// System-User? $uid = (int) $login; if ($uid == 0) $uid = 'NULL'; $result = db_query("SELECT passwort AS password, kundenaccount AS `primary`, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;"); if (@mysql_num_rows($result) > 0) { $entry = mysql_fetch_object($result); $db_password = $entry->password; $hash = crypt($password, $db_password); if ($hash == $db_password || $i_am_admin) { $role = ROLE_SYSTEMUSER; if ($entry->primary) $role = $role | ROLE_CUSTOMER; if ($entry->admin) $role = $role | ROLE_SYSADMIN; logger(LOG_INFO, "session/checkuser", "login", "logged in systemuser »{$login}«."); return $role; } logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing useraccount »{$login}«."); } else { logger(LOG_WARNING, "session/checkuser", "login", "did not find useraccount »{$login}«. trying other roles..."); } // Customer? $customerno = (int) $login; $pass = sha1($password); $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno} AND passwort='{$pass}';"); if ($i_am_admin) $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno}"); if (@mysql_num_rows($result) > 0) { return ROLE_CUSTOMER; } // Mail-Account $account = $login; if (! strstr($account, '@')) { $account .= '@'.config('masterdomain'); } $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;"); if (@mysql_num_rows($result) > 0) { $entry = mysql_fetch_object($result); $db_password = $entry->cryptpass; $hash = crypt($password, $db_password); if ($hash == $db_password || $i_am_admin) { logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«."); return ROLE_MAILACCOUNT; } logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing e-mail-account »{$account}«."); } // virtueller Mail-Account $account = $login; $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account='{$account}' LIMIT 1;"); if (@mysql_num_rows($result) > 0) { $entry = mysql_fetch_object($result); $db_password = $entry->cryptpass; $hash = crypt($password, $db_password); if ($hash == $db_password || $i_am_admin) { logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«."); return ROLE_VMAIL_ACCOUNT; } logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing virtual e-mail-account »{$account}«."); } // Sub-User $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'"); if (@mysql_num_rows($result) > 0) { $entry = mysql_fetch_object($result); $db_password = $entry->password; $hash = sha1($password); if ($hash == $db_password || $i_am_admin) { logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«."); return ROLE_SUBUSER; } logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«."); } // Nothing? return NULL; } function get_customer_info($customer) { if (! $_SESSION['role'] & ROLE_CUSTOMER) return array(); $ret = array(); $customerno = (int) $customer; if ($customerno != 0) { DEBUG('Looking up customerinfo for customer no. '.$customerno); $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id={$customerno} LIMIT 1;"); } else { $username = mysql_real_escape_string($customer); DEBUG('looking up customer info for username '.$username); $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'"); } if (@mysql_num_rows($result) == 0) system_failure("Konnte Kundendaten nicht auslesen!"); $data = mysql_fetch_assoc($result); DEBUG($data); $ret['customerno'] = $data['id']; $ret['title'] = $data['anrede']; $ret['company'] = $data['firma']; $ret['name'] = $data['name']; $ret['email'] = $data['email']; return $ret; } function get_subuser_info($username) { $result = db_query("SELECT uid, modules FROM system.subusers WHERE username='{$username}'"); if (mysql_num_rows($result) < 1) { logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«"); system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator'); } $data = mysql_fetch_assoc($result); $userinfo = get_user_info($data['uid']); $userinfo['modules'] = $data['modules']; return $userinfo; } function get_user_info($username) { $username = mysql_real_escape_string($username); $result = db_query("SELECT kunde AS customerno, username, uid, homedir, name FROM system.v_useraccounts WHERE username='{$username}' OR uid='{$username}' LIMIT 1"); if (mysql_num_rows($result) < 1) { logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«"); system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator'); } $val = @mysql_fetch_object($result); return array( 'username' => $val->username, 'customerno' => $val->customerno, 'uid' => $val->uid, 'homedir' => $val->homedir, 'name' => $val->name, ); } function set_customer_verified($customerno) { $customerno = (int) $customerno; db_query("UPDATE kundendaten.kunden SET status=0 WHERE id={$customerno};"); logger(LOG_INFO, "session/checkuser", "register", "set customer's status to 0."); } function set_customer_lastlogin($customerno) { $customerno = (int) $customerno; db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id={$customerno};"); } function set_customer_password($customerno, $newpass) { $customerno = (int) $customerno; $newpass = sha1($newpass); db_query("UPDATE kundendaten.kunden SET passwort='$newpass' WHERE id='".$customerno."' LIMIT 1"); logger(LOG_INFO, "session/checkuser", "pwchange", "changed customer's password."); } function set_subuser_password($subuser, $newpass) { $subuser = mysql_real_escape_string($subuser); $uid = (int) $_SESSION['userinfo']['uid']; $newpass = sha1($newpass); db_query("UPDATE system.subusers SET password='$newpass' WHERE username='{$subuser}' AND uid={$uid}"); logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password."); } function set_systemuser_password($uid, $newpass) { $uid = (int) $uid; require_once('inc/base.php'); if (defined("CRYPT_SHA512") && CRYPT_SHA512 == 1) { $rounds = rand(1000, 5000); $salt = "rounds=".$rounds."$".random_string(8); $newpass = crypt($newpass, "\$6\${$salt}\$"); } else { $salt = random_string(8); $newpass = crypt($newpass, "\$1\${$salt}\$"); } db_query("UPDATE system.passwoerter SET passwort='$newpass' WHERE uid='".$uid."' LIMIT 1"); logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password."); } function setup_session($role, $useridentity) { session_regenerate_id(); $_SESSION['role'] = $role; if ($role & ROLE_SUBUSER) { DEBUG("We are a sub-user"); $info = get_subuser_info($useridentity); $_SESSION['userinfo'] = $info; $_SESSION['subuser'] = $useridentity; $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER; $_SESSION['restrict_modules'] = explode(',', $info['modules']); logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«"); } if ($role & ROLE_SYSTEMUSER) { DEBUG("We are system user"); $info = get_user_info($useridentity); $_SESSION['userinfo'] = $info; logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«"); $useridentity = $info['customerno']; } if ($role & ROLE_CUSTOMER) { $info = get_customer_info($useridentity); $_SESSION['customerinfo'] = $info; set_customer_lastlogin($info['customerno']); logger(LOG_INFO, "session/start", "login", "logged in customer no »{$info['customerno']}«"); } if ($role & ROLE_MAILACCOUNT) { $id = $useridentity; if (! strstr($id, '@')) $id .= '@'.config('masterdomain'); $_SESSION['mailaccount'] = $id; DEBUG("We are mailaccount: {$_SESSION['mailaccount']}"); } if ($role & ROLE_VMAIL_ACCOUNT) { $id = $useridentity; $_SESSION['mailaccount'] = $id; DEBUG("We are virtual mailaccount: {$_SESSION['mailaccount']}"); } } ?>