Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / 12a5735c15056e2807ac44a988868ac2244a19f1 / . / mailcow / src / mailcow-dockerized / data / web / inc / functions.admin.inc.php
blob: 9f42fd7219d6c18440b2dedb33171a329f3460f0 [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]1<?php
2function admin($_action, $_data = null) {
3 if ($_SESSION['mailcow_cc_role'] != "admin") {
4 $_SESSION['return'][] = array(
5 'type' => 'danger',
6 'log' => array(__FUNCTION__, $_action, $_data_log),
7 'msg' => 'access_denied'
8 );
9 return false;
10 }
11 global $pdo;
12 global $lang;
13 $_data_log = $_data;
14 !isset($_data_log['password']) ?: $_data_log['password'] = '*';
15 !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
16 switch ($_action) {
17 case 'add':
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100[diff] [blame^]18 $username = strtolower(trim($_data['username']));
19 $password = $_data['password'];
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]20 $password2 = $_data['password2'];
21 $active = intval($_data['active']);
22 if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username) || $username == 'API') {
23 $_SESSION['return'][] = array(
24 'type' => 'danger',
25 'log' => array(__FUNCTION__, $_action, $_data_log),
26 'msg' => array('username_invalid', $username)
27 );
28 return false;
29 }
30
31 $stmt = $pdo->prepare("SELECT `username` FROM `admin`
32 WHERE `username` = :username");
33 $stmt->execute(array(':username' => $username));
34 $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
35
36 $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
37 WHERE `username` = :username");
38 $stmt->execute(array(':username' => $username));
39 $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
40
41 foreach ($num_results as $num_results_each) {
42 if ($num_results_each != 0) {
43 $_SESSION['return'][] = array(
44 'type' => 'danger',
45 'log' => array(__FUNCTION__, $_action, $_data_log),
46 'msg' => array('object_exists', htmlspecialchars($username))
47 );
48 return false;
49 }
50 }
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]51 if (password_check($password, $password2) !== true) {
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]52 return false;
53 }
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100[diff] [blame^]54 $password_hashed = hash_password($password);
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]55 $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
56 VALUES (:username, :password_hashed, '1', :active)");
57 $stmt->execute(array(
58 ':username' => $username,
59 ':password_hashed' => $password_hashed,
60 ':active' => $active
61 ));
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]62 $_SESSION['return'][] = array(
63 'type' => 'success',
64 'log' => array(__FUNCTION__, $_action, $_data_log),
65 'msg' => array('admin_added', htmlspecialchars($username))
66 );
67 break;
68 case 'edit':
69 if (!is_array($_data['username'])) {
70 $usernames = array();
71 $usernames[] = $_data['username'];
72 }
73 else {
74 $usernames = $_data['username'];
75 }
76 foreach ($usernames as $username) {
77 $is_now = admin('details', $username);
78 if (!empty($is_now)) {
79 $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
80 $username_new = (!empty($_data['username_new'])) ? $_data['username_new'] : $is_now['username'];
81 }
82 else {
83 $_SESSION['return'][] = array(
84 'type' => 'danger',
85 'log' => array(__FUNCTION__, $_action, $_data_log),
86 'msg' => 'access_denied'
87 );
88 continue;
89 }
90 $password = $_data['password'];
91 $password2 = $_data['password2'];
92 if ($active == 0) {
93 $left_active = 0;
94 foreach (admin('get') as $admin) {
95 $left_active = $left_active + admin('details', $admin)['active'];
96 }
97 if ($left_active == 1) {
98 $_SESSION['return'][] = array(
99 'type' => 'warning',
100 'log' => array(__FUNCTION__, $_action, $_data_log),
101 'msg' => 'no_active_admin'
102 );
103 continue;
104 }
105 }
106 if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
107 $_SESSION['return'][] = array(
108 'type' => 'danger',
109 'log' => array(__FUNCTION__, $_action, $_data_log),
110 'msg' => array('username_invalid', $username_new)
111 );
112 continue;
113 }
114 if ($username_new != $username) {
115 if (!empty(admin('details', $username_new)['username'])) {
116 $_SESSION['return'][] = array(
117 'type' => 'danger',
118 'log' => array(__FUNCTION__, $_action, $_data_log),
119 'msg' => array('username_invalid', $username_new)
120 );
121 continue;
122 }
123 }
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]124 if (!empty($password)) {
125 if (password_check($password, $password2) !== true) {
126 return false;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]127 }
128 $password_hashed = hash_password($password);
129 $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
130 $stmt->execute(array(
131 ':password_hashed' => $password_hashed,
132 ':username_new' => $username_new,
133 ':username' => $username,
134 ':active' => $active
135 ));
136 if (isset($_data['disable_tfa'])) {
137 $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
138 $stmt->execute(array(':username' => $username));
139 }
140 else {
141 $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
142 $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
143 }
144 }
145 else {
146 $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
147 $stmt->execute(array(
148 ':username_new' => $username_new,
149 ':username' => $username,
150 ':active' => $active
151 ));
152 if (isset($_data['disable_tfa'])) {
153 $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
154 $stmt->execute(array(':username' => $username));
155 }
156 else {
157 $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
158 $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
159 }
160 }
161 $_SESSION['return'][] = array(
162 'type' => 'success',
163 'log' => array(__FUNCTION__, $_action, $_data_log),
164 'msg' => array('admin_modified', htmlspecialchars($username))
165 );
166 }
167 return true;
168 break;
169 case 'delete':
170 $usernames = (array)$_data['username'];
171 foreach ($usernames as $username) {
172 if ($_SESSION['mailcow_cc_username'] == $username) {
173 $_SESSION['return'][] = array(
174 'type' => 'warning',
175 'log' => array(__FUNCTION__, $_action, $_data_log),
176 'msg' => 'cannot_delete_self'
177 );
178 continue;
179 }
180 if (empty(admin('details', $username))) {
181 $_SESSION['return'][] = array(
182 'type' => 'danger',
183 'log' => array(__FUNCTION__, $_action, $_data_log),
184 'msg' => array('username_invalid', $username)
185 );
186 continue;
187 }
188 $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
189 $stmt->execute(array(
190 ':username' => $username,
191 ));
192 $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
193 $stmt->execute(array(
194 ':username' => $username,
195 ));
196 $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
197 $stmt->execute(array(
198 ':username' => $username,
199 ));
200 $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
201 $stmt->execute(array(
202 ':username' => $username,
203 ));
204 $_SESSION['return'][] = array(
205 'type' => 'success',
206 'log' => array(__FUNCTION__, $_action, $_data_log),
207 'msg' => array('admin_removed', htmlspecialchars($username))
208 );
209 }
210 break;
211 case 'get':
212 $admins = array();
213 $stmt = $pdo->query("SELECT `username` FROM `admin` WHERE `superadmin` = '1'");
214 $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
215 while ($row = array_shift($rows)) {
216 $admins[] = $row['username'];
217 }
218 return $admins;
219 break;
220 case 'details':
221 $admindata = array();
222 $stmt = $pdo->prepare("SELECT
223 `tfa`.`active` AS `tfa_active`,
224 `admin`.`username`,
225 `admin`.`created`,
226 `admin`.`active` AS `active`
227 FROM `admin`
228 LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`admin`.`username`
229 WHERE `admin`.`username`= :admin AND `superadmin` = '1'");
230 $stmt->execute(array(
231 ':admin' => $_data
232 ));
233 $row = $stmt->fetch(PDO::FETCH_ASSOC);
234 if (empty($row)) {
235 return false;
236 }
237 $admindata['username'] = $row['username'];
238 $admindata['tfa_active'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
239 $admindata['tfa_active_int'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
240 $admindata['active'] = $row['active'];
241 $admindata['active_int'] = $row['active'];
242 $admindata['created'] = $row['created'];
243 return $admindata;
244 break;
245 }
246}