session/checkuser.php
 <?php
 /*
 This file belongs to the Webinterface of schokokeks.org Hosting
 
 Written 2008-2018 by schokokeks.org Hosting, namely
   Bernd Wurst <bernd@schokokeks.org>
   Hanno Böck <hanno@schokokeks.org>
 
 To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
 
 You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 
 http://creativecommons.org/publicdomain/zero/1.0/
 
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
 require_once('inc/base.php');
 require_once('inc/debug.php');
 require_once('inc/error.php');
 
 
 // Role bits.  find_role() returns an OR of these and callers test them with '&'.
 define('ROLE_ANONYMOUS', 0);      // no role; find_role() never returns this value
 define('ROLE_MAILACCOUNT', 1);    // mailbox in mail.courier_mailaccounts
 define('ROLE_VMAIL_ACCOUNT', 2);  // mailbox in mail.courier_virtual_accounts
 define('ROLE_SYSTEMUSER', 4);     // account in system.v_useraccounts
 define('ROLE_CUSTOMER', 8);       // customer in kundendaten.kunden, or a system user flagged kundenaccount
 define('ROLE_SYSADMIN', 16);      // system user that is a member of the 'admin' group
 define('ROLE_SUBUSER', 32);       // restricted login in system.subusers, attached to a system user's uid
 
 
 // Gibt die Rolle aus, wenn das Passwort stimmt
 
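 /**
  * Constant-time check of a plain-text password against a crypt(3) hash.
  *
  * An empty stored hash never matches (crypt() is not even called), and a
  * crypt() failure result ("*0"/"*1", shorter than any real hash) is rejected
  * as well, so a missing or broken hash in the database cannot be matched.
  *
  * @param string $password    plain-text password as entered
  * @param string $stored_hash crypt(3) hash from the database ('' if none)
  * @return bool
  */
 function _checkuser_crypt_matches($password, $stored_hash)
 {
   if ($stored_hash === '') {
     return false;
   }
   $hash = crypt($password, $stored_hash);
   if (!is_string($hash) || strlen($hash) < 13) {
     return false;
   }
   return hash_equals($stored_hash, $hash);
 }
 
 /**
  * Authenticate a login and return its role bitmask.
  *
  * The candidate roles are tried in a fixed order and the first match wins:
  * system user (uid or username), customer (customer number), sub-user,
  * e-mail account (a bare local part gets '@'.config('masterdomain')
  * appended) and virtual e-mail account.
  *
  * @param string $login      username, uid, customer number, sub-user name
  *                           or mail address as entered
  * @param string $password   plain-text password as entered
  * @param bool   $i_am_admin when true the password is not checked (admin
  *                           impersonation); this also skips the status==0
  *                           check for system users and the webmail TOTP step
  * @return int|null ROLE_* bitmask, or NULL when no account matched or the
  *                  password was wrong.  The webmail-TOTP branch does not
  *                  return: it shows the TOTP page and die()s.
  */
 function find_role($login, $password, $i_am_admin = false)
 {
   // Domain-Admin?  <not implemented>
 
   // System user?  The login is also tried as a numeric uid; 0 stands for
   // "not a uid" and is bound as NULL so that u.uid=:uid cannot match.
   $uid = (int) $login;
   if ($uid === 0) {
     $uid = null;
   }
   $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid=:uid OR username=:login LIMIT 1;", array(":uid" => $uid, ":login" => $login));
   if ($result->rowCount() > 0) {
     $entry = $result->fetch(PDO::FETCH_OBJ);
     if (strcasecmp($entry->username, $login) == 0 && strcmp($entry->username, $login) !== 0) {
       // MySQL matched the username case-insensitively; logins are meant to be
       // case-sensitive, so refuse instead of accepting the other spelling.
       logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
       warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.');
       return null;
     }
     // system.passwoerter is LEFT JOINed, so password can be NULL for an
     // account without one; the cast turns that into '' which never matches.
     $password_ok = _checkuser_crypt_matches($password, (string) $entry->password);
     if (($entry->status == 0 && $password_ok) || $i_am_admin) {
       $role = ROLE_SYSTEMUSER;
       if ($entry->primary) {
         $role |= ROLE_CUSTOMER;
       }
       if ($entry->admin) {
         $role |= ROLE_SYSADMIN;
       }
       logger(LOG_INFO, "session/checkuser", "login", "logged in systemuser »{$login}«.");
       return $role;
     }
     logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing useraccount »{$login}«.");
   } else {
     logger(LOG_WARNING, "session/checkuser", "login", "did not find useraccount »{$login}«. trying other roles...");
   }
 
   // Customer?  The login is the customer number.
   $customerno = (int) $login;
   if ($i_am_admin) {
     $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=?", array($customerno));
   } else {
     // Customer passwords are stored as unsalted SHA-1 and compared inside the
     // query; the scheme is shared with set_customer_password() and cannot be
     // changed here alone.
     $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=:customerno AND passwort=:pass", array(":customerno" => $customerno, ":pass" => sha1($password)));
   }
   if ($result->rowCount() > 0) {
     return ROLE_CUSTOMER;
   }
 
   // Sub-user?
   $result = db_query("SELECT password FROM system.subusers WHERE username=?", array($login));
   if ($result->rowCount() > 0) {
     $entry = $result->fetch(PDO::FETCH_OBJ);
     $db_password = (string) $entry->password;
     // Unsalted SHA-1 for old sub-users (kaylee), SHA-256 for newer ones.  The
     // digests are compared in constant time; an empty stored value never matches.
     $password_ok = hash_equals($db_password, hash("sha1", $password))
                 || hash_equals($db_password, hash("sha256", $password));
     if ($password_ok || $i_am_admin) {
       logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
       return ROLE_SUBUSER;
     }
     logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
   }
 
   // Mail account?  A bare local part is completed with the master domain.
   $account = $login;
   if (strpos($account, '@') === false) {
     $account .= '@'.config('masterdomain');
   }
   if (!$i_am_admin && have_module('webmailtotp')) {
     require_once('modules/webmailtotp/include/totp.php');
     if (account_has_totp($account)) {
       if (!check_webmail_password($account, $password)) {
         return null;
       }
       // First factor accepted; the TOTP page completes the login, so this
       // request ends here.
       $_SESSION['totp_username'] = $account;
       $_SESSION['totp'] = true;
       show_page('webmailtotp-login');
       die();
     }
   }
   $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account=?", array($account));
   if ($result->rowCount() > 0) {
     $entry = $result->fetch(PDO::FETCH_OBJ);
     if (_checkuser_crypt_matches($password, (string) $entry->cryptpass) || $i_am_admin) {
       logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«.");
       return ROLE_MAILACCOUNT;
     }
     logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing e-mail-account »{$account}«.");
   }
 
   // Virtual mail account?  Looked up with the login exactly as entered.
   $account = $login;
   $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account=?", array($account));
   if ($result->rowCount() > 0) {
     $entry = $result->fetch(PDO::FETCH_OBJ);
     if (_checkuser_crypt_matches($password, (string) $entry->cryptpass) || $i_am_admin) {
       logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«.");
       return ROLE_VMAIL_ACCOUNT;
     }
     logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing virtual e-mail-account »{$account}«.");
   }
 
   // Nothing matched.
   return null;
 }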
 
 
 /**
  * Load the customer record for a customer number or a system username.
  *
  * A numeric $customer is looked up by kundendaten.kunden.id; anything else
  * is treated as a system username and resolved through system.v_useraccounts.
  * Calls system_failure() when no row is found.
  *
  * @param int|string $customer customer number or system username
  * @return array{customerno:mixed,title:mixed,company:mixed,name:mixed,email:mixed}
  */
 function get_customer_info($customer)
 {
   // NOTE(review): '!' binds tighter than '&', so this evaluates
   // (!$role) & ROLE_CUSTOMER, which is never true: the early return is dead.
   // setup_session() currently relies on that for sub-users (it calls this
   // before adding ROLE_CUSTOMER to the session role), so the precedence and
   // the caller have to be fixed in the same change.
   if (! $_SESSION['role'] & ROLE_CUSTOMER) {
     return array();
   }
   $customerno = (int) $customer;
   if ($customerno !== 0) {
     DEBUG('Looking up customerinfo for customer no. '.$customerno);
     $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id=?", array($customerno));
   } else {
     DEBUG('looking up customer info for username '.$customer);
     $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($customer));
   }
   if ($result->rowCount() == 0) {
     system_failure("Konnte Kundendaten nicht auslesen!");
   }
   $row = $result->fetch();
   DEBUG($row);
   return array(
     'customerno' => $row['id'],
     'title'      => $row['anrede'],
     'company'    => $row['firma'],
     'name'       => $row['name'],
     'email'      => $row['email'],
   );
 }
 
 
 /**
  * Load a sub-user and the system user it belongs to.
  *
  * Returns get_user_info() for the sub-user's uid with an extra 'modules'
  * entry (the raw value of system.subusers.modules).  Calls system_failure()
  * when the sub-user does not exist.
  *
  * @param string $username sub-user login name
  * @return array user info array plus 'modules'
  */
 function get_subuser_info($username)
 {
   $rows = db_query("SELECT uid, modules FROM system.subusers WHERE username=?", array($username));
   if ($rows->rowCount() < 1) {
     logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
     system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
   }
   $subuser = $rows->fetch();
   $info = get_user_info($subuser['uid']);
   $info['modules'] = $subuser['modules'];
   return $info;
 }
 
 
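 /**
  * Load the system-user record for a username or a uid.
  *
  * Calls system_failure() when no row is found or the row cannot be fetched,
  * so callers can rely on every key being present.
  *
  * @param int|string $username username or numeric uid
  * @return array{username:mixed,customerno:mixed,uid:mixed,homedir:mixed,server:mixed,name:mixed}
  */
 function get_user_info($username)
 {
   // :username is bound twice (username and uid).  PDO only allows reusing a
   // named placeholder with emulated prepares, which db_query() apparently uses.
   $result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server
                       FROM system.v_useraccounts WHERE username=:username OR uid=:username", array(":username" => $username));
   if ($result->rowCount() < 1) {
     logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
     system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
   }
   $val = $result->fetch(PDO::FETCH_OBJ);
   if ($val === false) {
     // rowCount() promised a row; a failed fetch must not yield an array of NULLs.
     logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
     system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
   }
   return array(
     'username'   => $val->username,
     'customerno' => $val->customerno,
     'uid'        => $val->uid,
     'homedir'    => $val->homedir,
     'server'     => $val->server,
     'name'       => $val->name,
   );
 }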
 
 /**
  * Mark a customer as verified by setting kundendaten.kunden.status to 0.
  *
  * @param int|string $customerno customer number (cast to int)
  */
 function set_customer_verified($customerno)
 {
   $id = (int) $customerno;
   db_query("UPDATE kundendaten.kunden SET status=0 WHERE id=?", array($id));
   logger(LOG_INFO, "session/checkuser", "register", "set customer's status to 0.");
 }
 
 /**
  * Record the current time as the customer's last login.
  *
  * @param int|string $customerno customer number (cast to int)
  */
 function set_customer_lastlogin($customerno)
 {
   $id = (int) $customerno;
   db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id=?", array($id));
 }
 
 /**
  * Store a new password for a customer.
  *
  * Customer passwords are stored as unsalted SHA-1; find_role() compares the
  * same digest inside its query, so the scheme cannot be changed here alone.
  *
  * @param int|string $customerno customer number (cast to int)
  * @param string     $newpass    new plain-text password
  */
 function set_customer_password($customerno, $newpass)
 {
   $args = array(
     ":newpass"    => sha1($newpass),
     ":customerno" => (int) $customerno,
   );
   db_query("UPDATE kundendaten.kunden SET passwort=:newpass WHERE id=:customerno", $args);
   logger(LOG_INFO, "session/checkuser", "pwchange", "changed customer's password.");
 }
 
 /**
  * Store a new password for one of the current system user's sub-users.
  *
  * The UPDATE is scoped to the uid of the logged-in session, so a sub-user
  * name that belongs to another account is not touched.  Stored as unsalted
  * SHA-1, which is one of the digests find_role() accepts.
  *
  * @param string $subuser sub-user login name
  * @param string $newpass new plain-text password
  */
 function set_subuser_password($subuser, $newpass)
 {
   $owner_uid = (int) $_SESSION['userinfo']['uid'];
   db_query(
     "UPDATE system.subusers SET password=:newpass WHERE username=:subuser AND uid=:uid",
     array(":subuser" => $subuser, ":uid" => $owner_uid, ":newpass" => sha1($newpass))
   );
   logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password.");
 }
 
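 /**
  * Store a new crypt(3) hash for a system user in system.passwoerter.
  *
  * Uses SHA-512 crypt ($6$) with a random round count when the runtime
  * supports it and MD5 crypt ($1$) otherwise; the salt itself comes from
  * random_string() in inc/base.php.
  *
  * @param int|string $uid     system uid (cast to int)
  * @param string     $newpass new plain-text password
  */
 function set_systemuser_password($uid, $newpass)
 {
   $uid = (int) $uid;
   require_once('inc/base.php');
   if (defined("CRYPT_SHA512") && CRYPT_SHA512 == 1) {
     // The round count is part of the hash and therefore not secret, but use
     // the CSPRNG where available rather than rand().  1000-5000 is at or
     // below the usual SHA-512 crypt default of 5000 rounds.
     $rounds = function_exists('random_int') ? random_int(1000, 5000) : mt_rand(1000, 5000);
     $salt = "rounds=".$rounds."$".random_string(8);
     $newpass = crypt($newpass, "\$6\${$salt}\$");
   } else {
     $salt = random_string(8);
     $newpass = crypt($newpass, "\$1\${$salt}\$");
   }
   db_query("UPDATE system.passwoerter SET passwort=:newpass WHERE uid=:uid", array(":newpass" => $newpass, ":uid" => $uid));
   logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password.");
 }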
 
 
 /**
  * Resolve a mail account to the uid of the system user owning it.
  *
  * Calls system_failure() unless exactly one row matches.
  *
  * @param string $account full mail address (local@domain)
  * @return mixed value of mail.courier_mailaccounts.uid
  */
 function user_for_mailaccount($account)
 {
   $rows = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account=?", array($account));
   if ($rows->rowCount() != 1) {
     system_failure('Diese Adresse ist herrenlos?!');
   }
   $owner = $rows->fetch();
   return $owner['uid'];
 }
 
 /**
  * Resolve a virtual mail account to the system user account owning it.
  *
  * The address is matched against CONCAT_WS('@', local, domainname) of
  * mail.v_vmail_accounts.  Calls system_failure() unless exactly one row matches.
  *
  * @param string $account full mail address (local@domain)
  * @return mixed value of mail.v_vmail_accounts.useraccount
  */
 function user_for_vmail_account($account)
 {
   $rows = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)=?", array($account));
   if ($rows->rowCount() != 1) {
     system_failure('Diese Adresse ist herrenlos?!');
   }
   $owner = $rows->fetch();
   return $owner['useraccount'];
 }
 
 
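 /**
  * Initialise $_SESSION for a principal that find_role() just accepted.
  *
  * Fills 'role', 'userinfo' and, depending on the role bits, 'customerinfo',
  * 'subuser', 'restrict_modules' and 'mailaccount'.  For a sub-user the
  * session role is rewritten to ROLE_SYSTEMUSER|ROLE_SUBUSER, plus
  * ROLE_CUSTOMER when the owning system account is flagged kundenaccount.
  *
  * @param int    $role         bitmask returned by find_role()
  * @param string $useridentity the verified login: uid/username, customer
  *                             number, sub-user name or mail address
  */
 function setup_session($role, $useridentity)
 {
   // Fresh session id on privilege change.  Passing true also deletes the old
   // session so a pre-login id handed to the user by someone else stops working.
   session_regenerate_id(true);
   $_SESSION['role'] = $role;
   if ($role & ROLE_SUBUSER) {
     DEBUG("We are a sub-user");
     $info = get_subuser_info($useridentity);
     $_SESSION['userinfo'] = $info;
     // modules may be NULL; the cast keeps explode() from complaining on newer PHP.
     $_SESSION['restrict_modules'] = explode(',', (string) $info['modules']);
     $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
     $_SESSION['subuser'] = $useridentity;
     $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username=?", array($info['username']));
     $entry = $data->fetch();
     if ($entry && $entry['kundenaccount'] == 1) {
       // Grant the customer bit before the lookup: get_customer_info() is
       // meant to require ROLE_CUSTOMER in the session role.
       $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_CUSTOMER | ROLE_SUBUSER;
       $_SESSION['customerinfo'] = get_customer_info($info['username']);
     }
     logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
   }
   if ($role & ROLE_SYSTEMUSER) {
     DEBUG("We are system user");
     $info = get_user_info($useridentity);
     $_SESSION['userinfo'] = $info;
     logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
     // The customer branch below expects the customer number, not the login.
     $useridentity = $info['customerno'];
   }
   if ($role & ROLE_CUSTOMER) {
     $info = get_customer_info($useridentity);
     $_SESSION['customerinfo'] = $info;
     // 'admin_user' is presumably set while an admin impersonates a customer;
     // do not touch the customer's last-login timestamp in that case.
     if (!isset($_SESSION['admin_user'])) {
       set_customer_lastlogin($info['customerno']);
     }
     logger(LOG_INFO, "session/start", "login", "logged in customer no »{$info['customerno']}«");
   }
   if ($role & ROLE_MAILACCOUNT) {
     // Same completion rule as find_role(): a bare local part gets the master domain.
     $id = $useridentity;
     if (strpos($id, '@') === false) {
       $id .= '@'.config('masterdomain');
     }
     $uid = user_for_mailaccount($id);
     $_SESSION['mailaccount'] = $id;
     $_SESSION['userinfo'] = get_user_info($uid);
     DEBUG("We are mailaccount: {$_SESSION['mailaccount']}");
   }
   if ($role & ROLE_VMAIL_ACCOUNT) {
     $id = $useridentity;
     $uid = user_for_vmail_account($id);
     $_SESSION['mailaccount'] = $id;
     $_SESSION['userinfo'] = get_user_info($uid);
     DEBUG("We are virtual mailaccount: {$_SESSION['mailaccount']}");
   }
 }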
 
 ?>