commit | author | age
|
532ae5
|
1 |
<?php |
L |
2 |
|
|
3 |
/* |
|
4 |
Copyright (c) 2007, Till Brehm, projektfarm Gmbh |
|
5 |
All rights reserved. |
|
6 |
|
|
7 |
Redistribution and use in source and binary forms, with or without modification, |
|
8 |
are permitted provided that the following conditions are met: |
|
9 |
|
|
10 |
* Redistributions of source code must retain the above copyright notice, |
|
11 |
this list of conditions and the following disclaimer. |
|
12 |
* Redistributions in binary form must reproduce the above copyright notice, |
|
13 |
this list of conditions and the following disclaimer in the documentation |
|
14 |
and/or other materials provided with the distribution. |
|
15 |
* Neither the name of ISPConfig nor the names of its contributors |
|
16 |
may be used to endorse or promote products derived from this software without |
|
17 |
specific prior written permission. |
|
18 |
|
|
19 |
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND |
|
20 |
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
|
21 |
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
|
22 |
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, |
|
23 |
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
|
24 |
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
|
25 |
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
|
26 |
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
|
27 |
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, |
|
28 |
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
29 |
*/ |
|
30 |
|
|
31 |
class auth { |
|
32 |
var $client_limits = null; |
|
33 |
|
|
34 |
public function get_user_id() |
|
35 |
{ |
5308a8
|
36 |
global $app; |
604c0c
|
37 |
return $app->functions->intval($_SESSION['s']['user']['userid']); |
532ae5
|
38 |
} |
7fe908
|
39 |
|
532ae5
|
40 |
public function is_admin() { |
L |
41 |
if($_SESSION['s']['user']['typ'] == 'admin') { |
|
42 |
return true; |
|
43 |
} else { |
|
44 |
return false; |
|
45 |
} |
7fe908
|
46 |
} |
19b5e0
|
47 |
|
TB |
48 |
public function is_superadmin() { |
9edea9
|
49 |
if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) { |
19b5e0
|
50 |
return true; |
TB |
51 |
} else { |
|
52 |
return false; |
|
53 |
} |
|
54 |
} |
7fe908
|
55 |
|
532ae5
|
56 |
public function has_clients($userid) { |
L |
57 |
global $app, $conf; |
7fe908
|
58 |
|
65ea2e
|
59 |
$userid = $app->functions->intval($userid); |
532ae5
|
60 |
$client = $app->db->queryOneRecord("SELECT client.limit_client FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id"); |
71c5c2
|
61 |
if($client['limit_client'] != 0) { |
532ae5
|
62 |
return true; |
L |
63 |
} else { |
|
64 |
return false; |
|
65 |
} |
|
66 |
} |
7fe908
|
67 |
|
532ae5
|
68 |
//** This function adds a given group id to a given user. |
7fe908
|
69 |
public function add_group_to_user($userid, $groupid) { |
532ae5
|
70 |
global $app; |
7fe908
|
71 |
|
65ea2e
|
72 |
$userid = $app->functions->intval($userid); |
M |
73 |
$groupid = $app->functions->intval($groupid); |
7fe908
|
74 |
|
532ae5
|
75 |
if($userid > 0 && $groupid > 0) { |
L |
76 |
$user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = $userid"); |
7fe908
|
77 |
$groups = explode(',', $user['groups']); |
MC |
78 |
if(!in_array($groupid, $groups)) $groups[] = $groupid; |
|
79 |
$groups_string = implode(',', $groups); |
532ae5
|
80 |
$sql = "UPDATE sys_user SET groups = '$groups_string' WHERE userid = $userid"; |
L |
81 |
$app->db->query($sql); |
|
82 |
return true; |
|
83 |
} else { |
|
84 |
return false; |
|
85 |
} |
|
86 |
} |
|
87 |
|
|
88 |
//** This function returns given client limit as integer, -1 means no limit |
|
89 |
public function get_client_limit($userid, $limitname) |
|
90 |
{ |
|
91 |
global $app; |
604c0c
|
92 |
|
TB |
93 |
$userid = $app->functions->intval($userid); |
19b5e0
|
94 |
if(!preg_match('/^[a-zA-Z0-9\-\_]{1,64}$/',$limitname)) $app->error('Invalid limit name '.$limitname); |
604c0c
|
95 |
|
532ae5
|
96 |
// simple query cache |
7fe908
|
97 |
if($this->client_limits===null) |
532ae5
|
98 |
$this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id"); |
7fe908
|
99 |
|
532ae5
|
100 |
// isn't client -> no limit |
L |
101 |
if(!$this->client_limits) |
|
102 |
return -1; |
7fe908
|
103 |
|
532ae5
|
104 |
if(isset($this->client_limits['limit_'.$limitname])) { |
L |
105 |
return $this->client_limits['limit_'.$limitname]; |
7fe908
|
106 |
} |
MC |
107 |
} |
|
108 |
|
532ae5
|
109 |
//** This function removes a given group id from a given user. |
7fe908
|
110 |
public function remove_group_from_user($userid, $groupid) { |
532ae5
|
111 |
global $app; |
7fe908
|
112 |
|
65ea2e
|
113 |
$userid = $app->functions->intval($userid); |
M |
114 |
$groupid = $app->functions->intval($groupid); |
7fe908
|
115 |
|
532ae5
|
116 |
if($userid > 0 && $groupid > 0) { |
L |
117 |
$user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = $userid"); |
7fe908
|
118 |
$groups = explode(',', $user['groups']); |
MC |
119 |
$key = array_search($groupid, $groups); |
532ae5
|
120 |
unset($groups[$key]); |
7fe908
|
121 |
$groups_string = implode(',', $groups); |
532ae5
|
122 |
$sql = "UPDATE sys_user SET groups = '$groups_string' WHERE userid = $userid"; |
L |
123 |
$app->db->query($sql); |
|
124 |
return true; |
|
125 |
} else { |
|
126 |
return false; |
|
127 |
} |
|
128 |
} |
7fe908
|
129 |
|
532ae5
|
130 |
public function check_module_permissions($module) { |
L |
131 |
// Check if the current user has the permissions to access this module |
19b5e0
|
132 |
$user_modules = explode(',',$_SESSION["s"]["user"]["modules"]); |
TB |
133 |
if(!in_array($module,$user_modules)) { |
532ae5
|
134 |
// echo "LOGIN_REDIRECT:/index.php"; |
L |
135 |
header("Location: /index.php"); |
|
136 |
exit; |
|
137 |
} |
|
138 |
} |
9edea9
|
139 |
|
TB |
140 |
public function check_security_permissions($permission) { |
|
141 |
|
|
142 |
global $app; |
|
143 |
|
|
144 |
$app->uses('getconf'); |
|
145 |
$security_config = $app->getconf->get_security_config('permissions'); |
|
146 |
|
|
147 |
$security_check = false; |
|
148 |
if($security_config[$permission] == 'yes') $security_check = true; |
|
149 |
if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true; |
|
150 |
if($security_check !== true) { |
|
151 |
$app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt')); |
|
152 |
} |
|
153 |
|
|
154 |
} |
7fe908
|
155 |
|
9c7907
|
156 |
public function get_random_password($minLength = 8, $special = false) { |
MC |
157 |
if($minLength < 8) $minLength = 8; |
|
158 |
$maxLength = $minLength + 5; |
|
159 |
$length = mt_rand($minLength, $maxLength); |
|
160 |
|
|
161 |
$alphachars = "abcdefghijklmnopqrstuvwxyz"; |
|
162 |
$upperchars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; |
|
163 |
$numchars = "1234567890"; |
|
164 |
$specialchars = "!@#_"; |
|
165 |
|
|
166 |
$num_special = 0; |
|
167 |
if($special == true) { |
|
168 |
$num_special = intval(mt_rand(0, round($length / 4))) + 1; |
f9c7f3
|
169 |
} |
9c7907
|
170 |
$numericlen = mt_rand(1, 2); |
MC |
171 |
$alphalen = $length - $num_special - $numericlen; |
|
172 |
$upperlen = intval($alphalen / 2); |
|
173 |
$alphalen = $alphalen - $upperlen; |
|
174 |
$password = ''; |
|
175 |
|
|
176 |
for($i = 0; $i < $alphalen; $i++) { |
|
177 |
$password .= substr($alphachars, mt_rand(0, strlen($alphachars) - 1), 1); |
|
178 |
} |
|
179 |
|
|
180 |
for($i = 0; $i < $upperlen; $i++) { |
|
181 |
$password .= substr($upperchars, mt_rand(0, strlen($upperchars) - 1), 1); |
|
182 |
} |
|
183 |
|
|
184 |
for($i = 0; $i < $num_special; $i++) { |
|
185 |
$password .= substr($specialchars, mt_rand(0, strlen($specialchars) - 1), 1); |
|
186 |
} |
|
187 |
|
|
188 |
for($i = 0; $i < $numericlen; $i++) { |
|
189 |
$password .= substr($numchars, mt_rand(0, strlen($numchars) - 1), 1); |
|
190 |
} |
|
191 |
|
|
192 |
return str_shuffle($password); |
f9c7f3
|
193 |
} |
7fe908
|
194 |
|
c614f1
|
195 |
public function crypt_password($cleartext_password) { |
T |
196 |
$salt="$1$"; |
|
197 |
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; |
|
198 |
for ($n=0;$n<8;$n++) { |
7fe908
|
199 |
$salt.=$base64_alphabet[mt_rand(0, 63)]; |
c614f1
|
200 |
} |
T |
201 |
$salt.="$"; |
7fe908
|
202 |
return crypt($cleartext_password, $salt); |
c614f1
|
203 |
} |
5af0cf
|
204 |
|
TB |
205 |
public function csrf_token_get($form_name) { |
|
206 |
/* CSRF PROTECTION */ |
|
207 |
// generate csrf protection id and key |
|
208 |
$_csrf_id = uniqid($form_name . '_'); // form id |
|
209 |
$_csrf_key = sha1(uniqid(microtime(true), true)); // the key |
|
210 |
if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array(); |
|
211 |
if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array(); |
|
212 |
$_SESSION['_csrf'][$_csrf_id] = $_csrf_key; |
|
213 |
$_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour |
|
214 |
|
|
215 |
return array('csrf_id' => $_csrf_id,'csrf_key' => $_csrf_key); |
|
216 |
} |
|
217 |
|
|
218 |
public function csrf_token_check() { |
|
219 |
global $app; |
|
220 |
|
|
221 |
if(isset($_POST) && is_array($_POST)) { |
|
222 |
$_csrf_valid = false; |
|
223 |
if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) { |
|
224 |
$_csrf_id = trim($_POST['_csrf_id']); |
|
225 |
$_csrf_key = trim($_POST['_csrf_key']); |
|
226 |
if(isset($_SESSION['_csrf']) && isset($_SESSION['_csrf'][$_csrf_id]) && isset($_SESSION['_csrf_timeout']) && isset($_SESSION['_csrf_timeout'][$_csrf_id])) { |
|
227 |
if($_SESSION['_csrf'][$_csrf_id] === $_csrf_key && $_SESSION['_csrf_timeout'] >= time()) $_csrf_valid = true; |
|
228 |
} |
|
229 |
} |
|
230 |
if($_csrf_valid !== true) { |
|
231 |
$app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN); |
|
232 |
$app->error($app->lng('err_csrf_attempt_blocked')); |
|
233 |
} |
|
234 |
$_SESSION['_csrf'][$_csrf_id] = null; |
|
235 |
$_SESSION['_csrf_timeout'][$_csrf_id] = null; |
|
236 |
unset($_SESSION['_csrf'][$_csrf_id]); |
|
237 |
unset($_SESSION['_csrf_timeout'][$_csrf_id]); |
|
238 |
|
|
239 |
if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) { |
|
240 |
$to_unset = array(); |
|
241 |
foreach($_SESSION['_csrf_timeout'] as $_csrf_id => $timeout) { |
|
242 |
if($timeout < time()) $to_unset[] = $_csrf_id; |
|
243 |
} |
|
244 |
foreach($to_unset as $_csrf_id) { |
|
245 |
$_SESSION['_csrf'][$_csrf_id] = null; |
|
246 |
$_SESSION['_csrf_timeout'][$_csrf_id] = null; |
|
247 |
unset($_SESSION['_csrf'][$_csrf_id]); |
|
248 |
unset($_SESSION['_csrf_timeout'][$_csrf_id]); |
|
249 |
} |
|
250 |
unset($to_unset); |
|
251 |
} |
|
252 |
} |
|
253 |
} |
7fe908
|
254 |
|
532ae5
|
255 |
} |
L |
256 |
|
7fe908
|
257 |
?> |