Users: Scratch the "Secure" column, as it's less useful nowadays that

[irc/unrealircd/unrealircd-webpanel.git] / Classes / class-paneluser.php

diff --git a/Classes/class-paneluser.php b/Classes/class-paneluser.php
index 8d44bbc7cfd7b6681ad99a63137da6de149d16f0..217226f11fa46420854b4545987479bdfa40e857 100644 (file)
--- a/Classes/class-paneluser.php
+++ b/Classes/class-paneluser.php
@@ -25,6 +25,8 @@ define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del');
 define('PERMISSION_SPAMFILTER_ADD', 'sf_add'); 
 /** Can delete spamfilter entries */
 define('PERMISSION_SPAMFILTER_DEL', 'sf_del'); 
+/** Can rehash servers */
+define('PERMISSION_REHASH', 'rhs');
 /**
  * PanelUser
  * This is the User class for the SQL_Auth plugin
@@ -51,8 +53,9 @@ class PanelUser
                $user["name"] = $name;
                $user["id"] = $id;
                $user["object"] = NULL;
-
                Hook::run(HOOKTYPE_USER_LOOKUP, $user);
+               if ($user['object'] === null)
+                       return; /* no auth module loaded? */
                foreach ($user['object'] as $key => $value)
                        $this->$key = $value;
        }
@@ -62,13 +65,40 @@ class PanelUser
         * @param string $input
         * @return bool
         */
-       function password_verify(string $input) : bool
+       function password_verify(string $password, bool &$hash_needs_updating = false) : bool
        {
-               if (password_verify($input, $this->passhash))
-                       return true;
+               GLOBAL $config;
+               $hash_needs_updating = false;
+
+               if (str_starts_with($this->passhash, "peppered:"))
+               {
+                       /* Argon2 with pepper */
+                       $password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
+                       if (password_verify($password, substr($this->passhash,9)))
+                               return true;
+               } else {
+                       /* Old standard argon2 */
+                       if (password_verify($password, $this->passhash))
+                       {
+                               $hash_needs_updating = true;
+                               return true;
+                       }
+               }
                return false;
        }
 
+       /**
+        * Generate hash of user's password
+        * @param string $password
+        * @return string
+        */
+       public static function password_hash(string $password) : string
+       {
+               GLOBAL $config;
+               $input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
+               return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
+       }
+
        /**
         * Add user meta data
         * @param string $key
@@ -131,6 +161,15 @@ class PanelUser
                $this->user_meta['permissions'] = serialize($meta);
        }
 
+       /** Updates core user info.
+        * CAUTION: Updating a non-existent column will crash
+        * your shit
+        */
+       function update_core_info($array)
+       {
+               $arr = ['info' => $array, 'user' => $this];
+               Hook::run(HOOKTYPE_EDIT_USER, $arr);
+       }
 }
 
 
@@ -148,7 +187,6 @@ class PanelUser_Meta
                $arr["id"] = $id;
                $arr['meta'] = &$array;
                Hook::run(HOOKTYPE_USERMETA_GET, $arr);
-               do_log($array);
                $this->list = $arr['meta'];
                
        }
@@ -175,10 +213,11 @@ function create_new_user(array &$user) : bool
                throw new Exception("Attempted to add user without specifying user_name or user_pass");
 
        $user['user_name'] = htmlspecialchars($user['user_name']);
-       $user['user_pass'] = password_hash($user['user_pass'], PASSWORD_ARGON2ID);
+       $user['user_pass'] = PanelUser::password_hash($user['user_pass']);
        $user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
        $last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
        $user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
+       $user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;
 
        if (($u = new PanelUser($user['user_name']))->id)
        {
@@ -202,12 +241,7 @@ function create_new_user(array &$user) : bool
  */
 function unreal_get_current_user() : PanelUser|bool
 {
-       if (!isset($_SESSION))
-       {
-               session_set_cookie_params(3600);
-               session_start();
-       }
-       if (isset($_SESSION['id']))
+       if (isset($_SESSION) && isset($_SESSION['id']))
        {
                $user = new PanelUser(NULL, $_SESSION['id']);
                if ($user->id)
@@ -224,17 +258,26 @@ function unreal_get_current_user() : PanelUser|bool
 function current_user_can($permission) : bool
 {
        $user = unreal_get_current_user();
-       do_log($user);
        if (!$user)
                return false;
-       do_log($user);
+       return user_can($user, $permission);
+}
+
+/**
+ * Checks if a user can do something
+ * @param string $permission
+ * @return bool
+ */
+function user_can(PanelUser $user, $permission) : bool
+{
+       if (!$user)
+               return false;
+
        if (isset($user->user_meta['permissions']))
        {
                $perms = unserialize($user->user_meta['permissions']);
                if (in_array($permission, $perms))
-               {
                        return true;
-               }
        }
        return false;
 }
@@ -262,3 +305,122 @@ function delete_user(int $id, &$info = []) : int
        return $arr["boolint"];
 }
 
+function get_panel_user_permission_list()
+{
+       $list = [
+               "Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
+               "Can ban/kill IRC users" => PERMISSION_BAN_USERS,
+               "Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
+               "Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
+               "Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
+               "Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD,
+               "Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL,
+               "Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD,
+               "Can unforbid usernames and channels" => PERMISSION_NAME_BAN_DEL,
+               "Can add server ban exceptions" => PERMISSION_BAN_EXCEPTION_ADD,
+               "Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
+               "Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
+               "Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
+       ];
+       Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
+       return $list;
+}
+
+function generate_panel_user_permission_table($user)
+{
+       
+       $list = get_panel_user_permission_list();
+       foreach($list as $desc => $slug)
+       {
+               $attributes = "";
+               $attributes .= (current_user_can(PERMISSION_MANAGE_USERS)) ? "" : "disabled ";
+               ?>
+               <div class="input-group">
+                       <div class="input-group-prepend">
+                               <div class="input-group-text">
+                                       <input <?php
+                                               $attributes .= (user_can($user, $slug)) ? "checked" : "";
+                                               echo $attributes;
+                                       ?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
+                               </div>
+                       </div>
+                       <input type="text" readonly  class="form-control" value="<?php echo "$desc ($slug)"; ?>">
+               </div>
+
+               <?php
+       }
+}
+
+function get_panel_user_roles_list()
+{
+       /* Defaults */
+       $list = [
+        "Super Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
+        "Read Only" => [], // Read Only can do nothing
+       ];
+
+       Hook::run(HOOKTYPE_USER_ROLE_LIST, $list);
+       return $list;
+}
+
+function generate_role_list($list)
+{
+       $list2 = get_panel_user_permission_list();
+       ?>
+               <h5>Roles List:</h5>
+               <div id="permlist">
+               <div class="container-xxl" style="max-width: 1430px;">
+               <div class="accordion" id="roles_accord">
+
+<?php foreach($list as $role => $slug) {?>
+       <div class="card">
+               <div class="card-header" id="<?php echo to_slug($role); ?>_heading">
+                       <div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
+                               <?php echo $role ?>
+                               
+                       </div>
+               </div>
+
+               <div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
+                       <div id="results_rpc" class="card-body">
+                               <form method="post">
+                               <?php if ($role !== "Super Admin" && $role !== "Read Only") { ?>
+                                       <div class="container row mb-2">
+                                               <button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
+                                               <button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
+                                       </div>
+                                       
+                               <?php } ?>
+                               <div id="<?php echo $role; ?>_input_area"><?php
+                                       foreach($list2 as $desc => $slug)
+                                       {
+                                       $attributes = "";
+                                       $attributes .= ($role == "Super Admin" || $role == "Read Only") ? "disabled " : "";
+
+                                               ?>
+                                               <div class="input-group">
+                                                       <div class="input-group-prepend">
+                                                               <div class="input-group-text">
+                                                                       <input <?php
+                                                                               $attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
+                                                                               echo $attributes;
+                                                                       ?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
+                                                               </div>
+                                                       </div>
+                                                       <input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
+                                               </div>
+                               
+                                               <?php
+                                       }
+                               ?>      </div>
+                               </form>
+                       </div>
+               </div>
+       </div>
+<?php }?>
+
+               </div></div><br>
+                       
+</div><?php
+
+}