root/trunk/gui/include/login.php

Revision 1394, 11.8 kB (checked in by scitech, 3 weeks ago)

Maintenance mode automatically on if any update is available

1 <?php
2 /**
3  * ispCP ω (OMEGA) a Virtual Hosting Control System
4  *
5  * @copyright     2001-2006 by moleSoftware GmbH
6  * @copyright     2006-2008 by ispCP | http://isp-control.net
7  * @version     SVN: $Id$
8  * @link         http://isp-control.net
9  * @author         ispCP Team (2007)
10  *
11  * @license
12  *   This program is free software; you can redistribute it and/or modify it under
13  *   the terms of the MPL General Public License as published by the Free Software
14  *   Foundation; either version 1.1 of the License, or (at your option) any later
15  *   version.
16  *   You should have received a copy of the MPL Mozilla Public License along with
17  *   this program; if not, write to the Open Source Initiative (OSI)
18  *   http://opensource.org | osi@opensource.org
19  */
20
/**
 * Prepares the brute-force protection state before a login attempt.
 *
 * Expired block counters are always released, so stale entries do not
 * linger after BRUTEFORCE has been switched off; the block check for the
 * current client only runs while the BRUTEFORCE setting is enabled.
 */
function init_login() {
    $blockTime = Config::get('BRUTEFORCE_BLOCK_TIME');
    unblock($blockTime);

    if (!Config::get('BRUTEFORCE')) {
        return;
    }

    is_ipaddr_blocked(null, 'bruteforce', true);
}
29
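/**
 * Authenticates a user and binds the current session to that account.
 *
 * On success the login row belonging to the current session id is updated
 * and the user's identity is copied into $_SESSION. On any failure a
 * message is shown through system_message() and false is returned; the
 * unknown-username and wrong-password cases deliberately show the same
 * message so the login form does not reveal which names exist.
 *
 * NOTE(review): the session id is not regenerated here and the stored
 * password hash is copied into $_SESSION (check_user_login() re-verifies
 * it against the database on every request) — confirm both are intended.
 *
 * @param string $uname login name as entered on the login form
 * @param string $upass clear-text password as entered on the login form
 * @return bool true on successful login, false otherwise
 */
function register_user($uname, $upass) {
    $sql = Database::getInstance();
    $backButtonDestination = 'http://' . Config::get('BASE_SERVER_VHOST');

    check_ipaddr();

    if (!username_exists($uname)) {
        write_log("Login error, <b><i>".$uname."</i></b> unknown username");
        system_message(tr('You entered an incorrect username/password.'), $backButtonDestination);
        return false;
    }

    $udata = get_userdata($uname);

    // Maintenance mode is also forced while a database or critical update is pending.
    $maintenance = Config::get('MAINTENANCEMODE')
        || databaseUpdate::getInstance()->checkUpdateExists()
        || criticalUpdate::getInstance()->checkUpdateExists();

    if ($maintenance && $udata['admin_type'] != 'admin') {
        write_log("Login error, <b><i>".$uname."</i></b> system currently in maintenance mode");
        system_message(tr('System is currently under maintenance! Only administrators can login.'));
        return false;
    }

    $storedHash = $udata['admin_pass'];

    // Strict comparison: with '==' two numeric-looking strings (e.g. "0e..." hashes)
    // compare as numbers and could be reported equal although they differ.
    // crypt() covers crypt-format hashes; the md5() branch only exists for
    // legacy accounts whose stored hash is an unsalted md5.
    $passwordOk = crypt($upass, $storedHash) === $storedHash
        || md5($upass) === $storedHash;

    if (!$passwordOk) {
        write_log($uname . ' entered incorrect password.');
        system_message(tr('You entered an incorrect username/password.'), $backButtonDestination);
        return false;
    }

    if (isset($_SESSION['user_logged'])) {
        // A session that already carries a login must not be re-bound to
        // another account; clear it and make the user start over.
        write_log(tr("%s user already logged or session sharing problem! Aborting...", $uname));
        system_message(tr('User already logged or session sharing problem! Aborting...'));
        unset_user_login_data();
        return false;
    }

    if (!is_userdomain_ok($uname)) {
        write_log(tr("%s's account status is not ok!", $uname));
        system_message(tr("%s's account status is not ok!", $uname));
        return false;
    }

    $sess_id = session_id();

    $query = <<<SQL_QUERY
        update
            login
        set
            user_name = ?,
            lastaccess = ?
        where
            session_id = ?
SQL_QUERY;

    exec_query($sql, $query, array($uname, time(), $sess_id));

    $_SESSION['user_logged'] = $udata['admin_name'];
    $_SESSION['user_pass'] = $udata['admin_pass'];
    $_SESSION['user_type'] = $udata['admin_type'];
    $_SESSION['user_id'] = $udata['admin_id'];
    $_SESSION['user_email'] = $udata['email'];
    $_SESSION['user_created_by'] = $udata['created_by'];
    $_SESSION['user_login_time'] = time();

    write_log($uname." logged in.");
    return true;
}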
97
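/**
 * Verifies that the current session belongs to a valid, still-active login.
 *
 * The identity kept in $_SESSION (name, password hash, type, id) is
 * re-checked on every call against the admin table joined with the login
 * row of this session id. Any mismatch — including a session that names a
 * user but lacks the other login fields — is treated as session
 * manipulation: it is logged, the session is cleared and false is returned.
 * Non-admin users are logged out and redirected while maintenance mode is
 * on or an update is pending.
 *
 * @return bool true when the session is valid and lastaccess was refreshed;
 *              false when nobody is logged in or the session data is inconsistent
 */
function check_user_login() {
    $sql = Database::getInstance();
    $sess_id = session_id();

    // kill timed out sessions
    do_session_timeout();

    if (!isset($_SESSION['user_logged']) || $_SESSION['user_logged'] === '') {
        return false;
    }
    $user_logged = $_SESSION['user_logged'];

    // Without the remaining login fields the session can not be verified;
    // handle it like any other inconsistent session instead of querying
    // with undefined values.
    if (!isset($_SESSION['user_pass'], $_SESSION['user_type'], $_SESSION['user_id'])) {
        write_log("Detected session manipulation on $user_logged's session!");
        unset_user_login_data();
        return false;
    }

    $user_pass = $_SESSION['user_pass'];
    $user_type = $_SESSION['user_type'];
    $user_id = $_SESSION['user_id'];

    // verify sessiondata with database
    $query = <<<SQL_QUERY
        select
            *
        from
            admin, login
        where
                admin.admin_name = ?
            and
                admin.admin_pass = ?
            and
                admin.admin_type = ?
            and
                admin.admin_id = ?
            and
                login.session_id = ?
SQL_QUERY;

    $rs = exec_query($sql, $query, array($user_logged, $user_pass, $user_type, $user_id, $sess_id));

    if ($rs->RecordCount() != 1) {
        write_log("Detected session manipulation on $user_logged's session!");
        unset_user_login_data();
        return false;
    }

    // Maintenance mode is also forced while a database or critical update is pending.
    $maintenance = Config::get('MAINTENANCEMODE')
        || databaseUpdate::getInstance()->checkUpdateExists()
        || criticalUpdate::getInstance()->checkUpdateExists();

    if ($maintenance && $user_type != 'admin') {
        // true: do not keep language/theme either, the whole session goes
        unset_user_login_data(true);
        write_log("System is currently in maintenance mode. Logging out <b><i>".$user_logged."</i></b>");
        header("Location: /index.php");
        die();
    }

    // userlogindata correct - update session and lastaccess
    $_SESSION['user_login_time'] = time();

    $query = <<<SQL_QUERY
        update
            login
        set
            lastaccess = ?
        where
            session_id = ?
SQL_QUERY;

    exec_query($sql, $query, array(time(), $sess_id));
    return true;
}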
161
/**
 * Access guard for a page: requires a valid session, optionally checks that
 * the calling script lives in the directory matching the session's user
 * type, and optionally checks the HTTP referer.
 *
 * Any failure of the session or level check ends the script with a
 * redirect to /index.php.
 *
 * @param string|null $fName       path of the calling script (usually __FILE__);
 *                                 when given, its parent directory name is
 *                                 compared with the session's user type
 * @param bool        $checkReferer when true, a referer from another host is
 *                                 reported and may trigger a redirect
 * @return void
 */
function check_login($fName = null, $checkReferer = true) {

    // session-type check:
    if (!check_user_login()) {
        header("Location: /index.php");
        die();
    }

    if ($fName != null) {
        // Last path component of the script's directory, e.g. 'admin'.
        $levels = explode('/', realpath(dirname($fName)));
        $level = $levels[count($levels) - 1];

        switch ($level) {
            case 'user':
                // The 'user' directory serves the 'client' user type;
                // deliberate fall-through into the comparison below.
                $level = 'client';
            case 'admin':
            case 'reseller':
                if ($level != $_SESSION['user_type']) {
                    write_log('Warning! user |'.$_SESSION['user_logged'].'| requested |'.$_SERVER["REQUEST_URI"].'| with REQUEST_METHOD |'.$_SERVER["REQUEST_METHOD"].'|');
                    header("Location: /index.php");
                    die();
                }
                break;
            // Any other directory name is not level-restricted here.
        }
    }

    if ($checkReferer) {
        if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {

            $info = parse_url($_SERVER['HTTP_REFERER']);
            if (isset($info['host']) && !empty($info['host'])) {
                // The referer host has to equal BOTH HTTP_HOST and SERVER_NAME;
                // a mismatch with either one is reported. NOTE(review): HTTP_HOST
                // comes from the request and the referer is client-supplied, so
                // this is a weak check — confirm it is not relied on for CSRF.
                if ($info['host'] != $_SERVER['HTTP_HOST'] || $info['host'] != $_SERVER['SERVER_NAME']) {
                    set_page_message(tr('Request from foreign host was blocked!'));
                // Redirect only when SCRIPT_FILENAME does not end with REDIRECT_URL;
                // presumably to avoid redirecting internally rewritten requests.
                // NOTE(review): REDIRECT_URL is read without isset() — verify it is
                // always present in this server setup.
                if(!(substr($_SERVER['SCRIPT_FILENAME'], (int)-strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) === $_SERVER['REDIRECT_URL']))
                    redirect_to_level_page();
                }
            }

        }
    }
}
203
/**
 * Switches the current session from one account to another (an admin or
 * reseller entering a subordinate's interface, or going back) and then
 * redirects to the target level's start page.
 *
 * The permitted transitions are listed in $allowed_changes, keyed by the
 * type of the account switching FROM and then the type switched TO; the
 * 'BACK' entry names the page to return to when a user goes back to the
 * account it originally logged in from ($_SESSION['logged_from_id']).
 * The while(1) loop is only used so that failures can 'break' straight to
 * the final redirect.
 *
 * @param int|string $from_id admin_id of the account currently in use
 * @param int|string $to_id   admin_id of the account to switch to
 * @return void the function ends in redirect_to_level_page()
 */
function change_user_interface($from_id, $to_id) {
    $sql = Database::getInstance();

    $index = null;
    while (1) { //used to easily exit
        // NOTE(review): 'binary admin_id = ?' forces a byte-wise match on the id —
        // presumably to prevent loose numeric matching; confirm it is still needed.
        $query   = 'select admin_id, admin_name, admin_pass, admin_type, email, created_by from admin where binary admin_id = ?';

        $rs_from = exec_query($sql, $query, array($from_id));
        $rs_to   = exec_query($sql, $query, array($to_id));

        if (($rs_from -> RecordCount()) != 1 || ($rs_to -> RecordCount()) != 1)  {
            set_page_message(tr('User does not exist or you do not have permission to access this interface!'));
            break;
        }

        $from_udata = $rs_from->FetchRow();
        $to_udata   = $rs_to->FetchRow();

        if (!is_userdomain_ok($to_udata['admin_name'])) {
            set_page_message(tr("%s's account status is not ok!", decode_idna($to_udata['admin_name'])));
            break;
        }

        $to_admin_type   = strtolower($to_udata['admin_type']);
        $from_admin_type = strtolower($from_udata['admin_type']);

        // [from type][to type] => start page of the target interface
        $allowed_changes = array();

        $allowed_changes['admin']['admin']         = 'manage_users.php';
        $allowed_changes['admin']['BACK']          = 'manage_users.php';
        $allowed_changes['admin']['reseller']      = 'index.php';
        $allowed_changes['admin']['user']          = 'index.php';
        $allowed_changes['reseller']['user']       = 'index.php';
        $allowed_changes['reseller']['BACK']       = 'users.php';

        // Not a listed transition (or a same-level switch below admin): only
        // allowed as a 'BACK' to the account this session originally came from.
        if (!isset($allowed_changes[$from_admin_type][$to_admin_type]) ||
           ($to_admin_type == $from_admin_type && $from_admin_type != 'admin')) {

            if (isset($_SESSION['logged_from_id']) && $_SESSION['logged_from_id'] == $to_id) {
                $index = $allowed_changes[$to_admin_type]['BACK'];
            } else {
                set_page_message(tr('You do not have permission to access this interface!'));
                break;
            }
        }

        $index = $index ? $index : $allowed_changes[$from_admin_type][$to_admin_type];

    // Clears $_SESSION (only user_def_lang/user_theme survive), so the
    // $_SESSION['logged_from_id'] checks below always see it unset.
    unset_user_login_data();

        // NOTE(review): because of the unset above, this condition reduces to
        // "$to_admin_type != 'admin' || (admin -> admin)" — confirm whether the
        // logged_from_id comparison was meant to run before the session is cleared.
        if (($to_admin_type != 'admin' &&
            ((isset($_SESSION['logged_from_id']) && $_SESSION['logged_from_id'] != $to_id) ||
              !isset($_SESSION['logged_from_id'])))
            || ($from_admin_type == 'admin' && $to_admin_type == 'admin')) {

            $_SESSION['logged_from'] = $from_udata['admin_name'];
            $_SESSION['logged_from_id'] = $from_udata['admin_id'];

        }
    if ($from_admin_type == 'user') { // Ticket 830 - remove the 'logged_from' if back from user
        unset($_SESSION['logged_from']);  // maybe integrated in the construction above...
        unset($_SESSION['logged_from_id']);
    }

        // we gonna kill all sessions and globals if user get back to admin level
        if (isset($_SESSION['admin_name']))
        unset($_SESSION['admin_name']);

        if (isset($_SESSION['admin_id']))
        unset($_SESSION['admin_id']);

        if (isset($GLOBALS['admin_name']))
        unset($GLOBALS['admin_name']);

        if (isset($GLOBALS['admin_id']))
        unset($GLOBALS['admin_id']);
        // no more sessions and globals to kill - they were always killed - rest in peace

        // Same session keys as register_user() sets on a normal login.
        $_SESSION['user_logged'] = $to_udata['admin_name'];
        $_SESSION['user_pass'] = $to_udata['admin_pass'];
        $_SESSION['user_type'] = $to_udata['admin_type'];
        $_SESSION['user_id'] = $to_udata['admin_id'];
        $_SESSION['user_email'] = $to_udata['email'];
        $_SESSION['user_created_by'] = $to_udata['created_by'];
        $_SESSION['user_login_time'] = time();

        // The old login row was deleted by unset_user_login_data(); insert a new one
        // for the same session id under the target account name.
        $query = 'INSERT INTO login (session_id, user_name, lastaccess) VALUES (?, ?, ?) ';

        exec_query($sql, $query, array(session_id(), $to_udata['admin_name'], $_SESSION['user_login_time']));

        write_log(sprintf("%s changes into %s's interface", decode_idna($from_udata['admin_name']), decode_idna($to_udata['admin_name'])));
        break;
    }

    redirect_to_level_page($index);
}
300
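/**
 * Logs the current user out: removes this session's login row and clears
 * $_SESSION.
 *
 * The language and theme selection (user_def_lang, user_theme) survive the
 * logout unless $ignorePreserve is true, so the login page keeps the user's
 * display settings.
 *
 * @param bool $ignorePreserve when true nothing is carried over from the old session
 * @return void
 */
function unset_user_login_data($ignorePreserve = false) {
    $sql = Database::getInstance();

    if (isset($_SESSION['user_logged'])) {
        $query = <<<SQL_QUERY
            delete from
              login
          where
              session_id = ?
          and
              user_name = ?
SQL_QUERY;

        // Both session id and user name are matched, so a session can only
        // remove its own login row; the result set is not needed.
        exec_query($sql, $query, array(session_id(), $_SESSION['user_logged']));
    }

    $preserve_list = array('user_def_lang', 'user_theme');
    $preserve_vals = array();

    if (!$ignorePreserve) {
        foreach ($preserve_list as $key) {
            if (isset($_SESSION[$key])) {
                $preserve_vals[$key] = $_SESSION[$key];
            }
        }
    }

    // Drop everything and keep only the preserved values (in list order).
    $_SESSION = $preserve_vals;
}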
343
/**
 * Sends a Location header to $file inside the directory belonging to the
 * session's user type and terminates the script.
 *
 * Without a user type in the session the function returns false, unless
 * $force is set, in which case the client is sent to the root index page.
 *
 * @param string|null $file  page name relative to the level directory; defaults to index.php
 * @param bool        $force redirect even when no user type is stored in the session
 * @return false only when nothing was sent; otherwise the script exits
 */
function redirect_to_level_page($file = null, $force = false) {
    $hasUserType = isset($_SESSION['user_type']);

    if (!$hasUserType && !$force) {
        return false;
    }

    if (!$file) {
        $file = 'index.php';
    }

    $userType = $hasUserType ? $_SESSION['user_type'] : '';

    if ($userType == 'user') {
        // The 'user' type is served from the /client/ directory.
        header('Location: /client/' . $file);
    } elseif ($userType == 'admin' || $userType == 'reseller') {
        header('Location: /' . $userType . '/' . $file);
    } elseif ($userType == '') {
        header('Location: /index.php');
    } else {
        // Unknown user type: nowhere sensible to send the client.
        die("FIXME! " . __FILE__ . ":" . __LINE__);
    }

    exit();
}
371
372 ?>
373