<?php
/*
This file belongs to the Webinterface of schokokeks.org Hosting

Written 2008-2018 by schokokeks.org Hosting, namely
  Bernd Wurst <bernd@schokokeks.org>
  Hanno Böck <hanno@schokokeks.org>

To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see
http://creativecommons.org/publicdomain/zero/1.0/

Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
*/

// Helpers used throughout this file: db_query()/config() and friends
// (inc/base.php), DEBUG() (inc/debug.php), system_failure()/warning() (inc/error.php).
require_once 'inc/base.php';
require_once 'inc/debug.php';
require_once 'inc/error.php';


// Role bit-flags. A session's role is an OR-combination of these values,
// which is why the numbers are distinct powers of two.
define('ROLE_ANONYMOUS', 0);
define('ROLE_MAILACCOUNT', 1);
define('ROLE_VMAIL_ACCOUNT', 2);
define('ROLE_SYSTEMUSER', 4);
define('ROLE_CUSTOMER', 8);
define('ROLE_SYSADMIN', 16);
define('ROLE_SUBUSER', 32);
29) 
30) 
31) // Gibt die Rolle aus, wenn das Passwort stimmt
32) 
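/**
 * Looks up which role a login/password pair grants.
 *
 * The credentials are tried, in this order, against system users
 * (system.v_useraccounts), customers (kundendaten.kunden), sub-users
 * (system.subusers), mail accounts (mail.courier_mailaccounts) and virtual
 * mail accounts (mail.courier_virtual_accounts). The first table that knows
 * the login decides; a wrong password for a known login is logged and the
 * lookup continues with the next table.
 *
 * @param string $login      username, numeric uid, customer number or mail address
 * @param string $password   cleartext password as entered by the user
 * @param bool   $i_am_admin true skips the password checks (admin impersonation)
 * @return int|null OR-combination of ROLE_* flags, or null if nothing matched
 *                  (or the password was wrong everywhere)
 */
function find_role($login, $password, $i_am_admin = false)
{
    if (!$i_am_admin) {
        // Brute-force protection; count_failed_logins() is defined elsewhere.
        $failed = count_failed_logins();
        if ($failed > 5) {
            global $title;
            $title = '';
            system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
        }
    }

    // Domain-Admin?  <not implemented>

    // System-User?
    // A non-numeric login casts to 0; bind NULL instead so the query below
    // cannot match uid 0.
    $uid = (int) $login;
    if ($uid === 0) {
        $uid = null;
    }
    $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid=:uid OR username=:login LIMIT 1;", array(":uid" => $uid, ":login" => $login));
    if ($result && $result->rowCount() > 0) {
        $entry = $result->fetch(PDO::FETCH_OBJ);
        if (strcasecmp($entry->username, $login) == 0 && $entry->username != $login) {
            // MySQL matched case-insensitively (collation); logins are meant to be case-sensitive.
            logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
            warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.');
            return null;
        }
        // system.passwoerter is LEFT JOINed, so the stored hash may be NULL.
        $db_password = (string) $entry->password;
        $hash = crypt($password, $db_password);
        // hash_equals(): strict and constant-time. A loose == would compare two
        // numeric-looking strings (e.g. "0e...") as numbers and is not timing-safe.
        $password_ok = $db_password !== '' && hash_equals($db_password, $hash);
        if (($entry->status == 0 && $password_ok) || $i_am_admin) {
            $role = ROLE_SYSTEMUSER;
            if ($entry->primary) {
                $role |= ROLE_CUSTOMER;
            }
            if ($entry->admin) {
                $role |= ROLE_SYSADMIN;
            }
            logger(LOG_INFO, "session/checkuser", "login", "logged in systemuser »{$login}«.");
            return $role;
        }
        logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing useraccount »{$login}«.");
    } else {
        logger(LOG_WARNING, "session/checkuser", "login", "did not find useraccount »{$login}«. trying other roles...");
    }

    // Customer?
    // NOTE(review): the customer password is stored as unsalted SHA-1 and compared
    // inside SQL; set_customer_password() writes the same format, so migrating to
    // password_hash() means changing both places together.
    $customerno = (int) $login;
    if ($i_am_admin) {
        $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=?", array($customerno));
    } else {
        $pass = sha1($password);
        $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=:customerno AND passwort=:pass", array(":customerno" => $customerno, ":pass" => $pass));
    }
    if ($result && $result->rowCount() > 0) {
        return ROLE_CUSTOMER;
    }

    // Sub-User
    $result = db_query("SELECT password FROM system.subusers WHERE username=?", array($login));
    if ($result && $result->rowCount() > 0) {
        $entry = $result->fetch(PDO::FETCH_OBJ);
        $db_password = (string) $entry->password;
        // SHA1 for old sub-users (kaylee), SHA256 for new ones; strict, constant-time comparison.
        $password_ok = hash_equals($db_password, hash("sha1", $password))
            || hash_equals($db_password, hash("sha256", $password));
        if ($password_ok || $i_am_admin) {
            logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
            return ROLE_SUBUSER;
        }
        logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
    }


    // Mail-Account
    $account = $login;
    if (! strstr($account, '@')) {
        // a bare local part belongs to the master domain
        $account .= '@'.config('masterdomain');
    }
    if (!$i_am_admin && have_module('webmailtotp')) {
        // Second factor: a correct password only leads to the TOTP page, which
        // finishes the login; the session is marked so that page can verify it.
        require_once('modules/webmailtotp/include/totp.php');
        if (account_has_totp($account)) {
            if (check_webmail_password($account, $password)) {
                $_SESSION['totp_username'] = $account;
                $_SESSION['totp'] = true;
                show_page('webmailtotp-login');
                die();
            } else {
                return null;
            }
        }
    }
    $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account=?", array($account));
    if ($result && $result->rowCount() > 0) {
        $entry = $result->fetch(PDO::FETCH_OBJ);
        $db_password = (string) $entry->cryptpass;
        $hash = crypt($password, $db_password);
        $password_ok = $db_password !== '' && hash_equals($db_password, $hash);
        if ($password_ok || $i_am_admin) {
            logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«.");
            return ROLE_MAILACCOUNT;
        }
        logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing e-mail-account »{$account}«.");
    }

    // virtueller Mail-Account
    $account = $login;
    $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account=?", array($account));
    if ($result && $result->rowCount() > 0) {
        $entry = $result->fetch(PDO::FETCH_OBJ);
        $db_password = (string) $entry->cryptpass;
        $hash = crypt($password, $db_password);
        $password_ok = $db_password !== '' && hash_equals($db_password, $hash);
        if ($password_ok || $i_am_admin) {
            logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«.");
            return ROLE_VMAIL_ACCOUNT;
        }
        logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing virtual e-mail-account »{$account}«.");
    }


    // Nothing?
    return null;
}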
151) 
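/**
 * Tells whether the account behind the current session is locked.
 *
 * Reads kundendaten.kunden.gesperrt, either directly for a customer session
 * or via the customer that owns the session's system user.
 *
 * @return bool true only if a row was found and its gesperrt value equals 1
 */
function is_locked()
{
    $result = null;
    if (isset($_SESSION['customerinfo']['customerno'])) {
        $result = db_query("SELECT gesperrt FROM kundendaten.kunden WHERE id=?", array($_SESSION['customerinfo']['customerno']));
    } elseif (isset($_SESSION['userinfo']['uid'])) {
        $result = db_query("SELECT (SELECT gesperrt FROM kundendaten.kunden WHERE id=useraccounts.kunde) AS gesperrt FROM system.useraccounts WHERE uid=?", array($_SESSION['userinfo']['uid']));
    }
    if ($result) {
        $line = $result->fetch();
        // fetch() returns false when no row matched; indexing that would only
        // raise a warning, so guard explicitly and treat it as "not locked".
        if (is_array($line) && isset($line['gesperrt']) && $line['gesperrt'] == 1) {
            return true;
        }
    }
    return false;
}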
168) 
/**
 * Loads the customer record for a customer number or a system user name.
 *
 * @param string|int $customer numeric customer number, or the username of a
 *                             system user whose customer (kunde) is looked up
 * @return array keys 'customerno', 'title', 'company', 'name', 'email';
 *               empty array only if the role guard below ever triggers
 */
function get_customer_info($customer)
{
    // NOTE(review): `!` binds tighter than `&`, so this evaluates
    // (!$_SESSION['role']) & ROLE_CUSTOMER, which is always 0 — the guard
    // never returns. The intended form is `!($_SESSION['role'] & ROLE_CUSTOMER)`,
    // but setup_session() calls this function for sub-users before it sets the
    // ROLE_CUSTOMER bit, so the guard and that call order must change together.
    if (! $_SESSION['role'] & ROLE_CUSTOMER) {
        return array();
    }
    $ret = array();
    $customerno = (int) $customer;
    if ($customerno != 0) {
        // numeric argument: direct lookup by customer id
        DEBUG('Looking up customerinfo for customer no. '.$customerno);
        $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id=?", array($customerno));
    } else {
        // otherwise treat it as a system user name and resolve its customer
        $username = $customer;
        DEBUG('looking up customer info for username '.$username);
        $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($username));
    }
    if (@$result->rowCount() == 0) {
        // system_failure() is expected not to return; the fetch below relies on that
        system_failure("Konnte Kundendaten nicht auslesen!");
    }
    $data = $result->fetch();
    DEBUG($data);
    $ret['customerno'] = $data['id'];
    $ret['title'] = $data['anrede'];
    $ret['company'] = $data['firma'];
    $ret['name'] = $data['name'];
    $ret['email'] = $data['email'];

    return $ret;
}
198) 
199) 
/**
 * Looks up a sub-user and returns the owning system user's info plus the
 * sub-user's module restriction.
 *
 * @param string $username sub-user login name
 * @return array get_user_info() result with an additional 'modules' entry
 *               (the comma-separated string stored in system.subusers)
 */
function get_subuser_info($username)
{
    $rows = db_query("SELECT uid, modules FROM system.subusers WHERE username=?", array($username));
    if ($rows->rowCount() < 1) {
        logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
        // system_failure() is expected not to return
        system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
    }
    $subuser = $rows->fetch();
    $info = get_user_info($subuser['uid']);
    $info['modules'] = $subuser['modules'];
    return $info;
}
212) 
213) 
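/**
 * Loads the account record of a system user.
 *
 * @param string|int $username login name or numeric uid
 * @return array keys 'username', 'customerno', 'uid', 'homedir', 'server',
 *               'name', copied from system.v_useraccounts
 */
function get_user_info($username)
{
    // The argument may be a name or a uid. A non-numeric name must not be
    // compared against the integer uid column (MySQL would cast it to 0), so
    // the uid placeholder is bound as NULL in that case — the same handling
    // find_role() applies. Distinct placeholders also avoid reusing one named
    // parameter twice in the statement.
    $uid = (int) $username;
    if ($uid === 0) {
        $uid = null;
    }
    $result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server
                      FROM system.v_useraccounts WHERE username=:username OR uid=:uid", array(":username" => $username, ":uid" => $uid));
    if ($result->rowCount() < 1) {
        logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
        // system_failure() is expected not to return; the fetch below relies on that
        system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
    }
    $val = $result->fetch(PDO::FETCH_OBJ);
    return array(
          'username'      => $val->username,
          'customerno'    => $val->customerno,
          'uid'           => $val->uid,
          'homedir'       => $val->homedir,
          'server'        => $val->server,
          'name'          => $val->name,
          );
}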
232) 
/**
 * Marks a customer as verified by resetting its status to 0.
 *
 * @param int $customerno customer id in kundendaten.kunden
 * @return void
 */
function set_customer_verified($customerno)
{
    $id = (int) $customerno;
    db_query("UPDATE kundendaten.kunden SET status=0 WHERE id=?", array($id));
    logger(LOG_INFO, "session/checkuser", "register", "set customer's status to 0.");
}
239) 
/**
 * Records the current database time as the customer's last login.
 *
 * @param int $customerno customer id in kundendaten.kunden
 * @return void
 */
function set_customer_lastlogin($customerno)
{
    $id = (int) $customerno;
    db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id=?", array($id));
}
245) 
/**
 * Stores a new customer password.
 *
 * NOTE(review): the password is stored as unsalted SHA-1, which find_role()
 * compares inside SQL; both sides need to change together before moving to
 * password_hash().
 *
 * @param int    $customerno customer id in kundendaten.kunden
 * @param string $newpass    cleartext password
 * @return void
 */
function set_customer_password($customerno, $newpass)
{
    $params = array(
        ":newpass" => sha1($newpass),
        ":customerno" => (int) $customerno,
    );
    db_query("UPDATE kundendaten.kunden SET passwort=:newpass WHERE id=:customerno", $params);
    logger(LOG_INFO, "session/checkuser", "pwchange", "changed customer's password.");
}
253) 
/**
 * Stores a new password for a sub-user of the currently logged-in system user.
 *
 * The uid from the session is part of the WHERE clause, so a user can only
 * change passwords of their own sub-users.
 *
 * NOTE(review): this writes SHA-1 although find_role() also accepts SHA-256
 * for newer sub-users; the stored format is unsalted either way.
 *
 * @param string $subuser sub-user login name
 * @param string $newpass cleartext password
 * @return void
 */
function set_subuser_password($subuser, $newpass)
{
    $ownerUid = (int) $_SESSION['userinfo']['uid'];
    $hashed = sha1($newpass);
    db_query(
        "UPDATE system.subusers SET password=:newpass WHERE username=:subuser AND uid=:uid",
        array(":subuser" => $subuser, ":uid" => $ownerUid, ":newpass" => $hashed)
    );
    logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password.");
}
262) 
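/**
 * Stores a new password for a system user in system.passwoerter.
 *
 * Uses sha512-crypt ($6$, with a random rounds value) when the build supports
 * it, otherwise md5-crypt ($1$). find_role() verifies with crypt() against the
 * stored string, so any crypt format works there.
 *
 * @param int    $uid     uid of the system user
 * @param string $newpass cleartext password
 * @return void
 */
function set_systemuser_password($uid, $newpass)
{
    $uid = (int) $uid;
    require_once('inc/base.php'); // already loaded at file top; harmless with require_once
    if (defined("CRYPT_SHA512") && CRYPT_SHA512 == 1) {
        // random_int() is a CSPRNG; rand() is not. The rounds value is stored in
        // the hash and therefore not secret, but password handling should not
        // depend on rand() at all.
        $rounds = random_int(1000, 5000);
        // NOTE(review): sha512-crypt accepts up to 16 salt characters;
        // random_string(8) (defined elsewhere) uses half of that.
        $salt = "rounds=".$rounds."$".random_string(8);
        $newpass = crypt($newpass, "\$6\${$salt}\$");
    } else {
        $salt = random_string(8);
        $newpass = crypt($newpass, "\$1\${$salt}\$");
    }
    db_query("UPDATE system.passwoerter SET passwort=:newpass WHERE uid=:uid", array(":newpass" => $newpass, ":uid" => $uid));
    logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password.");
}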
278) 
/**
 * Resolves the system user (uid) that owns a mail account.
 *
 * @param string $account full mail account name as stored in mail.courier_mailaccounts
 * @return int|string uid column value of the owning account
 */
function user_for_mailaccount($account)
{
    $rows = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account=?", array($account));
    // exactly one owner is expected; anything else is treated as a fatal inconsistency
    if ($rows->rowCount() != 1) {
        system_failure('Diese Adresse ist herrenlos?!');
    }
    $owner = $rows->fetch();
    return $owner['uid'];
}
289) 
/**
 * Resolves the system user account that owns a virtual mail address.
 *
 * @param string $account address in the form local@domainname
 * @return mixed useraccount column value from mail.v_vmail_accounts
 */
function user_for_vmail_account($account)
{
    $rows = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)=?", array($account));
    // exactly one owner is expected; anything else is treated as a fatal inconsistency
    if ($rows->rowCount() != 1) {
        system_failure('Diese Adresse ist herrenlos?!');
    }
    $owner = $rows->fetch();
    return $owner['useraccount'];
}
299) 
300) 
301) function setup_session($role, $useridentity)
302) {
303)     session_regenerate_id();
304)     $_SESSION['role'] = $role;
305)     if ($role & ROLE_SUBUSER) {
306)         DEBUG("We are a sub-user");
307)         $info = get_subuser_info($useridentity);
308)         $_SESSION['userinfo'] = $info;
309)         $_SESSION['restrict_modules'] = explode(',', $info['modules']);
310)         $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
311)         $_SESSION['subuser'] = $useridentity;
312)         $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username=?", array($info['username']));
313)         if ($entry = $data->fetch()) {
314)             if ($entry['kundenaccount'] == 1) {
315)                 $customer = get_customer_info($_SESSION['userinfo']['username']);
316)                 $_SESSION['customerinfo'] = $customer;
317)                 $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_CUSTOMER | ROLE_SUBUSER;
318)             }
319)         }
320)         logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
321)     }
322)     if ($role & ROLE_SYSTEMUSER) {
323)         DEBUG("We are system user");
324)         $info = get_user_info($useridentity);
325)         $_SESSION['userinfo'] = $info;
326)         logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
327)         $useridentity = $info['customerno'];
328)     }
329)     if ($role & ROLE_CUSTOMER) {
330)         $info = get_customer_info($useridentity);
331)         $_SESSION['customerinfo'] = $info;
332)         if (!isset($_SESSION['admin_user'])) {
333)             set_customer_lastlogin($info['customerno']);
334)         }
335)         logger(LOG_INFO, "session/start", "login", "logged in customer no »{$info['customerno']}«");
336)     }
337)     if ($role & ROLE_MAILACCOUNT) {
338)         $id = $useridentity;
339)         if (! strstr($id, '@')) {
340)             $id .= '@'.config('masterdomain');
341)         }
342)         $uid = user_for_mailaccount($id);
343)         $_SESSION['mailaccount'] = $id;
344)         $_SESSION['userinfo'] = get_user_info($uid);
345)         DEBUG("We are mailaccount: {$_SESSION['mailaccount']}");
346)     }
347)     if ($role & ROLE_VMAIL_ACCOUNT) {
348)         $id = $useridentity;
349)         $uid = user_for_vmail_account($id);
350)         $_SESSION['mailaccount'] = $id;
351)         $_SESSION['userinfo'] = get_user_info($uid);
352)         DEBUG("We are virtual mailaccount: {$_SESSION['mailaccount']}");
353)     }
354)     if (! ($role & ROLE_CUSTOMER)) {
355)         $_SESSION['customerinfo'] = array();
356)     }