index.php 9.66 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
<?php

/*
Copyright (c) 2005, Till Brehm, projektfarm Gmbh
All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice,
      this list of conditions and the following disclaimer in the documentation
      and/or other materials provided with the distribution.
    * Neither the name of ISPConfig nor the names of its contributors
      may be used to endorse or promote products derived from this software without
      specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

//

class login_index {

	public $status = '';
	private $target = '';
	private $app;
	private $conf;
39

40
	public function render() {
41

42
		global $app, $conf;
43

44 45 46 47 48 49
		/* Redirect to page, if login form was NOT send */
		if(count($_POST) == 0) {
			if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) {
				die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']);
			}
		}
50

51 52
		$app->uses('tpl');
		$app->tpl->newTemplate('form.tpl.htm');
53

54
	    $error = '';
55

56
		$app->load_language_file('web/login/lib/lang/'.$conf["language"].'.lng');
57

58 59
		// Maintenance mode
		$maintenance_mode = false;
60
		$maintenance_mode_error = '';
61 62 63 64 65 66
		$app->uses('ini_parser,getconf');
		$server_config_array = $app->getconf->get_global_config('misc');
		if($server_config_array['maintenance_mode'] == 'y'){
			$maintenance_mode = true;
			$maintenance_mode_error = $app->lng('error_maintenance_mode');
		}
67

68 69
		//* Login Form was send
		if(count($_POST) > 0) {
70

71
			//** Check variables
72
			if(!preg_match("/^[\w\.\-\_\@]{1,128}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
73
			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
74

75 76 77 78 79
	        //** iporting variables
	        $ip 	  = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
	        $username = $app->db->quote($_POST['username']);
	        $passwort = $app->db->quote($_POST['passwort']);
			$loginAs  = false;
80
			$time = time();
81 82
			$logging = 'Failed login for user '. $username .' from '. long2ip($ip) .' at '. date('Y-m-d H:i:s');

83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114
	        if($username != '' && $passwort != '' && $error == '') {
				/*
				 *  Check, if there is a "login as" instead of a "normal" login
				 */
				if (isset($_SESSION['s']['user']) && $_SESSION['s']['user']['active'] == 1){
					/*
					 * only the admin can "login as" so if the user is NOT a admin, we
					 * open the startpage (after killing the old session), so the user
					 * is logout and has to start again!
					 */
					if ($_SESSION['s']['user']['typ'] != 'admin') {
						/*
						 * The actual user is NOT a admin, but maybe the admin
						 * has logged in as "normal" user bevore...
						 */
						if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin')){
							/* The "old" user is admin, so everything is ok */
						}
						else {
							die("You don't have the right to 'login as'!");
						}
					}
					$loginAs = true;
				}
				else {
					/* normal login */
					$loginAs = false;
				}

	        	//* Check if there are already wrong logins
	        	$sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
	        	$alreadyfailed = $app->db->queryOneRecord($sql);
115
	        	//* too many failedlogins
116 117 118
	        	if($alreadyfailed['times'] > 5) {
	        		$error = $app->lng('error_user_too_many_logins');
	        	} else {
119

120 121 122 123
					if ($loginAs){
			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
						$user = $app->db->queryOneRecord($sql);
					} else {
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
						if(stristr($username,'@')) {
							//* mailuser login
							$sql = "SELECT * FROM mail_user WHERE login = '$username'";
							$mailuser = $app->db->queryOneRecord($sql);
							$user = false;
							if($mailuser) {
								$saved_password = stripslashes($mailuser['password']);
								$salt = '$1$'.substr($saved_password,3,8).'$';
								//* Check if mailuser password is correct
								if(crypt(stripslashes($passwort),$salt) == $saved_password) {
									//* we build a fake user here which has access to the mailuser module only and userid 0
									$user = array();
									$user['userid'] = 0;
									$user['active'] = 1;
									$user['startmodule'] = 'mailuser';
									$user['modules'] = 'mailuser';
									$user['typ'] = 'user';
									$user['email'] = $mailuser['email'];
									$user['username'] = $username;
									$user['language'] = $conf['language'];
									$user['theme'] = $conf['theme'];
									$user['mailuser_id'] = $mailuser['mailuser_id'];
									$user['default_group'] = $mailuser['sys_groupid'];
								}
							}
149

150 151 152 153
						} else {
							//* normal cp user login
							$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
							$user = $app->db->queryOneRecord($sql);
154

155 156
							if($user) {
								$saved_password = stripslashes($user['passwort']);
157

158 159 160
								if(substr($saved_password,0,3) == '$1$') {
									//* The password is crypt-md5 encrypted
									$salt = '$1$'.substr($saved_password,3,8).'$';
161

162 163 164 165
									if(crypt(stripslashes($passwort),$salt) != $saved_password) {
										$user = false;
									}
								} else {
166

167 168 169 170
									//* The password is md5 encrypted
									if(md5($passwort) != $saved_password) {
										$user = false;
									}
171
								}
172 173
							} else {
								$user = false;
174 175 176
							}
						}
					}
177

178 179
		            if($user) {
		                if($user['active'] == 1) {
180 181 182 183 184 185
							// Maintenance mode - allow logins only when maintenance mode is off or if the user is admin
							if(!$maintenance_mode || $user['typ'] == 'admin'){
								// User login right, so attempts can be deleted
								$sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'";
								$app->db->query($sql);
								$user = $app->db->toLower($user);
186

187 188 189 190 191 192 193
								if ($loginAs) $oldSession = $_SESSION['s'];
								$_SESSION = array();
								if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
								$_SESSION['s']['user'] = $user;
								$_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default';
								$_SESSION['s']['language'] = $user['language'];
								$_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme'];
194

195 196 197 198
								if(is_file($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) {
									include_once($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php');
									$_SESSION['s']['module'] = $module;
								}
199

200
								$app->plugin->raiseEvent('login',$this);
201

202 203 204 205 206
								/*
								* We need LOGIN_REDIRECT instead of HEADER_REDIRECT to load the
								* new theme, if the logged-in user has another
								*/
								echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];
207

208 209
								exit;
							}
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226
		             	} else {
		                	$error = $app->lng('error_user_blocked');
		                }
		        	} else {
		        		if(!$alreadyfailed['times'] )
		        		{
		        			//* user login the first time wrong
		        			$sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('{$ip}', 1, NOW())";
		        			$app->db->query($sql);
		        		} elseif($alreadyfailed['times'] >= 1) {
		        			//* update times wrong
		        			$sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `login_time` >= '{$time}' LIMIT 1";
		        			$app->db->query($sql);
		        		}
		            	//* Incorrect login - Username and password incorrect
		                $error = $app->lng('error_user_password_incorrect');
		                if($app->db->errorMessage != '') $error .= '<br />'.$app->db->errorMessage != '';
227 228 229 230 231

						$app->plugin->raiseEvent('login_failed',$this);

						//* write to log (e.g. for fail2ban)
						exec('echo '. $logging .' >> /tmp/login.log');
232 233 234 235 236
		           	}
	        	}
	      	} else {
	       		//* Username or password empty
	            if($error == '') $error = $app->lng('error_user_password_empty');
237

238
				$app->plugin->raiseEvent('login_empty',$this);
239 240
	        }
		}
241

242 243
		// Maintenance mode - show message when people try to log in and also when people are forcedly logged off
		if($maintenance_mode_error != '') $error = '<strong>'.$maintenance_mode_error.'</strong><br><br>'.$error;
244 245 246
		if($error != ''){
	  		$error = '<div class="box box_error"><h1>Error</h1>'.$error.'</div>';
		}
247

248
		$app->tpl->setVar('error', $error);
249
        $app->tpl->setVar('pw_lost_txt', $app->lng('pw_lost_txt'));
250 251 252 253 254
		$app->tpl->setVar('username_txt', $app->lng('username_txt'));
		$app->tpl->setVar('password_txt', $app->lng('password_txt'));
		$app->tpl->setVar('login_button_txt', $app->lng('login_button_txt'));
		$app->tpl->setInclude('content_tpl','login/templates/index.htm');
		$app->tpl_defaults();
255

256
		$this->status = 'OK';
257

258
		return $app->tpl->grab();
259

260 261 262 263
	} // << end function

} // << end class

tbrehm's avatar
tbrehm committed
264
?>