gitlabFork/ISPConfig3.git - Solinfo Gitblit

- don't set password via remoting if field is empty

Marius Cramer

2015-08-06 37b29231e47a0c4458dc1c15d98588f16f07e1e2

commit \| author \| age
a892b8	1	<?php
V	2	/*
	3	Copyright (c) 2010 Till Brehm, projektfarm Gmbh and Oliver Vogel www.muv.com
	4	All rights reserved.
	5
	6	Redistribution and use in source and binary forms, with or without modification,
	7	are permitted provided that the following conditions are met:
	8
	9	* Redistributions of source code must retain the above copyright notice,
	10	this list of conditions and the following disclaimer.
	11	* Redistributions in binary form must reproduce the above copyright notice,
	12	this list of conditions and the following disclaimer in the documentation
	13	and/or other materials provided with the distribution.
	14	* Neither the name of ISPConfig nor the names of its contributors
	15	may be used to endorse or promote products derived from this software without
	16	specific prior written permission.
	17
	18	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	19	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	20	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
	22	INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	23	BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	25	OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
	26	NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
	27	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30
	31	/******************************************
	32	* Begin Form configuration
	33	******************************************/
	34
	35	$tform_def_file = "form/webdav_user.tform.php";
	36
	37	/******************************************
	38	* End Form configuration
	39	******************************************/
	40
b1a6a5	41	require_once '../../lib/config.inc.php';
MC	42	require_once '../../lib/app.inc.php';
a892b8	43
V	44	//* Check permissions for module
	45	$app->auth->check_module_permissions('sites');
	46
	47	// Loading classes
	48	$app->uses('tpl,tform,tform_actions');
	49	$app->load('tform_actions');
	50
	51	class page_action extends tform_actions {
1cc9f1	52
a892b8	53	function onShowNew() {
V	54	global $app, $conf;
1cc9f1	55
a892b8	56	// we will check only users, not admins
V	57	if($_SESSION["s"]["user"]["typ"] == 'user') {
	58	if(!$app->tform->checkClientLimit('limit_webdav_user')) {
	59	$app->error($app->tform->wordbook["limit_webdav_user_txt"]);
	60	}
	61	if(!$app->tform->checkResellerLimit('limit_webdav_user')) {
	62	$app->error('Reseller: '.$app->tform->wordbook["limit_webdav_user_txt"]);
	63	}
	64	}
1cc9f1	65
a892b8	66	parent::onShowNew();
V	67	}
	68
	69	function onShowEnd() {
	70	global $app, $conf, $interfaceConf;
	71	/*
	72	* If the names are restricted -> remove the restriction, so that the
	73	* data can be edited
1cc9f1	74	*/
31f6ce	75	$app->uses('getconf,tools_sites');
a892b8	76	$global_config = $app->getconf->get_global_config('sites');
31f6ce	77	$webdavuser_prefix = $app->tools_sites->replacePrefix($global_config['webdavuser_prefix'], $this->dataRecord);
1cc9f1	78
V	79	if ($this->dataRecord['username'] != "") {
a892b8	80	/* REMOVE the restriction */
10b4c8	81	$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix));
a892b8	82	}
b1a6a5	83
ba18a8	84	if($this->dataRecord['username'] == "") {
07c297	85	$app->tpl->setVar("username_prefix", $webdavuser_prefix);
SC	86	} else {
	87	$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']));
	88	}
b1a6a5	89
a892b8	90	if($this->id > 0) {
V	91	//* we are editing a existing record
	92	$app->tpl->setVar("edit_disabled", 1);
	93	$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
	94	} else {
	95	$app->tpl->setVar("edit_disabled", 0);
	96	}
	97
	98	parent::onShowEnd();
	99	}
1cc9f1	100
a892b8	101	function onSubmit() {
V	102	global $app, $conf;
1cc9f1	103
V	104	/* Get the record of the parent domain */
2af58c	105	$parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), @$this->dataRecord["parent_domain_id"]);
b1a6a5	106	if(!$parent_domain \|\| $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
1cc9f1	107
V	108	/*
	109	* Set a few fixed values
	110	*/
a892b8	111	$this->dataRecord["server_id"] = $parent_domain["server_id"];
1cc9f1	112
V	113	/*
	114	* Are there some errors?
	115	*/
a892b8	116	if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
V	117	if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
b1a6a5	118	if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'], '..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
MC	119	if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'], './')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
	120
a892b8	121	parent::onSubmit();
V	122	}
1cc9f1	123
a892b8	124	function onBeforeInsert() {
V	125	global $app, $conf, $interfaceConf;
	126
	127	/*
	128	* If the names should be restricted -> do it!
1cc9f1	129	*/
V	130	if ($app->tform->errorMessage == '') {
	131
31f6ce	132	$app->uses('getconf,tools_sites');
a892b8	133	$global_config = $app->getconf->get_global_config('sites');
31f6ce	134	$webdavuser_prefix = $app->tools_sites->replacePrefix($global_config['webdavuser_prefix'], $this->dataRecord);
1cc9f1	135
b1a6a5	136	$this->dataRecord['username_prefix'] = $webdavuser_prefix;
MC	137
a892b8	138	/* restrict the names */
V	139	$this->dataRecord['username'] = $webdavuser_prefix . $this->dataRecord['username'];
1cc9f1	140
V	141	/*
	142	* Get the data of the domain, owning the webdav user
	143	*/
65ea2e	144	$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"]));
1cc9f1	145	/* The server is the server of the domain */
V	146	$this->dataRecord["server_id"] = $web["server_id"];
	147	/* The Webdav user shall be owned by the same group then the website */
	148	$this->dataRecord["sys_groupid"] = $web['sys_groupid'];
a892b8	149	}
1cc9f1	150
a892b8	151	parent::onBeforeInsert();
V	152	}
1cc9f1	153
a892b8	154	function onAfterInsert() {
V	155	global $app, $conf;
d6e652	156
2af58c	157	$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->dataRecord["parent_domain_id"]);
d6e652	158	$server_id = $app->functions->intval($web["server_id"]);
SC	159
	160	// The webdav user shall be owned by the same group then the website
	161	$sys_groupid = $app->functions->intval($web['sys_groupid']);
1302aa	162
FT	163	/*
	164	* We shall not save the pwd in plaintext, so we store it as the hash, the apache-moule needs
	165	*/
	166	$hash = md5($this->dataRecord["username"] . ':' . $this->dataRecord["dir"] . ':' . $this->dataRecord["password"]);
	167	$this->dataRecord["password"] = $hash;
	168
2af58c	169	$sql = "UPDATE webdav_user SET server_id = ?, sys_groupid = ?, password = ? WHERE webdav_user_id = ?";
MC	170	$app->db->query($sql, $server_id, $sys_groupid, $this->dataRecord["password"], $this->id);
a892b8	171	}
1cc9f1	172
a892b8	173	function onBeforeUpdate() {
V	174	global $app, $conf, $interfaceConf;
1cc9f1	175
a892b8	176	/*
1cc9f1	177	* we can not change the username and the dir, so get the "old" - data from the db
V	178	* and set it
	179	*/
2af58c	180	$data = $app->db->queryOneRecord("SELECT * FROM webdav_user WHERE webdav_user_id = ?", $this->id);
1cc9f1	181	$this->dataRecord["username"] = $data['username'];
V	182	$this->dataRecord["dir"] = $data['dir'];
10b4c8	183	$this->dataRecord['username_prefix'] = $data['username_prefix'];
1302aa	184	$this->dataRecord['passwordOld'] = $data['password'];
1cc9f1	185
V	186	parent::onBeforeUpdate();
a892b8	187	}
1cc9f1	188
a892b8	189	function onAfterUpdate() {
V	190	global $app, $conf;
d6e652	191
SC	192	//* When the site of the webdav user has been changed
	193	if(isset($this->dataRecord['parent_domain_id']) && $this->oldDataRecord['parent_domain_id'] != $this->dataRecord['parent_domain_id']) {
2af58c	194	$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->dataRecord["parent_domain_id"]);
d6e652	195	$server_id = $app->functions->intval($web["server_id"]);
SC	196
	197	// The webdav user shall be owned by the same group then the website
	198	$sys_groupid = $app->functions->intval($web['sys_groupid']);
	199
2af58c	200	$sql = "UPDATE webdav_user SET server_id = ?, sys_groupid = ? WHERE webdav_user_id = ?";
MC	201	$app->db->query($sql, $server_id, $sys_groupid, $this->id);
d6e652	202	}
1302aa	203
FT	204	/*
	205	* We shall not save the pwd in plaintext, so we store it as the hash, the apache-moule
	206	* needs (only if the pwd is changed)
	207	*/
	208	if ((isset($this->dataRecord["password"])) && ($this->dataRecord["password"] != '') && ($this->dataRecord["password"] != $this->dataRecord['passwordOld'])) {
	209	$hash = md5($this->dataRecord["username"] . ':' . $this->dataRecord["dir"] . ':' . $this->dataRecord["password"]);
	210	$this->dataRecord["password"] = $hash;
2af58c	211	$app->db->query("UPDATE webdav_user SET password = ? WHERE webdav_user_id = ?", $this->dataRecord["password"], $this->id);
1302aa	212	}
FT	213
a892b8	214	}
b1a6a5	215
a892b8	216	}
V	217
	218	$page = new page_action;
	219	$page->onLoad();
	220
b1a6a5	221	?>