From bb0a65898bf93d59f8ef7e0a4d57198d71122fc8 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Wed, 3 Jan 2018 09:06:55 +0100
Subject: [PATCH] Implemented #4903 Extend IDS system to allow different
 settings for clients and admin

---
 interface/lib/classes/ids.inc.php | 24 +++++++++++++++++++++---
 security/security_settings.ini    | 16 ++++++++++++----
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/interface/lib/classes/ids.inc.php b/interface/lib/classes/ids.inc.php
index ac5cb19128..abdf32b302 100644
--- a/interface/lib/classes/ids.inc.php
+++ b/interface/lib/classes/ids.inc.php
@@ -118,7 +118,25 @@ class ids {
 			
 			$impact = $ids_result->getImpact();
 			
-			if($impact >= $security_config['ids_log_level']) {
+			// Choose level from security config
+			if($app->auth->is_admin()) {
+				// User is admin
+				$ids_log_level = $security_config['ids_admin_log_level'];
+				$ids_warn_level = $security_config['ids_admin_warn_level'];
+				$ids_block_level = $security_config['ids_admin_block_level'];
+			} elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) {
+				// User is Client or Reseller
+				$ids_log_level = $security_config['ids_user_log_level'];
+				$ids_warn_level = $security_config['ids_user_warn_level'];
+				$ids_block_level = $security_config['ids_user_block_level'];
+			} else {
+				// Not logged in
+				$ids_log_level = $security_config['ids_anon_log_level'];
+				$ids_warn_level = $security_config['ids_anon_warn_level'];
+				$ids_block_level = $security_config['ids_anon_block_level'];
+			}
+			
+			if($impact >= $ids_log_level) {
 				$ids_log = ISPC_ROOT_PATH.'/temp/ids.log';
 				if(!is_file($ids_log)) touch($ids_log);
 				
@@ -132,11 +150,11 @@ class ids {
 				
 			}
 			
-			if($impact >= $security_config['ids_warn_level']) {
+			if($impact >= $ids_warn_level) {
 				$app->log("PHP IDS Alert.".$ids_result, 2);
 			}
 			
-			if($impact >= $security_config['ids_block_level']) {
+			if($impact >= $ids_block_level) {
 				$app->error("Possible attack detected. This action has been logged.",'', true, 2);
 			}
 			
diff --git a/security/security_settings.ini b/security/security_settings.ini
index eb78e24d53..e705b3574e 100644
--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -19,10 +19,18 @@ password_reset_allowed=yes
 session_regenerate_id=yes
 
 [ids]
-ids_enabled=no
-ids_log_level=1
-ids_warn_level=5
-ids_block_level=100
+ids_anon_enabled=yes
+ids_anon_log_level=1
+ids_anon_warn_level=5
+ids_anon_block_level=10
+ids_user_enabled=yes
+ids_user_log_level=1
+ids_user_warn_level=10
+ids_user_block_level=50
+ids_admin_enabled=no
+ids_admin_log_level=1
+ids_admin_warn_level=5
+ids_admin_block_level=100
 sql_scan_enabled=yes
 sql_scan_action=warn
 apache_directives_scan_enabled=yes
-- 
GitLab