11b3da 1 <?php
T 2
3 /*
4 Copyright (c) 2005, Till Brehm, projektfarm Gmbh
5 All rights reserved.
6
7 Redistribution and use in source and binary forms, with or without modification,
8 are permitted provided that the following conditions are met:
9
10     * Redistributions of source code must retain the above copyright notice,
11       this list of conditions and the following disclaimer.
12     * Redistributions in binary form must reproduce the above copyright notice,
13       this list of conditions and the following disclaimer in the documentation
14       and/or other materials provided with the distribution.
15     * Neither the name of ISPConfig nor the names of its contributors
16       may be used to endorse or promote products derived from this software without
17       specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
20 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
21 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
26 OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
28 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 //
32
33 class login_index {
34
35     public $status = '';
36     private $target = '';
37     private $app;
38     private $conf;
816e7e 39
11b3da 40     public function render() {
816e7e 41
11b3da 42         global $app, $conf;
816e7e 43
11b3da 44         /* Redirect to page, if login form was NOT send */
T 45         if(count($_POST) == 0) {
46             if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) {
47                 die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']);
48             }
49         }
816e7e 50
11b3da 51         $app->uses('tpl');
T 52         $app->tpl->newTemplate('form.tpl.htm');
816e7e 53
7fe908 54         $error = '';
816e7e 55
11b3da 56         $app->load_language_file('web/login/lib/lang/'.$conf["language"].'.lng');
816e7e 57
bf7d95 58         // Maintenance mode
F 59         $maintenance_mode = false;
a0196e 60         $maintenance_mode_error = '';
bf7d95 61         $app->uses('ini_parser,getconf');
F 62         $server_config_array = $app->getconf->get_global_config('misc');
63         if($server_config_array['maintenance_mode'] == 'y'){
64             $maintenance_mode = true;
65             $maintenance_mode_error = $app->lng('error_maintenance_mode');
66         }
816e7e 67
5715f5 68         //* Login Form was sent
11b3da 69         if(count($_POST) > 0) {
816e7e 70
11b3da 71             //** Check variables
b0711a 72             if(!preg_match("/^[\w\.\-\_\@]{1,128}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
11b3da 73             if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
816e7e 74
7fe908 75             //** iporting variables
MC 76             $ip    = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
77             $username = $app->db->quote($_POST['username']);
78             $passwort = $app->db->quote($_POST['passwort']);
11b3da 79             $loginAs  = false;
209188 80             $time = time();
816e7e 81
7fe908 82             if($username != '' && $passwort != '' && $error == '') {
11b3da 83                 /*
T 84                  *  Check, if there is a "login as" instead of a "normal" login
85                  */
86                 if (isset($_SESSION['s']['user']) && $_SESSION['s']['user']['active'] == 1){
87                     /*
c6f36f 88                      * only the admin or reseller can "login as" so if the user is NOT an admin or reseller, we
11b3da 89                      * open the startpage (after killing the old session), so the user
T 90                      * is logout and has to start again!
91                      */
c6f36f 92                     if ($_SESSION['s']['user']['typ'] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
11b3da 93                         /*
c6f36f 94                          * The actual user is NOT a admin or reseller, but maybe he
MC 95                          * has logged in as "normal" user before...
11b3da 96                          */
c6f36f 97                         
MC 98                         if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin' || $app->auth->has_clients($_SESSION['s_old']['user']['userid']))){
99                             /* The "old" user is admin or reseller, so everything is ok
100                              * if he is reseller, we need to check if he logs in to one of his clients
101                              */
102                             if($_SESSION['s_old']['user']['typ'] != 'admin') {
103                                 
104                                 /* this is the one currently logged in (normal user) */
105                                 $old_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
106                                 $old_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $old_client_group_id");
107                                 
108                                 /* this is the reseller, that shall be re-logged in */
109                                 $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
110                                 $tmp = $app->db->queryOneRecord($sql);
111                                 $client_group_id = $app->functions->intval($tmp['default_group']);
112                                 $tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
113                                 
114                                 if(!$tmp_client || $old_client["parent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESSION["s_old"]["user"]["default_group"] ) {
115                                     die("You don't have the right to 'login as' this user!");
116                                 }
117                                 unset($old_client);
118                                 unset($tmp_client);
119                                 unset($tmp);
120                             }
11b3da 121                         }
T 122                         else {
123                             die("You don't have the right to 'login as'!");
124                         }
de0256 125                     } elseif($_SESSION['s']['user']['typ'] != 'admin' && (!isset($_SESSION['s_old']['user']) || $_SESSION['s_old']['user']['typ'] != 'admin')) {
c6f36f 126                         /* a reseller wants to 'login as', we need to check if he is allowed to */
MC 127                         $res_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
128                         $res_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $res_client_group_id");
129                         
130                         /* this is the user the reseller wants to 'login as' */
131                         $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
132                         $tmp = $app->db->queryOneRecord($sql);
133                         $tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = " . $app->functions->intval($tmp["default_group"]));
134                         
135                         if(!$tmp || $tmp_client["parent_client_id"] != $res_client["client_id"]) {
136                             die("You don't have the right to login as this user!");
137                         }
138                         unset($res_client);
139                         unset($tmp);
140                         unset($tmp_client);
11b3da 141                     }
T 142                     $loginAs = true;
143                 }
144                 else {
145                     /* normal login */
146                     $loginAs = false;
147                 }
148
7fe908 149                 //* Check if there are already wrong logins
MC 150                 $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
151                 $alreadyfailed = $app->db->queryOneRecord($sql);
152                 //* too many failedlogins
153                 if($alreadyfailed['times'] > 5) {
154                     $error = $app->lng('error_user_too_many_logins');
155                 } else {
816e7e 156
11b3da 157                     if ($loginAs){
7fe908 158                         $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
11b3da 159                         $user = $app->db->queryOneRecord($sql);
T 160                     } else {
7fe908 161                         if(stristr($username, '@')) {
b0711a 162                             //* mailuser login
T 163                             $sql = "SELECT * FROM mail_user WHERE login = '$username'";
164                             $mailuser = $app->db->queryOneRecord($sql);
165                             $user = false;
166                             if($mailuser) {
167                                 $saved_password = stripslashes($mailuser['password']);
7fe908 168                                 $salt = '$1$'.substr($saved_password, 3, 8).'$';
b0711a 169                                 //* Check if mailuser password is correct
7fe908 170                                 if(crypt(stripslashes($passwort), $salt) == $saved_password) {
b0711a 171                                     //* we build a fake user here which has access to the mailuser module only and userid 0
T 172                                     $user = array();
173                                     $user['userid'] = 0;
174                                     $user['active'] = 1;
175                                     $user['startmodule'] = 'mailuser';
176                                     $user['modules'] = 'mailuser';
177                                     $user['typ'] = 'user';
178                                     $user['email'] = $mailuser['email'];
179                                     $user['username'] = $username;
180                                     $user['language'] = $conf['language'];
181                                     $user['theme'] = $conf['theme'];
d3a285 182                                     $user['app_theme'] = $conf['theme'];
b0711a 183                                     $user['mailuser_id'] = $mailuser['mailuser_id'];
T 184                                     $user['default_group'] = $mailuser['sys_groupid'];
11b3da 185                                 }
T 186                             }
816e7e 187
11b3da 188                         } else {
b0711a 189                             //* normal cp user login
T 190                             $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
191                             $user = $app->db->queryOneRecord($sql);
816e7e 192
b0711a 193                             if($user) {
T 194                                 $saved_password = stripslashes($user['passwort']);
816e7e 195
7fe908 196                                 if(substr($saved_password, 0, 3) == '$1$') {
b0711a 197                                     //* The password is crypt-md5 encrypted
7fe908 198                                     $salt = '$1$'.substr($saved_password, 3, 8).'$';
816e7e 199
7fe908 200                                     if(crypt(stripslashes($passwort), $salt) != $saved_password) {
b0711a 201                                         $user = false;
T 202                                     }
f227fb 203                                 } elseif(substr($saved_password, 0, 3) == '$5$') {
0e73fc 204                                     //* The password is crypt-sha256 encrypted
f227fb 205                                     $salt = '$5$'.substr($saved_password, 3, 16).'$';
MC 206
207                                     if(crypt(stripslashes($passwort), $salt) != $saved_password) {
208                                         $user = false;
209                                     }
b0711a 210                                 } else {
816e7e 211
b0711a 212                                     //* The password is md5 encrypted
T 213                                     if(md5($passwort) != $saved_password) {
214                                         $user = false;
215                                     }
216                                 }
217                             } else {
218                                 $user = false;
219                             }
11b3da 220                         }
T 221                     }
816e7e 222
7fe908 223                     if($user) {
MC 224                         if($user['active'] == 1) {
bf7d95 225                             // Maintenance mode - allow logins only when maintenance mode is off or if the user is admin
F 226                             if(!$maintenance_mode || $user['typ'] == 'admin'){
227                                 // User login right, so attempts can be deleted
228                                 $sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'";
229                                 $app->db->query($sql);
230                                 $user = $app->db->toLower($user);
816e7e 231
bf7d95 232                                 if ($loginAs) $oldSession = $_SESSION['s'];
ef28e4 233                                 session_regenerate_id();
bf7d95 234                                 $_SESSION = array();
F 235                                 if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
236                                 $_SESSION['s']['user'] = $user;
237                                 $_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default';
238                                 $_SESSION['s']['language'] = $user['language'];
239                                 $_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme'];
c951bb 240                                 
bf7d95 241                                 if(is_file($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) {
7fe908 242                                     include_once $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php';
MC 243                                     $menu_dir = ISPC_WEB_PATH.'/' . $_SESSION['s']['user']['startmodule'] . '/lib/menu.d';
f699a2 244
7fe908 245                                     if (is_dir($menu_dir)) {
MC 246                                         if ($dh = opendir($menu_dir)) {
247                                             //** Go through all files in the menu dir
248                                             while (($file = readdir($dh)) !== false) {
249                                                 if ($file != '.' && $file != '..' && substr($file, -9, 9) == '.menu.php' && $file != 'dns_resync.menu.php') {
250                                                     include_once $menu_dir . '/' . $file;
251                                                 }
252                                             }
253                                         }
254                                     }
bf7d95 255                                     $_SESSION['s']['module'] = $module;
F 256                                 }
816e7e 257
7fe908 258                                 // check if the user theme is valid
MC 259                                 if($_SESSION['s']['user']['theme'] != 'default') {
260                                     $tmp_path = ISPC_THEMES_PATH."/".$_SESSION['s']['user']['theme'];
261                                     if(!@is_dir($tmp_path) || !@file_exists($tmp_path."/ispconfig_version") || trim(file_get_contents($tmp_path."/ispconfig_version")) != ISPC_APP_VERSION) {
262                                         // fall back to default theme if this one is not compatible with current ispc version
263                                         $_SESSION['s']['user']['theme'] = 'default';
264                                         $_SESSION['s']['theme'] = 'default';
265                                         $_SESSION['show_error_msg'] = $app->lng('theme_not_compatible');
266                                     }
267                                 }
268
269                                 $app->plugin->raiseEvent('login', $this);
816e7e 270
a8ccf6 271                                 //* Save successfull login message to var
M 272                                 $authlog = 'Successful login for user \''. $username .'\' from '. long2ip($ip) .' at '. date('Y-m-d H:i:s');
273                                 $authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
274                                 fwrite($authlog_handle, $authlog ."\n");
275                                 fclose($authlog_handle);
276
bf7d95 277                                 /*
F 278                                 * We need LOGIN_REDIRECT instead of HEADER_REDIRECT to load the
279                                 * new theme, if the logged-in user has another
280                                 */
281                                 echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];
816e7e 282
bf7d95 283                                 exit;
11b3da 284                             }
7fe908 285                         } else {
MC 286                             $error = $app->lng('error_user_blocked');
287                         }
a8ccf6 288
7fe908 289                     } else {
MC 290                         if(!$alreadyfailed['times'] )
291                         {
292                             //* user login the first time wrong
293                             $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('{$ip}', 1, NOW())";
294                             $app->db->query($sql);
295                         } elseif($alreadyfailed['times'] >= 1) {
296                             //* update times wrong
297                             $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `login_time` >= '{$time}' LIMIT 1";
298                             $app->db->query($sql);
299                         }
300                         //* Incorrect login - Username and password incorrect
301                         $error = $app->lng('error_user_password_incorrect');
302                         if($app->db->errorMessage != '') $error .= '<br />'.$app->db->errorMessage != '';
816e7e 303
7fe908 304                         $app->plugin->raiseEvent('login_failed', $this);
816e7e 305
a8ccf6 306                         //* Save failed login message to var
M 307                         $authlog = 'Failed login for user \''. $username .'\' from '. long2ip($ip) .' at '. date('Y-m-d H:i:s');
308                         $authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
309                         fwrite($authlog_handle, $authlog ."\n");
310                         fclose($authlog_handle);
7fe908 311                     }
MC 312                 }
a8ccf6 313
7fe908 314             } else {
MC 315                 //* Username or password empty
316                 if($error == '') $error = $app->lng('error_user_password_empty');
816e7e 317
7fe908 318                 $app->plugin->raiseEvent('login_empty', $this);
MC 319             }
11b3da 320         }
816e7e 321
bf7d95 322         // Maintenance mode - show message when people try to log in and also when people are forcedly logged off
F 323         if($maintenance_mode_error != '') $error = '<strong>'.$maintenance_mode_error.'</strong><br><br>'.$error;
11b3da 324         if($error != ''){
7fe908 325             $error = '<div class="box box_error"><h1>Error</h1>'.$error.'</div>';
11b3da 326         }
de0256 327         
0baace 328         $app->load('getconf');
TB 329
330         $security_config = $app->getconf->get_security_config('permissions');
331         if($security_config['password_reset_allowed'] == 'yes') {
332             $app->tpl->setVar('pw_lost_show', 1);
333         } else {
334             $app->tpl->setVar('pw_lost_show', 0);
335         }
336         
11b3da 337         $app->tpl->setVar('error', $error);
7fe908 338         $app->tpl->setVar('pw_lost_txt', $app->lng('pw_lost_txt'));
11b3da 339         $app->tpl->setVar('username_txt', $app->lng('username_txt'));
T 340         $app->tpl->setVar('password_txt', $app->lng('password_txt'));
de0256 341         $app->tpl->setVar('stay_logged_in_txt', $app->lng('stay_logged_in_txt'));
11b3da 342         $app->tpl->setVar('login_button_txt', $app->lng('login_button_txt'));
de0256 343         $app->tpl->setVar('session_timeout', $server_config_array['session_timeout']);
MC 344         $app->tpl->setVar('session_allow_endless', $server_config_array['session_allow_endless']);
7fe908 345         $app->tpl->setInclude('content_tpl', 'login/templates/index.htm');
11b3da 346         $app->tpl_defaults();
816e7e 347
11b3da 348         $this->status = 'OK';
816e7e 349
11b3da 350         return $app->tpl->grab();
816e7e 351
11b3da 352     } // << end function
T 353
354 } // << end class
355
7fe908 356 ?>