Login am Webiterface mit Googleauth möglich (b07839f) - webinterface.git

Bernd Wurst commited on 2012-09-18 12:32:29
Zeige 3 geänderte Dateien mit 124 Einfügungen und 16 Löschungen.

session/checkuser.php 6250001..a6d034a
session/start.php b64a7cb..af69405
themes/default/page-googleauth-login.tpl.php 0000000..ca6e5f0

@@ -77,11 +77,41 @@ function find_role($login, $password, $i_am_admin = False)
     return ROLE_CUSTOMER;
   }
 
+  // Sub-User
+
+  $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
+  if (@mysql_num_rows($result) > 0)
+  {
+    $entry = mysql_fetch_object($result);
+    $db_password = $entry->password;
+    // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
+    if (hash("sha1", $password) == $db_password || hash("sha256", $password) == $db_password || $i_am_admin)
+    {
+      logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
+      return ROLE_SUBUSER;
+    }
+    logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
+  }
+
+
   // Mail-Account
   $account = $login;
   if (! strstr($account, '@')) {
     $account .= '@'.config('masterdomain');
   }
+  if (!$i_am_admin && have_module('googleauth')) {
+    require_once('modules/googleauth/include/googleauth.php');
+    if (account_has_googleauth($account)) {
+      if (check_webmail_password($account, $password)) {
+        $_SESSION['googleauth_username'] = $account;
+        $_SESSION['googleauth'] = True;
+        show_page('googleauth-login');
+        die();
+      } else {
+        return NULL;
+      }
+    }
+  }
   $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
   if (@mysql_num_rows($result) > 0)
   {
@@ -113,22 +143,6 @@ function find_role($login, $password, $i_am_admin = False)
   }
   
 
-  // Sub-User
-
-  $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
-  if (@mysql_num_rows($result) > 0)
-  {
-    $entry = mysql_fetch_object($result);
-    $db_password = $entry->password;
-    // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
-    if (hash("sha1", $password) == $db_password || hash("sha256", $password) == $db_password || $i_am_admin)
-    {
-      logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
-      return ROLE_SUBUSER;
-    }
-    logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
-  }
-
 
   // Nothing?
   return NULL;

session/start.php

Zeige Datei @ b07839f

@@ -23,6 +23,29 @@ if (!session_start())
 
 DEBUG("<pre>POST-DATA: ".htmlspecialchars(print_r($_POST, true))."\nSESSION_DATA: ".htmlspecialchars(print_r($_SESSION, true))."</pre>");
 
+if (have_module('googleauth') && isset($_POST['webinterface_googlecode']) && isset($_SESSION['googleauth']) && isset($_SESSION['googleauth_username'])) {
+  require_once('modules/googleauth/include/googleauth.php');
+  $role = NULL;
+  if (check_googleauth($_SESSION['googleauth_username'], $_POST['webinterface_googlecode'])) {
+    $role = find_role($_SESSION['googleauth_username'], '', true);
+  }
+  if ($role === NULL)
+  {
+    $_SESSION['role'] = ROLE_ANONYMOUS;
+    logger(LOG_WARNING, "session/start", "login", "wrong googleauth code (username: »{$_SESSION['googleauth_username']}«)");
+    warning('Ihre Anmeldung konnte nicht durchgeführt werden. Geben Sie bitte einen neuen Code ein.');
+    show_page('googleauth-login');
+    die();
+  }
+  else
+  {
+    setup_session($role, $_SESSION['googleauth_username']);
+  }
+  unset($_POST['webinterface_googlecode']);
+  unset($_SESSION['googleauth']);
+  unset($_SESSION['googleauth_username']);
+}
+
 if (isset($_POST['webinterface_username']) && isset($_POST['webinterface_password']))
 {
   $role = find_role($_POST['webinterface_username'], $_POST['webinterface_password']);

themes/default/page-googleauth-login.tpl.php

Zeige Datei @ b07839f

...	...	@@ -0,0 +1,71 @@
	1	+<?php
	2	+/*
	3	+This file belongs to the Webinterface of schokokeks.org Hosting
	4	+
	5	+Written 2008-2012 by schokokeks.org Hosting, namely
	6	+ Bernd Wurst <bernd@schokokeks.org>
	7	+ Hanno Böck <hanno@schokokeks.org>
	8	+
	9	+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
	10	+
	11	+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see
	12	+http://creativecommons.org/publicdomain/zero/1.0/
	13	+
	14	+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
	15	+*/
	16	+?><?xml version="1.0" encoding="utf-8"?>
	17	+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
	18	+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
	19	+
	20	+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de">
	21	+<head>
	22	+
	23	+<?php
	24	+if ($title)
	25	+ echo "<title>$title - Administration</title>";
	26	+else
	27	+ echo "<title>Administration</title>";
	28	+?>
	29	+<link rel="stylesheet" href="<?php echo $THEME_PATH; ?>style.css" type="text/css" media="screen" title="Normal" />
	30	+<link rel="shortcut icon" href="<?php echo $THEME_PATH; ?>favicon.ico" type="image/x-icon" />
	31	+<?php echo $html_header; ?>
	32	+</head>
	33	+
	34	+<body onload="javascript:document.getElementById('code').focus();">
	35	+<div><a href="#content" style="display: none;">Zum Inhalt</a></div>
	36	+
	37	+<div class="menu">
	38	+<a href="<?php echo $BASE_PATH; ?>"><img src="<?php echo $THEME_PATH; ?>images/schokokeks.png" width="190" height="141" alt="schokokeks.org Hosting" /></a>
	39	+
	40	+<?php echo $menu; ?>
	41	+
	42	+<?php echo $userinfo; ?>
	43	+
	44	+</div>
	45	+
	46	+<div class="content">
	47	+<a id="content" style="display: none"> </a>
	48	+
	49	+<?php
	50	+if ($messages) {
	51	+ echo $messages;
	52	+}
	53	+?>
	54	+
	55	+<h3>Sicherheits-Code von Google-Authenticator</h3>
	56	+<p>Ihr Zugang ist mit einem zweistufigen Login-Prozess geschützt. Sie müssen daher jetzt noch den aktuellsten Code des Google-Authenticators eingeben.</p>
	57	+<form action="" method="post">
	58	+<p><label for="code" class="login_label">Google-Authenticator-Code:</label> <input type="text" id="code" name="webinterface_googlecode" size="20" /></p>
	59	+<p><span class="login_label"> </span> <input type="submit" value="Prüfen" /></p>
	60	+</form>
	61	+
	62	+</div>
	63	+
	64	+<div class="foot">
	65	+<p>Sollten Sie auf dieser Administrations-Oberfläche ein Problem entdecken oder Hilfe benötigen, schreiben Sie bitte eine einfache eMail an <a href="mailto:root@schokokeks.org">root@schokokeks.org</a>. Unser <a href="http://www.schokokeks.org/kontakt">Impressum</a> finden Sie auf der <a href="http://www.schokokeks.org/">öffentlichen Seite</a>. Lizenzinformationen zu diesem Webinterface und verwendeten Rechten finden Sie <a href="../../images/about.php">indem Sie hier klicken</a>.</p>
	66	+
	67	+</div>
	68	+
	69	+
	70	+</body>
	71	+</html>
0	72

...	...	@@ -77,11 +77,41 @@ function find_role($login, $password, $i_am_admin = False)
77	77	return ROLE_CUSTOMER;
78	78	}
79	79
	80	+ // Sub-User
	81	+
	82	+ $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
	83	+ if (@mysql_num_rows($result) > 0)
	84	+ {
	85	+ $entry = mysql_fetch_object($result);
	86	+ $db_password = $entry->password;
	87	+ // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
	88	+ if (hash("sha1", $password) == $db_password \|\| hash("sha256", $password) == $db_password \|\| $i_am_admin)
	89	+ {
	90	+ logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
	91	+ return ROLE_SUBUSER;
	92	+ }
	93	+ logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
	94	+ }
	95	+
	96	+
80	97	// Mail-Account
81	98	$account = $login;
82	99	if (! strstr($account, '@')) {
83	100	$account .= '@'.config('masterdomain');
84	101	}
	102	+ if (!$i_am_admin && have_module('googleauth')) {
	103	+ require_once('modules/googleauth/include/googleauth.php');
	104	+ if (account_has_googleauth($account)) {
	105	+ if (check_webmail_password($account, $password)) {
	106	+ $_SESSION['googleauth_username'] = $account;
	107	+ $_SESSION['googleauth'] = True;
	108	+ show_page('googleauth-login');
	109	+ die();
	110	+ } else {
	111	+ return NULL;
	112	+ }
	113	+ }
	114	+ }
85	115	$result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
86	116	if (@mysql_num_rows($result) > 0)
87	117	{
...	...	@@ -113,22 +143,6 @@ function find_role($login, $password, $i_am_admin = False)
113	143	}
114	144
115	145
116		- // Sub-User
117		-
118		- $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
119		- if (@mysql_num_rows($result) > 0)
120		- {
121		- $entry = mysql_fetch_object($result);
122		- $db_password = $entry->password;
123		- // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
124		- if (hash("sha1", $password) == $db_password \|\| hash("sha256", $password) == $db_password \|\| $i_am_admin)
125		- {
126		- logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
127		- return ROLE_SUBUSER;
128		- }
129		- logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
130		- }
131		-
132	146
133	147	// Nothing?
134	148	return NULL;

...	...	@@ -23,6 +23,29 @@ if (!session_start())
23	23
24	24	DEBUG("<pre>POST-DATA: ".htmlspecialchars(print_r($_POST, true))."\nSESSION_DATA: ".htmlspecialchars(print_r($_SESSION, true))."</pre>");
25	25
	26	+if (have_module('googleauth') && isset($_POST['webinterface_googlecode']) && isset($_SESSION['googleauth']) && isset($_SESSION['googleauth_username'])) {
	27	+ require_once('modules/googleauth/include/googleauth.php');
	28	+ $role = NULL;
	29	+ if (check_googleauth($_SESSION['googleauth_username'], $_POST['webinterface_googlecode'])) {
	30	+ $role = find_role($_SESSION['googleauth_username'], '', true);
	31	+ }
	32	+ if ($role === NULL)
	33	+ {
	34	+ $_SESSION['role'] = ROLE_ANONYMOUS;
	35	+ logger(LOG_WARNING, "session/start", "login", "wrong googleauth code (username: »{$_SESSION['googleauth_username']}«)");
	36	+ warning('Ihre Anmeldung konnte nicht durchgeführt werden. Geben Sie bitte einen neuen Code ein.');
	37	+ show_page('googleauth-login');
	38	+ die();
	39	+ }
	40	+ else
	41	+ {
	42	+ setup_session($role, $_SESSION['googleauth_username']);
	43	+ }
	44	+ unset($_POST['webinterface_googlecode']);
	45	+ unset($_SESSION['googleauth']);
	46	+ unset($_SESSION['googleauth_username']);
	47	+}
	48	+
26	49	if (isset($_POST['webinterface_username']) && isset($_POST['webinterface_password']))
27	50	{
28	51	$role = find_role($_POST['webinterface_username'], $_POST['webinterface_password']);