]>
Commit | Line | Data |
---|---|---|
1 | <?php | |
2 | ||
3 | require_once "SQL/sql.php"; | |
4 | require_once "SQL/settings.php"; | |
5 | ||
6 | class sql_auth | |
7 | { | |
8 | public $name = "SQLAuth"; | |
9 | public $author = "Valware"; | |
10 | public $version = "1.0"; | |
11 | public $description = "Provides a User Auth and Management Panel with an SQL backend"; | |
12 | public $email = "v.a.pond@outlook.com"; | |
13 | ||
14 | function __construct() | |
15 | { | |
16 | self::create_tables(); | |
17 | Hook::func(HOOKTYPE_PRE_HEADER, 'sql_auth::session_start'); | |
18 | Hook::func(HOOKTYPE_FOOTER, 'sql_auth::add_footer_info'); | |
19 | Hook::func(HOOKTYPE_USER_LOOKUP, 'sql_auth::get_user'); | |
20 | Hook::func(HOOKTYPE_USERMETA_ADD, 'sql_auth::add_usermeta'); | |
21 | Hook::func(HOOKTYPE_USERMETA_DEL, 'sql_auth::del_usermeta'); | |
22 | Hook::func(HOOKTYPE_USERMETA_GET, 'sql_auth::get_usermeta'); | |
23 | Hook::func(HOOKTYPE_USER_CREATE, 'sql_auth::user_create'); | |
24 | Hook::func(HOOKTYPE_GET_USER_LIST, 'sql_auth::get_user_list'); | |
25 | Hook::func(HOOKTYPE_USER_DELETE, 'sql_auth::user_delete'); | |
26 | Hook::func(HOOKTYPE_EDIT_USER, 'sql_auth::edit_core'); | |
27 | Hook::func(HOOKTYPE_PRE_OVERVIEW_CARD, 'sql_auth::add_pre_overview_card'); | |
28 | AuthModLoaded::$status = 1; | |
29 | ||
30 | if (defined('SQL_DEFAULT_USER')) // we've got a default account | |
31 | { | |
32 | $lkup = new PanelUser(SQL_DEFAULT_USER['username']); | |
33 | ||
34 | if (!$lkup->id) // doesn't exist, add it with full privileges | |
35 | { | |
36 | $user = []; | |
37 | $user['user_name'] = SQL_DEFAULT_USER['username']; | |
38 | $user['user_pass'] = SQL_DEFAULT_USER['password']; | |
39 | $user['err'] = ""; | |
40 | create_new_user($user); | |
41 | } | |
42 | $lkup = new PanelUser(SQL_DEFAULT_USER['username']); | |
43 | if (!user_can($lkup, PERMISSION_MANAGE_USERS)) | |
44 | $lkup->add_permission(PERMISSION_MANAGE_USERS); | |
45 | } | |
46 | } | |
47 | ||
48 | ||
49 | public static function add_footer_info($empty) | |
50 | { | |
51 | if (!($user = unreal_get_current_user())) | |
52 | return; | |
53 | ||
54 | else { | |
55 | echo "<code>Admin Panel v" . WEBPANEL_VERSION . "</code>"; | |
56 | } | |
57 | } | |
58 | ||
59 | public static function add_pre_overview_card($empty) | |
60 | { | |
61 | if (defined('SQL_DEFAULT_USER')) | |
62 | Message::Fail("Warning: SQL_DEFAULT_USER is set in config.php. You should remove that item now, as it is only used during installation."); | |
63 | } | |
64 | ||
65 | /* pre-Header hook */ | |
66 | public static function session_start($n) | |
67 | { | |
68 | $current_page = $_SERVER['REQUEST_URI']; | |
69 | if (str_ends_with($current_page,"setup.php")) | |
70 | return; | |
71 | ||
72 | if (!isset($_SESSION)) | |
73 | { | |
74 | session_set_cookie_params(3600); | |
75 | session_start(); | |
76 | } | |
77 | if (!isset($_SESSION['id']) || empty($_SESSION)) | |
78 | { | |
79 | ||
80 | $tok = split($_SERVER['SCRIPT_FILENAME'], "/"); | |
81 | if ($check = security_check() && $tok[count($tok) - 1] !== "error.php") { | |
82 | header("Location: " . BASE_URL . "plugins/sql_auth/error.php"); | |
83 | die(); | |
84 | } | |
85 | header("Location: ".BASE_URL."login/?redirect=".urlencode($current_page)); | |
86 | die(); | |
87 | } | |
88 | else | |
89 | { | |
90 | if (!unreal_get_current_user()) // user no longer exists | |
91 | { | |
92 | session_destroy(); | |
93 | header("Location: ".BASE_URL."login"); | |
94 | die(); | |
95 | } | |
96 | // you'll be automatically logged out after one hour of inactivity | |
97 | } | |
98 | } | |
99 | ||
100 | /** | |
101 | * Create the tables we'll be using in the SQLdb | |
102 | * @return void | |
103 | */ | |
104 | public static function create_tables() | |
105 | { | |
106 | $script = $_SERVER['SCRIPT_FILENAME']; | |
107 | if (str_ends_with($script,"setup.php")) | |
108 | return; | |
109 | $conn = sqlnew(); | |
110 | $stmt = $conn->query("SHOW TABLES LIKE '".SQL_PREFIX."%'"); | |
111 | if ($stmt->rowCount() < 5) | |
112 | { | |
113 | header("Location: ".BASE_URL."plugins/sql_auth/setup.php"); | |
114 | die(); | |
115 | } | |
116 | } | |
117 | ||
118 | /* We convert $u with a full user as an object ;D*/ | |
119 | public static function get_user(&$u) | |
120 | { | |
121 | $id = $u['id']; | |
122 | $name = $u['name']; | |
123 | $conn = sqlnew(); | |
124 | ||
125 | if ($id) | |
126 | { | |
127 | $prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE user_id = :id LIMIT 1"); | |
128 | $prep->execute(["id" => strtolower($id)]); | |
129 | } | |
130 | elseif ($name) | |
131 | { | |
132 | $prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE LOWER(user_name) = :name LIMIT 1"); | |
133 | $prep->execute(["name" => strtolower($name)]); | |
134 | } | |
135 | $data = NULL; | |
136 | $obj = (object) []; | |
137 | if ($prep) | |
138 | $data = $prep->fetchAll(); | |
139 | if (isset($data[0]) && $data = $data[0]) | |
140 | { | |
141 | $obj->id = $data['user_id']; | |
142 | $obj->username = $data['user_name']; | |
143 | $obj->passhash = $data['user_pass']; | |
144 | $obj->first_name = $data['user_fname'] ?? NULL; | |
145 | $obj->last_name = $data['user_lname'] ?? NULL; | |
146 | $obj->created = $data['created']; | |
147 | $obj->bio = $data['user_bio']; | |
148 | $obj->email = $data['user_email']; | |
149 | $obj->user_meta = (new PanelUser_Meta($obj->id))->list; | |
150 | } | |
151 | $u['object'] = $obj; | |
152 | } | |
153 | ||
154 | public static function get_usermeta(&$u) | |
155 | { | |
156 | $list = &$u['meta']; | |
157 | $id = $u['id']; | |
158 | $conn = sqlnew(); | |
159 | if (isset($id)) | |
160 | { | |
161 | $prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id"); | |
162 | $prep->execute(["id" => $id]); | |
163 | } | |
164 | foreach ($prep->fetchAll() as $row) | |
165 | { | |
166 | $list[$row['meta_key']] = $row['meta_value']; | |
167 | } | |
168 | } | |
169 | ||
170 | public static function add_usermeta(&$meta) | |
171 | { | |
172 | $meta = $meta['meta']; | |
173 | $conn = sqlnew(); | |
174 | /* check if it exists first, update it if it does */ | |
175 | $query = "SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key"; | |
176 | $stmt = $conn->prepare($query); | |
177 | $stmt->execute(["id" => $meta['id'], "key" => $meta['key']]); | |
178 | if ($stmt->rowCount()) // it exists, update instead of insert | |
179 | { | |
180 | $query = "UPDATE " . SQL_PREFIX . "user_meta SET meta_value = :value WHERE user_id = :id AND meta_key = :key"; | |
181 | $stmt = $conn->prepare($query); | |
182 | $stmt->execute($meta); | |
183 | if ($stmt->rowCount()) | |
184 | return true; | |
185 | return false; | |
186 | } | |
187 | ||
188 | else | |
189 | { | |
190 | $query = "INSERT INTO " . SQL_PREFIX . "user_meta (user_id, meta_key, meta_value) VALUES (:id, :key, :value)"; | |
191 | $stmt = $conn->prepare($query); | |
192 | $stmt->execute($meta); | |
193 | if ($stmt->rowCount()) | |
194 | return true; | |
195 | return false; | |
196 | } | |
197 | } | |
198 | public static function del_usermeta(&$u) | |
199 | { | |
200 | $conn = sqlnew(); | |
201 | $query = "DELETE FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key"; | |
202 | $stmt = $conn->prepare($query); | |
203 | $stmt->execute($u['meta']); | |
204 | if ($stmt->rowCount()) | |
205 | return true; | |
206 | return false; | |
207 | } | |
208 | public static function user_create(&$u) | |
209 | { | |
210 | $username = $u['user_name']; | |
211 | $first_name = $u['fname'] ?? NULL; | |
212 | $last_name = $u['lname'] ?? NULL; | |
213 | $password = $u['user_pass'] ?? NULL; | |
214 | $user_bio = $u['user_bio'] ?? NULL; | |
215 | $user_email = $u['user_email'] ?? NULL; | |
216 | $conn = sqlnew(); | |
217 | $prep = $conn->prepare("INSERT INTO " . SQL_PREFIX . "users (user_name, user_pass, user_fname, user_lname, user_bio, user_email, created) VALUES (:name, :pass, :fname, :lname, :user_bio, :user_email, :created)"); | |
218 | $prep->execute(["name" => $username, "pass" => $password, "fname" => $first_name, "lname" => $last_name, "user_bio" => $user_bio, "user_email" => $user_email, "created" => date("Y-m-d H:i:s")]); | |
219 | if ($prep->rowCount()) | |
220 | $u['success'] = true; | |
221 | else | |
222 | $u['errmsg'][] = "Could not add user"; | |
223 | } | |
224 | ||
225 | public static function get_user_list(&$list) | |
226 | { | |
227 | $conn = sqlnew(); | |
228 | $result = $conn->query("SELECT user_id FROM " . SQL_PREFIX . "users"); | |
229 | if (!$result) // impossible | |
230 | { | |
231 | die("Something went wrong."); | |
232 | } | |
233 | $userlist = []; | |
234 | while($row = $result->fetch()) | |
235 | { | |
236 | $userlist[] = new PanelUser(NULL, $row['user_id']); | |
237 | } | |
238 | if (!empty($userlist)) | |
239 | $list = $userlist; | |
240 | ||
241 | } | |
242 | public static function user_delete(&$u) | |
243 | { | |
244 | $user = $u['user']; | |
245 | $query = "DELETE FROM " . SQL_PREFIX . "users WHERE user_id = :id"; | |
246 | $conn = sqlnew(); | |
247 | $stmt = $conn->prepare($query); | |
248 | $stmt->execute(["id" => $user->id]); | |
249 | $deleted = $stmt->rowCount(); | |
250 | if ($deleted) | |
251 | { | |
252 | $u['info'][] = "Successfully deleted user \"$user->username\""; | |
253 | $u['boolint'] = 1; | |
254 | } else { | |
255 | $u['info'][] = "Unknown error"; | |
256 | $u['boolint'] = 0; | |
257 | } | |
258 | } | |
259 | ||
260 | public static function edit_core($arr) | |
261 | { | |
262 | $conn = sqlnew(); | |
263 | $user = $arr['user']; | |
264 | $info = $arr['info']; | |
265 | foreach($info as $key => $val) | |
266 | { | |
267 | $value = NULL; | |
268 | if (!$val || !strlen($val) || BadPtr($val)) | |
269 | continue; | |
270 | if (!strcmp($key,"update_fname") && $val != $user->first_name) | |
271 | { | |
272 | $value = "user_fname"; | |
273 | $valuestr = "first name"; | |
274 | } | |
275 | elseif (!strcmp($key,"update_lname") && $val != $user->last_name) | |
276 | { | |
277 | $value = "user_lname"; | |
278 | $valuestr = "last name"; | |
279 | } | |
280 | elseif (!strcmp($key,"update_bio") && $val != $user->bio) | |
281 | { | |
282 | $value = "user_bio"; | |
283 | $valuestr = "bio"; | |
284 | } | |
285 | elseif (!strcmp($key,"update_pass") || !strcmp($key,"update_pass_conf")) | |
286 | { | |
287 | $value = "user_pass"; | |
288 | $valuestr = "password"; | |
289 | } | |
290 | elseif(!strcmp($key,"update_email") && $val != $user->email) | |
291 | { | |
292 | $value = "user_email"; | |
293 | $valuestr = "email address"; | |
294 | } | |
295 | ||
296 | if (!$value) | |
297 | continue; | |
298 | $query = "UPDATE " . SQL_PREFIX . "users SET $value=:value WHERE user_id = :id"; | |
299 | $stmt = $conn->prepare($query); | |
300 | $stmt->execute(["value" => $val, "id" => $user->id]); | |
301 | ||
302 | if (!$stmt->rowCount() && $stmt->errorInfo()[0] != "00000") | |
303 | Message::Fail("Could not update $valuestr for $user->username: ".$stmt->errorInfo()[0]." (CODE: ".$stmt->errorCode().")"); | |
304 | ||
305 | else | |
306 | Message::Success("Successfully updated the $valuestr for $user->username"); | |
307 | } | |
308 | } | |
309 | } | |
310 | ||
311 | ||
312 | function security_check() | |
313 | { | |
314 | $ip = $_SERVER['REMOTE_ADDR']; | |
315 | if (dnsbl_check($ip)) | |
316 | return true; | |
317 | ||
318 | else if (fail2ban_check($ip)) | |
319 | { | |
320 | ||
321 | } | |
322 | } | |
323 | ||
324 | function dnsbl_check($ip) | |
325 | { | |
326 | ||
327 | if (!defined('DNSBL')) | |
328 | return; | |
329 | $dnsbl_lookup = DNSBL; | |
330 | ||
331 | // clear variable just in case | |
332 | $listed = NULL; | |
333 | ||
334 | // if the IP was not given because you're an idiot, stop processing | |
335 | if (!$ip) { return; } | |
336 | ||
337 | // get the first two segments of the IPv4 | |
338 | $because = split($ip, "."); // why you | |
339 | $you = $because[1]; // gotta play | |
340 | $want = $because[2]; // that song | |
341 | $to = $you.".".$want."."; // so loud? | |
342 | ||
343 | // exempt local connections because sometimes they get a false positive | |
344 | if ($to == "192.168." || $to == "127.0.") { return NULL; } | |
345 | ||
346 | // you spin my IP right round, right round, to check the records baby, right round-round-round | |
347 | $reverse_ip = glue(array_reverse(split($ip, ".")), "."); | |
348 | ||
349 | // checkem | |
350 | foreach ($dnsbl_lookup as $host) { | |
351 | ||
352 | //if it was listed | |
353 | if (checkdnsrr($reverse_ip . "." . $host . ".", "A")) { | |
354 | ||
355 | //take note | |
356 | $listed = $host; | |
357 | } | |
358 | } | |
359 | ||
360 | // if it was safe, return NOTHING | |
361 | if (!$listed) { | |
362 | return NULL; | |
363 | } | |
364 | ||
365 | // else, you guessed it, return where it was listed | |
366 | else { | |
367 | return $listed; | |
368 | } | |
369 | } | |
370 | ||
371 | function fail2ban_check($ip) | |
372 | { | |
373 | ||
374 | } |