2010-01-20 16:55:27 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
/**
|
2010-01-22 15:03:14 +00:00
|
|
|
* This file is part of the Froxlor project.
|
|
|
|
|
* Copyright (c) 2010 the Froxlor Team (see authors).
|
2010-01-20 16:55:27 +00:00
|
|
|
*
|
2022-04-28 18:48:00 +00:00
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
|
* of the License, or (at your option) any later version.
|
2010-01-20 16:55:27 +00:00
|
|
|
*
|
2022-04-28 18:48:00 +00:00
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
2011-05-04 09:59:20 +00:00
|
|
|
*
|
2022-04-28 18:48:00 +00:00
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, you can also view it online at
|
|
|
|
|
* https://files.froxlor.org/misc/COPYING.txt
|
|
|
|
|
*
|
|
|
|
|
* @copyright the authors
|
|
|
|
|
* @author Froxlor team <team@froxlor.org>
|
|
|
|
|
* @license https://files.froxlor.org/misc/COPYING.txt GPLv2
|
2010-01-20 16:55:27 +00:00
|
|
|
*/
|
2022-04-28 18:48:00 +00:00
|
|
|
|
|
|
|
|
const AREA = 'login';
|
2022-02-20 17:00:44 +00:00
|
|
|
require __DIR__ . '/lib/init.php';
|
2010-01-20 16:55:27 +00:00
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
use Froxlor\CurrentUser;
|
|
|
|
|
use Froxlor\Customer\Customer;
|
2018-12-19 15:57:03 +00:00
|
|
|
use Froxlor\Database\Database;
|
2022-04-28 18:48:00 +00:00
|
|
|
use Froxlor\FileDir;
|
|
|
|
|
use Froxlor\Froxlor;
|
2018-12-19 15:57:03 +00:00
|
|
|
use Froxlor\FroxlorLogger;
|
2022-04-28 18:48:00 +00:00
|
|
|
use Froxlor\FroxlorTwoFactorAuth;
|
|
|
|
|
use Froxlor\PhpHelper;
|
|
|
|
|
use Froxlor\Settings;
|
|
|
|
|
use Froxlor\System\Crypt;
|
2022-02-15 19:37:27 +00:00
|
|
|
use Froxlor\UI\Panel\UI;
|
2022-04-28 18:48:00 +00:00
|
|
|
use Froxlor\UI\Response;
|
|
|
|
|
use Froxlor\User;
|
|
|
|
|
use Froxlor\Validate\Validate;
|
2018-12-18 12:45:05 +00:00
|
|
|
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($action == '') {
|
2010-01-20 16:55:27 +00:00
|
|
|
$action = 'login';
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-30 12:45:17 +00:00
|
|
|
if ($action == '2fa_entercode') {
|
|
|
|
|
// page for entering the 2FA code after successful login
|
2022-02-15 19:37:27 +00:00
|
|
|
if (!isset($_SESSION) || !isset($_SESSION['secret_2fa'])) {
|
2018-11-30 12:45:17 +00:00
|
|
|
// no session - redirect to index
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php');
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
|
|
|
|
}
|
|
|
|
|
// show template to enter code
|
2022-03-18 11:53:34 +00:00
|
|
|
UI::view('login/enter2fa.html.twig', [
|
2022-04-28 18:48:00 +00:00
|
|
|
'pagetitle' => lng('login.2fa')
|
2022-03-18 10:41:07 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
} elseif ($action == '2fa_verify') {
|
|
|
|
|
// verify code from 2fa code-enter form
|
2022-02-15 19:37:27 +00:00
|
|
|
if (!isset($_SESSION) || !isset($_SESSION['secret_2fa'])) {
|
2018-11-30 12:45:17 +00:00
|
|
|
// no session - redirect to index
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php');
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
|
|
|
|
}
|
|
|
|
|
$code = isset($_POST['2fa_code']) ? $_POST['2fa_code'] : null;
|
|
|
|
|
// verify entered code
|
2022-05-15 10:27:48 +00:00
|
|
|
$tfa = new FroxlorTwoFactorAuth('Froxlor ' . Settings::Get('system.hostname'));
|
2018-11-30 12:45:17 +00:00
|
|
|
$result = ($_SESSION['secret_2fa'] == 'email' ? true : $tfa->verifyCode($_SESSION['secret_2fa'], $code, 3));
|
|
|
|
|
// either the code is valid when using authenticator-app, or we will select userdata by id and entered code
|
|
|
|
|
// which is temporarily stored for the customer when using email-2fa
|
|
|
|
|
if ($result) {
|
|
|
|
|
// get user-data
|
|
|
|
|
$table = $_SESSION['uidtable_2fa'];
|
|
|
|
|
$field = $_SESSION['uidfield_2fa'];
|
|
|
|
|
$uid = $_SESSION['uid_2fa'];
|
|
|
|
|
$isadmin = $_SESSION['unfo_2fa'];
|
2022-04-28 18:48:00 +00:00
|
|
|
$sel_param = [
|
2018-11-30 12:45:17 +00:00
|
|
|
'uid' => $uid
|
2022-04-28 18:48:00 +00:00
|
|
|
];
|
2018-11-30 12:45:17 +00:00
|
|
|
if ($_SESSION['secret_2fa'] == 'email') {
|
|
|
|
|
// verify code by selecting user by id and the temp. stored code,
|
|
|
|
|
// so only if it's the correct code, we get the user-data
|
|
|
|
|
$sel_stmt = Database::prepare("SELECT * FROM $table WHERE `" . $field . "` = :uid AND `data_2fa` = :code");
|
|
|
|
|
$sel_param['code'] = $code;
|
|
|
|
|
} else {
|
|
|
|
|
// Authenticator-verification has already happened at this point, so just get the user-data
|
|
|
|
|
$sel_stmt = Database::prepare("SELECT * FROM $table WHERE `" . $field . "` = :uid");
|
|
|
|
|
}
|
2018-12-22 07:15:31 +00:00
|
|
|
$userinfo = Database::pexecute_first($sel_stmt, $sel_param);
|
2018-11-30 12:45:17 +00:00
|
|
|
// whoops, no (valid) user? Start again
|
2018-12-22 07:15:31 +00:00
|
|
|
if (empty($userinfo)) {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '2'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
2018-12-22 07:15:31 +00:00
|
|
|
// set fields in $userinfo required for finishLogin()
|
|
|
|
|
$userinfo['adminsession'] = $isadmin;
|
|
|
|
|
$userinfo['userid'] = $uid;
|
2018-11-30 12:45:17 +00:00
|
|
|
|
|
|
|
|
// if not successful somehow - start again
|
2022-02-15 19:37:27 +00:00
|
|
|
if (!finishLogin($userinfo)) {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '2'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// when using email-2fa, remove the one-time-code
|
2018-12-22 07:15:31 +00:00
|
|
|
if ($userinfo['type_2fa'] == '1') {
|
2018-11-30 12:45:17 +00:00
|
|
|
$del_stmt = Database::prepare("UPDATE $table SET `data_2fa` = '' WHERE `" . $field . "` = :uid");
|
2022-04-28 18:48:00 +00:00
|
|
|
$userinfo = Database::pexecute_first($del_stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
'uid' => $uid
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
|
|
|
|
exit();
|
|
|
|
|
}
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '2'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
|
|
|
|
} elseif ($action == 'login') {
|
2013-11-04 14:23:52 +00:00
|
|
|
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
2022-04-28 18:48:00 +00:00
|
|
|
$loginname = Validate::validate($_POST['loginname'], 'loginname');
|
|
|
|
|
$password = Validate::validate($_POST['password'], 'password');
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2013-11-04 14:23:52 +00:00
|
|
|
$stmt = Database::prepare("SELECT `loginname` AS `customer` FROM `" . TABLE_PANEL_CUSTOMERS . "`
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `loginname`= :loginname");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$row = $stmt->fetch(PDO::FETCH_ASSOC);
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2021-02-16 11:38:01 +00:00
|
|
|
if ($row && $row['customer'] == $loginname) {
|
2010-01-26 09:45:57 +00:00
|
|
|
$table = "`" . TABLE_PANEL_CUSTOMERS . "`";
|
|
|
|
|
$uid = 'customerid';
|
|
|
|
|
$adminsession = '0';
|
|
|
|
|
$is_admin = false;
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
|
|
|
|
$is_admin = true;
|
2022-04-28 18:48:00 +00:00
|
|
|
if ((int)Settings::Get('login.domain_login') == 1) {
|
|
|
|
|
$domainname = $idna_convert->encode(preg_replace([
|
2018-11-30 12:45:17 +00:00
|
|
|
'/\:(\d)+$/',
|
|
|
|
|
'/^https?\:\/\//'
|
2022-04-28 18:48:00 +00:00
|
|
|
], '', $loginname));
|
2013-11-04 14:23:52 +00:00
|
|
|
$stmt = Database::prepare("SELECT `customerid` FROM `" . TABLE_PANEL_DOMAINS . "`
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `domain` = :domain");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"domain" => $domainname
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$row2 = $stmt->fetch(PDO::FETCH_ASSOC);
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2013-04-27 07:06:19 +00:00
|
|
|
if (isset($row2['customerid']) && $row2['customerid'] > 0) {
|
2022-04-28 18:48:00 +00:00
|
|
|
$loginname = Customer::getCustomerDetail($row2['customerid'], 'loginname');
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($loginname !== false) {
|
2013-11-04 14:23:52 +00:00
|
|
|
$stmt = Database::prepare("SELECT `loginname` AS `customer` FROM `" . TABLE_PANEL_CUSTOMERS . "`
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `loginname`= :loginname");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$row3 = $stmt->fetch(PDO::FETCH_ASSOC);
|
2021-02-16 11:38:01 +00:00
|
|
|
if ($row3 && $row3['customer'] == $loginname) {
|
2010-10-15 11:48:05 +00:00
|
|
|
$table = "`" . TABLE_PANEL_CUSTOMERS . "`";
|
|
|
|
|
$uid = 'customerid';
|
|
|
|
|
$adminsession = '0';
|
|
|
|
|
$is_admin = false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-01-26 09:45:57 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
if ((Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) && $is_admin == false) {
|
|
|
|
|
Response::redirectTo('index.php');
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2010-01-26 08:59:19 +00:00
|
|
|
}
|
2010-01-26 09:45:57 +00:00
|
|
|
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($is_admin) {
|
2022-04-28 18:48:00 +00:00
|
|
|
if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) {
|
2013-11-04 14:23:52 +00:00
|
|
|
$stmt = Database::prepare("SELECT `loginname` AS `admin` FROM `" . TABLE_PANEL_ADMINS . "`
|
|
|
|
|
WHERE `loginname`= :loginname
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `change_serversettings` = '1'");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$row = $stmt->fetch(PDO::FETCH_ASSOC);
|
2022-02-15 19:37:27 +00:00
|
|
|
if (!isset($row['admin'])) {
|
2013-11-04 14:23:52 +00:00
|
|
|
// not an admin who can see updates
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php');
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2010-01-26 08:59:19 +00:00
|
|
|
}
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2013-11-04 14:23:52 +00:00
|
|
|
$stmt = Database::prepare("SELECT `loginname` AS `admin` FROM `" . TABLE_PANEL_ADMINS . "`
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `loginname`= :loginname");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$row = $stmt->fetch(PDO::FETCH_ASSOC);
|
2010-01-26 08:59:19 +00:00
|
|
|
}
|
2010-01-26 09:45:57 +00:00
|
|
|
|
2021-02-16 11:38:01 +00:00
|
|
|
if ($row && $row['admin'] == $loginname) {
|
2010-01-20 16:55:27 +00:00
|
|
|
$table = "`" . TABLE_PANEL_ADMINS . "`";
|
|
|
|
|
$uid = 'adminid';
|
|
|
|
|
$adminsession = '1';
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2013-12-14 09:28:33 +00:00
|
|
|
// Log failed login
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => $_SERVER['REMOTE_ADDR']
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user '" . $loginname . "' tried to login.");
|
2013-12-14 09:28:33 +00:00
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '2'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
$userinfo_stmt = Database::prepare("SELECT * FROM $table
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `loginname`= :loginname");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($userinfo_stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-12-22 07:15:31 +00:00
|
|
|
$userinfo = $userinfo_stmt->fetch(PDO::FETCH_ASSOC);
|
2010-01-20 16:55:27 +00:00
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
if ($userinfo['loginfail_count'] >= Settings::Get('login.maxloginattempts') && $userinfo['lastlogin_fail'] > (time() - Settings::Get('login.deactivatetime'))) {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '3'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2022-04-28 18:48:00 +00:00
|
|
|
} elseif (Crypt::validatePasswordLogin($userinfo, $password, $table, $uid)) {
|
2018-11-30 12:45:17 +00:00
|
|
|
// only show "you're banned" if the login was successful
|
|
|
|
|
// because we don't want to publish that the user does exist
|
2018-12-22 07:15:31 +00:00
|
|
|
if ($userinfo['deactivated']) {
|
|
|
|
|
unset($userinfo);
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '5'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
|
|
|
|
} else {
|
|
|
|
|
// login correct
|
|
|
|
|
// reset loginfail_counter, set lastlogin_succ
|
|
|
|
|
$stmt = Database::prepare("UPDATE $table
|
2022-02-15 19:37:27 +00:00
|
|
|
SET `lastlogin_succ`= :lastlogin_succ, `loginfail_count`='0'
|
|
|
|
|
WHERE `$uid`= :uid");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"lastlogin_succ" => time(),
|
2018-12-22 07:15:31 +00:00
|
|
|
"uid" => $userinfo[$uid]
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-12-22 07:15:31 +00:00
|
|
|
$userinfo['userid'] = $userinfo[$uid];
|
|
|
|
|
$userinfo['adminsession'] = $adminsession;
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2010-01-20 16:55:27 +00:00
|
|
|
// login incorrect
|
2013-11-04 14:23:52 +00:00
|
|
|
$stmt = Database::prepare("UPDATE $table
|
|
|
|
|
SET `lastlogin_fail`= :lastlogin_fail, `loginfail_count`=`loginfail_count`+1
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `$uid`= :uid");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"lastlogin_fail" => time(),
|
2018-12-22 07:15:31 +00:00
|
|
|
"uid" => $userinfo[$uid]
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-12-14 09:28:33 +00:00
|
|
|
|
|
|
|
|
// Log failed login
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => $_SERVER['REMOTE_ADDR']
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User '" . $loginname . "' tried to login with wrong password.");
|
2013-12-14 09:28:33 +00:00
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
unset($userinfo);
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '2'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-30 12:45:17 +00:00
|
|
|
// 2FA activated
|
2018-12-22 07:15:31 +00:00
|
|
|
if (Settings::Get('2fa.enabled') == '1' && $userinfo['type_2fa'] > 0) {
|
2018-11-30 12:45:17 +00:00
|
|
|
// redirect to code-enter-page
|
2018-12-22 07:15:31 +00:00
|
|
|
$_SESSION['secret_2fa'] = ($userinfo['type_2fa'] == 2 ? $userinfo['data_2fa'] : 'email');
|
|
|
|
|
$_SESSION['uid_2fa'] = $userinfo[$uid];
|
2018-11-30 12:45:17 +00:00
|
|
|
$_SESSION['uidfield_2fa'] = $uid;
|
|
|
|
|
$_SESSION['uidtable_2fa'] = $table;
|
|
|
|
|
$_SESSION['unfo_2fa'] = $is_admin;
|
|
|
|
|
// send mail if type_2fa = 1 (email)
|
2018-12-22 07:15:31 +00:00
|
|
|
if ($userinfo['type_2fa'] == 1) {
|
2018-11-30 12:45:17 +00:00
|
|
|
// generate code
|
2022-05-15 10:27:48 +00:00
|
|
|
$tfa = new FroxlorTwoFactorAuth('Froxlor ' . Settings::Get('system.hostname'));
|
2018-11-30 12:45:17 +00:00
|
|
|
$code = $tfa->getCode($tfa->createSecret());
|
|
|
|
|
// set code for user
|
|
|
|
|
$stmt = Database::prepare("UPDATE $table SET `data_2fa` = :d2fa WHERE `$uid` = :uid");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"d2fa" => $code,
|
2018-12-22 07:15:31 +00:00
|
|
|
"uid" => $userinfo[$uid]
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
// build up & send email
|
|
|
|
|
$_mailerror = false;
|
|
|
|
|
$mailerr_msg = "";
|
2022-04-28 18:48:00 +00:00
|
|
|
$replace_arr = [
|
2018-11-30 12:45:17 +00:00
|
|
|
'CODE' => $code
|
2022-04-28 18:48:00 +00:00
|
|
|
];
|
|
|
|
|
$mail_body = html_entity_decode(PhpHelper::replaceVariables(lng('mails.2fa.mailbody'), $replace_arr));
|
2018-11-30 12:45:17 +00:00
|
|
|
|
|
|
|
|
try {
|
2022-04-28 18:48:00 +00:00
|
|
|
$mail->Subject = lng('mails.2fa.subject');
|
2018-11-30 12:45:17 +00:00
|
|
|
$mail->AltBody = $mail_body;
|
|
|
|
|
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
|
2022-04-28 18:48:00 +00:00
|
|
|
$mail->AddAddress($userinfo['email'], User::getCorrectUserSalutation($userinfo));
|
2018-11-30 12:45:17 +00:00
|
|
|
$mail->Send();
|
2018-12-18 12:45:05 +00:00
|
|
|
} catch (\PHPMailer\PHPMailer\Exception $e) {
|
2018-11-30 12:45:17 +00:00
|
|
|
$mailerr_msg = $e->errorMessage();
|
|
|
|
|
$_mailerror = true;
|
|
|
|
|
} catch (Exception $e) {
|
|
|
|
|
$mailerr_msg = $e->getMessage();
|
|
|
|
|
$_mailerror = true;
|
2013-11-04 14:23:52 +00:00
|
|
|
}
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2018-11-30 12:45:17 +00:00
|
|
|
if ($_mailerror) {
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => '2fa code-sending'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
|
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '4',
|
2018-12-22 07:15:31 +00:00
|
|
|
'customermail' => $userinfo['email']
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
|
|
|
|
}
|
2014-02-19 10:08:43 +00:00
|
|
|
|
2018-11-30 12:45:17 +00:00
|
|
|
$mail->ClearAddresses();
|
2014-01-05 21:35:26 +00:00
|
|
|
}
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'action' => '2fa_entercode'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
|
|
|
|
}
|
2014-02-19 10:08:43 +00:00
|
|
|
|
2022-02-15 19:37:27 +00:00
|
|
|
if (!finishLogin($userinfo)) {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '2'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
$smessage = isset($_GET['showmessage']) ? (int)$_GET['showmessage'] : 0;
|
2010-01-20 16:55:27 +00:00
|
|
|
$message = '';
|
2011-02-08 11:53:24 +00:00
|
|
|
$successmessage = '';
|
2010-01-20 16:55:27 +00:00
|
|
|
|
2013-04-27 07:06:19 +00:00
|
|
|
switch ($smessage) {
|
2018-11-30 12:45:17 +00:00
|
|
|
case 1:
|
2022-04-28 18:48:00 +00:00
|
|
|
$successmessage = lng('pwdreminder.success');
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 2:
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('error.login');
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 3:
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('error.login_blocked', [Settings::Get('login.deactivatetime')]);
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 4:
|
|
|
|
|
$cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = str_replace('%s', $cmail, lng('error.errorsendingmail'));
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 5:
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('error.user_banned');
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 6:
|
2022-04-28 18:48:00 +00:00
|
|
|
$successmessage = lng('pwdreminder.changed');
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 7:
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('pwdreminder.wrongcode');
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
|
|
|
|
case 8:
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('pwdreminder.notallowed');
|
2018-11-30 12:45:17 +00:00
|
|
|
break;
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
2010-01-26 09:45:57 +00:00
|
|
|
|
2022-02-15 19:37:27 +00:00
|
|
|
$update_in_progress = false;
|
2022-04-28 18:48:00 +00:00
|
|
|
if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) {
|
2022-02-15 19:37:27 +00:00
|
|
|
$update_in_progress = true;
|
2010-01-26 09:45:57 +00:00
|
|
|
}
|
2018-11-30 12:45:17 +00:00
|
|
|
|
2014-01-05 21:35:26 +00:00
|
|
|
// Pass the last used page if needed
|
|
|
|
|
$lastscript = "";
|
|
|
|
|
if (isset($_REQUEST['script']) && $_REQUEST['script'] != "") {
|
|
|
|
|
$lastscript = $_REQUEST['script'];
|
2022-01-18 08:29:13 +00:00
|
|
|
$lastscript = str_replace("..", "", $lastscript);
|
|
|
|
|
$lastscript = htmlspecialchars($lastscript, ENT_QUOTES);
|
2014-11-04 12:01:42 +00:00
|
|
|
|
2022-02-15 19:37:27 +00:00
|
|
|
if (!file_exists(__DIR__ . "/" . $lastscript)) {
|
2014-11-04 12:01:42 +00:00
|
|
|
$lastscript = "";
|
|
|
|
|
}
|
2014-01-05 21:35:26 +00:00
|
|
|
}
|
|
|
|
|
$lastqrystr = "";
|
|
|
|
|
if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
|
2016-06-03 14:20:34 +00:00
|
|
|
$lastqrystr = htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES);
|
2014-01-05 21:35:26 +00:00
|
|
|
}
|
2010-01-20 16:55:27 +00:00
|
|
|
|
2022-03-18 11:53:34 +00:00
|
|
|
UI::view('login/login.html.twig', [
|
2022-02-15 19:37:27 +00:00
|
|
|
'pagetitle' => 'Login',
|
2022-02-16 20:08:25 +00:00
|
|
|
'languages' => $languages,
|
2022-02-15 19:37:27 +00:00
|
|
|
'lastscript' => $lastscript,
|
|
|
|
|
'lastqrystr' => $lastqrystr,
|
|
|
|
|
'upd_in_progress' => $update_in_progress,
|
|
|
|
|
'message' => $message,
|
|
|
|
|
'successmsg' => $successmessage
|
|
|
|
|
]);
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($action == 'forgotpwd') {
|
2010-04-14 10:09:31 +00:00
|
|
|
$adminchecked = false;
|
2010-04-14 10:27:28 +00:00
|
|
|
$message = '';
|
|
|
|
|
|
2013-11-04 14:23:52 +00:00
|
|
|
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
2022-04-28 18:48:00 +00:00
|
|
|
$loginname = Validate::validate($_POST['loginname'], 'loginname');
|
|
|
|
|
$email = Validate::validateEmail($_POST['loginemail'], 'email');
|
2020-02-29 07:16:55 +00:00
|
|
|
$result_stmt = Database::prepare("SELECT `adminid`, `customerid`, `customernumber`, `firstname`, `name`, `company`, `email`, `loginname`, `def_language`, `deactivated` FROM `" . TABLE_PANEL_CUSTOMERS . "`
|
2013-11-04 14:23:52 +00:00
|
|
|
WHERE `loginname`= :loginname
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `email`= :email");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($result_stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname,
|
|
|
|
|
"email" => $email
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
|
|
|
|
|
if (Database::num_rows() == 0) {
|
2013-11-30 20:30:24 +00:00
|
|
|
$result_stmt = Database::prepare("SELECT `adminid`, `name`, `email`, `loginname`, `def_language`, `deactivated` FROM `" . TABLE_PANEL_ADMINS . "`
|
2013-11-04 14:23:52 +00:00
|
|
|
WHERE `loginname`= :loginname
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `email`= :email");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($result_stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"loginname" => $loginname,
|
|
|
|
|
"email" => $email
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2013-11-04 14:23:52 +00:00
|
|
|
if (Database::num_rows() > 0) {
|
2010-04-14 10:27:28 +00:00
|
|
|
$adminchecked = true;
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2013-11-04 14:23:52 +00:00
|
|
|
$result_stmt = null;
|
2010-04-14 10:27:28 +00:00
|
|
|
}
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
|
|
|
|
|
2013-11-04 14:23:52 +00:00
|
|
|
if ($result_stmt !== null) {
|
|
|
|
|
$user = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2011-04-16 11:32:11 +00:00
|
|
|
/* Check whether user is banned */
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($user['deactivated']) {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '8'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2011-04-16 11:32:11 +00:00
|
|
|
}
|
2010-04-14 10:27:28 +00:00
|
|
|
|
2013-12-15 11:24:32 +00:00
|
|
|
if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($user !== false) {
|
2013-11-30 20:30:24 +00:00
|
|
|
// build a activation code
|
|
|
|
|
$timestamp = time();
|
2022-04-28 18:48:00 +00:00
|
|
|
$first = substr(md5($user['loginname'] . $timestamp . PhpHelper::randomStr(16)), 0, 15);
|
|
|
|
|
$third = substr(md5($user['email'] . $timestamp . PhpHelper::randomStr(16)), -15);
|
2013-11-30 20:30:24 +00:00
|
|
|
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
// Drop all existing activation codes for this user
|
|
|
|
|
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
|
|
|
|
|
WHERE `userid` = :userid
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `admin` = :admin");
|
2022-04-28 18:48:00 +00:00
|
|
|
$params = [
|
2013-11-30 20:30:24 +00:00
|
|
|
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
|
|
|
|
|
"admin" => $adminchecked ? 1 : 0
|
2022-04-28 18:48:00 +00:00
|
|
|
];
|
2013-11-30 20:30:24 +00:00
|
|
|
Database::pexecute($stmt, $params);
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
// Add new activation code to database
|
|
|
|
|
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
|
|
|
|
|
(userid, admin, creation, activationcode)
|
2018-11-30 12:45:17 +00:00
|
|
|
VALUES (:userid, :admin, :creation, :activationcode)");
|
2022-04-28 18:48:00 +00:00
|
|
|
$params = [
|
2013-11-30 20:30:24 +00:00
|
|
|
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
|
|
|
|
|
"admin" => $adminchecked ? 1 : 0,
|
|
|
|
|
"creation" => $timestamp,
|
|
|
|
|
"activationcode" => $activationcode
|
2022-04-28 18:48:00 +00:00
|
|
|
];
|
2013-11-30 20:30:24 +00:00
|
|
|
Database::pexecute($stmt, $params);
|
2010-01-20 16:55:27 +00:00
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => 'password_reset'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
// Set together our activation link
|
2018-11-30 12:45:17 +00:00
|
|
|
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
|
2014-06-29 09:25:31 +00:00
|
|
|
// this can be a fixed value to avoid potential exploiting by modifying headers
|
|
|
|
|
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
|
2013-11-30 20:30:24 +00:00
|
|
|
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
|
2014-12-19 13:11:17 +00:00
|
|
|
// don't add :443 when https is used, as it is default (and just looks weird!)
|
|
|
|
|
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
|
|
|
|
|
$port = '';
|
|
|
|
|
}
|
2014-06-29 09:25:31 +00:00
|
|
|
// there can be only one script to handle this so we can use a fixed value here
|
|
|
|
|
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
|
|
|
|
|
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
|
2022-04-28 18:48:00 +00:00
|
|
|
$script = FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
|
2014-06-29 09:25:31 +00:00
|
|
|
}
|
2013-11-30 20:30:24 +00:00
|
|
|
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
$replace_arr = [
|
|
|
|
|
'SALUTATION' => User::getCorrectUserSalutation($user),
|
2020-02-29 07:16:55 +00:00
|
|
|
'NAME' => $user['name'],
|
|
|
|
|
'FIRSTNAME' => $user['firstname'] ?? "",
|
|
|
|
|
'COMPANY' => $user['company'] ?? "",
|
|
|
|
|
'CUSTOMER_NO' => $user['customernumber'] ?? 0,
|
2014-12-19 13:11:17 +00:00
|
|
|
'USERNAME' => $loginname,
|
2013-11-30 20:30:24 +00:00
|
|
|
'LINK' => $activationlink
|
2022-04-28 18:48:00 +00:00
|
|
|
];
|
2010-08-17 06:19:57 +00:00
|
|
|
|
2013-12-15 11:24:32 +00:00
|
|
|
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
|
2013-11-04 14:23:52 +00:00
|
|
|
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
|
|
|
|
|
WHERE `adminid`= :adminid
|
|
|
|
|
AND `language`= :lang
|
2013-11-18 12:02:59 +00:00
|
|
|
AND `templategroup`=\'mails\'
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `varname`=\'password_reset_subject\'');
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($result_stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"adminid" => $user['adminid'],
|
|
|
|
|
"lang" => $def_language
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
2022-04-28 18:48:00 +00:00
|
|
|
$mail_subject = html_entity_decode(PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : lng('mails.password_reset.subject')), $replace_arr));
|
2013-11-18 12:02:59 +00:00
|
|
|
|
2013-11-04 14:23:52 +00:00
|
|
|
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
|
|
|
|
|
WHERE `adminid`= :adminid
|
|
|
|
|
AND `language`= :lang
|
|
|
|
|
AND `templategroup`=\'mails\'
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `varname`=\'password_reset_mailbody\'');
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($result_stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"adminid" => $user['adminid'],
|
|
|
|
|
"lang" => $def_language
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-04 14:23:52 +00:00
|
|
|
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
2022-04-28 18:48:00 +00:00
|
|
|
$mail_body = html_entity_decode(PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : lng('mails.password_reset.mailbody')), $replace_arr));
|
2013-12-01 10:06:33 +00:00
|
|
|
|
2010-04-14 10:27:28 +00:00
|
|
|
$_mailerror = false;
|
2018-11-30 12:45:17 +00:00
|
|
|
$mailerr_msg = "";
|
2010-04-14 10:27:28 +00:00
|
|
|
try {
|
2010-08-17 06:19:57 +00:00
|
|
|
$mail->Subject = $mail_subject;
|
|
|
|
|
$mail->AltBody = $mail_body;
|
2010-12-05 17:15:24 +00:00
|
|
|
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
|
2022-04-28 18:48:00 +00:00
|
|
|
$mail->AddAddress($user['email'], User::getCorrectUserSalutation($user));
|
2010-04-14 10:27:28 +00:00
|
|
|
$mail->Send();
|
2018-12-18 12:45:05 +00:00
|
|
|
} catch (\PHPMailer\PHPMailer\Exception $e) {
|
2010-04-14 10:27:28 +00:00
|
|
|
$mailerr_msg = $e->errorMessage();
|
|
|
|
|
$_mailerror = true;
|
|
|
|
|
} catch (Exception $e) {
|
|
|
|
|
$mailerr_msg = $e->getMessage();
|
|
|
|
|
$_mailerror = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($_mailerror) {
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => 'password_reset'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
|
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '4',
|
|
|
|
|
'customermail' => $user['email']
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2010-04-14 10:27:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$mail->ClearAddresses();
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
'showmessage' => '1'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
exit();
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => 'password_reset'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
|
|
|
|
|
$message = lng('login.combination_not_found');
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
|
|
|
|
|
2010-04-14 10:27:28 +00:00
|
|
|
unset($user);
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('login.usernotfound');
|
2011-02-08 11:53:24 +00:00
|
|
|
}
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
2010-04-14 10:27:28 +00:00
|
|
|
|
2013-04-27 07:06:19 +00:00
|
|
|
if ($adminchecked) {
|
2013-12-15 11:24:32 +00:00
|
|
|
if (Settings::Get('panel.allow_preset_admin') != '1') {
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('pwdreminder.notallowed');
|
2018-11-30 12:45:17 +00:00
|
|
|
unset($adminchecked);
|
2010-02-25 19:06:02 +00:00
|
|
|
}
|
2013-04-27 07:06:19 +00:00
|
|
|
} else {
|
2013-12-15 11:24:32 +00:00
|
|
|
if (Settings::Get('panel.allow_preset') != '1') {
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('pwdreminder.notallowed');
|
2010-03-01 07:42:07 +00:00
|
|
|
}
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
|
|
|
|
|
2022-03-18 11:53:34 +00:00
|
|
|
UI::view('login/fpwd.html.twig', [
|
2022-04-28 18:48:00 +00:00
|
|
|
'pagetitle' => lng('login.presend'),
|
2022-02-16 20:08:25 +00:00
|
|
|
'action' => $action,
|
|
|
|
|
'message' => $message,
|
|
|
|
|
]);
|
2010-01-20 16:55:27 +00:00
|
|
|
}
|
2013-11-30 20:30:24 +00:00
|
|
|
|
|
|
|
|
if ($action == 'resetpwd') {
|
|
|
|
|
$message = '';
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-12-01 09:34:31 +00:00
|
|
|
// Remove old activation codes
|
|
|
|
|
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE creation < :oldest");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"oldest" => time() - 86400
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
if (isset($_GET['resetcode']) && strlen($_GET['resetcode']) == 50) {
|
|
|
|
|
// Check if activation code is valid
|
|
|
|
|
$activationcode = $_GET['resetcode'];
|
|
|
|
|
$timestamp = substr($activationcode, 15, 10);
|
|
|
|
|
$third = substr($activationcode, 25, 15);
|
|
|
|
|
$check = substr($activationcode, 40, 10);
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
if (substr(md5($third . $timestamp), 0, 10) == $check && $timestamp >= time() - 86400) {
|
|
|
|
|
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
|
|
|
|
$stmt = Database::prepare("SELECT `userid`, `admin` FROM `" . TABLE_PANEL_ACTIVATION . "`
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `activationcode` = :activationcode");
|
2022-04-28 18:48:00 +00:00
|
|
|
$result = Database::pexecute_first($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"activationcode" => $activationcode
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
if ($result !== false) {
|
2020-02-08 09:03:41 +00:00
|
|
|
try {
|
2022-04-28 18:48:00 +00:00
|
|
|
$new_password = Crypt::validatePassword($_POST['new_password'], true);
|
|
|
|
|
$new_password_confirm = Crypt::validatePassword($_POST['new_password_confirm'], true);
|
2020-02-08 09:03:41 +00:00
|
|
|
} catch (Exception $e) {
|
|
|
|
|
$message = $e->getMessage();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (empty($message) && (empty($new_password) || $new_password != $new_password_confirm)) {
|
2022-04-28 18:48:00 +00:00
|
|
|
$message = lng('error.newpasswordconfirmerror');
|
2013-11-30 20:30:24 +00:00
|
|
|
}
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2020-02-08 09:03:41 +00:00
|
|
|
if (empty($message)) {
|
2013-11-30 20:30:24 +00:00
|
|
|
// Update user password
|
|
|
|
|
if ($result['admin'] == 1) {
|
|
|
|
|
$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_ADMINS . "`
|
|
|
|
|
SET `password` = :newpassword
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `adminid` = :userid");
|
2013-11-30 20:30:24 +00:00
|
|
|
} else {
|
|
|
|
|
$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "`
|
|
|
|
|
SET `password` = :newpassword
|
2018-11-30 12:45:17 +00:00
|
|
|
WHERE `customerid` = :userid");
|
2013-11-30 20:30:24 +00:00
|
|
|
}
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
|
|
|
|
"newpassword" => Crypt::makeCryptPassword($new_password),
|
2018-11-30 12:45:17 +00:00
|
|
|
"userid" => $result['userid']
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
$rstlog = FroxlorLogger::getInstanceOf([
|
2018-11-30 12:45:17 +00:00
|
|
|
'loginname' => 'password_reset'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_NOTICE, "changed password using password reset.");
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2013-11-30 20:30:24 +00:00
|
|
|
// Remove activation code from DB
|
|
|
|
|
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
|
|
|
|
|
WHERE `activationcode` = :activationcode
|
2018-11-30 12:45:17 +00:00
|
|
|
AND `userid` = :userid");
|
2022-04-28 18:48:00 +00:00
|
|
|
Database::pexecute($stmt, [
|
2018-11-30 12:45:17 +00:00
|
|
|
"activationcode" => $activationcode,
|
|
|
|
|
"userid" => $result['userid']
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
|
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
"showmessage" => '6'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-30 20:30:24 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
"showmessage" => '7'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-30 20:30:24 +00:00
|
|
|
}
|
|
|
|
|
}
|
2013-12-15 11:24:32 +00:00
|
|
|
|
2022-03-18 11:53:34 +00:00
|
|
|
UI::view('login/rpwd.html.twig', [
|
2022-04-28 18:48:00 +00:00
|
|
|
'pagetitle' => lng('pwdreminder.choosenew'),
|
2022-03-18 10:41:07 +00:00
|
|
|
'formaction' => 'index.php?action=resetpwd&resetcode=' . $activationcode,
|
|
|
|
|
'message' => $message,
|
|
|
|
|
]);
|
2013-11-30 20:30:24 +00:00
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
"showmessage" => '7'
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2013-11-30 20:30:24 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('index.php');
|
2013-11-30 20:30:24 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-11-30 12:45:17 +00:00
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
function finishLogin($userinfo)
|
2018-11-30 12:45:17 +00:00
|
|
|
{
|
2022-03-14 21:51:59 +00:00
|
|
|
global $languages;
|
2018-11-30 12:45:17 +00:00
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
if (isset($userinfo['userid']) && $userinfo['userid'] != '') {
|
2022-04-28 18:48:00 +00:00
|
|
|
CurrentUser::setData($userinfo);
|
2018-11-30 12:45:17 +00:00
|
|
|
|
|
|
|
|
if (isset($_POST['language'])) {
|
2022-04-28 18:48:00 +00:00
|
|
|
$language = Validate::validate($_POST['language'], 'language');
|
2018-11-30 12:45:17 +00:00
|
|
|
if ($language == 'profile') {
|
2018-12-22 07:15:31 +00:00
|
|
|
$language = $userinfo['def_language'];
|
2022-02-15 19:37:27 +00:00
|
|
|
} elseif (!isset($languages[$language])) {
|
2018-11-30 12:45:17 +00:00
|
|
|
$language = Settings::Get('panel.standardlanguage');
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
$language = Settings::Get('panel.standardlanguage');
|
|
|
|
|
}
|
2022-04-28 18:48:00 +00:00
|
|
|
CurrentUser::setField('language', $language);
|
2018-11-30 12:45:17 +00:00
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
if (isset($userinfo['theme']) && $userinfo['theme'] != '') {
|
|
|
|
|
$theme = $userinfo['theme'];
|
2018-11-30 12:45:17 +00:00
|
|
|
} else {
|
|
|
|
|
$theme = Settings::Get('panel.default_theme');
|
2022-04-28 18:48:00 +00:00
|
|
|
CurrentUser::setField('theme', $theme);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-28 18:48:00 +00:00
|
|
|
$qryparams = [];
|
2018-11-30 12:45:17 +00:00
|
|
|
if (isset($_POST['qrystr']) && $_POST['qrystr'] != "") {
|
|
|
|
|
parse_str(urldecode($_POST['qrystr']), $qryparams);
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-22 07:15:31 +00:00
|
|
|
if ($userinfo['adminsession'] == '1') {
|
2022-04-28 18:48:00 +00:00
|
|
|
if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) {
|
|
|
|
|
Response::redirectTo('admin_updates.php?page=overview');
|
2018-11-30 12:45:17 +00:00
|
|
|
} else {
|
|
|
|
|
if (isset($_POST['script']) && $_POST['script'] != "") {
|
|
|
|
|
if (preg_match("/customer\_/", $_POST['script']) === 1) {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('admin_customers.php', [
|
2018-11-30 12:45:17 +00:00
|
|
|
"page" => "customers"
|
2022-04-28 18:48:00 +00:00
|
|
|
]);
|
2018-11-30 12:45:17 +00:00
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo($_POST['script'], $qryparams);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('admin_index.php', $qryparams);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (isset($_POST['script']) && $_POST['script'] != "") {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo($_POST['script'], $qryparams);
|
2018-11-30 12:45:17 +00:00
|
|
|
} else {
|
2022-04-28 18:48:00 +00:00
|
|
|
Response::redirectTo('customer_index.php', $qryparams);
|
2018-11-30 12:45:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
2018-12-20 11:38:18 +00:00
|
|
|
}
|
