From af0e5ce80abb5ebb92672541d9c9603f92e80292 Mon Sep 17 00:00:00 2001
From: cassio
Date: Tue, 15 Sep 2015 12:03:11 +0100
Subject: better order of checks for login
---
 src/flog.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/flog.php b/src/flog.php
index 5aef8e0..0024727 100644
--- a/src/flog.php
+++ b/src/flog.php
@@ -138,12 +138,6 @@ function DBLogInContest($name,$pass,$contest,$msg=true) {
 $p = myhash($a["userpassword"] . session_id());
 $_SESSION['usertable']['userpassword'] = $p;
- if ($a["userpassword"] != "" && $p != $pass) {
- LOGLevel("User $name tried to log in contest $contest but password was incorrect.",2);
- if($msg) MSGError("Incorrect password.");
- unset($_SESSION["usertable"]);
- return false;
- }
 if ($d["sitepermitlogins"]=="f" && $a["usertype"] != "admin" && $a["usertype"] != "judge" && $a["usertype"] != "site") {
 LOGLevel("User $name tried to login contest $contest but logins are denied.",2);
 if($msg) MSGError("Logins are not allowed.");
@@ -156,6 +150,12 @@ function DBLogInContest($name,$pass,$contest,$msg=true) {
 unset($_SESSION["usertable"]);
 return false;
 }
+ if ($a["userpassword"] != "" && $p != $pass) {
+ LOGLevel("User $name tried to log in contest $contest but password was incorrect.",2);
+ if($msg) MSGError("Incorrect password.");
+ unset($_SESSION["usertable"]);
+ return false;
+ }
 $gip=getIP();
 if ($a["userip"] != $gip && $a["userip"] != "" && $a["usertype"] != "score") {
 LOGLevel("User $name is using two different IPs: " . $a["userip"] .
-- cgit v1.2.3
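Review bot: The password check re-added in the second hunk still compares `$p` with the supplied `$pass` using `!=`, which PHP evaluates numerically when both strings look like numbers (two digests of the form `0e…` compare equal) and which is not constant-time; `if ($a["userpassword"] != "" && !hash_equals($p, (string)$pass)) {` avoids both, assuming the deployed PHP provides hash_equals(). Placing the check below the other two also means a caller who has not yet presented the right password now receives "Logins are not allowed." (and the reply of the check that ends just above the added lines, whose condition is outside the hunk), so those replies describe site and account state before authentication, and wrong-password attempts made in those states are no longer logged as such. If that order is wanted for usability, a comment should say so, for example `// password is verified last on purpose: state errors are shown even when the password is wrong`. The `$a["userpassword"] != ""` guard also accepts any password for an account whose stored password is empty, which deserves a comment confirming it is intended. DBLogInContest starts and ends outside both hunks.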