]>
Commit | Line | Data |
---|---|---|
961b0aa7 | 1 | <?php |
cc9898cc VP |
2 | /** Relating to Panel Access: Can add, delete and edit users. Big boss. */ |
3 | define('PERMISSION_MANAGE_USERS', 'manage_users'); | |
4 | /** Relating to Users tab: Can ban users connected to IRC */ | |
5 | define('PERMISSION_BAN_USERS', 'ban_users'); | |
6 | /** Change properties of a user, i.e. vhost, modes and more */ | |
7 | define('PERMISSION_EDIT_USER', 'edit_user'); | |
8 | /** Change properties of a channel, i.e. topic, modes and more */ | |
9 | define('PERMISSION_EDIT_CHANNEL', 'edit_channel'); | |
10 | /** Change properties of a user on a channel i.e give/remove voice or ops and more */ | |
11 | define('PERMISSION_EDIT_CHANNEL_USER', 'edit_channel_user'); | |
12 | /** Can add manual bans, including G-Lines, Z-Lines and more */ | |
13 | define('PERMISSION_SERVER_BAN_ADD', 'tkl_add'); | |
14 | /** Can remove set bans, including G-Lines, Z-Lines and more */ | |
15 | define('PERMISSION_SERVER_BAN_DEL', 'tkl_del'); | |
16 | /** Can add Name Bans (Q-Lines) */ | |
17 | define('PERMISSION_NAME_BAN_ADD', 'nb_add'); | |
18 | /** Can delete Name Bans (Q-Lines) */ | |
19 | define('PERMISSION_NAME_BAN_DEL', 'nb_del'); | |
20 | /** Can add ban exceptions (E-Lines) */ | |
21 | define('PERMISSION_BAN_EXCEPTION_ADD', 'be_add'); | |
22 | /** Can delete ban exceptions (E-Lines) */ | |
23 | define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del'); | |
24 | /** Can add spamfilter entries */ | |
25 | define('PERMISSION_SPAMFILTER_ADD', 'sf_add'); | |
26 | /** Can delete spamfilter entries */ | |
27 | define('PERMISSION_SPAMFILTER_DEL', 'sf_del'); | |
5a7f0cde VP |
28 | /** Can rehash servers */ |
29 | define('PERMISSION_REHASH', 'rhs'); | |
fae5cd15 VP |
30 | /** Can install and uninstall plugins */ |
31 | define('PERMISSION_MANAGE_PLUGINS', 'mng_plg'); | |
6b3d3f83 | 32 | /** |
6930484c | 33 | * PanelUser |
6b3d3f83 VP |
34 | * This is the User class for the SQL_Auth plugin |
35 | */ | |
6930484c | 36 | class PanelUser |
961b0aa7 | 37 | { |
d72d1923 VP |
38 | public $id = NULL; |
39 | public $username = NULL; | |
40 | private $passhash = NULL; | |
41 | public $first_name = NULL; | |
42 | public $last_name = NULL; | |
43 | public $created = NULL; | |
44 | public $user_meta = []; | |
45 | public $bio = NULL; | |
0b546dde | 46 | public $email = NULL; |
d72d1923 VP |
47 | |
48 | /** | |
49 | * Find a user in the database by name or ID | |
50 | * @param string $name | |
51 | * @param mixed $id | |
52 | */ | |
53 | function __construct(string $name = NULL, int $id = NULL) | |
54 | { | |
6930484c VP |
55 | $user["name"] = $name; |
56 | $user["id"] = $id; | |
57 | $user["object"] = NULL; | |
6930484c | 58 | Hook::run(HOOKTYPE_USER_LOOKUP, $user); |
cd1dee97 BM |
59 | if ($user['object'] === null) |
60 | return; /* no auth module loaded? */ | |
6930484c VP |
61 | foreach ($user['object'] as $key => $value) |
62 | $this->$key = $value; | |
d72d1923 VP |
63 | } |
64 | ||
65 | /** | |
66 | * Verify a user's password | |
67 | * @param string $input | |
68 | * @return bool | |
69 | */ | |
6b08fcb9 | 70 | function password_verify(string $password, bool &$hash_needs_updating = false) : bool |
d72d1923 | 71 | { |
6b08fcb9 BM |
72 | GLOBAL $config; |
73 | $hash_needs_updating = false; | |
579020f8 | 74 | $p2 = $password; |
6b08fcb9 BM |
75 | if (str_starts_with($this->passhash, "peppered:")) |
76 | { | |
77 | /* Argon2 with pepper */ | |
78 | $password = hash_hmac("sha256", $password, $config['secrets']['pepper']); | |
79 | if (password_verify($password, substr($this->passhash,9))) | |
579020f8 VP |
80 | { |
81 | $this->HIBP(sha1($p2)); | |
6b08fcb9 | 82 | return true; |
579020f8 VP |
83 | } |
84 | } | |
85 | else | |
86 | { | |
6b08fcb9 BM |
87 | /* Old standard argon2 */ |
88 | if (password_verify($password, $this->passhash)) | |
89 | { | |
579020f8 | 90 | $this->HIBP(sha1($p2)); |
6b08fcb9 BM |
91 | $hash_needs_updating = true; |
92 | return true; | |
93 | } | |
94 | } | |
d72d1923 VP |
95 | return false; |
96 | } | |
97 | ||
6b08fcb9 BM |
98 | /** |
99 | * Generate hash of user's password | |
100 | * @param string $password | |
101 | * @return string | |
102 | */ | |
103 | public static function password_hash(string $password) : string | |
104 | { | |
105 | GLOBAL $config; | |
106 | $input = hash_hmac("sha256", $password, $config['secrets']['pepper']); | |
107 | return "peppered:".password_hash($input, PASSWORD_ARGON2ID); | |
108 | } | |
109 | ||
d72d1923 VP |
110 | /** |
111 | * Add user meta data | |
3ca012c9 VP |
112 | * If using an array for the first param then you |
113 | * must also use an array for the second param | |
7a345d4a | 114 | * @param array|string $key |
75b243f6 | 115 | * @param array|string|int|bool|null $value |
d72d1923 | 116 | */ |
75b243f6 | 117 | function add_meta(array|string $key, array|string|int|bool|null $value) |
d72d1923 | 118 | { |
6930484c | 119 | |
75b243f6 | 120 | if (!$key) |
d72d1923 VP |
121 | return false; |
122 | ||
75b243f6 BM |
123 | if (is_array($key)) |
124 | { | |
7a345d4a VP |
125 | foreach ($key as $i => $k) |
126 | $arr[$k] = $value[$i]; | |
75b243f6 BM |
127 | } else { |
128 | $arr[$key] = $value; | |
129 | } | |
130 | ||
7a345d4a VP |
131 | foreach($arr as $k => $v) |
132 | { | |
133 | $meta = [ | |
134 | "id" => $this->id, | |
135 | "key" => $k, | |
136 | "value" => $v | |
137 | ]; | |
138 | ||
139 | $array['meta'] = $meta; | |
140 | $array['user'] = $this; | |
141 | Hook::run(HOOKTYPE_USERMETA_ADD, $array); | |
142 | } | |
6930484c | 143 | |
d72d1923 VP |
144 | } |
145 | ||
146 | /** | |
147 | * Delete user meta data by key | |
148 | * @param string $key | |
d72d1923 VP |
149 | */ |
150 | function delete_meta(string $key) | |
151 | { | |
152 | if (!$key ) | |
153 | return false; | |
154 | ||
155 | $meta = [ | |
156 | "id" => $this->id, | |
157 | "key" => $key, | |
158 | ]; | |
c53841fe BM |
159 | $array['meta'] = $meta; |
160 | $array['user'] = $this; | |
161 | Hook::run(HOOKTYPE_USERMETA_DEL, $array); | |
d72d1923 VP |
162 | |
163 | } | |
164 | ||
165 | /** PERMISSIONS */ | |
166 | ||
167 | function add_permission($permission) | |
168 | { | |
169 | $meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : []; | |
170 | if (!in_array($permission,$meta)) | |
171 | $meta[] = $permission; | |
172 | $this->add_meta("permissions", serialize($meta)); // updet de dettabess | |
173 | $this->user_meta['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used | |
174 | } | |
175 | function delete_permission($permission) | |
176 | { | |
177 | $meta = (isset($this->user_meta['permissions'])) ? unserialize($this->user_meta['permissions']) : []; | |
178 | foreach($meta as $key => $value) | |
179 | { | |
180 | if (!strcmp($permission, $value)) | |
181 | unset($meta[$key]); | |
182 | } | |
183 | $this->add_meta("permissions", serialize($meta)); | |
184 | $this->user_meta['permissions'] = serialize($meta); | |
185 | } | |
186 | ||
5a7f0cde VP |
187 | /** Updates core user info. |
188 | * CAUTION: Updating a non-existent column will crash | |
189 | * your shit | |
190 | */ | |
191 | function update_core_info($array) | |
192 | { | |
193 | $arr = ['info' => $array, 'user' => $this]; | |
194 | Hook::run(HOOKTYPE_EDIT_USER, $arr); | |
195 | } | |
579020f8 VP |
196 | |
197 | /** Have I Been Pwned | |
198 | * Check password against HIBP to let them know about their | |
199 | * leaked password. | |
200 | * @param string $password_hash This should be a pre-hashed sha1 password | |
201 | */ | |
202 | function HIBP($password_hash) | |
203 | { | |
3d4e4ec4 VP |
204 | if (get_config("hibp") == false) |
205 | return; | |
579020f8 VP |
206 | $url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5); |
207 | $end = substr($password_hash,5); | |
208 | $ch = curl_init($url); | |
209 | ||
210 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); | |
211 | ||
212 | $response = curl_exec($ch); | |
213 | ||
214 | if (curl_errno($ch)) | |
215 | { | |
216 | error_log("[error] Could not check against Have I Been Pwned API"); | |
217 | return; | |
218 | } | |
219 | $data = explode("\r\n",$response); | |
220 | curl_close($ch); | |
221 | $count = count($data); | |
222 | $i = 1; | |
223 | foreach($data as $dat) | |
224 | { | |
225 | $result = explode(":",$dat); | |
226 | error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5)); | |
227 | if ($result[0] == strtoupper($end)) | |
228 | { | |
229 | error_log("FOUND"); | |
230 | $this->add_meta("hibp", $result[1]); | |
231 | return; | |
232 | } | |
233 | $i++; | |
234 | } | |
235 | } | |
4d634d0a | 236 | } |
a3151e7c | 237 | |
6b3d3f83 VP |
238 | |
239 | /** | |
240 | * This class looks up and returns any user meta. | |
6930484c VP |
241 | * This is used by PanelUser, so you won't need to |
242 | * call it separately from PanelUser. | |
6b3d3f83 | 243 | */ |
6930484c | 244 | class PanelUser_Meta |
4d634d0a | 245 | { |
d72d1923 VP |
246 | public $list = []; |
247 | function __construct($id) | |
248 | { | |
6930484c VP |
249 | $array = []; |
250 | $arr["id"] = $id; | |
251 | $arr['meta'] = &$array; | |
252 | Hook::run(HOOKTYPE_USERMETA_GET, $arr); | |
6930484c VP |
253 | $this->list = $arr['meta']; |
254 | ||
d72d1923 | 255 | } |
a3151e7c VP |
256 | } |
257 | ||
4225314c VP |
258 | /** |
259 | * Array of user | |
260 | * | |
261 | * Required: | |
262 | * user_name | |
263 | * user_pass | |
264 | * | |
265 | * Optional: | |
266 | * user_fname | |
267 | * user_lname | |
268 | * | |
269 | * @param array $user | |
270 | * @throws Exception | |
271 | * @return bool | |
272 | */ | |
180b8ec1 | 273 | function create_new_user(array &$user) : bool |
4d634d0a | 274 | { |
d72d1923 VP |
275 | if (!isset($user['user_name']) || !isset($user['user_pass'])) |
276 | throw new Exception("Attempted to add user without specifying user_name or user_pass"); | |
277 | ||
180b8ec1 | 278 | $user['user_name'] = htmlspecialchars($user['user_name']); |
6b08fcb9 | 279 | $user['user_pass'] = PanelUser::password_hash($user['user_pass']); |
180b8ec1 VP |
280 | $user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL; |
281 | $last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL; | |
282 | $user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL; | |
9a674833 | 283 | $user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL; |
d72d1923 | 284 | |
180b8ec1 VP |
285 | if (($u = new PanelUser($user['user_name']))->id) |
286 | { | |
287 | $user['err'] = "User already exists"; | |
288 | return false; | |
289 | } | |
290 | // internal use | |
291 | $user['success'] = false; | |
292 | $user['errmsg'] = []; | |
293 | ||
294 | Hook::run(HOOKTYPE_USER_CREATE, $user); | |
295 | if (!$user['success']) | |
296 | return false; | |
d72d1923 VP |
297 | |
298 | return true; | |
4d634d0a VP |
299 | } |
300 | ||
301 | /** | |
302 | * Gets the user object for the current session | |
6930484c | 303 | * @return PanelUser|bool |
4d634d0a | 304 | */ |
6930484c | 305 | function unreal_get_current_user() : PanelUser|bool |
a3151e7c | 306 | { |
d3e3ec08 | 307 | if (isset($_SESSION) && isset($_SESSION['id'])) |
d72d1923 | 308 | { |
6930484c | 309 | $user = new PanelUser(NULL, $_SESSION['id']); |
d72d1923 VP |
310 | if ($user->id) |
311 | return $user; | |
312 | } | |
313 | return false; | |
4d634d0a VP |
314 | } |
315 | ||
316 | /** | |
317 | * Checks if a user can do something | |
318 | * @param string $permission | |
319 | * @return bool | |
320 | */ | |
d72d1923 | 321 | function current_user_can($permission) : bool |
4d634d0a | 322 | { |
d72d1923 | 323 | $user = unreal_get_current_user(); |
6c67bf53 VP |
324 | if (!$user) |
325 | return false; | |
2405dc8e VP |
326 | return user_can($user, $permission); |
327 | } | |
328 | ||
329 | /** | |
330 | * Checks if a user can do something | |
331 | * @param string $permission | |
332 | * @return bool | |
333 | */ | |
334 | function user_can(PanelUser $user, $permission) : bool | |
335 | { | |
6f0e7ce4 | 336 | global $config; |
d72d1923 VP |
337 | if (!$user) |
338 | return false; | |
2405dc8e | 339 | |
6f0e7ce4 VP |
340 | if (isset($user->user_meta['role'])) |
341 | { | |
342 | if ($user->user_meta['role'] == "Super-Admin") | |
343 | return true; | |
344 | ||
345 | else if ($user->user_meta['role'] == "Read-Only") | |
346 | return false; | |
347 | ||
348 | else if (in_array($permission, $config['user_roles'][$user->user_meta['role']])) | |
349 | return true; | |
350 | ||
351 | return false; | |
352 | } | |
353 | ||
354 | /* compatibility fallback */ | |
d72d1923 VP |
355 | if (isset($user->user_meta['permissions'])) |
356 | { | |
357 | $perms = unserialize($user->user_meta['permissions']); | |
358 | if (in_array($permission, $perms)) | |
d72d1923 | 359 | return true; |
d72d1923 VP |
360 | } |
361 | return false; | |
4d634d0a VP |
362 | } |
363 | ||
7aad7c29 VP |
364 | /** |
365 | * Delete a user and related meta | |
366 | * @param int $id The ID of the user in the SQL database. | |
d72d1923 | 367 | * @param array $info This will fill with a response. |
7aad7c29 VP |
368 | * @return int |
369 | * | |
370 | * Return values: | |
371 | * 1 The user was successfully deleted. | |
372 | * 0 The user was not found | |
373 | * -1 The admin does not have permission to delete users [TODO] | |
374 | */ | |
375 | function delete_user(int $id, &$info = []) : int | |
376 | { | |
6930484c | 377 | $user = new PanelUser(NULL, $id); |
d72d1923 VP |
378 | if (!$user->id) { |
379 | $info[] = "Could not find user"; | |
380 | return 0; | |
381 | } | |
180b8ec1 VP |
382 | $arr = ["user" => $user, "info" => &$info, "boolint" => 0]; |
383 | Hook::run(HOOKTYPE_USER_DELETE, $arr); | |
384 | return $arr["boolint"]; | |
54b5ea90 VP |
385 | } |
386 | ||
2405dc8e VP |
387 | function get_panel_user_permission_list() |
388 | { | |
389 | $list = [ | |
390 | "Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS, | |
fae5cd15 | 391 | "Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS, |
2405dc8e | 392 | "Can ban/kill IRC users" => PERMISSION_BAN_USERS, |
9616b8e6 | 393 | "Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER, |
2405dc8e | 394 | "Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL, |
462bd723 | 395 | "Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER, |
2405dc8e VP |
396 | "Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD, |
397 | "Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL, | |
398 | "Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD, | |
399 | "Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL, | |
400 | "Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD, | |
401 | "Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL, | |
402 | "Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD, | |
403 | "Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL | |
fae5cd15 | 404 | |
2405dc8e VP |
405 | ]; |
406 | Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions | |
407 | return $list; | |
408 | } | |
409 | ||
410 | function generate_panel_user_permission_table($user) | |
411 | { | |
412 | ||
413 | $list = get_panel_user_permission_list(); | |
414 | foreach($list as $desc => $slug) | |
415 | { | |
416 | $attributes = ""; | |
417 | $attributes .= (current_user_can(PERMISSION_MANAGE_USERS)) ? "" : "disabled "; | |
418 | ?> | |
419 | <div class="input-group"> | |
420 | <div class="input-group-prepend"> | |
421 | <div class="input-group-text"> | |
422 | <input <?php | |
423 | $attributes .= (user_can($user, $slug)) ? "checked" : ""; | |
424 | echo $attributes; | |
425 | ?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox"> | |
426 | </div> | |
427 | </div> | |
428 | <input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>"> | |
429 | </div> | |
430 | ||
431 | <?php | |
432 | } | |
9616b8e6 | 433 | } |
4b48b46f VP |
434 | |
435 | function get_panel_user_roles_list() | |
436 | { | |
8c415815 BM |
437 | GLOBAL $config; |
438 | ||
4b48b46f VP |
439 | /* Defaults */ |
440 | $list = [ | |
8c415815 BM |
441 | "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything |
442 | "Read-Only" => [], // Read Only can do nothing | |
4b48b46f VP |
443 | ]; |
444 | ||
8c415815 BM |
445 | if (isset($config["user_roles"])) |
446 | foreach($config['user_roles'] as $r => $role) | |
447 | $list[$r] = $role; | |
448 | ||
4b48b46f VP |
449 | return $list; |
450 | } | |
451 | ||
452 | function generate_role_list($list) | |
453 | { | |
454 | $list2 = get_panel_user_permission_list(); | |
455 | ?> | |
456 | <h5>Roles List:</h5> | |
457 | <div id="permlist"> | |
088733d4 | 458 | <div class="container-xxl" style="max-width: 1430px;"> |
4b48b46f VP |
459 | <div class="accordion" id="roles_accord"> |
460 | ||
461 | <?php foreach($list as $role => $slug) {?> | |
462 | <div class="card"> | |
463 | <div class="card-header" id="<?php echo to_slug($role); ?>_heading"> | |
464 | <div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>"> | |
465 | <?php echo $role ?> | |
1634b6ac | 466 | |
4b48b46f VP |
467 | </div> |
468 | </div> | |
469 | ||
470 | <div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord"> | |
471 | <div id="results_rpc" class="card-body"> | |
1634b6ac | 472 | <form method="post"> |
6f0e7ce4 | 473 | <?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?> |
1634b6ac VP |
474 | <div class="container row mb-2"> |
475 | <button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button> | |
476 | <button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button> | |
477 | </div> | |
478 | ||
479 | <?php } ?> | |
480 | <div id="<?php echo $role; ?>_input_area"><?php | |
4b48b46f VP |
481 | foreach($list2 as $desc => $slug) |
482 | { | |
483 | $attributes = ""; | |
6f0e7ce4 | 484 | $attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : ""; |
4b48b46f VP |
485 | |
486 | ?> | |
487 | <div class="input-group"> | |
488 | <div class="input-group-prepend"> | |
489 | <div class="input-group-text"> | |
490 | <input <?php | |
491 | $attributes .= (in_array($slug, $list[$role])) ? "checked" : ""; | |
492 | echo $attributes; | |
1634b6ac | 493 | ?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox"> |
4b48b46f VP |
494 | </div> |
495 | </div> | |
496 | <input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>"> | |
497 | </div> | |
498 | ||
499 | <?php | |
500 | } | |
1634b6ac VP |
501 | ?> </div> |
502 | </form> | |
4b48b46f VP |
503 | </div> |
504 | </div> | |
505 | </div> | |
506 | <?php }?> | |
507 | ||
508 | </div></div><br> | |
1634b6ac | 509 | |
4b48b46f VP |
510 | </div><?php |
511 | ||
512 | } |