security_config['ids_anon_block_level'];
+			}
+			if($impact >= $ids_log_level) {
 				$ids_log = ISPC_ROOT_PATH.'/temp/ids.log';
 				if(!is_file($ids_log)) touch($ids_log);
@@ -132,11 +150,11 @@ class ids {
 			}
-			if($impact >= $security_config['ids_warn_level']) {
+			if($impact >= $ids_warn_level) {
 				$app->log("PHP IDS Alert.".$ids_result, 2);
 			}
-			if($impact >= $security_config['ids_block_level']) {
+			if($impact >= $ids_block_level) {
 				$app->error("Possible attack detected. This action has been logged.",'', true, 2);
 			}

--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -19,10 +19,18 @@ password_reset_allowed=yes
 session_regenerate_id=yes
 [ids]
-ids_enabled=no
+ids_anon_enabled=yes
-ids_log_level=1
+ids_anon_log_level=1
-ids_warn_level=5
+ids_anon_warn_level=5
-ids_block_level=100
+ids_anon_block_level=10
+ids_user_enabled=yes
+ids_user_log_level=1
+ids_user_warn_level=10
+ids_user_block_level=50
+ids_admin_enabled=no
+ids_admin_log_level=1
+ids_admin_warn_level=5
+ids_admin_block_level=100
 sql_scan_enabled=yes
 sql_scan_action=warn
 apache_directives_scan_enabled=yes