<?php
/**
 * This file is part of the Froxlor project.
 * Copyright (c) 2003-2009 the SysCP Team (see authors).
 * Copyright (c) 2010 the Froxlor Team (see authors).
 *
 * For the full copyright and license information, please view the COPYING
 * file that was distributed with this source code. You can also view the
 * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
 *
 * @copyright  (c) the authors
 * @author     Florian Lippert <flo@syscp.org> (2003-2009)
 * @author     Froxlor team <team@froxlor.org> (2010-)
 * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
 * @package    Panel
 *
 */

// The area is declared before init.php is pulled in so the bootstrap knows
// which part of the panel (here: the unauthenticated login page) is running.
define('AREA', 'login');

/**
 * Include our init.php, which manages Sessions, Language etc.
 */
require './lib/init.php';

// No action requested: fall back to showing the login form.
// ($action is expected to be populated by init.php — verify there.)
if ($action == '') {
    $action = 'login';
}
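if ($action == 'login') {
    if (isset($_POST['send'])
        && $_POST['send'] == 'send') {
        // Form input. validate() is provided by lib/init.php and is the only
        // filtering applied before these values reach the queries below.
        $loginname = validate($_POST['loginname'], 'loginname');
        $password = validate($_POST['password'], 'password');

        // Step 1: does the loginname belong to a customer account?
        $row = $db->query_first("SELECT `loginname` AS `customer` FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE `loginname`='" . $db->escape($loginname) . "'");
        if ($row['customer'] == $loginname) {
            $table = "`" . TABLE_PANEL_CUSTOMERS . "`";
            $uid = 'customerid';
            $adminsession = '0';
            $is_admin = false;
        } else {
            if ((int)$settings['login']['domain_login'] == 1) {
                /**
                 * check if the customer tries to login with a domain, #374
                 */
                // Strip a trailing ":port" and a leading http(s):// prefix, then
                // IDNA-encode so the value matches what the domains table stores.
                $domainname = $idna_convert->encode(preg_replace(Array('/\:(\d)+$/', '/^https?\:\/\//'), '', $loginname));
                $row2 = $db->query_first("SELECT `customerid` FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = '" . $db->escape($domainname) . "'");
                if (isset($row2['customerid']) && $row2['customerid'] > 0) {
                    $loginname = getCustomerDetail($row2['customerid'], 'loginname');
                    if ($loginname !== false) {
                        $row3 = $db->query_first("SELECT `loginname` AS `customer` FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE `loginname`='" . $db->escape($loginname) . "'");
                        if ($row3['customer'] == $loginname) {
                            $table = "`" . TABLE_PANEL_CUSTOMERS . "`";
                            $uid = 'customerid';
                            $adminsession = '0';
                            $is_admin = false;
                        } else {
                            // The domain resolved to a customerid whose loginname has no
                            // matching customer row. This branch used to leave $table and
                            // $is_admin undefined, so "SELECT * FROM $table" below ran with
                            // an empty table name. Fail closed as an invalid login instead.
                            redirectTo('index.php', Array('showmessage' => '2'), true);
                            exit;
                        }
                    } else {
                        $is_admin = true;
                    }
                } else {
                    $is_admin = true;
                }
            } else {
                $is_admin = true;
            }
        }

        // While an update is pending, customers are not allowed to log in at all.
        if (hasUpdates($version) && !$is_admin) {
            redirectTo('index.php');
            exit;
        }

        if ($is_admin) {
            if (hasUpdates($version)) {
                // During an update only admins allowed to change server settings may log in.
                $row = $db->query_first("SELECT `loginname` AS `admin` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `loginname`='" . $db->escape($loginname) . "' AND `change_serversettings` = '1'");
                /*
                 * not an admin who can see updates
                 */
                if (!isset($row['admin'])) {
                    redirectTo('index.php');
                    exit;
                }
            } else {
                $row = $db->query_first("SELECT `loginname` AS `admin` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `loginname`='" . $db->escape($loginname) . "'");
            }

            if ($row['admin'] == $loginname) {
                $table = "`" . TABLE_PANEL_ADMINS . "`";
                $uid = 'adminid';
                $adminsession = '1';
            } else {
                redirectTo('index.php', Array('showmessage' => '2'), true);
                exit;
            }
        }

        $userinfo = $db->query_first("SELECT * FROM $table WHERE `loginname`='" . $db->escape($loginname) . "'");

        // Temporary lock-out: too many failed attempts, the last of them within
        // the last `deactivatetime` seconds.
        if ($userinfo['loginfail_count'] >= $settings['login']['maxloginattempts']
            && $userinfo['lastlogin_fail'] > (time() - $settings['login']['deactivatetime'])) {
            redirectTo('index.php', Array('showmessage' => '3'), true);
            exit;
        } elseif ($userinfo['password'] === md5($password)) {
            // login correct
            // Strict comparison on purpose: with == two hex digests of the form
            // "0e<digits>" are treated as equal numeric strings. The stored scheme is
            // unsalted md5; changing it is a data migration, not done here.
            // reset loginfail_counter, set lastlogin_succ
            $db->query("UPDATE $table SET `lastlogin_succ`='" . time() . "', `loginfail_count`='0' WHERE `$uid`='" . (int)$userinfo[$uid] . "'");
            $userinfo['userid'] = $userinfo[$uid];
            $userinfo['adminsession'] = $adminsession;
        } else {
            // login incorrect
            $db->query("UPDATE $table SET `lastlogin_fail`='" . time() . "', `loginfail_count`=`loginfail_count`+1 WHERE `$uid`='" . (int)$userinfo[$uid] . "'");
            unset($userinfo);
            redirectTo('index.php', Array('showmessage' => '2'), true);
            exit;
        }

        if (isset($userinfo['userid'])
            && $userinfo['userid'] != '') {
            // Session hash. NOTE(review): md5(uniqid(microtime(), 1)) is derived from
            // the clock, not from a cryptographic random source; kept because the
            // session table and the other pages expect this 32-character hex format.
            $s = md5(uniqid(microtime(), 1));

            // Language: explicit choice from the form, 'profile' meaning the user's
            // stored default, unknown values falling back to the panel default.
            if (isset($_POST['language'])) {
                $language = validate($_POST['language'], 'language');
                if ($language == 'profile') {
                    $language = $userinfo['def_language'];
                } elseif (!isset($languages[$language])) {
                    $language = $settings['panel']['standardlanguage'];
                }
            } else {
                $language = $settings['panel']['standardlanguage'];
            }

            if (isset($userinfo['theme']) && $userinfo['theme'] != '') {
                $theme = $userinfo['theme'];
            } else {
                $theme = $settings['panel']['default_theme'];
            }

            // Single-session mode: drop any other session of this user first.
            if ($settings['session']['allow_multiple_login'] != '1') {
                $db->query("DELETE FROM `" . TABLE_PANEL_SESSIONS . "` WHERE `userid` = '" . (int)$userinfo['userid'] . "' AND `adminsession` = '" . $db->escape($userinfo['adminsession']) . "'");
            }

            // check for field 'theme' in session-table, refs #607
            // (older schemas have no `theme` column, so the INSERT is chosen by
            // inspecting the table's field list)
            $fields = mysql_list_fields($db->getDbName(), TABLE_PANEL_SESSIONS);
            $columns = mysql_num_fields($fields);
            $field_array = array();
            for ($i = 0; $i < $columns; $i++) {
                $field_array[] = mysql_field_name($fields, $i);
            }
            if (!in_array('theme', $field_array, true)) {
                $db->query("INSERT INTO `" . TABLE_PANEL_SESSIONS . "` (`hash`, `userid`, `ipaddress`, `useragent`, `lastactivity`, `language`, `adminsession`) VALUES ('" . $db->escape($s) . "', '" . (int)$userinfo['userid'] . "', '" . $db->escape($remote_addr) . "', '" . $db->escape($http_user_agent) . "', '" . time() . "', '" . $db->escape($language) . "', '" . $db->escape($userinfo['adminsession']) . "')");
            } else {
                $db->query("INSERT INTO `" . TABLE_PANEL_SESSIONS . "` (`hash`, `userid`, `ipaddress`, `useragent`, `lastactivity`, `language`, `adminsession`, `theme`) VALUES ('" . $db->escape($s) . "', '" . (int)$userinfo['userid'] . "', '" . $db->escape($remote_addr) . "', '" . $db->escape($http_user_agent) . "', '" . time() . "', '" . $db->escape($language) . "', '" . $db->escape($userinfo['adminsession']) . "', '" . $db->escape($theme) . "')");
            }

            // The session hash travels as the `s` query parameter from here on.
            if ($userinfo['adminsession'] == '1') {
                if (hasUpdates($version)) {
                    redirectTo('admin_updates.php', Array('s' => $s), true);
                    exit;
                } else {
                    redirectTo('admin_index.php', Array('s' => $s), true);
                    exit;
                }
            } else {
                redirectTo('customer_index.php', Array('s' => $s), true);
                exit;
            }
        } else {
            redirectTo('index.php', Array('showmessage' => '2'), true);
            exit;
        }
    } else {
        // No form submitted: render the login page.
        $language_options = '';
        $language_options .= makeoption($lng['login']['profile_lng'], 'profile', 'profile', true, true);
        foreach ($languages as $language_file => $language_name) {
            $language_options .= makeoption($language_name, $language_file, 'profile', true);
        }

        // Status messages are selected by the numeric `showmessage` query parameter
        // set by the redirects above and in the forgotpwd action.
        $smessage = isset($_GET['showmessage']) ? (int)$_GET['showmessage'] : 0;
        $message = '';
        $successmessage = '';
        switch ($smessage) {
            case 1:
                $successmessage = $lng['pwdreminder']['success'];
                break;
            case 2:
                $message = $lng['error']['login'];
                break;
            case 3:
                $message = $lng['error']['login_blocked'];
                break;
            case 4:
                // `customermail` is user-controlled query input that is rendered by
                // the template below, so it is HTML-escaped before being interpolated.
                $cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
                $message = str_replace('%s', htmlspecialchars($cmail, ENT_QUOTES, 'UTF-8'), $lng['error']['errorsendingmail']);
                break;
            case 5:
                $message = $lng['error']['user_banned'];
                break;
        }

        $update_in_progress = '';
        if (hasUpdates($version)) {
            $update_in_progress = $lng['update']['updateinprogress_onlyadmincanlogin'];
        }

        // Templates are rendered by eval()ing them as a double-quoted PHP string;
        // every variable they reference is interpolated unescaped unless the
        // template itself escapes it.
        eval("echo \"" . getTemplate("login") . "\";");
    }
}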
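if ($action == 'forgotpwd') {
    $adminchecked = false;
    $message = '';
    if (isset($_POST['send'])
        && $_POST['send'] == 'send') {
        $loginname = validate($_POST['loginname'], 'loginname');
        $email = validateEmail($_POST['loginemail'], 'email');

        // Try the loginname/email pair as a customer first. Only this query selects
        // `deactivated`; the admin query below has no such column.
        $sql = "SELECT `adminid`, `customerid`, `firstname`, `name`, `company`, `email`, `loginname`, `def_language`, `deactivated` FROM `" . TABLE_PANEL_CUSTOMERS . "`
            WHERE `loginname` = '" . $db->escape($loginname) . "'
            AND `email` = '" . $db->escape($email) . "'";
        $result = $db->query($sql);
        if ($db->num_rows() == 0) {
            $sql = "SELECT `adminid`, `name`, `email`, `loginname`, `def_language` FROM `" . TABLE_PANEL_ADMINS . "`
                WHERE `loginname` = '" . $db->escape($loginname) . "'
                AND `email` = '" . $db->escape($email) . "'";
            $result = $db->query($sql);
            if ($db->num_rows() > 0) {
                $adminchecked = true;
            } else {
                $result = null;
            }
        }

        if ($result !== null) {
            $user = $db->fetch_array($result);

            /* Check whether user is banned */
            // !empty() rather than a bare index read, because admin rows carry no
            // `deactivated` key. The exit is required: every other redirectTo() in
            // this file is followed by one, and without it execution fell through
            // and the password below was still reset and mailed for a banned account.
            if (!empty($user['deactivated'])) {
                redirectTo('index.php', Array('showmessage' => '5'), true);
                exit;
            }

            // Admin resets are only honoured when allow_preset_admin is enabled.
            if (($adminchecked && $settings['panel']['allow_preset_admin'] == '1')
                || !$adminchecked) {
                if ($user !== false) {
                    // NOTE(review): the generated password is taken from
                    // md5(uniqid(microtime(), 1)), which is clock-derived rather than
                    // a cryptographic random source. Left unchanged here because the
                    // file targets a PHP level without a CSPRNG API.
                    if ($settings['panel']['password_min_length'] <= 6) {
                        $password = substr(md5(uniqid(microtime(), 1)), 12, 6);
                    } else {
                        // make it two times larger than password_min_length
                        $rnd = '';
                        $minlength = $settings['panel']['password_min_length'];
                        while (strlen($rnd) < ($minlength * 2)) {
                            $rnd .= md5(uniqid(microtime(), 1));
                        }
                        $password = substr($rnd, (int)($minlength / 2), $minlength);
                    }

                    // The stored password is replaced before the mail is sent; if the
                    // mail fails below the user is left with the new, unknown password.
                    // loginname/email come from the database but are escaped anyway,
                    // matching how the SELECTs above treat the same values.
                    if ($adminchecked) {
                        $db->query("UPDATE `" . TABLE_PANEL_ADMINS . "` SET `password`='" . md5($password) . "'
                            WHERE `loginname` = '" . $db->escape($user['loginname']) . "'
                            AND `email` = '" . $db->escape($user['email']) . "'");
                    } else {
                        $db->query("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `password`='" . md5($password) . "'
                            WHERE `loginname` = '" . $db->escape($user['loginname']) . "'
                            AND `email` = '" . $db->escape($user['email']) . "'");
                    }

                    $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'), $db, $settings);
                    $rstlog->logAction(USR_ACTION, LOG_WARNING, "Password for user '" . $user['loginname'] . "' has been reset!");

                    // Placeholders for the (optional) admin-defined mail templates.
                    $replace_arr = array(
                        'SALUTATION' => getCorrectUserSalutation($user),
                        'USERNAME' => $user['loginname'],
                        'PASSWORD' => $password
                    );
                    $body = strtr($lng['pwdreminder']['body'], array('%s' => $user['firstname'] . ' ' . $user['name'], '%p' => $password));
                    $def_language = ($user['def_language'] != '') ? $user['def_language'] : $settings['panel']['standardlanguage'];

                    // Subject and body: per-admin template in the user's language if one
                    // exists, otherwise the built-in language-file text.
                    $result = $db->query_first('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$user['adminid'] . '\' AND `language`=\'' . $db->escape($def_language) . '\' AND `templategroup`=\'mails\' AND `varname`=\'password_reset_subject\'');
                    $mail_subject = html_entity_decode(replace_variables((($result['value'] != '') ? $result['value'] : $lng['pwdreminder']['subject']), $replace_arr));
                    $result = $db->query_first('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$user['adminid'] . '\' AND `language`=\'' . $db->escape($def_language) . '\' AND `templategroup`=\'mails\' AND `varname`=\'password_reset_mailbody\'');
                    $mail_body = html_entity_decode(replace_variables((($result['value'] != '') ? $result['value'] : $body), $replace_arr));

                    // The new password is delivered in clear text by e-mail.
                    $_mailerror = false;
                    try {
                        $mail->Subject = $mail_subject;
                        $mail->AltBody = $mail_body;
                        $mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
                        $mail->AddAddress($user['email'], $user['firstname'] . ' ' . $user['name']);
                        $mail->Send();
                    } catch (phpmailerException $e) {
                        $mailerr_msg = $e->errorMessage();
                        $_mailerror = true;
                    } catch (Exception $e) {
                        $mailerr_msg = $e->getMessage();
                        $_mailerror = true;
                    }
                    if ($_mailerror) {
                        $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'), $db, $settings);
                        $rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
                        redirectTo('index.php', Array('showmessage' => '4', 'customermail' => $user['email']), true);
                        exit;
                    }
                    $mail->ClearAddresses();
                    redirectTo('index.php', Array('showmessage' => '1'), true);
                    exit;
                } else {
                    $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'), $db, $settings);
                    $rstlog->logAction(USR_ACTION, LOG_WARNING, "User '" . $loginname . "' tried to reset pwd but wasn't found in database!");
                    $message = $lng['login']['combination_not_found'];
                }
                unset($user);
            }
        } else {
            // Neither a customer nor an admin matched the loginname/email pair.
            // (The distinct messages here and above reveal whether a loginname
            // exists — noted, not changed.)
            $message = $lng['login']['usernotfound'];
        }
    }

    // Decide whether the reset form may be shown at all for this account type.
    if ($adminchecked) {
        if ($settings['panel']['allow_preset_admin'] != '1') {
            $message = $lng['pwdreminder']['notallowed'];
            unset($adminchecked);
        }
    } else {
        if ($settings['panel']['allow_preset'] != '1') {
            $message = $lng['pwdreminder']['notallowed'];
        }
    }

    // Template rendering via eval() of a double-quoted string; $message is
    // interpolated as-is.
    eval("echo \"" . getTemplate("fpwd") . "\";");
}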