backport these two upstream patches for newer release: https://bitbucket.org/ritt/elog/commits/2f6a300572bd6048351af8c45394ae62230c83d9 + https://bitbucket.org/ritt/elog/commits/9ca611aca2b1860efac15f806bf907cc2e6f870a/#Lsrc/elogd.cF26100T26104
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -3443,7 +3443,7 @@
             break;
          get_user_line(lbs, login_name, NULL, NULL, email_from, NULL, NULL, NULL);
          sprintf(email_from_name, "%s <%s>", login_name, email_from);
-         if (is_admin_user(lbs->name, login_name) && strchr(email_from, '@'))
+         if (is_admin_user(lbs, login_name) && strchr(email_from, '@'))
             break;
       }
    }
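Review bot: `is_admin_user(lbs, login_name)` tests a name taken from `get_user_line`, but with this patch `is_admin_user` also returns FALSE unless `logged_in(lbs)` holds, and `logged_in` looks at the request's own `unm`/`sid`, not at the `user` argument. When the current request carries no valid session, no entry can satisfy this condition, so the search for an admin address containing `@` would likely stop matching. The loop starts outside the hunk, so the exact fallback is not visible. Consider separating the list-membership test from the session test and calling only the former here, with a comment such as `/* membership only: login_name is not the requesting user */`.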
@@ -8578,7 +8578,7 @@
                wrong_pwd = 2;
          } else {
             /* administrator does not have to supply old password if changing other user's password */
-            if (isparam("unm") && is_admin_user(lbs->name, getparam("unm"))
+            if (isparam("unm") && is_admin_user(lbs, getparam("unm"))
                 && stricmp(getparam("unm"), user) != 0)
                wrong_pwd = 0;
             else {
@@ -8652,7 +8652,7 @@
 
    /* do not ask for old pwasword if admin changes other user's password */
    if (isparam("unm")) {
-      if (!is_admin_user(lbs->name, getparam("unm")) || stricmp(getparam("unm"), user) == 0) {
+      if (!is_admin_user(lbs, getparam("unm")) || stricmp(getparam("unm"), user) == 0) {
          if (isparam("oldpwd") && !(wrong_pwd == 1))    // hidden password for password recovery
             rsprintf("<input type=hidden name=oldpwd value=\"%s\"", getparam("oldpwd"));
          else {
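Review bot: `getparam("oldpwd")` is written into the `value` attribute by `rsprintf` with a plain `%s` on the context line after the changed condition, so a quote character in the parameter would end the attribute and the remainder would be parsed as markup. The commit tightens who may skip the old password but leaves this reflection as it was; HTML-encoding the value before it is emitted would close it. Whether an earlier step already encodes the parameter is not visible in the hunk, and the enclosing function starts and ends outside it.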
@@ -8751,7 +8751,7 @@
    int i;
 
    /* check if current user is admin */
-   if (is_admin_user(lbs->name, getparam("unm")))
+   if (is_admin_user(lbs, getparam("unm")))
       return TRUE;
 
    /* search attribute which contains short_name of author */
@@ -12126,7 +12126,7 @@
    rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Cancel"));
 
    if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) {
-      if (is_admin_user("global", getparam("unm"))) {
+      if (is_admin_user(NULL, getparam("unm"))) {
          if (lbs->top_group[0]) {
 
             sprintf(str, "global %s", lbs->top_group);
@@ -12159,7 +12159,7 @@
    }
 
    if (is_group("global") && !strieq(top_group, "global")) {
-      if (is_admin_user("global", getparam("unm"))) {
+      if (is_admin_user(NULL, getparam("unm"))) {
          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook"));
          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook"));
          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook"));
@@ -13275,7 +13275,7 @@
 
    /*---- if admin user, show user list ----*/
 
-   if (is_admin_user(logbook, getparam("unm"))) {
+   if (is_admin_user(lbs, getparam("unm"))) {
       rsprintf("<input type=hidden name=admin value=1>\n");
       rsprintf("<tr><td nowrap width=\"10%%\">%s:</td>\n", loc("Select user"));
       rsprintf("<td><select name=cfg_user onChange=\"document.form1.submit()\">\n");
@@ -13323,7 +13323,7 @@
    else
       strlcpy(str, user, sizeof(str));
 
-   if (is_admin_user(logbook, getparam("unm"))) {
+   if (is_admin_user(lbs, getparam("unm"))) {
       rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Active"));
       if (stricmp(user, getparam("unm")) == 0)
          rsprintf
@@ -13427,13 +13427,13 @@
 
    rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n");
 
-   if (is_admin_user(logbook, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
+   if (is_admin_user(lbs, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
        || atoi(str) == 1)
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Change password"));
 
    rsprintf("<input type=submit name=cmd value=\"%s\" onClick=\"return chkrem();\">\n", loc("Remove user"));
 
-   if (is_admin_user(logbook, getparam("unm"))) {
+   if (is_admin_user(lbs, getparam("unm"))) {
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("New user"));
       strlcpy(str, loc("Change config file"), sizeof(str));
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", str);
@@ -18079,6 +18079,17 @@
 
 /*------------------------------------------------------------------*/
 
+BOOL logged_in(LOGBOOK *lbs)
+{
+   if (isparam("unm")) {
+      if (check_login_user(lbs, getparam("unm")) && check_login(lbs, getparam("sid")))
+          return TRUE;
+   }
+   return FALSE;
+}
+
+/*------------------------------------------------------------------*/
+
 BOOL is_user_allowed(LOGBOOK * lbs, char *command)
 {
    char str[1000], users[2000];
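Review bot: `logged_in` guards `unm` with `isparam` but passes `getparam("sid")` to `check_login` unguarded; what `getparam` returns for an absent parameter, and whether `check_login` tolerates it, is not visible here. Testing both up front, `if (isparam("unm") && isparam("sid"))`, makes the no-session case fail closed without depending on the callee. A header comment such as `/* TRUE only if the request's unm is a known user and its sid passes check_login */` would also help, since every guest-menu decision in this patch now depends on this function. The `return TRUE;` line is indented one column deeper than the file's three-space steps.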
@@ -18109,7 +18120,7 @@
    /* check admin command */
    if (strieq(command, loc("Admin"))) {
       if (getcfg(lbs->name, "Admin user", str, sizeof(str))) {
-         return is_admin_user(lbs->name, getparam("unm"));
+         return is_admin_user(lbs, getparam("unm"));
       }
    }
 
@@ -18142,7 +18153,7 @@
       return TRUE;
 
    /* check for guest access */
-   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
+   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
       getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
 
    /* default menu commands */
@@ -18151,7 +18162,7 @@
 
       if (getcfg(lbs->name, "Password file", str, sizeof(str))) {
 
-         if (is_admin_user(lbs->name, getparam("unm"))) {
+         if (is_admin_user(lbs, getparam("unm"))) {
 
             strcat(menu_str, "Admin, ");
             strcat(menu_str, "Change config file, ");
@@ -18160,7 +18171,7 @@
             strcat(menu_str, "Create new logbook, ");
             strcat(menu_str, "GetPwdFile, ");
 
-            if (is_admin_user("global", getparam("unm"))) {
+            if (is_admin_user(NULL, getparam("unm"))) {
 
                if (lbs->top_group[0]) {
                   sprintf(str, "Change [global %s]", lbs->top_group);
@@ -18168,7 +18179,7 @@
                   strcat(menu_str, ", ");
                }
 
-               if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
+               if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
 
                   strcat(menu_str, "Change [global]");
                   strcat(menu_str, ", ");
@@ -18192,7 +18203,7 @@
       menu_str[0] = 0;
       for (i = 0; i < n; i++) {
          if (strcmp(menu_item[i], "Admin") == 0) {
-            if (!is_admin_user(lbs->name, getparam("unm")))
+            if (!is_admin_user(lbs, getparam("unm")))
                continue;
          }
          strcat(menu_str, menu_item[i]);
@@ -18201,7 +18212,7 @@
 
       strcat(menu_str, "HelpELCode, Synchronize, ");
 
-      if (is_admin_user(lbs->name, getparam("unm"))) {
+      if (is_admin_user(lbs, getparam("unm"))) {
 
          strcat(menu_str, "Change config file, ");
          strcat(menu_str, "Delete this logbook, ");
@@ -18209,7 +18220,7 @@
          strcat(menu_str, "Create new logbook, ");
          strcat(menu_str, "GetPwdFile, ");
 
-         if (is_admin_user("global", getparam("unm"))) {
+         if (is_admin_user(NULL, getparam("unm"))) {
 
             if (lbs->top_group[0]) {
                sprintf(str, "Change [global %s]", lbs->top_group);
@@ -18217,7 +18228,7 @@
                strcat(menu_str, ", ");
             }
 
-            if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
+            if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
 
                strcat(menu_str, "Change [global]");
                strcat(menu_str, ", ");
@@ -18228,11 +18239,11 @@
 
    /* check list menu commands */
    str[0] = 0;
-   if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || isparam("unm") != 0)
+   if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || logged_in(lbs))
       getcfg(lbs->name, "list menu commands", str, sizeof(str));
 
    if (!str[0]) {
-      if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || isparam("unm") != 0)
+      if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || logged_in(lbs))
          getcfg(lbs->name, "Find Menu commands", str, sizeof(str));
    }
 
@@ -18259,7 +18270,7 @@
       strlcat(other_str, "Save, ", sizeof(other_str));
 
    /* admin commands */
-   if (is_admin_user(lbs->name, getparam("unm"))) {
+   if (is_admin_user(lbs, getparam("unm"))) {
       strcat(other_str, "Remove user, New user, Activate, ");
    } else if (getcfg(lbs->name, "Self register", str, sizeof(str)) && atoi(str) > 0) {
       strcat(other_str, "Remove user, New user, ");
@@ -18298,6 +18309,10 @@
       }
    }
 
+   /* make sure user is logged in */
+   if (!logged_in(lbs))
+      return FALSE;
+
    return TRUE;
 }
 
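Review bot: The `logged_in` test sits only in front of the final `return TRUE;`, so it rejects every request without a valid session that reaches the fall-through, while any earlier `return TRUE;` in the function is unaffected. The function body lies outside the hunk; if it is the one that selects "Guest Menu commands" in the hunk at 18142, commands configured for guests would appear to be refused here as well, and a logbook without a password file would never have an `unm`. If that is intended, the comment should say so, e.g. `/* no command is allowed without a verified session, guest menus included */`; if not, the test belongs beside the checks that actually need it.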
@@ -20382,13 +20397,11 @@
             rsprintf("\">\n", str);
          }
 
-         if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
-             != 0)
+         if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
             getcfg(lbs->name, "Find menu commands", menu_str, sizeof(menu_str));
 
          if (!menu_str[0]) {
-            if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
-                != 0)
+            if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
                getcfg(lbs->name, "list menu commands", menu_str, sizeof(menu_str));
          }
 
@@ -23703,7 +23716,7 @@
    }
 
    /* check for guest access */
-   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
+   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
       getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
 
    /* default menu commands */
@@ -23723,7 +23736,7 @@
       menu_str[0] = 0;
       for (i = 0; i < n; i++) {
          if (strcmp(menu_item[i], "Admin") == 0) {
-            if (!is_admin_user(lbs->name, getparam("unm")))
+            if (!is_admin_user(lbs, getparam("unm")))
                continue;
          }
          strcat(menu_str, menu_item[i]);
@@ -25026,7 +25039,9 @@
    char str[256], global[256], orig_topgroup[256];
    
    orig_topgroup[0] = 0;
-   getcfg("global", "Password file", global, sizeof(global));
+   if (!getcfg("global", "Password file", global, sizeof(global)))
+       return NULL;
+
    if (getcfg_topgroup() && *getcfg_topgroup())
       strcpy(orig_topgroup, getcfg_topgroup());
    
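Review bot: Returning `NULL` when the global section has no "Password file" is a new result for this function, and only one caller is updated in this patch (the `if (lbs == NULL) return 0;` added in the next hunk). Any other caller that dereferences the result would now fault; callers are not visible here, so this needs a check across the file. A header comment such as `/* returns NULL if [global] defines no "Password file" */` would record the new contract. The added `return NULL;` is indented seven columns where the surrounding code uses six.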
@@ -25076,6 +25091,8 @@
       logbook with same password file than global section */
    if (lbs == NULL)
       lbs = get_first_lbs_with_global_passwd();
+   if (lbs == NULL)
+      return 0;
    
    getcfg(lbs->name, "Password file", str, sizeof(str));
 
@@ -25443,11 +25460,17 @@
 
 /*------------------------------------------------------------------*/
 
-BOOL is_admin_user(char *logbook, char *user)
+BOOL is_admin_user(LOGBOOK *lbs, char *user)
 {
    int i, n;
    char str[1000];
    char list[MAX_N_LIST][NAME_LENGTH];
+   char logbook[1000];
+   
+   if (lbs == NULL)
+      strlcpy(logbook, "global", sizeof(logbook));
+   else
+      strlcpy(logbook, lbs->name, sizeof(logbook));
 
    /* Removed user[0] for cloning, have to check implications, same below.
       if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */
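Review bot: The new 1000-byte `logbook` array only holds a name that is then read, so a pointer would do: `char *logbook = lbs ? lbs->name : "global";` in place of the declaration and the two `strlcpy` calls. That keeps the choice on one line and removes a copy whose size has to stay in step with `lbs->name`. The first argument now has a second meaning, so a header comment such as `/* lbs == NULL checks the [global] admin list */` is worth adding. The body continues outside the hunk.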
@@ -25464,6 +25487,10 @@
       if (i == n)
          return FALSE;
    }
+   /* make sure user is logged in */
+   if (lbs && !logged_in(lbs))
+      return FALSE;
+   
    return TRUE;
 }
 
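Review bot: The added test is `if (lbs && !logged_in(lbs))`, so a call with `lbs == NULL` still returns TRUE on list membership of the supplied name alone, with no session check. This patch converts every former `"global"` call to `is_admin_user(NULL, getparam("unm"))` (hunks at 12126, 12159, 18160, 18168, 18209, 18217 and 25988), and those calls decide whether the global-config, logbook create/delete/rename and synchronize controls are offered; the `unm` value comes from the request. The sites at 13275–13427 previously passed a separate `logbook` variable, so `lbs` may be NULL there too. Unless `check_login_user` and `check_login` cannot take a NULL logbook (not visible here, though a nearby hunk maps NULL to the first logbook sharing the global password file), drop the `lbs &&` so the global path also requires `logged_in`. The function's opening is outside the hunk.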
@@ -25487,6 +25514,7 @@
       if (i == n)
          return FALSE;
    }
+
    return TRUE;
 }
 
@@ -25988,7 +26016,7 @@
    if (getcfg("global", "mirror server", str, sizeof(str))) {
 
       /* only admin user sees synchronization link */
-      if (is_admin_user("global", getparam("unm"))) {
+      if (is_admin_user(NULL, getparam("unm"))) {
          rsprintf("<tr>\n");
          rsprintf("<td colspan=13 class=\"seltitle\">\n");
          rsprintf("<a href=\"?cmd=Synchronize\">%s</a></td>\n", loc("Synchronize all logbooks"));
--- a/src/elogd.h
+++ b/src/elogd.h
@@ -292,7 +292,7 @@
 BOOL check_login_user(LOGBOOK * lbs, char *user);
 LBLIST get_logbook_hierarchy(void);
 BOOL is_logbook_in_group(LBLIST pgrp, char *logbook);
-BOOL is_admin_user(char *logbook, char *user);
+BOOL is_admin_user(LOGBOOK * lbs, char *user);
 BOOL is_admin_user_global(char *user);
 void free_logbook_hierarchy(LBLIST root);
 void show_top_text(LOGBOOK * lbs);
@@ -308,6 +308,7 @@
 int parse_config_file(char *config_file);
 PMXML_NODE load_password_file(LOGBOOK * lbs, char *error, int error_size);
 int load_password_files();
+BOOL check_login(LOGBOOK * lbs, char *sid);
 void compose_base_url(LOGBOOK * lbs, char *base_url, int size, BOOL email_notify);
 void show_elog_entry(LOGBOOK * lbs, char *dec_path, char *command);
 char *loc(char *orig);
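Review bot: `check_login` gets a prototype here but the new `logged_in` in elogd.c does not, although it is defined without `static` and is called from `is_admin_user` and the menu code. Either add `BOOL logged_in(LOGBOOK * lbs);` next to this line or mark the definition `static`, so the compiler checks every call against one declaration.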
