[irc/unrealircd/unrealircd-webpanel.git] / Classes / class-paneluser.php

<?php
/** Relating to Panel Access: Can add, delete and edit users. Big boss. */
define('PERMISSION_MANAGE_USERS', 'manage_users'); 
/** Relating to Users tab: Can ban users connected to IRC */
define('PERMISSION_BAN_USERS', 'ban_users');
/** Change properties of a user, i.e. vhost, modes and more */
define('PERMISSION_EDIT_USER', 'edit_user');
/** Change properties of a channel, i.e. topic, modes and more */
define('PERMISSION_EDIT_CHANNEL', 'edit_channel'); 
/** Change properties of a user on a channel i.e give/remove voice or ops and more */
define('PERMISSION_EDIT_CHANNEL_USER', 'edit_channel_user'); 
/** Can add manual bans, including G-Lines, Z-Lines and more */
define('PERMISSION_SERVER_BAN_ADD', 'tkl_add'); 
/** Can remove set bans, including G-Lines, Z-Lines and more */
define('PERMISSION_SERVER_BAN_DEL', 'tkl_del');
/** Can add Name Bans (Q-Lines) */
define('PERMISSION_NAME_BAN_ADD', 'nb_add');
/** Can delete Name Bans (Q-Lines) */
define('PERMISSION_NAME_BAN_DEL', 'nb_del'); 
/** Can add ban exceptions (E-Lines) */
define('PERMISSION_BAN_EXCEPTION_ADD', 'be_add'); 
/** Can delete ban exceptions (E-Lines) */
define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del'); 
/** Can add spamfilter entries */
define('PERMISSION_SPAMFILTER_ADD', 'sf_add'); 
/** Can delete spamfilter entries */
define('PERMISSION_SPAMFILTER_DEL', 'sf_del'); 
/** Can rehash servers */
define('PERMISSION_REHASH', 'rhs');
/** Can install and uninstall plugins */
define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
/**
 * PanelUser
 * This is the User class for the SQL_Auth plugin
 */
class PanelUser
{
	public $id = NULL;
	public $username = NULL;
	private $passhash = NULL;
	public $first_name = NULL;
	public $last_name = NULL;
	public $created = NULL;
	public $user_meta = [];
	public $bio = NULL;
	public $email = NULL;

	/**
	 * Find a user in the database by name or ID
	 * @param string $name
	 * @param mixed $id
	 */
	function __construct(string $name = NULL, int $id = NULL)
	{
		$user["name"] = $name;
		$user["id"] = $id;
		$user["object"] = NULL;
		Hook::run(HOOKTYPE_USER_LOOKUP, $user);
		if ($user['object'] === null)
			return; /* no auth module loaded? */
		foreach ($user['object'] as $key => $value)
			$this->$key = $value;
	}

	/**
	 * Verify a user's password
	 * @param string $input
	 * @return bool
	 */
	function password_verify(string $password, bool &$hash_needs_updating = false) : bool
	{
		GLOBAL $config;
		$hash_needs_updating = false;
		$p2 = $password;
		if (str_starts_with($this->passhash, "peppered:"))
		{
			/* Argon2 with pepper */
			$password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
			if (password_verify($password, substr($this->passhash,9)))
			{
				$this->HIBP(sha1($p2));
				return true;
			}
		}
		else
		{
			/* Old standard argon2 */
			if (password_verify($password, $this->passhash))
			{
				$this->HIBP(sha1($p2));
				$hash_needs_updating = true;
				return true;
			}
		}
		return false;
	}

	/**
	 * Generate hash of user's password
	 * @param string $password
	 * @return string
	 */
	public static function password_hash(string $password) : string
	{
		GLOBAL $config;
		$input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
		return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
	}

	/**
	 * Add user meta data
	 * If using an array for the first param then you
	 * must also use an array for the second param
	 * @param array|string $key
	 * @param array|string|int|bool|null $value
	 */
	function add_meta(array|string $key, array|string|int|bool|null $value)
	{
		
		if (!$key)
			return false;

		if (is_array($key))
		{
			foreach ($key as $i => $k)
				$arr[$k] = $value[$i];
		} else {
			$arr[$key] = $value;
		}

		foreach($arr as $k => $v)
		{
			$meta = [
				"id" => $this->id,
				"key" => $k,
				"value" => $v
			];

			$array['meta'] = $meta;
			$array['user'] = $this;
			Hook::run(HOOKTYPE_USERMETA_ADD, $array);
		}
		
	}

	/**
	 * Delete user meta data by key
	 * @param string $key
	 */
	function delete_meta(string $key)
	{
		if (!$key )
			return false;

		$meta = [
			"id" => $this->id,
			"key" => $key,
		];
		$array['meta'] = $meta;
		$array['user'] = $this;
		Hook::run(HOOKTYPE_USERMETA_DEL, $array);

	}

	/** PERMISSIONS */

	function add_permission($permission)
	{
		$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
		if (!in_array($permission,$meta))
			$meta[] = $permission;
		$this->add_meta("permissions", serialize($meta)); // updet de dettabess
		$this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
	}
	function delete_permission($permission)
	{
		$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
		foreach($meta as $key => $value)
		{
			if (!strcmp($permission, $value))
				unset($meta[$key]);
		}
		$this->add_meta("permissions", serialize($meta));
		$this->user_meta['permissions'] = serialize($meta);
	}

	/** Updates core user info.
	 * CAUTION: Updating a non-existent column will crash
	 * your shit
	 */
	function update_core_info($array)
	{
		$arr = ['info' => $array, 'user' => $this];
		Hook::run(HOOKTYPE_EDIT_USER, $arr);
	}

	/** Have I Been Pwned
	 * Check password against HIBP to let them know about their
	 * leaked password.
	 * @param string $password_hash This should be a pre-hashed sha1 password
	 */
	function HIBP($password_hash)
	{
		if (get_config("hibp") == false)
			return;
		$url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
		$end = substr($password_hash,5);
		$ch = curl_init($url);

		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

		$response = curl_exec($ch);

		if (curl_errno($ch))
		{
			error_log("[error] Could not check against Have I Been Pwned API");
			return;
		}
		$data = explode("\r\n",$response);
		curl_close($ch);
		$count = count($data);
		$i = 1;
		foreach($data as $dat)
		{
			$result = explode(":",$dat);
			error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5));
			if ($result[0] == strtoupper($end))
			{
				error_log("FOUND");
				$this->add_meta("hibp", $result[1]);
				return;
			}
			$i++;
		}
	}
}


/**
 * This class looks up and returns any user meta.
 * This is used by PanelUser, so you won't need to 
 * call it separately from PanelUser.
 */
class PanelUser_Meta
{
	public $list = [];
	function __construct($id)
	{
		$array = [];
		$arr["id"] = $id;
		$arr['meta'] = &$array;
		Hook::run(HOOKTYPE_USERMETA_GET, $arr);
		$this->list = $arr['meta'];
		
	}
}

/**
 * Array of user
 * 
 * Required:
 * user_name
 * user_pass
 * 
 * Optional:
 * user_fname
 * user_lname
 * 
 * @param array $user
 * @throws Exception
 * @return bool
 */
function create_new_user(array &$user) : bool
{
	if (!isset($user['user_name']) || !isset($user['user_pass']))
		throw new Exception("Attempted to add user without specifying user_name or user_pass");

	$user['user_name'] = htmlspecialchars($user['user_name']);
	$user['user_pass'] = PanelUser::password_hash($user['user_pass']);
	$user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
	$last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
	$user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
	$user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;

	if (($u = new PanelUser($user['user_name']))->id)
	{
		$user['err'] = "User already exists";
		return false;
	}
	// internal use
	$user['success'] = false;
	$user['errmsg'] = [];
	
	Hook::run(HOOKTYPE_USER_CREATE, $user);
	if (!$user['success'])
		return false;
	
	return true;
}

/**
 * Gets the user object for the current session
 * @return PanelUser|bool
 */
function unreal_get_current_user() : PanelUser|bool
{
	if (isset($_SESSION) && isset($_SESSION['id']))
	{
		$user = new PanelUser(NULL, $_SESSION['id']);
		if ($user->id)
			return $user;
	}
	return false;
}

/**
 * Checks if a user can do something
 * @param string $permission
 * @return bool
 */
function current_user_can($permission) : bool
{
	$user = unreal_get_current_user();
	if (!$user)
		return false;
	return user_can($user, $permission);
}

/**
 * Checks if a user can do something
 * @param string $permission
 * @return bool
 */
function user_can(PanelUser $user, $permission) : bool
{
	global $config;
	if (!$user)
		return false;

	if (isset($user->user_meta['role']))
	{
		if ($user->user_meta['role'] == "Super-Admin")
			return true;

		else if ($user->user_meta['role'] == "Read-Only")
			return false;

		else if (in_array($permission, $config['user_roles'][$user->user_meta['role']]))
			return true;
			
		return false;
	}

	/* compatibility fallback */
	if (isset($user->user_meta['permissions']))
	{
		$perms = unserialize($user->user_meta['permissions']);
		if (in_array($permission, $perms))
			return true;
	}
	return false;
}

/**
 * Delete a user and related meta
 * @param int $id The ID of the user in the SQL database.
 * @param array $info This will fill with a response.
 * @return int
 * 
 * Return values:
 *  1   The user was successfully deleted.
 *  0   The user was not found
 *  -1  The admin does not have permission to delete users [TODO]
 */
function delete_user(int $id, &$info = []) : int
{
	$user = new PanelUser(NULL, $id);
	if (!$user->id) {
		$info[] = "Could not find user";
		return 0;
	}
	$arr = ["user" => $user, "info" => &$info, "boolint" => 0];
	Hook::run(HOOKTYPE_USER_DELETE, $arr);
	return $arr["boolint"];
}

function get_panel_user_permission_list()
{
	$list = [
		"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
		"Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
		"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
		"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
		"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
		"Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
		"Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD,
		"Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL,
		"Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD,
		"Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL,
		"Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD,
		"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
		"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
		"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL

	];
	Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
	return $list;
}

function generate_panel_user_permission_table($user)
{
	
	$list = get_panel_user_permission_list();
	foreach($list as $desc => $slug)
	{
		$attributes = "";
		$attributes .= (current_user_can(PERMISSION_MANAGE_USERS)) ? "" : "disabled ";
		?>
		<div class="input-group">
			<div class="input-group-prepend">
				<div class="input-group-text">
					<input <?php
						$attributes .= (user_can($user, $slug)) ? "checked" : "";
						echo $attributes;
					?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
				</div>
			</div>
			<input type="text" readonly  class="form-control" value="<?php echo "$desc ($slug)"; ?>">
		</div>

		<?php
	}
}

function get_panel_user_roles_list()
{
	GLOBAL $config;

	/* Defaults */
	$list = [
	        "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
	        "Read-Only" => [], // Read Only can do nothing
	];

	if (isset($config["user_roles"]))
		foreach($config['user_roles'] as $r => $role)
			$list[$r] = $role;

	return $list;
}

function generate_role_list($list)
{
	$list2 = get_panel_user_permission_list();
	?>
		<h5>Roles List:</h5>
		<div id="permlist">
		<div class="container-xxl" style="max-width: 1430px;">
		<div class="accordion" id="roles_accord">

<?php foreach($list as $role => $slug) {?>
	<div class="card">
		<div class="card-header" id="<?php echo to_slug($role); ?>_heading">
			<div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
				<?php echo $role ?>
				
			</div>
		</div>

		<div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
			<div id="results_rpc" class="card-body">
				<form method="post">
				<?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
					<div class="container row mb-2">
						<button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
						<button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
					</div>
					
				<?php } ?>
				<div id="<?php echo $role; ?>_input_area"><?php
					foreach($list2 as $desc => $slug)
					{
					$attributes = "";
					$attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : "";

						?>
						<div class="input-group">
							<div class="input-group-prepend">
								<div class="input-group-text">
									<input <?php
										$attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
										echo $attributes;
									?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
								</div>
							</div>
							<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
						</div>
				
						<?php
					}
				?>	</div>
				</form>
			</div>
		</div>
	</div>
<?php }?>

		</div></div><br>
			
</div><?php

}
Commit	Line	Data
961b0aa7	1	<?php
cc9898cc VP	2	/** Relating to Panel Access: Can add, delete and edit users. Big boss. */
	3	define('PERMISSION_MANAGE_USERS', 'manage_users');
	4	/** Relating to Users tab: Can ban users connected to IRC */
	5	define('PERMISSION_BAN_USERS', 'ban_users');
	6	/** Change properties of a user, i.e. vhost, modes and more */
	7	define('PERMISSION_EDIT_USER', 'edit_user');
	8	/** Change properties of a channel, i.e. topic, modes and more */
	9	define('PERMISSION_EDIT_CHANNEL', 'edit_channel');
	10	/** Change properties of a user on a channel i.e give/remove voice or ops and more */
	11	define('PERMISSION_EDIT_CHANNEL_USER', 'edit_channel_user');
	12	/** Can add manual bans, including G-Lines, Z-Lines and more */
	13	define('PERMISSION_SERVER_BAN_ADD', 'tkl_add');
	14	/** Can remove set bans, including G-Lines, Z-Lines and more */
	15	define('PERMISSION_SERVER_BAN_DEL', 'tkl_del');
	16	/** Can add Name Bans (Q-Lines) */
	17	define('PERMISSION_NAME_BAN_ADD', 'nb_add');
	18	/** Can delete Name Bans (Q-Lines) */
	19	define('PERMISSION_NAME_BAN_DEL', 'nb_del');
	20	/** Can add ban exceptions (E-Lines) */
	21	define('PERMISSION_BAN_EXCEPTION_ADD', 'be_add');
	22	/** Can delete ban exceptions (E-Lines) */
	23	define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del');
	24	/** Can add spamfilter entries */
	25	define('PERMISSION_SPAMFILTER_ADD', 'sf_add');
	26	/** Can delete spamfilter entries */
	27	define('PERMISSION_SPAMFILTER_DEL', 'sf_del');
5a7f0cde VP	28	/** Can rehash servers */
5a7f0cde VP	29	define('PERMISSION_REHASH', 'rhs');
fae5cd15 VP	30	/** Can install and uninstall plugins */
fae5cd15 VP	31	define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
6b3d3f83	32	/**
6930484c	33	* PanelUser
6b3d3f83 VP	34	* This is the User class for the SQL_Auth plugin
6b3d3f83 VP	35	*/
6930484c	36	class PanelUser
961b0aa7	37	{
d72d1923 VP	38	public $id = NULL;
	39	public $username = NULL;
	40	private $passhash = NULL;
	41	public $first_name = NULL;
	42	public $last_name = NULL;
	43	public $created = NULL;
	44	public $user_meta = [];
	45	public $bio = NULL;
0b546dde	46	public $email = NULL;
d72d1923 VP	47
	48	/**
	49	* Find a user in the database by name or ID
	50	* @param string $name
	51	* @param mixed $id
	52	*/
	53	function __construct(string $name = NULL, int $id = NULL)
	54	{
6930484c VP	55	$user["name"] = $name;
	56	$user["id"] = $id;
	57	$user["object"] = NULL;
6930484c	58	Hook::run(HOOKTYPE_USER_LOOKUP, $user);
cd1dee97 BM	59	if ($user['object'] === null)
cd1dee97 BM	60	return; /* no auth module loaded? */
6930484c VP	61	foreach ($user['object'] as $key => $value)
6930484c VP	62	$this->$key = $value;
d72d1923 VP	63	}
	64
	65	/**
	66	* Verify a user's password
	67	* @param string $input
	68	* @return bool
	69	*/
6b08fcb9	70	function password_verify(string $password, bool &$hash_needs_updating = false) : bool
d72d1923	71	{
6b08fcb9 BM	72	GLOBAL $config;
6b08fcb9 BM	73	$hash_needs_updating = false;
579020f8	74	$p2 = $password;
6b08fcb9 BM	75	if (str_starts_with($this->passhash, "peppered:"))
	76	{
	77	/* Argon2 with pepper */
	78	$password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
	79	if (password_verify($password, substr($this->passhash,9)))
579020f8 VP	80	{
579020f8 VP	81	$this->HIBP(sha1($p2));
6b08fcb9	82	return true;
579020f8 VP	83	}
	84	}
	85	else
	86	{
6b08fcb9 BM	87	/* Old standard argon2 */
	88	if (password_verify($password, $this->passhash))
	89	{
579020f8	90	$this->HIBP(sha1($p2));
6b08fcb9 BM	91	$hash_needs_updating = true;
	92	return true;
	93	}
	94	}
d72d1923 VP	95	return false;
	96	}
	97
6b08fcb9 BM	98	/**
	99	* Generate hash of user's password
	100	* @param string $password
	101	* @return string
	102	*/
	103	public static function password_hash(string $password) : string
	104	{
	105	GLOBAL $config;
	106	$input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
	107	return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
	108	}
	109
d72d1923 VP	110	/**
d72d1923 VP	111	* Add user meta data
3ca012c9 VP	112	* If using an array for the first param then you
3ca012c9 VP	113	* must also use an array for the second param
7a345d4a	114	* @param array\|string $key
75b243f6	115	* @param array\|string\|int\|bool\|null $value
d72d1923	116	*/
75b243f6	117	function add_meta(array\|string $key, array\|string\|int\|bool\|null $value)
d72d1923	118	{
6930484c	119
75b243f6	120	if (!$key)
d72d1923 VP	121	return false;
d72d1923 VP	122
75b243f6 BM	123	if (is_array($key))
75b243f6 BM	124	{
7a345d4a VP	125	foreach ($key as $i => $k)
7a345d4a VP	126	$arr[$k] = $value[$i];
75b243f6 BM	127	} else {
	128	$arr[$key] = $value;
	129	}
	130
7a345d4a VP	131	foreach($arr as $k => $v)
	132	{
	133	$meta = [
	134	"id" => $this->id,
	135	"key" => $k,
	136	"value" => $v
	137	];
	138
	139	$array['meta'] = $meta;
	140	$array['user'] = $this;
	141	Hook::run(HOOKTYPE_USERMETA_ADD, $array);
	142	}
6930484c	143
d72d1923 VP	144	}
	145
	146	/**
	147	* Delete user meta data by key
	148	* @param string $key
d72d1923 VP	149	*/
	150	function delete_meta(string $key)
	151	{
	152	if (!$key )
	153	return false;
	154
	155	$meta = [
	156	"id" => $this->id,
	157	"key" => $key,
	158	];
c53841fe BM	159	$array['meta'] = $meta;
	160	$array['user'] = $this;
	161	Hook::run(HOOKTYPE_USERMETA_DEL, $array);
d72d1923 VP	162
	163	}
	164
	165	/** PERMISSIONS */
	166
	167	function add_permission($permission)
	168	{
	169	$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
	170	if (!in_array($permission,$meta))
	171	$meta[] = $permission;
	172	$this->add_meta("permissions", serialize($meta)); // updet de dettabess
	173	$this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
	174	}
	175	function delete_permission($permission)
	176	{
	177	$meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : [];
	178	foreach($meta as $key => $value)
	179	{
	180	if (!strcmp($permission, $value))
	181	unset($meta[$key]);
	182	}
	183	$this->add_meta("permissions", serialize($meta));
	184	$this->user_meta['permissions'] = serialize($meta);
	185	}
	186
5a7f0cde VP	187	/** Updates core user info.
	188	* CAUTION: Updating a non-existent column will crash
	189	* your shit
	190	*/
	191	function update_core_info($array)
	192	{
	193	$arr = ['info' => $array, 'user' => $this];
	194	Hook::run(HOOKTYPE_EDIT_USER, $arr);
	195	}
579020f8 VP	196
	197	/** Have I Been Pwned
	198	* Check password against HIBP to let them know about their
	199	* leaked password.
	200	* @param string $password_hash This should be a pre-hashed sha1 password
	201	*/
	202	function HIBP($password_hash)
	203	{
3d4e4ec4 VP	204	if (get_config("hibp") == false)
3d4e4ec4 VP	205	return;
579020f8 VP	206	$url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
	207	$end = substr($password_hash,5);
	208	$ch = curl_init($url);
	209
	210	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	211
	212	$response = curl_exec($ch);
	213
	214	if (curl_errno($ch))
	215	{
	216	error_log("[error] Could not check against Have I Been Pwned API");
	217	return;
	218	}
	219	$data = explode("\r\n",$response);
	220	curl_close($ch);
	221	$count = count($data);
	222	$i = 1;
	223	foreach($data as $dat)
	224	{
	225	$result = explode(":",$dat);
	226	error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5));
	227	if ($result[0] == strtoupper($end))
	228	{
	229	error_log("FOUND");
	230	$this->add_meta("hibp", $result[1]);
	231	return;
	232	}
	233	$i++;
	234	}
	235	}
4d634d0a	236	}
a3151e7c	237
6b3d3f83 VP	238
	239	/**
	240	* This class looks up and returns any user meta.
6930484c VP	241	* This is used by PanelUser, so you won't need to
6930484c VP	242	* call it separately from PanelUser.
6b3d3f83	243	*/
6930484c	244	class PanelUser_Meta
4d634d0a	245	{
d72d1923 VP	246	public $list = [];
	247	function __construct($id)
	248	{
6930484c VP	249	$array = [];
	250	$arr["id"] = $id;
	251	$arr['meta'] = &$array;
	252	Hook::run(HOOKTYPE_USERMETA_GET, $arr);
6930484c VP	253	$this->list = $arr['meta'];
6930484c VP	254
d72d1923	255	}
a3151e7c VP	256	}
a3151e7c VP	257
4225314c VP	258	/**
	259	* Array of user
	260	*
	261	* Required:
	262	* user_name
	263	* user_pass
	264	*
	265	* Optional:
	266	* user_fname
	267	* user_lname
	268	*
	269	* @param array $user
	270	* @throws Exception
	271	* @return bool
	272	*/
180b8ec1	273	function create_new_user(array &$user) : bool
4d634d0a	274	{
d72d1923 VP	275	if (!isset($user['user_name']) \|\| !isset($user['user_pass']))
	276	throw new Exception("Attempted to add user without specifying user_name or user_pass");
	277
180b8ec1	278	$user['user_name'] = htmlspecialchars($user['user_name']);
6b08fcb9	279	$user['user_pass'] = PanelUser::password_hash($user['user_pass']);
180b8ec1 VP	280	$user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
	281	$last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
	282	$user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
9a674833	283	$user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;
d72d1923	284
180b8ec1 VP	285	if (($u = new PanelUser($user['user_name']))->id)
	286	{
	287	$user['err'] = "User already exists";
	288	return false;
	289	}
	290	// internal use
	291	$user['success'] = false;
	292	$user['errmsg'] = [];
	293
	294	Hook::run(HOOKTYPE_USER_CREATE, $user);
	295	if (!$user['success'])
	296	return false;
d72d1923 VP	297
d72d1923 VP	298	return true;
4d634d0a VP	299	}
	300
	301	/**
	302	* Gets the user object for the current session
6930484c	303	* @return PanelUser\|bool
4d634d0a	304	*/
6930484c	305	function unreal_get_current_user() : PanelUser\|bool
a3151e7c	306	{
d3e3ec08	307	if (isset($_SESSION) && isset($_SESSION['id']))
d72d1923	308	{
6930484c	309	$user = new PanelUser(NULL, $_SESSION['id']);
d72d1923 VP	310	if ($user->id)
	311	return $user;
	312	}
	313	return false;
4d634d0a VP	314	}
	315
	316	/**
	317	* Checks if a user can do something
	318	* @param string $permission
	319	* @return bool
	320	*/
d72d1923	321	function current_user_can($permission) : bool
4d634d0a	322	{
d72d1923	323	$user = unreal_get_current_user();
6c67bf53 VP	324	if (!$user)
6c67bf53 VP	325	return false;
2405dc8e VP	326	return user_can($user, $permission);
	327	}
	328
	329	/**
	330	* Checks if a user can do something
	331	* @param string $permission
	332	* @return bool
	333	*/
	334	function user_can(PanelUser $user, $permission) : bool
	335	{
6f0e7ce4	336	global $config;
d72d1923 VP	337	if (!$user)
d72d1923 VP	338	return false;
2405dc8e	339
6f0e7ce4 VP	340	if (isset($user->user_meta['role']))
	341	{
	342	if ($user->user_meta['role'] == "Super-Admin")
	343	return true;
	344
	345	else if ($user->user_meta['role'] == "Read-Only")
	346	return false;
	347
	348	else if (in_array($permission, $config['user_roles'][$user->user_meta['role']]))
	349	return true;
	350
	351	return false;
	352	}
	353
	354	/* compatibility fallback */
d72d1923 VP	355	if (isset($user->user_meta['permissions']))
	356	{
	357	$perms = unserialize($user->user_meta['permissions']);
	358	if (in_array($permission, $perms))
d72d1923	359	return true;
d72d1923 VP	360	}
d72d1923 VP	361	return false;
4d634d0a VP	362	}
4d634d0a VP	363
7aad7c29 VP	364	/**
	365	* Delete a user and related meta
	366	* @param int $id The ID of the user in the SQL database.
d72d1923	367	* @param array $info This will fill with a response.
7aad7c29 VP	368	* @return int
	369	*
	370	* Return values:
	371	* 1 The user was successfully deleted.
	372	* 0 The user was not found
	373	* -1 The admin does not have permission to delete users [TODO]
	374	*/
	375	function delete_user(int $id, &$info = []) : int
	376	{
6930484c	377	$user = new PanelUser(NULL, $id);
d72d1923 VP	378	if (!$user->id) {
	379	$info[] = "Could not find user";
	380	return 0;
	381	}
180b8ec1 VP	382	$arr = ["user" => $user, "info" => &$info, "boolint" => 0];
	383	Hook::run(HOOKTYPE_USER_DELETE, $arr);
	384	return $arr["boolint"];
54b5ea90 VP	385	}
54b5ea90 VP	386
2405dc8e VP	387	function get_panel_user_permission_list()
	388	{
	389	$list = [
	390	"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
fae5cd15	391	"Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
2405dc8e	392	"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
9616b8e6	393	"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
2405dc8e	394	"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
462bd723	395	"Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
2405dc8e VP	396	"Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD,
	397	"Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL,
	398	"Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD,
	399	"Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL,
	400	"Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD,
	401	"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
	402	"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
	403	"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
fae5cd15	404
2405dc8e VP	405	];
	406	Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
	407	return $list;
	408	}
	409
	410	function generate_panel_user_permission_table($user)
	411	{
	412
	413	$list = get_panel_user_permission_list();
	414	foreach($list as $desc => $slug)
	415	{
	416	$attributes = "";
	417	$attributes .= (current_user_can(PERMISSION_MANAGE_USERS)) ? "" : "disabled ";
	418	?>
	419	<div class="input-group">
	420	<div class="input-group-prepend">
	421	<div class="input-group-text">
	422	<input <?php
	423	$attributes .= (user_can($user, $slug)) ? "checked" : "";
	424	echo $attributes;
	425	?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
	426	</div>
	427	</div>
	428	<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
	429	</div>
	430
	431	<?php
	432	}
9616b8e6	433	}
4b48b46f VP	434
	435	function get_panel_user_roles_list()
	436	{
8c415815 BM	437	GLOBAL $config;
8c415815 BM	438
4b48b46f VP	439	/* Defaults */
4b48b46f VP	440	$list = [
8c415815 BM	441	"Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
8c415815 BM	442	"Read-Only" => [], // Read Only can do nothing
4b48b46f VP	443	];
4b48b46f VP	444
8c415815 BM	445	if (isset($config["user_roles"]))
	446	foreach($config['user_roles'] as $r => $role)
	447	$list[$r] = $role;
	448
4b48b46f VP	449	return $list;
	450	}
	451
	452	function generate_role_list($list)
	453	{
	454	$list2 = get_panel_user_permission_list();
	455	?>
	456	<h5>Roles List:</h5>
	457	<div id="permlist">
088733d4	458	<div class="container-xxl" style="max-width: 1430px;">
4b48b46f VP	459	<div class="accordion" id="roles_accord">
	460
	461	<?php foreach($list as $role => $slug) {?>
	462	<div class="card">
	463	<div class="card-header" id="<?php echo to_slug($role); ?>_heading">
	464	<div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
	465	<?php echo $role ?>
1634b6ac	466
4b48b46f VP	467	</div>
	468	</div>
	469
	470	<div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
	471	<div id="results_rpc" class="card-body">
1634b6ac	472	<form method="post">
6f0e7ce4	473	<?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
1634b6ac VP	474	<div class="container row mb-2">
	475	<button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
	476	<button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
	477	</div>
	478
	479	<?php } ?>
	480	<div id="<?php echo $role; ?>_input_area"><?php
4b48b46f VP	481	foreach($list2 as $desc => $slug)
	482	{
	483	$attributes = "";
6f0e7ce4	484	$attributes .= ($role == "Super-Admin" \|\| $role == "Read-Only") ? "disabled " : "";
4b48b46f VP	485
	486	?>
	487	<div class="input-group">
	488	<div class="input-group-prepend">
	489	<div class="input-group-text">
	490	<input <?php
	491	$attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
	492	echo $attributes;
1634b6ac	493	?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
4b48b46f VP	494	</div>
	495	</div>
	496	<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
	497	</div>
	498
	499	<?php
	500	}
1634b6ac VP	501	?> </div>
1634b6ac VP	502	</form>
4b48b46f VP	503	</div>
	504	</div>
	505	</div>
	506	<?php }?>
	507
	508	</div></div><br>
1634b6ac	509
4b48b46f VP	510	</div><?php
	511
	512	}