[irc/unrealircd/unrealircd-webpanel.git] / Classes / class-paneluser.php

<?php
/** Relating to Panel Access: Can add, delete and edit users. Big boss. */
define('PERMISSION_MANAGE_USERS', 'manage_users'); 
/** Relating to Users tab: Can ban users connected to IRC */
define('PERMISSION_BAN_USERS', 'ban_users');
/** Change properties of a user, i.e. vhost, modes and more */
define('PERMISSION_EDIT_USER', 'edit_user');
/** Change properties of a channel, i.e. topic, modes and more */
define('PERMISSION_EDIT_CHANNEL', 'edit_channel'); 
/** Change properties of a user on a channel i.e give/remove voice or ops and more */
define('PERMISSION_EDIT_CHANNEL_USER', 'edit_channel_user'); 
/** Can add manual bans, including G-Lines, Z-Lines and more */
define('PERMISSION_SERVER_BAN_ADD', 'tkl_add'); 
/** Can remove set bans, including G-Lines, Z-Lines and more */
define('PERMISSION_SERVER_BAN_DEL', 'tkl_del');
/** Can add Name Bans (Q-Lines) */
define('PERMISSION_NAME_BAN_ADD', 'nb_add');
/** Can delete Name Bans (Q-Lines) */
define('PERMISSION_NAME_BAN_DEL', 'nb_del'); 
/** Can add ban exceptions (E-Lines) */
define('PERMISSION_BAN_EXCEPTION_ADD', 'be_add'); 
/** Can delete ban exceptions (E-Lines) */
define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del'); 
/** Can add spamfilter entries */
define('PERMISSION_SPAMFILTER_ADD', 'sf_add'); 
/** Can delete spamfilter entries */
define('PERMISSION_SPAMFILTER_DEL', 'sf_del'); 
/** Can rehash servers */
define('PERMISSION_REHASH', 'rhs');
/** Can install and uninstall plugins */
define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
/**
 * PanelUser
 * This is the User class for the SQL_Auth plugin
 */
class PanelUser
{
	public $id = NULL;
	public $username = NULL;
	private $passhash = NULL;
	public $first_name = NULL;
	public $last_name = NULL;
	public $created = NULL;
	public $user_meta = [];
	public $bio = NULL;
	public $email = NULL;

	/**
	 * Find a user in the database by name or ID
	 * @param string $name
	 * @param mixed $id
	 */
	function __construct(string $name = NULL, int $id = NULL)
	{
		$user["name"] = $name;
		$user["id"] = $id;
		$user["object"] = NULL;
		Hook::run(HOOKTYPE_USER_LOOKUP, $user);
		if ($user['object'] === null)
			return; /* no auth module loaded? */
		foreach ($user['object'] as $key => $value)
			$this->$key = $value;
	}

	/**
	 * Verify a user's password
	 * @param string $input
	 * @return bool
	 */
	function password_verify(string $password, bool &$hash_needs_updating = false) : bool
	{
		GLOBAL $config;
		$hash_needs_updating = false;
		$p2 = $password;
		if (str_starts_with($this->passhash, "peppered:"))
		{
			/* Argon2 with pepper */
			$password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
			if (password_verify($password, substr($this->passhash,9)))
			{
				$this->HIBP(sha1($p2));
				return true;
			}
		}
		else
		{
			/* Old standard argon2 */
			if (password_verify($password, $this->passhash))
			{
				$this->HIBP(sha1($p2));
				$hash_needs_updating = true;
				return true;
			}
		}
		return false;
	}

	/**
	 * Generate hash of user's password
	 * @param string $password
	 * @return string
	 */
	public static function password_hash(string $password) : string
	{
		GLOBAL $config;
		$input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
		return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
	}

	/**
	 * Add user meta data
	 * If using an array for the first param then you
	 * must also use an array for the second param
	 * @param array|string $key
	 * @param array|string|int|bool|null $value
	 */
	function add_meta(array|string $key, array|string|int|bool|null $value)
	{
		
		if (!$key)
			return false;

		if (is_array($key))
		{
			foreach ($key as $i => $k)
				$arr[$k] = $value[$i];
		} else {
			$arr[$key] = $value;
		}

		foreach($arr as $k => $v)
		{
			$meta = [
				"id" => $this->id,
				"key" => $k,
				"value" => $v
			];

			$array['meta'] = $meta;
			$array['user'] = $this;
			Hook::run(HOOKTYPE_USERMETA_ADD, $array);
		}
		
	}

	/**
	 * Delete user meta data by key
	 * @param string $key
	 */
	function delete_meta(string $key)
	{
		if (!$key )
			return false;

		$meta = [
			"id" => $this->id,
			"key" => $key,
		];
		$array['meta'] = $meta;
		$array['user'] = $this;
		Hook::run(HOOKTYPE_USERMETA_DEL, $array);

	}

	/** PERMISSIONS */

	function add_permission($permission)
	{
		$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
		if (!in_array($permission,$meta))
			$meta[] = $permission;
		$this->add_meta("permissions", serialize($meta)); // updet de dettabess
		$this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
	}
	function delete_permission($permission)
	{
		$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
		foreach($meta as $key => $value)
		{
			if (!strcmp($permission, $value))
				unset($meta[$key]);
		}
		$this->add_meta("permissions", serialize($meta));
		$this->user_meta['permissions'] = serialize($meta);
	}

	/** Updates core user info.
	 * CAUTION: Updating a non-existent column will crash
	 * your shit
	 */
	function update_core_info($array)
	{
		$arr = ['info' => $array, 'user' => $this];
		Hook::run(HOOKTYPE_EDIT_USER, $arr);
	}

	/** Have I Been Pwned
	 * Check password against HIBP to let them know about their
	 * leaked password.
	 * @param string $password_hash This should be a pre-hashed sha1 password
	 */
	function HIBP($password_hash)
	{
		$url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
		$end = substr($password_hash,5);
		$ch = curl_init($url);

		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

		$response = curl_exec($ch);

		if (curl_errno($ch))
		{
			error_log("[error] Could not check against Have I Been Pwned API");
			return;
		}
		$data = explode("\r\n",$response);
		curl_close($ch);
		$count = count($data);
		$i = 1;
		foreach($data as $dat)
		{
			$result = explode(":",$dat);
			error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5));
			if ($result[0] == strtoupper($end))
			{
				error_log("FOUND");
				$this->add_meta("hibp", $result[1]);
				return;
			}
			$i++;
		}
	}
}


/**
 * This class looks up and returns any user meta.
 * This is used by PanelUser, so you won't need to 
 * call it separately from PanelUser.
 */
class PanelUser_Meta
{
	public $list = [];
	function __construct($id)
	{
		$array = [];
		$arr["id"] = $id;
		$arr['meta'] = &$array;
		Hook::run(HOOKTYPE_USERMETA_GET, $arr);
		$this->list = $arr['meta'];
		
	}
}

/**
 * Array of user
 * 
 * Required:
 * user_name
 * user_pass
 * 
 * Optional:
 * user_fname
 * user_lname
 * 
 * @param array $user
 * @throws Exception
 * @return bool
 */
function create_new_user(array &$user) : bool
{
	if (!isset($user['user_name']) || !isset($user['user_pass']))
		throw new Exception("Attempted to add user without specifying user_name or user_pass");

	$user['user_name'] = htmlspecialchars($user['user_name']);
	$user['user_pass'] = PanelUser::password_hash($user['user_pass']);
	$user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
	$last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
	$user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
	$user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;

	if (($u = new PanelUser($user['user_name']))->id)
	{
		$user['err'] = "User already exists";
		return false;
	}
	// internal use
	$user['success'] = false;
	$user['errmsg'] = [];
	
	Hook::run(HOOKTYPE_USER_CREATE, $user);
	if (!$user['success'])
		return false;
	
	return true;
}

/**
 * Gets the user object for the current session
 * @return PanelUser|bool
 */
function unreal_get_current_user() : PanelUser|bool
{
	if (isset($_SESSION) && isset($_SESSION['id']))
	{
		$user = new PanelUser(NULL, $_SESSION['id']);
		if ($user->id)
			return $user;
	}
	return false;
}

/**
 * Checks if a user can do something
 * @param string $permission
 * @return bool
 */
function current_user_can($permission) : bool
{
	$user = unreal_get_current_user();
	if (!$user)
		return false;
	return user_can($user, $permission);
}

/**
 * Checks if a user can do something
 * @param string $permission
 * @return bool
 */
function user_can(PanelUser $user, $permission) : bool
{
	global $config;
	if (!$user)
		return false;

	if (isset($user->user_meta['role']))
	{
		if ($user->user_meta['role'] == "Super-Admin")
			return true;

		else if ($user->user_meta['role'] == "Read-Only")
			return false;

		else if (in_array($permission, $config['user_roles'][$user->user_meta['role']]))
			return true;
			
		return false;
	}

	/* compatibility fallback */
	if (isset($user->user_meta['permissions']))
	{
		$perms = unserialize($user->user_meta['permissions']);
		if (in_array($permission, $perms))
			return true;
	}
	return false;
}

/**
 * Delete a user and related meta
 * @param int $id The ID of the user in the SQL database.
 * @param array $info This will fill with a response.
 * @return int
 * 
 * Return values:
 *  1   The user was successfully deleted.
 *  0   The user was not found
 *  -1  The admin does not have permission to delete users [TODO]
 */
function delete_user(int $id, &$info = []) : int
{
	$user = new PanelUser(NULL, $id);
	if (!$user->id) {
		$info[] = "Could not find user";
		return 0;
	}
	$arr = ["user" => $user, "info" => &$info, "boolint" => 0];
	Hook::run(HOOKTYPE_USER_DELETE, $arr);
	return $arr["boolint"];
}

function get_panel_user_permission_list()
{
	$list = [
		"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
		"Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
		"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
		"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
		"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
		"Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
		"Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD,
		"Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL,
		"Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD,
		"Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL,
		"Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD,
		"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
		"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
		"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL

	];
	Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
	return $list;
}

function generate_panel_user_permission_table($user)
{
	
	$list = get_panel_user_permission_list();
	foreach($list as $desc => $slug)
	{
		$attributes = "";
		$attributes .= (current_user_can(PERMISSION_MANAGE_USERS)) ? "" : "disabled ";
		?>
		<div class="input-group">
			<div class="input-group-prepend">
				<div class="input-group-text">
					<input <?php
						$attributes .= (user_can($user, $slug)) ? "checked" : "";
						echo $attributes;
					?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
				</div>
			</div>
			<input type="text" readonly  class="form-control" value="<?php echo "$desc ($slug)"; ?>">
		</div>

		<?php
	}
}

function get_panel_user_roles_list()
{
	GLOBAL $config;

	/* Defaults */
	$list = [
	        "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
	        "Read-Only" => [], // Read Only can do nothing
	];

	if (isset($config["user_roles"]))
		foreach($config['user_roles'] as $r => $role)
			$list[$r] = $role;

	return $list;
}

function generate_role_list($list)
{
	$list2 = get_panel_user_permission_list();
	?>
		<h5>Roles List:</h5>
		<div id="permlist">
		<div class="container-xxl" style="max-width: 1430px;">
		<div class="accordion" id="roles_accord">

<?php foreach($list as $role => $slug) {?>
	<div class="card">
		<div class="card-header" id="<?php echo to_slug($role); ?>_heading">
			<div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
				<?php echo $role ?>
				
			</div>
		</div>

		<div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
			<div id="results_rpc" class="card-body">
				<form method="post">
				<?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
					<div class="container row mb-2">
						<button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
						<button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
					</div>
					
				<?php } ?>
				<div id="<?php echo $role; ?>_input_area"><?php
					foreach($list2 as $desc => $slug)
					{
					$attributes = "";
					$attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : "";

						?>
						<div class="input-group">
							<div class="input-group-prepend">
								<div class="input-group-text">
									<input <?php
										$attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
										echo $attributes;
									?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
								</div>
							</div>
							<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
						</div>
				
						<?php
					}
				?>	</div>
				</form>
			</div>
		</div>
	</div>
<?php }?>

		</div></div><br>
			
</div><?php

}
Commit	Line	Data
961b0aa7	1	<?php
cc9898cc VP	2	/** Relating to Panel Access: Can add, delete and edit users. Big boss. */
	3	define('PERMISSION_MANAGE_USERS', 'manage_users');
	4	/** Relating to Users tab: Can ban users connected to IRC */
	5	define('PERMISSION_BAN_USERS', 'ban_users');
	6	/** Change properties of a user, i.e. vhost, modes and more */
	7	define('PERMISSION_EDIT_USER', 'edit_user');
	8	/** Change properties of a channel, i.e. topic, modes and more */
	9	define('PERMISSION_EDIT_CHANNEL', 'edit_channel');
	10	/** Change properties of a user on a channel i.e give/remove voice or ops and more */
	11	define('PERMISSION_EDIT_CHANNEL_USER', 'edit_channel_user');
	12	/** Can add manual bans, including G-Lines, Z-Lines and more */
	13	define('PERMISSION_SERVER_BAN_ADD', 'tkl_add');
	14	/** Can remove set bans, including G-Lines, Z-Lines and more */
	15	define('PERMISSION_SERVER_BAN_DEL', 'tkl_del');
	16	/** Can add Name Bans (Q-Lines) */
	17	define('PERMISSION_NAME_BAN_ADD', 'nb_add');
	18	/** Can delete Name Bans (Q-Lines) */
	19	define('PERMISSION_NAME_BAN_DEL', 'nb_del');
	20	/** Can add ban exceptions (E-Lines) */
	21	define('PERMISSION_BAN_EXCEPTION_ADD', 'be_add');
	22	/** Can delete ban exceptions (E-Lines) */
	23	define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del');
	24	/** Can add spamfilter entries */
	25	define('PERMISSION_SPAMFILTER_ADD', 'sf_add');
	26	/** Can delete spamfilter entries */
	27	define('PERMISSION_SPAMFILTER_DEL', 'sf_del');
5a7f0cde VP	28	/** Can rehash servers */
5a7f0cde VP	29	define('PERMISSION_REHASH', 'rhs');
fae5cd15 VP	30	/** Can install and uninstall plugins */
fae5cd15 VP	31	define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
6b3d3f83	32	/**
6930484c	33	* PanelUser
6b3d3f83 VP	34	* This is the User class for the SQL_Auth plugin
6b3d3f83 VP	35	*/
6930484c	36	class PanelUser
961b0aa7	37	{
d72d1923 VP	38	public $id = NULL;
	39	public $username = NULL;
	40	private $passhash = NULL;
	41	public $first_name = NULL;
	42	public $last_name = NULL;
	43	public $created = NULL;
	44	public $user_meta = [];
	45	public $bio = NULL;
0b546dde	46	public $email = NULL;
d72d1923 VP	47
	48	/**
	49	* Find a user in the database by name or ID
	50	* @param string $name
	51	* @param mixed $id
	52	*/
	53	function __construct(string $name = NULL, int $id = NULL)
	54	{
6930484c VP	55	$user["name"] = $name;
	56	$user["id"] = $id;
	57	$user["object"] = NULL;
6930484c	58	Hook::run(HOOKTYPE_USER_LOOKUP, $user);
cd1dee97 BM	59	if ($user['object'] === null)
cd1dee97 BM	60	return; /* no auth module loaded? */
6930484c VP	61	foreach ($user['object'] as $key => $value)
6930484c VP	62	$this->$key = $value;
d72d1923 VP	63	}
	64
	65	/**
	66	* Verify a user's password
	67	* @param string $input
	68	* @return bool
	69	*/
6b08fcb9	70	function password_verify(string $password, bool &$hash_needs_updating = false) : bool
d72d1923	71	{
6b08fcb9 BM	72	GLOBAL $config;
6b08fcb9 BM	73	$hash_needs_updating = false;
579020f8	74	$p2 = $password;
6b08fcb9 BM	75	if (str_starts_with($this->passhash, "peppered:"))
	76	{
	77	/* Argon2 with pepper */
	78	$password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
	79	if (password_verify($password, substr($this->passhash,9)))
579020f8 VP	80	{
579020f8 VP	81	$this->HIBP(sha1($p2));
6b08fcb9	82	return true;
579020f8 VP	83	}
	84	}
	85	else
	86	{
6b08fcb9 BM	87	/* Old standard argon2 */
	88	if (password_verify($password, $this->passhash))
	89	{
579020f8	90	$this->HIBP(sha1($p2));
6b08fcb9 BM	91	$hash_needs_updating = true;
	92	return true;
	93	}
	94	}
d72d1923 VP	95	return false;
	96	}
	97
6b08fcb9 BM	98	/**
	99	* Generate hash of user's password
	100	* @param string $password
	101	* @return string
	102	*/
	103	public static function password_hash(string $password) : string
	104	{
	105	GLOBAL $config;
	106	$input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
	107	return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
	108	}
	109
d72d1923 VP	110	/**
d72d1923 VP	111	* Add user meta data
3ca012c9 VP	112	* If using an array for the first param then you
3ca012c9 VP	113	* must also use an array for the second param
7a345d4a	114	* @param array\|string $key
75b243f6	115	* @param array\|string\|int\|bool\|null $value
d72d1923	116	*/
75b243f6	117	function add_meta(array\|string $key, array\|string\|int\|bool\|null $value)
d72d1923	118	{
6930484c	119
75b243f6	120	if (!$key)
d72d1923 VP	121	return false;
d72d1923 VP	122
75b243f6 BM	123	if (is_array($key))
75b243f6 BM	124	{
7a345d4a VP	125	foreach ($key as $i => $k)
7a345d4a VP	126	$arr[$k] = $value[$i];
75b243f6 BM	127	} else {
	128	$arr[$key] = $value;
	129	}
	130
7a345d4a VP	131	foreach($arr as $k => $v)
	132	{
	133	$meta = [
	134	"id" => $this->id,
	135	"key" => $k,
	136	"value" => $v
	137	];
	138
	139	$array['meta'] = $meta;
	140	$array['user'] = $this;
	141	Hook::run(HOOKTYPE_USERMETA_ADD, $array);
	142	}
6930484c	143
d72d1923 VP	144	}
	145
	146	/**
	147	* Delete user meta data by key
	148	* @param string $key
d72d1923 VP	149	*/
	150	function delete_meta(string $key)
	151	{
	152	if (!$key )
	153	return false;
	154
	155	$meta = [
	156	"id" => $this->id,
	157	"key" => $key,
	158	];
c53841fe BM	159	$array['meta'] = $meta;
	160	$array['user'] = $this;
	161	Hook::run(HOOKTYPE_USERMETA_DEL, $array);
d72d1923 VP	162
	163	}
	164
	165	/** PERMISSIONS */
	166
	167	function add_permission($permission)
	168	{
	169	$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
	170	if (!in_array($permission,$meta))
	171	$meta[] = $permission;
	172	$this->add_meta("permissions", serialize($meta)); // updet de dettabess
	173	$this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
	174	}
	175	function delete_permission($permission)
	176	{
	177	$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
	178	foreach($meta as $key => $value)
	179	{
	180	if (!strcmp($permission, $value))
	181	unset($meta[$key]);
	182	}
	183	$this->add_meta("permissions", serialize($meta));
	184	$this->user_meta['permissions'] = serialize($meta);
	185	}
	186
5a7f0cde VP	187	/** Updates core user info.
	188	* CAUTION: Updating a non-existent column will crash
	189	* your shit
	190	*/
	191	function update_core_info($array)
	192	{
	193	$arr = ['info' => $array, 'user' => $this];
	194	Hook::run(HOOKTYPE_EDIT_USER, $arr);
	195	}
579020f8 VP	196
	197	/** Have I Been Pwned
	198	* Check password against HIBP to let them know about their
	199	* leaked password.
	200	* @param string $password_hash This should be a pre-hashed sha1 password
	201	*/
	202	function HIBP($password_hash)
	203	{
	204	$url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
	205	$end = substr($password_hash,5);
	206	$ch = curl_init($url);
	207
	208	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	209
	210	$response = curl_exec($ch);
	211
	212	if (curl_errno($ch))
	213	{
	214	error_log("[error] Could not check against Have I Been Pwned API");
	215	return;
	216	}
	217	$data = explode("\r\n",$response);
	218	curl_close($ch);
	219	$count = count($data);
	220	$i = 1;
	221	foreach($data as $dat)
	222	{
	223	$result = explode(":",$dat);
	224	error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5));
	225	if ($result[0] == strtoupper($end))
	226	{
	227	error_log("FOUND");
	228	$this->add_meta("hibp", $result[1]);
	229	return;
	230	}
	231	$i++;
	232	}
	233	}
4d634d0a	234	}
a3151e7c	235
6b3d3f83 VP	236
	237	/**
	238	* This class looks up and returns any user meta.
6930484c VP	239	* This is used by PanelUser, so you won't need to
6930484c VP	240	* call it separately from PanelUser.
6b3d3f83	241	*/
6930484c	242	class PanelUser_Meta
4d634d0a	243	{
d72d1923 VP	244	public $list = [];
	245	function __construct($id)
	246	{
6930484c VP	247	$array = [];
	248	$arr["id"] = $id;
	249	$arr['meta'] = &$array;
	250	Hook::run(HOOKTYPE_USERMETA_GET, $arr);
6930484c VP	251	$this->list = $arr['meta'];
6930484c VP	252
d72d1923	253	}
a3151e7c VP	254	}
a3151e7c VP	255
4225314c VP	256	/**
	257	* Array of user
	258	*
	259	* Required:
	260	* user_name
	261	* user_pass
	262	*
	263	* Optional:
	264	* user_fname
	265	* user_lname
	266	*
	267	* @param array $user
	268	* @throws Exception
	269	* @return bool
	270	*/
180b8ec1	271	function create_new_user(array &$user) : bool
4d634d0a	272	{
d72d1923 VP	273	if (!isset($user['user_name']) \|\| !isset($user['user_pass']))
	274	throw new Exception("Attempted to add user without specifying user_name or user_pass");
	275
180b8ec1	276	$user['user_name'] = htmlspecialchars($user['user_name']);
6b08fcb9	277	$user['user_pass'] = PanelUser::password_hash($user['user_pass']);
180b8ec1 VP	278	$user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
	279	$last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
	280	$user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
9a674833	281	$user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;
d72d1923	282
180b8ec1 VP	283	if (($u = new PanelUser($user['user_name']))->id)
	284	{
	285	$user['err'] = "User already exists";
	286	return false;
	287	}
	288	// internal use
	289	$user['success'] = false;
	290	$user['errmsg'] = [];
	291
	292	Hook::run(HOOKTYPE_USER_CREATE, $user);
	293	if (!$user['success'])
	294	return false;
d72d1923 VP	295
d72d1923 VP	296	return true;
4d634d0a VP	297	}
	298
	299	/**
	300	* Gets the user object for the current session
6930484c	301	* @return PanelUser\|bool
4d634d0a	302	*/
6930484c	303	function unreal_get_current_user() : PanelUser\|bool
a3151e7c	304	{
d3e3ec08	305	if (isset($_SESSION) && isset($_SESSION['id']))
d72d1923	306	{
6930484c	307	$user = new PanelUser(NULL, $_SESSION['id']);
d72d1923 VP	308	if ($user->id)
	309	return $user;
	310	}
	311	return false;
4d634d0a VP	312	}
	313
	314	/**
	315	* Checks if a user can do something
	316	* @param string $permission
	317	* @return bool
	318	*/
d72d1923	319	function current_user_can($permission) : bool
4d634d0a	320	{
d72d1923	321	$user = unreal_get_current_user();
6c67bf53 VP	322	if (!$user)
6c67bf53 VP	323	return false;
2405dc8e VP	324	return user_can($user, $permission);
	325	}
	326
	327	/**
	328	* Checks if a user can do something
	329	* @param string $permission
	330	* @return bool
	331	*/
	332	function user_can(PanelUser $user, $permission) : bool
	333	{
6f0e7ce4	334	global $config;
d72d1923 VP	335	if (!$user)
d72d1923 VP	336	return false;
2405dc8e	337
6f0e7ce4 VP	338	if (isset($user->user_meta['role']))
	339	{
	340	if ($user->user_meta['role'] == "Super-Admin")
	341	return true;
	342
	343	else if ($user->user_meta['role'] == "Read-Only")
	344	return false;
	345
	346	else if (in_array($permission, $config['user_roles'][$user->user_meta['role']]))
	347	return true;
	348
	349	return false;
	350	}
	351
	352	/* compatibility fallback */
d72d1923 VP	353	if (isset($user->user_meta['permissions']))
	354	{
	355	$perms = unserialize($user->user_meta['permissions']);
	356	if (in_array($permission, $perms))
d72d1923	357	return true;
d72d1923 VP	358	}
d72d1923 VP	359	return false;
4d634d0a VP	360	}
4d634d0a VP	361
7aad7c29 VP	362	/**
	363	* Delete a user and related meta
	364	* @param int $id The ID of the user in the SQL database.
d72d1923	365	* @param array $info This will fill with a response.
7aad7c29 VP	366	* @return int
	367	*
	368	* Return values:
	369	* 1 The user was successfully deleted.
	370	* 0 The user was not found
	371	* -1 The admin does not have permission to delete users [TODO]
	372	*/
	373	function delete_user(int $id, &$info = []) : int
	374	{
6930484c	375	$user = new PanelUser(NULL, $id);
d72d1923 VP	376	if (!$user->id) {
	377	$info[] = "Could not find user";
	378	return 0;
	379	}
180b8ec1 VP	380	$arr = ["user" => $user, "info" => &$info, "boolint" => 0];
	381	Hook::run(HOOKTYPE_USER_DELETE, $arr);
	382	return $arr["boolint"];
54b5ea90 VP	383	}
54b5ea90 VP	384
2405dc8e VP	385	function get_panel_user_permission_list()
	386	{
	387	$list = [
	388	"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
fae5cd15	389	"Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
2405dc8e	390	"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
9616b8e6	391	"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
2405dc8e	392	"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
462bd723	393	"Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
2405dc8e VP	394	"Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD,
	395	"Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL,
	396	"Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD,
	397	"Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL,
	398	"Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD,
	399	"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
	400	"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
	401	"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
fae5cd15	402
2405dc8e VP	403	];
	404	Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
	405	return $list;
	406	}
	407
	408	function generate_panel_user_permission_table($user)
	409	{
	410
	411	$list = get_panel_user_permission_list();
	412	foreach($list as $desc => $slug)
	413	{
	414	$attributes = "";
	415	$attributes .= (current_user_can(PERMISSION_MANAGE_USERS)) ? "" : "disabled ";
	416	?>
	417	<div class="input-group">
	418	<div class="input-group-prepend">
	419	<div class="input-group-text">
	420	<input <?php
	421	$attributes .= (user_can($user, $slug)) ? "checked" : "";
	422	echo $attributes;
	423	?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
	424	</div>
	425	</div>
	426	<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
	427	</div>
	428
	429	<?php
	430	}
9616b8e6	431	}
4b48b46f VP	432
	433	function get_panel_user_roles_list()
	434	{
8c415815 BM	435	GLOBAL $config;
8c415815 BM	436
4b48b46f VP	437	/* Defaults */
4b48b46f VP	438	$list = [
8c415815 BM	439	"Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
8c415815 BM	440	"Read-Only" => [], // Read Only can do nothing
4b48b46f VP	441	];
4b48b46f VP	442
8c415815 BM	443	if (isset($config["user_roles"]))
	444	foreach($config['user_roles'] as $r => $role)
	445	$list[$r] = $role;
	446
4b48b46f VP	447	return $list;
	448	}
	449
	450	function generate_role_list($list)
	451	{
	452	$list2 = get_panel_user_permission_list();
	453	?>
	454	<h5>Roles List:</h5>
	455	<div id="permlist">
088733d4	456	<div class="container-xxl" style="max-width: 1430px;">
4b48b46f VP	457	<div class="accordion" id="roles_accord">
	458
	459	<?php foreach($list as $role => $slug) {?>
	460	<div class="card">
	461	<div class="card-header" id="<?php echo to_slug($role); ?>_heading">
	462	<div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
	463	<?php echo $role ?>
1634b6ac	464
4b48b46f VP	465	</div>
	466	</div>
	467
	468	<div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
	469	<div id="results_rpc" class="card-body">
1634b6ac	470	<form method="post">
6f0e7ce4	471	<?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
1634b6ac VP	472	<div class="container row mb-2">
	473	<button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
	474	<button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
	475	</div>
	476
	477	<?php } ?>
	478	<div id="<?php echo $role; ?>_input_area"><?php
4b48b46f VP	479	foreach($list2 as $desc => $slug)
	480	{
	481	$attributes = "";
6f0e7ce4	482	$attributes .= ($role == "Super-Admin" \|\| $role == "Read-Only") ? "disabled " : "";
4b48b46f VP	483
	484	?>
	485	<div class="input-group">
	486	<div class="input-group-prepend">
	487	<div class="input-group-text">
	488	<input <?php
	489	$attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
	490	echo $attributes;
1634b6ac	491	?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
4b48b46f VP	492	</div>
	493	</div>
	494	<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
	495	</div>
	496
	497	<?php
	498	}
1634b6ac VP	499	?> </div>
1634b6ac VP	500	</form>
4b48b46f VP	501	</div>
	502	</div>
	503	</div>
	504	<?php }?>
	505
	506	</div></div><br>
1634b6ac	507
4b48b46f VP	508	</div><?php
	509
	510	}