<?php |
/* |
Copyright (c) 2005, Till Brehm, projektfarm Gmbh |
All rights reserved. |
Redistribution and use in source and binary forms, with or without modification, |
are permitted provided that the following conditions are met: |
* Redistributions of source code must retain the above copyright notice, |
this list of conditions and the following disclaimer. |
* Redistributions in binary form must reproduce the above copyright notice, |
this list of conditions and the following disclaimer in the documentation |
and/or other materials provided with the distribution. |
* Neither the name of ISPConfig nor the names of its contributors |
may be used to endorse or promote products derived from this software without |
specific prior written permission. |
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND |
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, |
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, |
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
*/ |
// |
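/**
 * Login page of the ISPConfig control panel.
 *
 * render() draws the login form and, when the form was posted, validates
 * the credentials, enforces the per-IP failed-login limit, starts a fresh
 * session for the authenticated user and redirects to that user's start
 * page. Three kinds of login share the method: a normal control-panel
 * user, a "login as" (an admin or reseller who is already logged in takes
 * over one of their users' accounts) and a mail user (username contains '@').
 */
class login_index {

    /** Set to 'OK' once render() has built the page. */
    public $status = '';
    // The three properties below are declared but never referenced in
    // render(), which works on the global $app and $conf instead.
    private $target = '';
    private $app;
    private $conf;

    /**
     * Render the login form or process a posted login attempt.
     *
     * Reads $_POST, $_SESSION, $_SERVER['REMOTE_ADDR'] and the global
     * $app / $conf. On a successful login the method never returns: it
     * echoes 'LOGIN_REDIRECT:<startpage>' and calls exit. When nothing was
     * posted but a user session already exists it dies with
     * 'HEADER_REDIRECT:<startpage>'. A "login as" the current user is not
     * entitled to dies with a plain-text message. In every other case the
     * login form, with $error rendered into it, is returned.
     *
     * @return string the rendered login page
     */
    public function render() {

        global $app, $conf;

        /* Redirect to page, if login form was NOT send */
        if(count($_POST) == 0) {
            if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) {
                die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']);
            }
        }

        $app->uses('tpl');
        $app->tpl->newTemplate('form.tpl.htm');

        $error = '';

        $app->load_language_file('web/login/lib/lang/'.$conf["language"].'.lng');

        // Maintenance mode: read once here, enforced at login time below
        // (non-admins are refused) and prepended to $error before rendering.
        $maintenance_mode = false;
        $maintenance_mode_error = '';
        $app->uses('ini_parser,getconf');
        $server_config_array = $app->getconf->get_global_config('misc');
        if($server_config_array['maintenance_mode'] == 'y'){
            $maintenance_mode = true;
            $maintenance_mode_error = $app->lng('error_maintenance_mode');
        }

        //* Login Form was sent
        if(count($_POST) > 0) {

            //** Check variables (length / character-set limits only; when
            //   both fail, the password message overwrites the username one)
            if(!preg_match("/^[\w\.\-\_\@]{1,128}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
            if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');

            //** Importing variables. $app->db->quote() escapes for SQL and the
            //   statements below add the surrounding quotes themselves, so
            //   $passwort is the escaped form; the crypt branches run it
            //   through stripslashes() before hashing.
            $ip = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
            $username = $app->db->quote($_POST['username']);
            $passwort = $app->db->quote($_POST['passwort']);
            $loginAs = false;

            if($username != '' && $passwort != '' && $error == '') {
                /*
                 * Check, if there is a "login as" instead of a "normal" login
                 * (a user session is already active while the form is posted)
                 */
                if (isset($_SESSION['s']['user']) && $_SESSION['s']['user']['active'] == 1){
                    /*
                     * only the admin or reseller can "login as" so if the user is NOT an admin or reseller, we
                     * open the startpage (after killing the old session), so the user
                     * is logout and has to start again!
                     */
                    if ($_SESSION['s']['user']['typ'] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
                        /*
                         * The actual user is NOT a admin or reseller, but maybe he
                         * has logged in as "normal" user before...
                         */

                        if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin' || $app->auth->has_clients($_SESSION['s_old']['user']['userid']))){
                            /* The "old" user is admin or reseller, so everything is ok
                             * if he is reseller, we need to check if he logs in to one of his clients
                             */
                            if($_SESSION['s_old']['user']['typ'] != 'admin') {

                                /* this is the one currently logged in (normal user) */
                                $old_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
                                $old_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $old_client_group_id");

                                /* this is the reseller, that shall be re-logged in */
                                $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
                                $tmp = $app->db->queryOneRecord($sql);
                                $client_group_id = $app->functions->intval($tmp['default_group']);
                                $tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");

                                // The target must be the parent client of the current
                                // user and the same account the "old" session belongs to.
                                if(!$tmp_client || $old_client["parent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESSION["s_old"]["user"]["default_group"] ) {
                                    die("You don't have the right to 'login as' this user!");
                                }
                                unset($old_client);
                                unset($tmp_client);
                                unset($tmp);
                            }
                        }
                        else {
                            die("You don't have the right to 'login as'!");
                        }
                    } elseif($_SESSION['s']['user']['typ'] != 'admin' && (!isset($_SESSION['s_old']['user']) || $_SESSION['s_old']['user']['typ'] != 'admin')) {
                        /* a reseller wants to 'login as', we need to check if he is allowed to */
                        $res_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
                        $res_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $res_client_group_id");

                        /* this is the user the reseller wants to 'login as' */
                        $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
                        $tmp = $app->db->queryOneRecord($sql);
                        $tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = " . $app->functions->intval($tmp["default_group"]));

                        // Only clients whose parent is the reseller's own client qualify.
                        if(!$tmp || $tmp_client["parent_client_id"] != $res_client["client_id"]) {
                            die("You don't have the right to login as this user!");
                        }
                        unset($res_client);
                        unset($tmp);
                        unset($tmp_client);
                    }
                    $loginAs = true;
                }
                else {
                    /* normal login */
                    $loginAs = false;
                }

                //* Check if there are already wrong logins from this IP within
                //  the last minute
                $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
                $alreadyfailed = $app->db->queryOneRecord($sql);
                //* too many failedlogins
                if($alreadyfailed['times'] > 5) {
                    $error = $app->lng('error_user_too_many_logins');
                } else {

                    if ($loginAs){
                        // "login as": the posted PASSWORT is matched against the
                        // stored column as-is (no hashing in this branch).
                        $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
                        $user = $app->db->queryOneRecord($sql);
                    } else {
                        if(stristr($username, '@')) {
                            //* mailuser login
                            $sql = "SELECT * FROM mail_user WHERE login = '$username'";
                            $mailuser = $app->db->queryOneRecord($sql);
                            $user = false;
                            if($mailuser) {
                                $saved_password = stripslashes($mailuser['password']);
                                // crypt-md5: the salt is the 8 characters after "$1$"
                                $salt = '$1$'.substr($saved_password, 3, 8).'$';
                                //* Check if mailuser password is correct
                                //  NOTE(review): hash_equals() would make this a
                                //  constant-time comparison once the minimum PHP
                                //  version permits it.
                                if(crypt(stripslashes($passwort), $salt) === $saved_password) {
                                    //* we build a fake user here which has access to the mailuser module only and userid 0
                                    $user = array();
                                    $user['userid'] = 0;
                                    $user['active'] = 1;
                                    $user['startmodule'] = 'mailuser';
                                    $user['modules'] = 'mailuser';
                                    $user['typ'] = 'user';
                                    $user['email'] = $mailuser['email'];
                                    $user['username'] = $username;
                                    $user['language'] = $conf['language'];
                                    $user['theme'] = $conf['theme'];
                                    $user['app_theme'] = $conf['theme'];
                                    $user['mailuser_id'] = $mailuser['mailuser_id'];
                                    $user['default_group'] = $mailuser['sys_groupid'];
                                }
                            }

                        } else {
                            //* normal cp user login: fetch by username, then verify
                            //  the stored hash in PHP according to its prefix
                            $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
                            $user = $app->db->queryOneRecord($sql);

                            if($user) {
                                $saved_password = stripslashes($user['passwort']);

                                if(substr($saved_password, 0, 3) == '$1$') {
                                    //* The password is crypt-md5 encrypted
                                    $salt = '$1$'.substr($saved_password, 3, 8).'$';

                                    if(crypt(stripslashes($passwort), $salt) !== $saved_password) {
                                        $user = false;
                                    }
                                } elseif(substr($saved_password, 0, 3) == '$5$') {
                                    //* The password is crypt-sha256 encrypted
                                    $salt = '$5$'.substr($saved_password, 3, 16).'$';

                                    if(crypt(stripslashes($passwort), $salt) !== $saved_password) {
                                        $user = false;
                                    }
                                } else {

                                    //* The password is md5 encrypted (legacy rows).
                                    //  Strict comparison on purpose: with != two hex
                                    //  digests of the form 0e<digits> compare equal as
                                    //  numbers. Note this branch hashes the escaped
                                    //  $passwort, unlike the crypt branches above.
                                    if(md5($passwort) !== $saved_password) {
                                        $user = false;
                                    }
                                }
                            } else {
                                $user = false;
                            }
                        }
                    }

                    if($user) {
                        if($user['active'] == 1) {
                            // Maintenance mode - allow logins only when maintenance mode is off or if the user is admin.
                            // A non-admin in maintenance mode falls through here with $error
                            // still empty; the maintenance message is prepended further down.
                            if(!$maintenance_mode || $user['typ'] == 'admin'){
                                // User login right, so attempts can be deleted
                                $sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'";
                                $app->db->query($sql);
                                $user = $app->db->toLower($user);

                                // Fresh session id and a cleared session for the new
                                // user; for "login as" the previous session is kept in
                                // s_old so the admin/reseller can switch back.
                                if ($loginAs) $oldSession = $_SESSION['s'];
                                session_regenerate_id();
                                $_SESSION = array();
                                if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
                                $_SESSION['s']['user'] = $user;
                                $_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default';
                                $_SESSION['s']['language'] = $user['language'];
                                $_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme'];

                                // Load the start module's config and its menu files;
                                // $module is presumably defined by the included
                                // module.conf.php (TODO confirm) and feeds the redirect.
                                if(is_file($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) {
                                    include_once $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php';
                                    $menu_dir = ISPC_WEB_PATH.'/' . $_SESSION['s']['user']['startmodule'] . '/lib/menu.d';

                                    if (is_dir($menu_dir)) {
                                        if ($dh = opendir($menu_dir)) {
                                            //** Go through all files in the menu dir
                                            while (($file = readdir($dh)) !== false) {
                                                if ($file != '.' && $file != '..' && substr($file, -9, 9) == '.menu.php' && $file != 'dns_resync.menu.php') {
                                                    include_once $menu_dir . '/' . $file;
                                                }
                                            }
                                        }
                                    }
                                    $_SESSION['s']['module'] = $module;
                                }

                                // check if the user theme is valid
                                if($_SESSION['s']['user']['theme'] != 'default') {
                                    $tmp_path = ISPC_THEMES_PATH."/".$_SESSION['s']['user']['theme'];
                                    if(!@is_dir($tmp_path) || !@file_exists($tmp_path."/ispconfig_version") || trim(file_get_contents($tmp_path."/ispconfig_version")) != ISPC_APP_VERSION) {
                                        // fall back to default theme if this one is not compatible with current ispc version
                                        $_SESSION['s']['user']['theme'] = 'default';
                                        $_SESSION['s']['theme'] = 'default';
                                        $_SESSION['show_error_msg'] = $app->lng('theme_not_compatible');
                                    }
                                }

                                $app->plugin->raiseEvent('login', $this);

                                //* Save successfull login message to auth.log
                                $authlog = 'Successful login for user \''. $username .'\' from '. long2ip($ip) .' at '. date('Y-m-d H:i:s');
                                $authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
                                // Skip the write if the log cannot be opened rather than
                                // failing inside the login path.
                                if($authlog_handle !== false) {
                                    fwrite($authlog_handle, $authlog ."\n");
                                    fclose($authlog_handle);
                                }

                                /*
                                 * We need LOGIN_REDIRECT instead of HEADER_REDIRECT to load the
                                 * new theme, if the logged-in user has another
                                 */
                                echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];

                                exit;
                            }
                        } else {
                            $error = $app->lng('error_user_blocked');
                        }

                    } else {
                        if(!$alreadyfailed['times'] )
                        {
                            //* user login the first time wrong
                            $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('{$ip}', 1, NOW())";
                            $app->db->query($sql);
                        } elseif($alreadyfailed['times'] >= 1) {
                            //* update times wrong. Keyed on the same row the SELECT
                            //  above found (this IP, last minute) so the counter that
                            //  drives the > 5 lockout actually grows for this IP.
                            $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip`='{$ip}' AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
                            $app->db->query($sql);
                        }
                        //* Incorrect login - Username and password incorrect
                        $error = $app->lng('error_user_password_incorrect');
                        // Append the driver error text itself; no comparison may follow
                        // the concatenation, or its boolean result is what gets appended.
                        // NOTE(review): this surfaces a raw database error to an
                        // unauthenticated visitor; consider logging it instead.
                        if($app->db->errorMessage != '') $error .= '<br />'.$app->db->errorMessage;

                        $app->plugin->raiseEvent('login_failed', $this);

                        //* Save failed login message to auth.log
                        $authlog = 'Failed login for user \''. $username .'\' from '. long2ip($ip) .' at '. date('Y-m-d H:i:s');
                        $authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
                        // Skip the write if the log cannot be opened rather than
                        // failing inside the login path.
                        if($authlog_handle !== false) {
                            fwrite($authlog_handle, $authlog ."\n");
                            fclose($authlog_handle);
                        }
                    }
                }

            } else {
                //* Username or password empty
                if($error == '') $error = $app->lng('error_user_password_empty');

                $app->plugin->raiseEvent('login_empty', $this);
            }
        }

        // Maintenance mode - show message when people try to log in and also when people are forcedly logged off
        if($maintenance_mode_error != '') $error = '<strong>'.$maintenance_mode_error.'</strong><br><br>'.$error;
        if($error != ''){
            $error = '<div class="box box_error"><h1>Error</h1>'.$error.'</div>';
        }

        $app->load('getconf');

        $security_config = $app->getconf->get_security_config('permissions');
        if($security_config['password_reset_allowed'] == 'yes') {
            $app->tpl->setVar('pw_lost_show', 1);
        } else {
            $app->tpl->setVar('pw_lost_show', 0);
        }

        $app->tpl->setVar('error', $error);
        $app->tpl->setVar('pw_lost_txt', $app->lng('pw_lost_txt'));
        $app->tpl->setVar('username_txt', $app->lng('username_txt'));
        $app->tpl->setVar('password_txt', $app->lng('password_txt'));
        $app->tpl->setVar('stay_logged_in_txt', $app->lng('stay_logged_in_txt'));
        $app->tpl->setVar('login_button_txt', $app->lng('login_button_txt'));
        $app->tpl->setVar('session_timeout', $server_config_array['session_timeout']);
        $app->tpl->setVar('session_allow_endless', $server_config_array['session_allow_endless']);
        $app->tpl->setInclude('content_tpl', 'login/templates/index.htm');
        $app->tpl_defaults();

        $this->status = 'OK';

        return $app->tpl->grab();

    } // << end function

} // << end class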
?> |