[irc/unrealircd/unrealircd-webpanel.git] / plugins / sql_auth / SQL / user.php

<?php

define('SQLPERM_MANAGE_USERS', 'manage_users'); /** Relating to Panel Access: Can add, delete and edit users. Big boss. */
define('SQLPERM_BAN_USERS', 'ban_users'); /** Relating to Users tab: Can ban users connected to IRC */
define('SQLPERM_EDIT_USER', 'edit_user'); /** Change properties of a user, i.e. vhost, modes and more */
define('SQLPERM_EDIT_CHANNEL', 'edit_channel'); /** Change properties of a channel, i.e. topic, modes and more */
define('SQLPERM_EDIT_CHANNEL_USER', 'edit_channel_user'); /** Change properties of a user on a channel i.e give/remove voice or ops and more */
define('SQLPERM_SERVER_BAN_ADD', 'tkl_add'); /** Can add manual bans, including G-Lines, Z-Lines and more */
define('SQLPERM_SERVER_BAN_DEL', 'tkl_del'); /** Can remove set bans, including G-Lines, Z-Lines and more */
define('SQLPERM_NAME_BAN_ADD', 'nb_add'); /** Can add Name Bans (Q-Lines) */
define('SQLPERM_NAME_BAN_DEL', 'nb_del'); /** Can delete Name Bans (Q-Lines) */
define('SQLPERM_BAN_EXCEPTION_ADD', 'be_add'); /** Can add ban exceptions (E-Lines) */
define('SQLPERM_BAN_EXCEPTION_DEL', 'be_del'); /** Can delete ban exceptions (E-Lines) */
define('SQLPERM_SPAMFILTER_ADD', 'sf_add'); /** Can add spamfilter entries */
define('SQLPERM_SPAMFILTER_DEL', 'sf_del'); /** Can delete spamfilter entries */
/**
 * SQLA_User
 * This is the User class for the SQL_Auth plugin
 */
class SQLA_User
{
	public $id = NULL;
	public $username = NULL;
	private $passhash = NULL;
	public $first_name = NULL;
	public $last_name = NULL;
	public $created = NULL;
	public $user_meta = [];
	public $bio = NULL;

	/**
	 * Find a user in the database by name or ID
	 * @param string $name
	 * @param mixed $id
	 */
	function __construct(string $name = NULL, int $id = NULL)
	{
		$conn = sqlnew();

		if ($id)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE user_id = :id LIMIT 1");
			$prep->execute(["id" => strtolower($id)]);
		}
		elseif ($name)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE LOWER(user_name) = :name LIMIT 1");
			$prep->execute(["name" => strtolower($name)]);
		}
		$data = NULL;
		if ($prep)
			$data = $prep->fetchAll();
		if (isset($data[0]) && $data = $data[0])
		{
			$this->id = $data['user_id'];
			$this->username = $data['user_name'];
			$this->passhash = $data['user_pass'];
			$this->first_name = $data['user_fname'] ?? NULL;
			$this->last_name = $data['user_lname'] ?? NULL;
			$this->created = $data['created'];
			$this->bio = $data['user_bio'];
			$this->user_meta = (new SQLA_User_Meta($this->id))->list;
		}
	}

	/**
	 * Verify a user's password
	 * @param string $input
	 * @return bool
	 */
	function password_verify(string $input) : bool
	{
		if (password_verify($input, $this->passhash))
			return true;
		return false;
	}

	/**
	 * Add user meta data
	 * @param string $key
	 * @param string $value
	 * @return bool
	 */
	function add_meta(string $key, string $value)
	{
		if (!$key || !$value)
			return false;

		$meta = [
			"id" => $this->id,
			"key" => $key,
			"value" => $value
		];
		
		$conn = sqlnew();

		/* check if it exists first, update it if it does */
		$query = "SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
		$stmt = $conn->prepare($query);
		$stmt->execute(["id" => $this->id, "key" => $key]);
		if ($stmt->rowCount()) // it exists, update instead of insert
		{
			$query = "UPDATE " . SQL_PREFIX . "user_meta SET meta_value = :value WHERE user_id = :id AND meta_key = :key";
			$stmt = $conn->prepare($query);
			$stmt->execute($meta);
			if ($stmt->rowCount())
				return true;
			return false;
		}

		else
		{
			$query = "INSERT INTO " . SQL_PREFIX . "user_meta (user_id, meta_key, meta_value) VALUES (:id, :key, :value)";
			$stmt = $conn->prepare($query);
			$stmt->execute($meta);
			if ($stmt->rowCount())
				return true;
			return false;
		}
	}

	/**
	 * Delete user meta data by key
	 * @param string $key
	 * @return bool
	 */
	function delete_meta(string $key)
	{
		if (!$key )
			return false;

		$meta = [
			"id" => $this->id,
			"key" => $key,
		];
		
		$conn = sqlnew();
		$query = "DELETE FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
		$stmt = $conn->prepare($query);
		$stmt->execute($meta);
		if ($stmt->rowCount())
			return true;
		return false;

	}

	/** PERMISSIONS */

	function add_permission($permission)
	{
		$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
		if (!in_array($permission,$meta))
			$meta[] = $permission;
		$this->add_meta("permissions", serialize($meta)); // updet de dettabess
		$this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
	}
	function delete_permission($permission)
	{
		$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
		foreach($meta as $key => $value)
		{
			if (!strcmp($permission, $value))
				unset($meta[$key]);
		}
		$this->add_meta("permissions", serialize($meta));
		$this->user_meta['permissions'] = serialize($meta);
	}

}


/**
 * This class looks up and returns any user meta.
 * This is used by SQLA_User, so you won't need to 
 * call it separately from SQLA_User.
 */
class SQLA_User_Meta
{
	public $list = [];
	function __construct($id)
	{
		$conn = sqlnew();
		if ($id)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id");
			$prep->execute(["id" => $id]);
		}
		foreach ($prep->fetchAll() as $row)
		{
			$this->list[$row['meta_key']] = $row['meta_value'];
		}
	}
}

/**
 * Array of user
 * 
 * Required:
 * user_name
 * user_pass
 * 
 * Optional:
 * user_fname
 * user_lname
 * 
 * @param array $user
 * @throws Exception
 * @return bool
 */
function create_new_user(array $user) : bool
{
	if (!isset($user['user_name']) || !isset($user['user_pass']))
		throw new Exception("Attempted to add user without specifying user_name or user_pass");

	$username = $user['user_name'];
	$password = password_hash($user['user_pass'], PASSWORD_ARGON2ID);
	$first_name = (isset($user['fname'])) ? $user['fname'] : NULL;
	$last_name = (isset($user['lname'])) ? $user['lname'] : NULL;
	$user_bio = (isset($user['user_bio'])) ? $user['user_bio'] : NULL;
	

	$conn = sqlnew();
	$prep = $conn->prepare("INSERT INTO " . SQL_PREFIX . "users (user_name, user_pass, user_fname, user_lname, user_bio, created) VALUES (:name, :pass, :fname, :lname, :user_bio, :created)");
	$prep->execute(["name" => $username, "pass" => $password, "fname" => $first_name, "lname" => $last_name, "user_bio" => $user_bio, "created" => date("Y-m-d H:i:s")]);
	
	return true;
}

/**
 * Gets the user object for the current session
 * @return SQLA_User|bool
 */
function unreal_get_current_user() : SQLA_User|bool
{
	if (!isset($_SESSION))
	{
		session_set_cookie_params(3600);
		session_start();
	}
	if (isset($_SESSION['id']))
	{
		$user = new SQLA_User(NULL, $_SESSION['id']);
		if ($user->id)
			return $user;
	}
	return false;
}

/**
 * Checks if a user can do something
 * @param string $permission
 * @return bool
 */
function current_user_can($permission) : bool
{
	$user = unreal_get_current_user();
	if (!$user)
		return false;

	if (isset($user->user_meta['permissions']))
	{
		$perms = unserialize($user->user_meta['permissions']);
		if (in_array($permission, $perms))
		{
			return true;
		}
	}
	return false;
}

/**
 * Delete a user and related meta
 * @param int $id The ID of the user in the SQL database.
 * @param array $info This will fill with a response.
 * @return int
 * 
 * Return values:
 *  1   The user was successfully deleted.
 *  0   The user was not found
 *  -1  The admin does not have permission to delete users [TODO]
 */
function delete_user(int $id, &$info = []) : int
{
	$user = new SQLA_User(NULL, $id);
	if (!$user->id) {
		$info[] = "Could not find user";
		return 0;
	}
	$query = "DELETE FROM " . SQL_PREFIX . "users WHERE user_id = :id";
	$conn = sqlnew();
	$stmt = $conn->prepare($query);
	$stmt->execute(["id" => $user->id]);
	$deleted = $stmt->rowCount();
	if ($user->id)
	{
		$info[] = "Successfully deleted user \"$user->username\"";
		return 1;
	}
	$info[] = "Unknown error";
	return 0;
}
Commit	Line	Data
961b0aa7 VP	1	<?php
961b0aa7 VP	2
d72d1923 VP	3	define('SQLPERM_MANAGE_USERS', 'manage_users'); /** Relating to Panel Access: Can add, delete and edit users. Big boss. */
	4	define('SQLPERM_BAN_USERS', 'ban_users'); /** Relating to Users tab: Can ban users connected to IRC */
	5	define('SQLPERM_EDIT_USER', 'edit_user'); /** Change properties of a user, i.e. vhost, modes and more */
	6	define('SQLPERM_EDIT_CHANNEL', 'edit_channel'); /** Change properties of a channel, i.e. topic, modes and more */
	7	define('SQLPERM_EDIT_CHANNEL_USER', 'edit_channel_user'); /** Change properties of a user on a channel i.e give/remove voice or ops and more */
	8	define('SQLPERM_SERVER_BAN_ADD', 'tkl_add'); /** Can add manual bans, including G-Lines, Z-Lines and more */
	9	define('SQLPERM_SERVER_BAN_DEL', 'tkl_del'); /** Can remove set bans, including G-Lines, Z-Lines and more */
	10	define('SQLPERM_NAME_BAN_ADD', 'nb_add'); /** Can add Name Bans (Q-Lines) */
	11	define('SQLPERM_NAME_BAN_DEL', 'nb_del'); /** Can delete Name Bans (Q-Lines) */
	12	define('SQLPERM_BAN_EXCEPTION_ADD', 'be_add'); /** Can add ban exceptions (E-Lines) */
	13	define('SQLPERM_BAN_EXCEPTION_DEL', 'be_del'); /** Can delete ban exceptions (E-Lines) */
	14	define('SQLPERM_SPAMFILTER_ADD', 'sf_add'); /** Can add spamfilter entries */
	15	define('SQLPERM_SPAMFILTER_DEL', 'sf_del'); /** Can delete spamfilter entries */
6b3d3f83 VP	16	/**
	17	* SQLA_User
	18	* This is the User class for the SQL_Auth plugin
	19	*/
961b0aa7 VP	20	class SQLA_User
961b0aa7 VP	21	{
d72d1923 VP	22	public $id = NULL;
	23	public $username = NULL;
	24	private $passhash = NULL;
	25	public $first_name = NULL;
	26	public $last_name = NULL;
	27	public $created = NULL;
	28	public $user_meta = [];
	29	public $bio = NULL;
	30
	31	/**
	32	* Find a user in the database by name or ID
	33	* @param string $name
	34	* @param mixed $id
	35	*/
	36	function __construct(string $name = NULL, int $id = NULL)
	37	{
	38	$conn = sqlnew();
	39
	40	if ($id)
	41	{
	42	$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE user_id = :id LIMIT 1");
	43	$prep->execute(["id" => strtolower($id)]);
	44	}
	45	elseif ($name)
	46	{
	47	$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE LOWER(user_name) = :name LIMIT 1");
	48	$prep->execute(["name" => strtolower($name)]);
	49	}
	50	$data = NULL;
	51	if ($prep)
	52	$data = $prep->fetchAll();
	53	if (isset($data[0]) && $data = $data[0])
	54	{
	55	$this->id = $data['user_id'];
	56	$this->username = $data['user_name'];
	57	$this->passhash = $data['user_pass'];
	58	$this->first_name = $data['user_fname'] ?? NULL;
	59	$this->last_name = $data['user_lname'] ?? NULL;
	60	$this->created = $data['created'];
	61	$this->bio = $data['user_bio'];
	62	$this->user_meta = (new SQLA_User_Meta($this->id))->list;
	63	}
	64	}
	65
	66	/**
	67	* Verify a user's password
	68	* @param string $input
	69	* @return bool
	70	*/
	71	function password_verify(string $input) : bool
	72	{
	73	if (password_verify($input, $this->passhash))
	74	return true;
	75	return false;
	76	}
	77
	78	/**
	79	* Add user meta data
	80	* @param string $key
	81	* @param string $value
	82	* @return bool
	83	*/
	84	function add_meta(string $key, string $value)
	85	{
86	if (!$key \|\| !$value)
87	return false;
88
89	$meta = [
90	"id" => $this->id,
91	"key" => $key,
92	"value" => $value
93	];
94
95	$conn = sqlnew();
96
97	/* check if it exists first, update it if it does */
98	$query = "SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
99	$stmt = $conn->prepare($query);
100	$stmt->execute(["id" => $this->id, "key" => $key]);
101	if ($stmt->rowCount()) // it exists, update instead of insert
102	{
103	$query = "UPDATE " . SQL_PREFIX . "user_meta SET meta_value = :value WHERE user_id = :id AND meta_key = :key";
104	$stmt = $conn->prepare($query);
105	$stmt->execute($meta);
106	if ($stmt->rowCount())
107	return true;
108	return false;
109	}
110
111	else
112	{
113	$query = "INSERT INTO " . SQL_PREFIX . "user_meta (user_id, meta_key, meta_value) VALUES (:id, :key, :value)";
114	$stmt = $conn->prepare($query);
115	$stmt->execute($meta);
116	if ($stmt->rowCount())
117	return true;
118	return false;
119	}
120	}
121
122	/**
123	* Delete user meta data by key
124	* @param string $key
125	* @return bool
126	*/
127	function delete_meta(string $key)
128	{
129	if (!$key )
130	return false;
131
132	$meta = [
133	"id" => $this->id,
134	"key" => $key,
135	];
136
137	$conn = sqlnew();
138	$query = "DELETE FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
139	$stmt = $conn->prepare($query);
140	$stmt->execute($meta);
141	if ($stmt->rowCount())
142	return true;
143	return false;
144
145	}
146
147	/** PERMISSIONS */
148
149	function add_permission($permission)
150	{
151	$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
152	if (!in_array($permission,$meta))
153	$meta[] = $permission;
154	$this->add_meta("permissions", serialize($meta)); // updet de dettabess
155	$this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
156	}
157	function delete_permission($permission)
158	{
159	$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
160	foreach($meta as $key => $value)
161	{
162	if (!strcmp($permission, $value))
163	unset($meta[$key]);
164	}
165	$this->add_meta("permissions", serialize($meta));
166	$this->user_meta['permissions'] = serialize($meta);
167	}
168
4d634d0a	169	}
a3151e7c	170
6b3d3f83 VP	171
	172	/**
	173	* This class looks up and returns any user meta.
	174	* This is used by SQLA_User, so you won't need to
	175	* call it separately from SQLA_User.
	176	*/
4d634d0a VP	177	class SQLA_User_Meta
4d634d0a VP	178	{
d72d1923 VP	179	public $list = [];
	180	function __construct($id)
	181	{
	182	$conn = sqlnew();
	183	if ($id)
	184	{
	185	$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id");
	186	$prep->execute(["id" => $id]);
	187	}
	188	foreach ($prep->fetchAll() as $row)
	189	{
	190	$this->list[$row['meta_key']] = $row['meta_value'];
	191	}
	192	}
a3151e7c VP	193	}
a3151e7c VP	194
4225314c VP	195	/**
	196	* Array of user
	197	*
	198	* Required:
	199	* user_name
	200	* user_pass
	201	*
	202	* Optional:
	203	* user_fname
	204	* user_lname
	205	*
	206	* @param array $user
	207	* @throws Exception
	208	* @return bool
	209	*/
4d634d0a VP	210	function create_new_user(array $user) : bool
4d634d0a VP	211	{
d72d1923 VP	212	if (!isset($user['user_name']) \|\| !isset($user['user_pass']))
	213	throw new Exception("Attempted to add user without specifying user_name or user_pass");
	214
	215	$username = $user['user_name'];
	216	$password = password_hash($user['user_pass'], PASSWORD_ARGON2ID);
	217	$first_name = (isset($user['fname'])) ? $user['fname'] : NULL;
	218	$last_name = (isset($user['lname'])) ? $user['lname'] : NULL;
	219	$user_bio = (isset($user['user_bio'])) ? $user['user_bio'] : NULL;
	220
	221
	222	$conn = sqlnew();
	223	$prep = $conn->prepare("INSERT INTO " . SQL_PREFIX . "users (user_name, user_pass, user_fname, user_lname, user_bio, created) VALUES (:name, :pass, :fname, :lname, :user_bio, :created)");
	224	$prep->execute(["name" => $username, "pass" => $password, "fname" => $first_name, "lname" => $last_name, "user_bio" => $user_bio, "created" => date("Y-m-d H:i:s")]);
	225
	226	return true;
4d634d0a VP	227	}
	228
	229	/**
	230	* Gets the user object for the current session
	231	* @return SQLA_User\|bool
	232	*/
	233	function unreal_get_current_user() : SQLA_User\|bool
a3151e7c	234	{
06369f59 VP	235	if (!isset($_SESSION))
	236	{
	237	session_set_cookie_params(3600);
	238	session_start();
	239	}
d72d1923 VP	240	if (isset($_SESSION['id']))
	241	{
	242	$user = new SQLA_User(NULL, $_SESSION['id']);
	243	if ($user->id)
	244	return $user;
	245	}
	246	return false;
4d634d0a VP	247	}
	248
	249	/**
	250	* Checks if a user can do something
	251	* @param string $permission
	252	* @return bool
	253	*/
d72d1923	254	function current_user_can($permission) : bool
4d634d0a	255	{
d72d1923 VP	256	$user = unreal_get_current_user();
	257	if (!$user)
	258	return false;
	259
	260	if (isset($user->user_meta['permissions']))
	261	{
	262	$perms = unserialize($user->user_meta['permissions']);
	263	if (in_array($permission, $perms))
	264	{
	265	return true;
	266	}
	267	}
	268	return false;
4d634d0a VP	269	}
4d634d0a VP	270
7aad7c29 VP	271	/**
	272	* Delete a user and related meta
	273	* @param int $id The ID of the user in the SQL database.
d72d1923	274	* @param array $info This will fill with a response.
7aad7c29 VP	275	* @return int
	276	*
	277	* Return values:
	278	* 1 The user was successfully deleted.
	279	* 0 The user was not found
	280	* -1 The admin does not have permission to delete users [TODO]
	281	*/
	282	function delete_user(int $id, &$info = []) : int
	283	{
d72d1923 VP	284	$user = new SQLA_User(NULL, $id);
	285	if (!$user->id) {
	286	$info[] = "Could not find user";
	287	return 0;
	288	}
	289	$query = "DELETE FROM " . SQL_PREFIX . "users WHERE user_id = :id";
	290	$conn = sqlnew();
	291	$stmt = $conn->prepare($query);
	292	$stmt->execute(["id" => $user->id]);
	293	$deleted = $stmt->rowCount();
	294	if ($user->id)
	295	{
	296	$info[] = "Successfully deleted user \"$user->username\"";
	297	return 1;
	298	}
	299	$info[] = "Unknown error";
	300	return 0;
54b5ea90 VP	301	}
54b5ea90 VP	302