X-Git-Url: https://jfr.im/git/irc/unrealircd/unrealircd-webpanel.git/blobdiff_plain/2405dc8ef2aead4638a7d792c5f424bcee283ac4..cd26522ba6ff68c18e1504b022ca92f4d01827be:/Classes/class-paneluser.php

diff --git a/Classes/class-paneluser.php b/Classes/class-paneluser.php
index fc8337b..d6350f0 100644
--- a/Classes/class-paneluser.php
+++ b/Classes/class-paneluser.php
@@ -25,6 +25,10 @@ define('PERMISSION_BAN_EXCEPTION_DEL', 'be_del');
 define('PERMISSION_SPAMFILTER_ADD', 'sf_add'); 
 /** Can delete spamfilter entries */
 define('PERMISSION_SPAMFILTER_DEL', 'sf_del'); 
+/** Can rehash servers */
+define('PERMISSION_REHASH', 'rhs');
+/** Can install and uninstall plugins */
+define('PERMISSION_MANAGE_PLUGINS', 'mng_plg');
 /**
  * PanelUser
  * This is the User class for the SQL_Auth plugin
@@ -51,8 +55,9 @@ class PanelUser
 		$user["name"] = $name;
 		$user["id"] = $id;
 		$user["object"] = NULL;
-
 		Hook::run(HOOKTYPE_USER_LOOKUP, $user);
+		if ($user['object'] === null)
+			return; /* no auth module loaded? */
 		foreach ($user['object'] as $key => $value)
 			$this->$key = $value;
 	}
@@ -62,33 +67,79 @@ class PanelUser
 	 * @param string $input
 	 * @return bool
 	 */
-	function password_verify(string $input) : bool
+	function password_verify(string $password, bool &$hash_needs_updating = false) : bool
 	{
-		if (password_verify($input, $this->passhash))
-			return true;
+		GLOBAL $config;
+		$hash_needs_updating = false;
+		$p2 = $password;
+		if (str_starts_with($this->passhash, "peppered:"))
+		{
+			/* Argon2 with pepper */
+			$password = hash_hmac("sha256", $password, $config['secrets']['pepper']);
+			if (password_verify($password, substr($this->passhash,9)))
+			{
+				$this->HIBP(sha1($p2));
+				return true;
+			}
+		}
+		else
+		{
+			/* Old standard argon2 */
+			if (password_verify($password, $this->passhash))
+			{
+				$this->HIBP(sha1($p2));
+				$hash_needs_updating = true;
+				return true;
+			}
+		}
 		return false;
 	}
 
+	/**
+	 * Generate hash of user's password
+	 * @param string $password
+	 * @return string
+	 */
+	public static function password_hash(string $password) : string
+	{
+		GLOBAL $config;
+		$input = hash_hmac("sha256", $password, $config['secrets']['pepper']);
+		return "peppered:".password_hash($input, PASSWORD_ARGON2ID);
+	}
+
 	/**
 	 * Add user meta data
-	 * @param string $key
-	 * @param string $value
+	 * If using an array for the first param then you
+	 * must also use an array for the second param
+	 * @param array|string $key
+	 * @param array|string|int|bool|null $value
 	 */
-	function add_meta(string $key, string $value)
+	function add_meta(array|string $key, array|string|int|bool|null $value)
 	{
 		
-		if (!$key || !$value)
+		if (!$key)
 			return false;
 
-		$meta = [
-			"id" => $this->id,
-			"key" => $key,
-			"value" => $value
-		];
+		if (is_array($key))
+		{
+			foreach ($key as $i => $k)
+				$arr[$k] = $value[$i];
+		} else {
+			$arr[$key] = $value;
+		}
 
-		$array['meta'] = $meta;
-		$array['user'] = $this;
-		Hook::run(HOOKTYPE_USERMETA_ADD, $array);
+		foreach($arr as $k => $v)
+		{
+			$meta = [
+				"id" => $this->id,
+				"key" => $k,
+				"value" => $v
+			];
+
+			$array['meta'] = $meta;
+			$array['user'] = $this;
+			Hook::run(HOOKTYPE_USERMETA_ADD, $array);
+		}
 		
 	}
 
@@ -105,7 +156,9 @@ class PanelUser
 			"id" => $this->id,
 			"key" => $key,
 		];
-		Hook::run(HOOKTYPE_USERMETA_DEL, $meta);
+		$array['meta'] = $meta;
+		$array['user'] = $this;
+		Hook::run(HOOKTYPE_USERMETA_DEL, $array);
 
 	}
 
@@ -131,6 +184,53 @@ class PanelUser
 		$this->user_meta['permissions'] = serialize($meta);
 	}
 
+	/** Updates core user info.
+	 * CAUTION: Updating a non-existent column will crash
+	 * your shit
+	 */
+	function update_core_info($array)
+	{
+		$arr = ['info' => $array, 'user' => $this];
+		Hook::run(HOOKTYPE_EDIT_USER, $arr);
+	}
+
+	/** Have I Been Pwned
+	 * Check password against HIBP to let them know about their
+	 * leaked password.
+	 * @param string $password_hash This should be a pre-hashed sha1 password
+	 */
+	function HIBP($password_hash)
+	{
+		if (get_config("hibp") == false)
+			return;
+		$url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
+		$end = substr($password_hash,5);
+		$ch = curl_init($url);
+
+		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+
+		$response = curl_exec($ch);
+
+		if (curl_errno($ch))
+		{
+			error_log("[error] Could not check against Have I Been Pwned API");
+			return;
+		}
+		$data = explode("\r\n",$response);
+		curl_close($ch);
+		$count = count($data);
+		$i = 1;
+		foreach($data as $dat)
+		{
+			$result = explode(":",$dat);
+			if ($result[0] == strtoupper($end))
+			{
+				$this->add_meta("hibp", $result[1]);
+				return;
+			}
+			$i++;
+		}
+	}
 }
 
 
@@ -148,7 +248,6 @@ class PanelUser_Meta
 		$arr["id"] = $id;
 		$arr['meta'] = &$array;
 		Hook::run(HOOKTYPE_USERMETA_GET, $arr);
-		do_log($array);
 		$this->list = $arr['meta'];
 		
 	}
@@ -175,10 +274,11 @@ function create_new_user(array &$user) : bool
 		throw new Exception("Attempted to add user without specifying user_name or user_pass");
 
 	$user['user_name'] = htmlspecialchars($user['user_name']);
-	$user['user_pass'] = password_hash($user['user_pass'], PASSWORD_ARGON2ID);
+	$user['user_pass'] = PanelUser::password_hash($user['user_pass']);
 	$user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL;
 	$last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL;
 	$user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL;
+	$user['email'] = (isset($user['user_email'])) ? htmlspecialchars($user['user_email']) : NULL;
 
 	if (($u = new PanelUser($user['user_name']))->id)
 	{
@@ -202,12 +302,7 @@ function create_new_user(array &$user) : bool
  */
 function unreal_get_current_user() : PanelUser|bool
 {
-	if (!isset($_SESSION))
-	{
-		session_set_cookie_params(3600);
-		session_start();
-	}
-	if (isset($_SESSION['id']))
+	if (isset($_SESSION) && isset($_SESSION['id']))
 	{
 		$user = new PanelUser(NULL, $_SESSION['id']);
 		if ($user->id)
@@ -224,6 +319,8 @@ function unreal_get_current_user() : PanelUser|bool
 function current_user_can($permission) : bool
 {
 	$user = unreal_get_current_user();
+	if (!$user)
+		return false;
 	return user_can($user, $permission);
 }
 
@@ -234,9 +331,25 @@ function current_user_can($permission) : bool
  */
 function user_can(PanelUser $user, $permission) : bool
 {
+	global $config;
 	if (!$user)
 		return false;
 
+	if (isset($user->user_meta['role']))
+	{
+		if ($user->user_meta['role'] == "Super-Admin")
+			return true;
+
+		else if ($user->user_meta['role'] == "Read-Only")
+			return false;
+
+		else if (in_array($permission, $config['user_roles'][$user->user_meta['role']]))
+			return true;
+			
+		return false;
+	}
+
+	/* compatibility fallback */
 	if (isset($user->user_meta['permissions']))
 	{
 		$perms = unserialize($user->user_meta['permissions']);
@@ -273,10 +386,11 @@ function get_panel_user_permission_list()
 {
 	$list = [
 		"Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS,
+		"Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS,
 		"Can ban/kill IRC users" => PERMISSION_BAN_USERS,
-		"Can hange properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
+		"Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER,
 		"Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL,
-		"Change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
+		"Can change properties of a user on a channel i.e give/remove voice or ops and more" => PERMISSION_EDIT_CHANNEL_USER,
 		"Can add manual bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_ADD,
 		"Can remove set bans, including G-Lines, Z-Lines and more" => PERMISSION_SERVER_BAN_DEL,
 		"Can forbid usernames and channels" => PERMISSION_NAME_BAN_ADD,
@@ -285,6 +399,7 @@ function get_panel_user_permission_list()
 		"Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL,
 		"Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD,
 		"Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL
+
 	];
 	Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions
 	return $list;
@@ -313,4 +428,83 @@ function generate_panel_user_permission_table($user)
 
 		<?php
 	}
-}
\ No newline at end of file
+}
+
+function get_panel_user_roles_list()
+{
+	GLOBAL $config;
+
+	/* Defaults */
+	$list = [
+	        "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything
+	        "Read-Only" => [], // Read Only can do nothing
+	];
+
+	if (isset($config["user_roles"]))
+		foreach($config['user_roles'] as $r => $role)
+			$list[$r] = $role;
+
+	return $list;
+}
+
+function generate_role_list($list)
+{
+	$list2 = get_panel_user_permission_list();
+	?>
+		<h5>Roles List:</h5>
+		<div id="permlist">
+		<div class="container-xxl" style="max-width: 1430px;">
+		<div class="accordion" id="roles_accord">
+
+<?php foreach($list as $role => $slug) {?>
+	<div class="card">
+		<div class="card-header" id="<?php echo to_slug($role); ?>_heading">
+			<div class="btn-header-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#collapse_<?php echo to_slug($role); ?>" aria-expanded="true" aria-controls="collapse_<?php echo to_slug($role); ?>">
+				<?php echo $role ?>
+				
+			</div>
+		</div>
+
+		<div id="collapse_<?php echo to_slug($role); ?>" class="collapse" aria-labelledby="<?php echo to_slug($role); ?>_heading" data-parent="#roles_accord">
+			<div id="results_rpc" class="card-body">
+				<form method="post">
+				<?php if ($role !== "Super-Admin" && $role !== "Read-Only") { ?>
+					<div class="container row mb-2">
+						<button id="update_role" name="update_role" value="<?php echo $role ?>" class="btn btn-primary ml-1 mr-2" >Update</button>
+						<button id="delete_role" name="del_role_name" value="<?php echo $role ?>" class="btn btn-danger"><i class="fa fa-trash fa-1" aria-hidden="true"></i></button>
+					</div>
+					
+				<?php } ?>
+				<div id="<?php echo $role; ?>_input_area"><?php
+					foreach($list2 as $desc => $slug)
+					{
+					$attributes = "";
+					$attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : "";
+
+						?>
+						<div class="input-group">
+							<div class="input-group-prepend">
+								<div class="input-group-text">
+									<input <?php
+										$attributes .= (in_array($slug, $list[$role])) ? "checked" : "";
+										echo $attributes;
+									?> name="permissions[]" value="<?php echo $slug; ?>" type="checkbox">
+								</div>
+							</div>
+							<input type="text" readonly class="form-control" value="<?php echo "$desc ($slug)"; ?>">
+						</div>
+				
+						<?php
+					}
+				?>	</div>
+				</form>
+			</div>
+		</div>
+	</div>
+<?php }?>
+
+		</div></div><br>
+			
+</div><?php
+
+}