<?php
require_once('inc/base.php');
require_once('inc/debug.php');
require_once('inc/error.php');
require_once('inc/db_connect.php');
define('ROLE_ANONYMOUS', 0);
define('ROLE_MAILACCOUNT', 1);
define('ROLE_VMAIL_ACCOUNT', 2);
define('ROLE_SYSTEMUSER', 4);
define('ROLE_CUSTOMER', 8);
define('ROLE_SYSADMIN', 16);
define('ROLE_SUBUSER', 32);
// Gibt die Rolle aus, wenn das Passwort stimmt
function find_role($login, $password, $i_am_admin = False)
{
$login = mysql_real_escape_string($login);
// Domain-Admin? <not implemented>
// System-User?
$uid = (int) $login;
if ($uid == 0)
$uid = 'NULL';
$result = db_query("SELECT passwort AS password, kundenaccount AS `primary`, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
if (@mysql_num_rows($result) > 0)
{
$entry = mysql_fetch_object($result);
$db_password = $entry->password;
$hash = crypt($password, $db_password);
if ($hash == $db_password || $i_am_admin)
{
$role = ROLE_SYSTEMUSER;
if ($entry->primary)
$role = $role | ROLE_CUSTOMER;
if ($entry->admin)
$role = $role | ROLE_SYSADMIN;
logger(LOG_INFO, "session/checkuser", "login", "logged in systemuser »{$login}«.");
return $role;
}
logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing useraccount »{$login}«.");
} else {
logger(LOG_WARNING, "session/checkuser", "login", "did not find useraccount »{$login}«. trying other roles...");
}
// Customer?
$customerno = (int) $login;
$pass = sha1($password);
$result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno} AND passwort='{$pass}';");
if ($i_am_admin)
$result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno}");
if (@mysql_num_rows($result) > 0)
{
return ROLE_CUSTOMER;
}
// Mail-Account
$account = $login;
if (! strstr($account, '@')) {
$account .= '@'.config('masterdomain');
}
$result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
if (@mysql_num_rows($result) > 0)
{
$entry = mysql_fetch_object($result);
$db_password = $entry->cryptpass;
$hash = crypt($password, $db_password);
if ($hash == $db_password || $i_am_admin)
{
logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«.");
return ROLE_MAILACCOUNT;
}
logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing e-mail-account »{$account}«.");
}
// virtueller Mail-Account
$account = $login;
$result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account='{$account}' LIMIT 1;");
if (@mysql_num_rows($result) > 0)
{
$entry = mysql_fetch_object($result);
$db_password = $entry->cryptpass;
$hash = crypt($password, $db_password);
if ($hash == $db_password || $i_am_admin)
{
logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«.");
return ROLE_VMAIL_ACCOUNT;
}
logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing virtual e-mail-account »{$account}«.");
}
// Sub-User
$result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
if (@mysql_num_rows($result) > 0)
{
$entry = mysql_fetch_object($result);
$db_password = $entry->password;
$hash = sha1($password);
if ($hash == $db_password || $i_am_admin)
{
logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
return ROLE_SUBUSER;
}
logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
}
// Nothing?
return NULL;
}
function get_customer_info($customer)
{
if (! $_SESSION['role'] & ROLE_CUSTOMER)
return array();
$ret = array();
$customerno = (int) $customer;
if ($customerno != 0)
{
DEBUG('Looking up customerinfo for customer no. '.$customerno);
$result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id={$customerno} LIMIT 1;");
}
else
{
$username = mysql_real_escape_string($customer);
DEBUG('looking up customer info for username '.$username);
$result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
}
if (@mysql_num_rows($result) == 0)
system_failure("Konnte Kundendaten nicht auslesen!");
$data = mysql_fetch_assoc($result);
DEBUG($data);
$ret['customerno'] = $data['id'];
$ret['title'] = $data['anrede'];
$ret['company'] = $data['firma'];
$ret['name'] = $data['name'];
$ret['email'] = $data['email'];
return $ret;
}
function get_subuser_info($username)
{
$result = db_query("SELECT uid, modules FROM system.subusers WHERE username='{$username}'");
if (mysql_num_rows($result) < 1)
{
logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
}
$data = mysql_fetch_assoc($result);
$userinfo = get_user_info($data['uid']);
$userinfo['modules'] = $data['modules'];
return $userinfo;
}
function get_user_info($username)
{
$username = mysql_real_escape_string($username);
$result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server
FROM system.v_useraccounts WHERE username='{$username}' OR uid='{$username}' LIMIT 1");
if (mysql_num_rows($result) < 1)
{
logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
}
$val = @mysql_fetch_object($result);
return array(
'username' => $val->username,
'customerno' => $val->customerno,
'uid' => $val->uid,
'homedir' => $val->homedir,
'server' => $val->server,
'name' => $val->name,
);
}
function set_customer_verified($customerno)
{
$customerno = (int) $customerno;
db_query("UPDATE kundendaten.kunden SET status=0 WHERE id={$customerno};");
logger(LOG_INFO, "session/checkuser", "register", "set customer's status to 0.");
}
function set_customer_lastlogin($customerno)
{
$customerno = (int) $customerno;
db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id={$customerno};");
}
function set_customer_password($customerno, $newpass)
{
$customerno = (int) $customerno;
$newpass = sha1($newpass);
db_query("UPDATE kundendaten.kunden SET passwort='$newpass' WHERE id='".$customerno."' LIMIT 1");
logger(LOG_INFO, "session/checkuser", "pwchange", "changed customer's password.");
}
function set_subuser_password($subuser, $newpass)
{
$subuser = mysql_real_escape_string($subuser);
$uid = (int) $_SESSION['userinfo']['uid'];
$newpass = sha1($newpass);
db_query("UPDATE system.subusers SET password='$newpass' WHERE username='{$subuser}' AND uid={$uid}");
logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password.");
}
function set_systemuser_password($uid, $newpass)
{
$uid = (int) $uid;
require_once('inc/base.php');
if (defined("CRYPT_SHA512") && CRYPT_SHA512 == 1)
{
$rounds = rand(1000, 5000);
$salt = "rounds=".$rounds."$".random_string(8);
$newpass = crypt($newpass, "\$6\${$salt}\$");
}
else
{
$salt = random_string(8);
$newpass = crypt($newpass, "\$1\${$salt}\$");
}
db_query("UPDATE system.passwoerter SET passwort='$newpass' WHERE uid='".$uid."' LIMIT 1");
logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password.");
}
function setup_session($role, $useridentity)
{
session_regenerate_id();
$_SESSION['role'] = $role;
if ($role & ROLE_SUBUSER)
{
DEBUG("We are a sub-user");
$info = get_subuser_info($useridentity);
$_SESSION['userinfo'] = $info;
$_SESSION['subuser'] = $useridentity;
$_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
$_SESSION['restrict_modules'] = explode(',', $info['modules']);
logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
}
if ($role & ROLE_SYSTEMUSER)
{
DEBUG("We are system user");
$info = get_user_info($useridentity);
$_SESSION['userinfo'] = $info;
logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
$useridentity = $info['customerno'];
}
if ($role & ROLE_CUSTOMER)
{
$info = get_customer_info($useridentity);
$_SESSION['customerinfo'] = $info;
set_customer_lastlogin($info['customerno']);
logger(LOG_INFO, "session/start", "login", "logged in customer no »{$info['customerno']}«");
}
if ($role & ROLE_MAILACCOUNT)
{
$id = $useridentity;
if (! strstr($id, '@'))
$id .= '@'.config('masterdomain');
$_SESSION['mailaccount'] = $id;
DEBUG("We are mailaccount: {$_SESSION['mailaccount']}");
}
if ($role & ROLE_VMAIL_ACCOUNT)
{
$id = $useridentity;
$_SESSION['mailaccount'] = $id;
DEBUG("We are virtual mailaccount: {$_SESSION['mailaccount']}");
}
}
?>