define('PERMISSION_SPAMFILTER_DEL', 'sf_del');
/** Can rehash servers */
define('PERMISSION_REHASH', 'rhs');
+/** Can install and uninstall plugins */
+define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
/**
* PanelUser
* This is the User class for the SQL_Auth plugin
* @param string $input
* @return bool
*/
- function password_verify(string $input) : bool
+ function password_verify(string $password, bool &$hash_needs_updating = false) : bool
{
- if (password_verify($input, $this->passhash))
- return true;
+ GLOBAL $config;
+ $hash_needs_updating = false;
+
+ if (str_starts_with($this->passhash, "peppered:"))
+ {
+ /* Argon2 with pepper */
+ $password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
+ if (password_verify($password, substr($this->passhash,9)))
+ return true;
+ } else {
+ /* Old standard argon2 */
+ if (password_verify($password, $this->passhash))
+ {
+ $hash_needs_updating = true;
+ return true;
+ }
+ }
return false;
}
+ /**
+ * Generate hash of user's password
+ * @param string $password
+ * @return string
+ */
+ public static function password_hash(string $password) : string
+ {
+ GLOBAL $config;
+ $input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
+ return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
+ }
+
/**
* Add user meta data
- * @param string $key
- * @param string $value
+ * If using an array for the first param then you
+ * must also use an array for the second param
+ * @param array|string $key
+ * @param array|string|int|bool|null $value
*/
- function add_meta(string $key, string $value)
+ function add_meta(array|string $key, array|string|int|bool|null $value)
{
- if (!$key || !$value)
+ if (!$key)
return false;
- $meta = [
- "id" => $this->id,
- "key" => $key,
- "value" => $value
- ];
+ if (is_array($key))
+ {
+ foreach ($key as $i => $k)
+ $arr[$k] = $value[$i];
+ } else {
+ $arr[$key] = $value;
+ }
- $array['meta'] = $meta;
- $array['user'] = $this;
- Hook::run(HOOKTYPE_USERMETA_ADD, $array);
+ foreach($arr as $k => $v)
+ {
+ $meta = [
+ "id" => $this->id,
+ "key" => $k,
+ "value" => $v
+ ];
+
+ $array['meta'] = $meta;
+ $array['user'] = $this;
+ Hook::run(HOOKTYPE_USERMETA_ADD, $array);
+ }
}
"id" => $this->id,
"key" => $key,
];
- Hook::run(HOOKTYPE_USERMETA_DEL, $meta);
+ $array['meta'] = $meta;
+ $array['user'] = $this;
+ Hook::run(HOOKTYPE_USERMETA_DEL, $array);
}
throw new Exception("Attempted to add user without specifying user_name or user_pass");
$user['user_name'] = htmlspecialchars($user['user_name']);
- $user['user_pass'] = password_hash($user['user_pass'], PASSWORD_ARGON2ID);
+ $user['user_pass'] = PanelUser::password_hash($user['user_pass']);
$user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
$last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
$user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
*/
function user_can(PanelUser $user, $permission) : bool
{
+ global $config;
if (!$user)
return false;
+ if (isset($user->user_meta['role']))
+ {
+ if ($user->user_meta['role'] == "Super-Admin")
+ return true;
+
+ else if ($user->user_meta['role'] == "Read-Only")
+ return false;
+
+ else if (in_array($permission, $config['user_roles'][$user->user_meta['role']]))
+ return true;
+
+ return false;
+ }
+
+ /* compatibility fallback */
if (isset($user->user_meta['permissions']))
{
$perms = unserialize($user->user_meta['permissions']);
{
$list = [
"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
+ "Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
+
];
Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
return $list;
function get_panel_user_roles_list()
{
+ GLOBAL $config;
+
/* Defaults */
$list = [
- "Super Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
- "Read Only" => [], // Read Only can do nothing
+ "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
+ "Read-Only" => [], // Read Only can do nothing
];
- Hook::run(HOOKTYPE_USER_ROLE_LIST, $list);
+ if (isset($config["user_roles"]))
+ foreach($config['user_roles'] as $r => $role)
+ $list[$r] = $role;
+
return $list;
}
<div class="card-header" id="<?php echo to_slug($role); ?>_heading">
<div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
<?php echo $role ?>
- <i style="padding-top:-30px;padding-bottom: -30px;"class="fa fa-trash fa-1" aria-hidden="true"></i>
+
</div>
</div>
<div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
<div id="results_rpc" class="card-body">
- <?php
+ <form method="post">
+ <?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
+ <div class="container row mb-2">
+ <button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
+ <button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
+ </div>
+
+ <?php } ?>
+ <div id="<?php echo $role; ?>_input_area"><?php
foreach($list2 as $desc => $slug)
{
$attributes = "";
- $attributes .= ($role == "Super Admin" || $role == "Read Only") ? "disabled " : "";
+ $attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : "";
?>
<div class="input-group">
<input <?php
$attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
echo $attributes;
- ?> name="<?php echo to_slug($role); ?>_permissions[]" value="<?php echo $slug; ?>" type="checkbox">
+ ?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
</div>
</div>
<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
<?php
}
- ?>
+ ?> </div>
+ </form>
</div>
</div>
</div>
<?php }?>
</div></div><br>
- <button type="submit" class="btn btn-primary">Save changes</div>
+
</div><?php
}