2 /** Relating to Panel Access: Can add, delete and edit users. Big boss. */
3 define('PERMISSION_MANAGE_USERS', 'manage_users');
4 /** Relating to Users tab: Can ban users connected to IRC */
5 define('PERMISSION_BAN_USERS', 'ban_users');
6 /** Change properties of a user, i.e. vhost, modes and more */
7 define('PERMISSION_EDIT_USER', 'edit_user');
8 /** Change properties of a channel, i.e. topic, modes and more */
9 define('PERMISSION_EDIT_CHANNEL', 'edit_channel');
10 /** Change properties of a user on a channel i.e give/remove voice or ops and more */
11 define('PERMISSION_EDIT_CHANNEL_USER', 'edit_channel_user');
12 /** Can add manual bans, including G-Lines, Z-Lines and more */
13 define('PERMISSION_SERVER_BAN_ADD', 'tkl_add');
14 /** Can remove set bans, including G-Lines, Z-Lines and more */
15 define('PERMISSION_SERVER_BAN_DEL', 'tkl_del');
16 /** Can add Name Bans (Q-Lines) */
17 define('PERMISSION_NAME_BAN_ADD', 'nb_add');
18 /** Can delete Name Bans (Q-Lines) */
19 define('PERMISSION_NAME_BAN_DEL', 'nb_del');
20 /** Can add ban exceptions (E-Lines) */
21 define('PERMISSION_BAN_EXCEPTION_ADD', 'be_add');
22 /** Can delete ban exceptions (E-Lines) */
23 define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del');
24 /** Can add spamfilter entries */
25 define('PERMISSION_SPAMFILTER_ADD', 'sf_add');
26 /** Can delete spamfilter entries */
27 define('PERMISSION_SPAMFILTER_DEL', 'sf_del');
28 /** Can rehash servers */
29 define('PERMISSION_REHASH', 'rhs');
30 /** Can install and uninstall plugins */
31 define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
34 * This is the User class for the SQL_Auth plugin
39 public $username = NULL;
40 private $passhash = NULL;
41 public $first_name = NULL;
42 public $last_name = NULL;
43 public $created = NULL;
44 public $user_meta = [];
49 * Find a user in the database by name or ID
53 function __construct(string $name = NULL, int $id = NULL)
55 $user["name"] = $name;
57 $user["object"] = NULL;
58 Hook
::run(HOOKTYPE_USER_LOOKUP
, $user);
59 if ($user['object'] === null)
60 return; /* no auth module loaded? */
61 foreach ($user['object'] as $key => $value)
66 * Verify a user's password
67 * @param string $input
70 function password_verify(string $password, bool &$hash_needs_updating = false) : bool
73 $hash_needs_updating = false;
75 if (str_starts_with($this->passhash
, "peppered:"))
77 /* Argon2 with pepper */
78 $password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
79 if (password_verify($password, substr($this->passhash
,9)))
81 $this->HIBP(sha1($p2));
87 /* Old standard argon2 */
88 if (password_verify($password, $this->passhash
))
90 $this->HIBP(sha1($p2));
91 $hash_needs_updating = true;
99 * Generate hash of user's password
100 * @param string $password
103 public static function password_hash(string $password) : string
106 $input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
107 return "peppered:".password_hash($input, PASSWORD_ARGON2ID
);
112 * If using an array for the first param then you
113 * must also use an array for the second param
114 * @param array|string $key
115 * @param array|string|int|bool|null $value
117 function add_meta(array|string $key, array|string|int|bool|null $value)
125 foreach ($key as $i => $k)
126 $arr[$k] = $value[$i];
131 foreach($arr as $k => $v)
139 $array['meta'] = $meta;
140 $array['user'] = $this;
141 Hook
::run(HOOKTYPE_USERMETA_ADD
, $array);
147 * Delete user meta data by key
150 function delete_meta(string $key)
159 $array['meta'] = $meta;
160 $array['user'] = $this;
161 Hook
::run(HOOKTYPE_USERMETA_DEL
, $array);
167 function add_permission($permission)
169 $meta = (isset($this->user_meta
['permissions'])) ? unserialize($this->user_meta
['permissions']) : [];
170 if (!in_array($permission,$meta))
171 $meta[] = $permission;
172 $this->add_meta("permissions", serialize($meta)); // updet de dettabess
173 $this->user_meta
['permissions'] = serialize($meta); // put it back in our object in case it still needs to be used
175 function delete_permission($permission)
177 $meta = (isset($this->user_meta
['permissions'])) ? unserialize($this->user_meta
['permissions']) : [];
178 foreach($meta as $key => $value)
180 if (!strcmp($permission, $value))
183 $this->add_meta("permissions", serialize($meta));
184 $this->user_meta
['permissions'] = serialize($meta);
187 /** Updates core user info.
188 * CAUTION: Updating a non-existent column will crash
191 function update_core_info($array)
193 $arr = ['info' => $array, 'user' => $this];
194 Hook
::run(HOOKTYPE_EDIT_USER
, $arr);
197 /** Have I Been Pwned
198 * Check password against HIBP to let them know about their
200 * @param string $password_hash This should be a pre-hashed sha1 password
202 function HIBP($password_hash)
204 if (get_config("hibp") == false)
206 $url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
207 $end = substr($password_hash,5);
208 $ch = curl_init($url);
210 curl_setopt($ch, CURLOPT_RETURNTRANSFER
, true);
212 $response = curl_exec($ch);
216 error_log("[error] Could not check against Have I Been Pwned API");
219 $data = explode("\r\n",$response);
221 $count = count($data);
223 foreach($data as $dat)
225 $result = explode(":",$dat);
226 error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5));
227 if ($result[0] == strtoupper($end))
230 $this->add_meta("hibp", $result[1]);
240 * This class looks up and returns any user meta.
241 * This is used by PanelUser, so you won't need to
242 * call it separately from PanelUser.
247 function __construct($id)
251 $arr['meta'] = &$array;
252 Hook
::run(HOOKTYPE_USERMETA_GET
, $arr);
253 $this->list = $arr['meta'];
273 function create_new_user(array &$user) : bool
275 if (!isset($user['user_name']) || !isset($user['user_pass']))
276 throw new Exception("Attempted to add user without specifying user_name or user_pass");
278 $user['user_name'] = htmlspecialchars($user['user_name']);
279 $user['user_pass'] = PanelUser
::password_hash($user['user_pass']);
280 $user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
281 $last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
282 $user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
283 $user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;
285 if (($u = new PanelUser($user['user_name']))->id
)
287 $user['err'] = "User already exists";
291 $user['success'] = false;
292 $user['errmsg'] = [];
294 Hook
::run(HOOKTYPE_USER_CREATE
, $user);
295 if (!$user['success'])
302 * Gets the user object for the current session
303 * @return PanelUser|bool
305 function unreal_get_current_user() : PanelUser
|bool
307 if (isset($_SESSION) && isset($_SESSION['id']))
309 $user = new PanelUser(NULL, $_SESSION['id']);
317 * Checks if a user can do something
318 * @param string $permission
321 function current_user_can($permission) : bool
323 $user = unreal_get_current_user();
326 return user_can($user, $permission);
330 * Checks if a user can do something
331 * @param string $permission
334 function user_can(PanelUser
$user, $permission) : bool
340 if (isset($user->user_meta
['role']))
342 if ($user->user_meta
['role'] == "Super-Admin")
345 else if ($user->user_meta
['role'] == "Read-Only")
348 else if (in_array($permission, $config['user_roles'][$user->user_meta
['role']]))
354 /* compatibility fallback */
355 if (isset($user->user_meta
['permissions']))
357 $perms = unserialize($user->user_meta
['permissions']);
358 if (in_array($permission, $perms))
365 * Delete a user and related meta
366 * @param int $id The ID of the user in the SQL database.
367 * @param array $info This will fill with a response.
371 * 1 The user was successfully deleted.
372 * 0 The user was not found
373 * -1 The admin does not have permission to delete users [TODO]
375 function delete_user(int $id, &$info = []) : int
377 $user = new PanelUser(NULL, $id);
379 $info[] = "Could not find user";
382 $arr = ["user" => $user, "info" => &$info, "boolint" => 0];
383 Hook
::run(HOOKTYPE_USER_DELETE
, $arr);
384 return $arr["boolint"];
387 function get_panel_user_permission_list()
390 "Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS
,
391 "Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS
,
392 "Can ban/kill IRC users" => PERMISSION_BAN_USERS
,
393 "Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER
,
394 "Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL
,
395 "Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER
,
396 "Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD
,
397 "Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL
,
398 "Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD
,
399 "Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL
,
400 "Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD
,
401 "Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL
,
402 "Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD
,
403 "Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
406 Hook
::run(HOOKTYPE_USER_PERMISSION_LIST
, $list); // so plugin writers can add their own permissions
410 function generate_panel_user_permission_table($user)
413 $list = get_panel_user_permission_list();
414 foreach($list as $desc => $slug)
417 $attributes .= (current_user_can(PERMISSION_MANAGE_USERS
)) ? "" : "disabled ";
419 <div
class="input-group">
420 <div
class="input-group-prepend">
421 <div
class="input-group-text">
423 $attributes .= (user_can($user, $slug)) ? "checked" : "";
425 ?> name
="permissions[]" value
="<?php echo $slug; ?>" type
="checkbox">
428 <input type
="text" readonly
class="form-control" value
="<?php echo "$desc ($slug)"; ?>">
435 function get_panel_user_roles_list()
441 "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
442 "Read-Only" => [], // Read Only can do nothing
445 if (isset($config["user_roles"]))
446 foreach($config['user_roles'] as $r => $role)
452 function generate_role_list($list)
454 $list2 = get_panel_user_permission_list();
458 <div
class="container-xxl" style
="max-width: 1430px;">
459 <div
class="accordion" id
="roles_accord">
461 <?php
foreach($list as $role => $slug) {?>
463 <div
class="card-header" id
="<?php echo to_slug($role); ?>_heading">
464 <div
class="btn-header-link btn-block text-left collapsed" type
="button" data
-toggle
="collapse" data
-target
="#collapse_<?php echo to_slug($role); ?>" aria
-expanded
="true" aria
-controls
="collapse_<?php echo to_slug($role); ?>">
470 <div id
="collapse_<?php echo to_slug($role); ?>" class="collapse" aria
-labelledby
="<?php echo to_slug($role); ?>_heading" data
-parent
="#roles_accord">
471 <div id
="results_rpc" class="card-body">
473 <?php
if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
474 <div
class="container row mb-2">
475 <button id
="update_role" name
="update_role" value
="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update
</button
>
476 <button id
="delete_role" name
="del_role_name" value
="<?php echo $role ?>" class="btn btn-danger"><i
class="fa fa-trash fa-1" aria
-hidden
="true"></i
></button
>
480 <div id
="<?php echo $role; ?>_input_area"><?php
481 foreach($list2 as $desc => $slug)
484 $attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : "";
487 <div
class="input-group">
488 <div
class="input-group-prepend">
489 <div
class="input-group-text">
491 $attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
493 ?> name
="permissions[]" value
="<?php echo $slug; ?>" type
="checkbox">
496 <input type
="text" readonly
class="form-control" value
="<?php echo "$desc ($slug)"; ?>">