From e0a618f31747d01e31798715bed1759cbcc76c0d Mon Sep 17 00:00:00 2001
From: James Lu
Date: Wed, 26 Jun 2019 13:17:00 -0700
Subject: [PATCH] [SECURITY] permissions: only whitelist the defined login:user for legacy accounts

It's possible for login:user and login:accounts to be used together, although this is discouraged.

(cherry picked from commit 4eb0420378e7b627dbf1f3c90e0e33012f54d4b6)
---
 coremods/permissions.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/coremods/permissions.py b/coremods/permissions.py
index 4026afd..f0c17ad 100644
--- a/coremods/permissions.py
+++ b/coremods/permissions.py
@@ -32,7 +32,8 @@ def check_permissions(irc, uid, perms, also_show=[]):
 """
 # For old (< 1.1 login blocks):
 # If the user is logged in, they automatically have all permissions.
- if irc.match_host('$pylinkacc', uid) and conf.conf['login'].get('user'):
+ olduser = conf.conf['login'].get('user')
+ if olduser and irc.match_host('$pylinkacc:%s' % olduser, uid):
 log.debug('permissions: overriding permissions check for old-style admin user %s',
 irc.get_hostmask(uid))
 return True
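Review bot: The context comment directly above the new check still reads `# If the user is logged in, they automatically have all permissions.`, which describes the over-broad behaviour this patch removes. It should become something like `# If the user is logged in as the legacy login:user account, they automatically have all permissions.` so a later edit does not restore the bare `$pylinkacc` match. Separately, `olduser` is interpolated unescaped into `'$pylinkacc:%s' % olduser`. If the `$pylinkacc` matcher (not visible here) treats the account part as a glob or splits on `:`, a configured name containing `*`, `?` or `:` could match more accounts than intended, so that handler is worth confirming. The override is only recorded via `log.debug`, so an audit trail of full-permission grants exists only when debug logging is enabled. check_permissions starts and ends outside this hunk.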