define('PERMISSION_SPAMFILTER_DEL', 'sf_del');
/** Can rehash servers */
define('PERMISSION_REHASH', 'rhs');
+/** Can install and uninstall plugins */
+define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
/**
* PanelUser
* This is the User class for the SQL_Auth plugin
{
GLOBAL $config;
$hash_needs_updating = false;
-
+ $p2 = $password;
if (str_starts_with($this->passhash, "peppered:"))
{
/* Argon2 with pepper */
$password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
if (password_verify($password, substr($this->passhash,9)))
+ {
+ $this->HIBP(sha1($p2));
return true;
- } else {
+ }
+ }
+ else
+ {
/* Old standard argon2 */
if (password_verify($password, $this->passhash))
{
+ $this->HIBP(sha1($p2));
$hash_needs_updating = true;
return true;
}
/**
* Add user meta data
- * You may use arrays or strings but both parameter types must match
+ * If using an array for the first param then you
+ * must also use an array for the second param
* @param array|string $key
- * @param array|string $value
+ * @param array|string|int|bool|null $value
*/
- function add_meta(array|string $key, array|string $value)
+ function add_meta(array|string $key, array|string|int|bool|null $value)
{
- if (!$key || !$value)
+ if (!$key)
return false;
- if (is_string($key) && is_string($value))
- $arr[$key] = $value;
-
- else
+ if (is_array($key))
+ {
foreach ($key as $i => $k)
$arr[$k] = $value[$i];
-
+ } else {
+ $arr[$key] = $value;
+ }
+
foreach($arr as $k => $v)
{
$meta = [
$arr = ['info' => $array, 'user' => $this];
Hook::run(HOOKTYPE_EDIT_USER, $arr);
}
+
+ /** Have I Been Pwned
+ * Check password against HIBP to let them know about their
+ * leaked password.
+ * @param string $password_hash This should be a pre-hashed sha1 password
+ */
+ function HIBP($password_hash)
+ {
+ if (get_config("hibp") == false)
+ return;
+ $url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
+ $end = substr($password_hash,5);
+ $ch = curl_init($url);
+
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+
+ $response = curl_exec($ch);
+
+ if (curl_errno($ch))
+ {
+ error_log("[error] Could not check against Have I Been Pwned API");
+ return;
+ }
+ $data = explode("\r\n",$response);
+ curl_close($ch);
+ $count = count($data);
+ $i = 1;
+ foreach($data as $dat)
+ {
+ $result = explode(":",$dat);
+ error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5));
+ if ($result[0] == strtoupper($end))
+ {
+ error_log("FOUND");
+ $this->add_meta("hibp", $result[1]);
+ return;
+ }
+ $i++;
+ }
+ }
}
{
$list = [
"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
+ "Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
+
];
Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
return $list;
projects / irc / unrealircd / unrealircd-webpanel.git / blobdiff