Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | <?php
|
| 2 | function admin($_action, $_data = null) {
|
| 3 | if ($_SESSION['mailcow_cc_role'] != "admin") {
|
| 4 | $_SESSION['return'][] = array(
|
| 5 | 'type' => 'danger',
|
| 6 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 7 | 'msg' => 'access_denied'
|
| 8 | );
|
| 9 | return false;
|
| 10 | }
|
| 11 | global $pdo;
|
| 12 | global $lang;
|
| 13 | $_data_log = $_data;
|
| 14 | !isset($_data_log['password']) ?: $_data_log['password'] = '*';
|
| 15 | !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
|
| 16 | switch ($_action) {
|
| 17 | case 'add':
|
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame^] | 18 | $username = strtolower(trim($_data['username']));
|
| 19 | $password = $_data['password'];
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 20 | $password2 = $_data['password2'];
|
| 21 | $active = intval($_data['active']);
|
| 22 | if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username) || $username == 'API') {
|
| 23 | $_SESSION['return'][] = array(
|
| 24 | 'type' => 'danger',
|
| 25 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 26 | 'msg' => array('username_invalid', $username)
|
| 27 | );
|
| 28 | return false;
|
| 29 | }
|
| 30 |
|
| 31 | $stmt = $pdo->prepare("SELECT `username` FROM `admin`
|
| 32 | WHERE `username` = :username");
|
| 33 | $stmt->execute(array(':username' => $username));
|
| 34 | $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
|
| 35 |
|
| 36 | $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
|
| 37 | WHERE `username` = :username");
|
| 38 | $stmt->execute(array(':username' => $username));
|
| 39 | $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
|
| 40 |
|
| 41 | foreach ($num_results as $num_results_each) {
|
| 42 | if ($num_results_each != 0) {
|
| 43 | $_SESSION['return'][] = array(
|
| 44 | 'type' => 'danger',
|
| 45 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 46 | 'msg' => array('object_exists', htmlspecialchars($username))
|
| 47 | );
|
| 48 | return false;
|
| 49 | }
|
| 50 | }
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 51 | if (password_check($password, $password2) !== true) {
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 52 | return false;
|
| 53 | }
|
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame^] | 54 | $password_hashed = hash_password($password);
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 55 | $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
|
| 56 | VALUES (:username, :password_hashed, '1', :active)");
|
| 57 | $stmt->execute(array(
|
| 58 | ':username' => $username,
|
| 59 | ':password_hashed' => $password_hashed,
|
| 60 | ':active' => $active
|
| 61 | ));
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 62 | $_SESSION['return'][] = array(
|
| 63 | 'type' => 'success',
|
| 64 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 65 | 'msg' => array('admin_added', htmlspecialchars($username))
|
| 66 | );
|
| 67 | break;
|
| 68 | case 'edit':
|
| 69 | if (!is_array($_data['username'])) {
|
| 70 | $usernames = array();
|
| 71 | $usernames[] = $_data['username'];
|
| 72 | }
|
| 73 | else {
|
| 74 | $usernames = $_data['username'];
|
| 75 | }
|
| 76 | foreach ($usernames as $username) {
|
| 77 | $is_now = admin('details', $username);
|
| 78 | if (!empty($is_now)) {
|
| 79 | $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
|
| 80 | $username_new = (!empty($_data['username_new'])) ? $_data['username_new'] : $is_now['username'];
|
| 81 | }
|
| 82 | else {
|
| 83 | $_SESSION['return'][] = array(
|
| 84 | 'type' => 'danger',
|
| 85 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 86 | 'msg' => 'access_denied'
|
| 87 | );
|
| 88 | continue;
|
| 89 | }
|
| 90 | $password = $_data['password'];
|
| 91 | $password2 = $_data['password2'];
|
| 92 | if ($active == 0) {
|
| 93 | $left_active = 0;
|
| 94 | foreach (admin('get') as $admin) {
|
| 95 | $left_active = $left_active + admin('details', $admin)['active'];
|
| 96 | }
|
| 97 | if ($left_active == 1) {
|
| 98 | $_SESSION['return'][] = array(
|
| 99 | 'type' => 'warning',
|
| 100 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 101 | 'msg' => 'no_active_admin'
|
| 102 | );
|
| 103 | continue;
|
| 104 | }
|
| 105 | }
|
| 106 | if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
|
| 107 | $_SESSION['return'][] = array(
|
| 108 | 'type' => 'danger',
|
| 109 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 110 | 'msg' => array('username_invalid', $username_new)
|
| 111 | );
|
| 112 | continue;
|
| 113 | }
|
| 114 | if ($username_new != $username) {
|
| 115 | if (!empty(admin('details', $username_new)['username'])) {
|
| 116 | $_SESSION['return'][] = array(
|
| 117 | 'type' => 'danger',
|
| 118 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 119 | 'msg' => array('username_invalid', $username_new)
|
| 120 | );
|
| 121 | continue;
|
| 122 | }
|
| 123 | }
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 124 | if (!empty($password)) {
|
| 125 | if (password_check($password, $password2) !== true) {
|
| 126 | return false;
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 127 | }
|
| 128 | $password_hashed = hash_password($password);
|
| 129 | $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
|
| 130 | $stmt->execute(array(
|
| 131 | ':password_hashed' => $password_hashed,
|
| 132 | ':username_new' => $username_new,
|
| 133 | ':username' => $username,
|
| 134 | ':active' => $active
|
| 135 | ));
|
| 136 | if (isset($_data['disable_tfa'])) {
|
| 137 | $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
|
| 138 | $stmt->execute(array(':username' => $username));
|
| 139 | }
|
| 140 | else {
|
| 141 | $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
|
| 142 | $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
|
| 143 | }
|
| 144 | }
|
| 145 | else {
|
| 146 | $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
|
| 147 | $stmt->execute(array(
|
| 148 | ':username_new' => $username_new,
|
| 149 | ':username' => $username,
|
| 150 | ':active' => $active
|
| 151 | ));
|
| 152 | if (isset($_data['disable_tfa'])) {
|
| 153 | $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
|
| 154 | $stmt->execute(array(':username' => $username));
|
| 155 | }
|
| 156 | else {
|
| 157 | $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
|
| 158 | $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
|
| 159 | }
|
| 160 | }
|
| 161 | $_SESSION['return'][] = array(
|
| 162 | 'type' => 'success',
|
| 163 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 164 | 'msg' => array('admin_modified', htmlspecialchars($username))
|
| 165 | );
|
| 166 | }
|
| 167 | return true;
|
| 168 | break;
|
| 169 | case 'delete':
|
| 170 | $usernames = (array)$_data['username'];
|
| 171 | foreach ($usernames as $username) {
|
| 172 | if ($_SESSION['mailcow_cc_username'] == $username) {
|
| 173 | $_SESSION['return'][] = array(
|
| 174 | 'type' => 'warning',
|
| 175 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 176 | 'msg' => 'cannot_delete_self'
|
| 177 | );
|
| 178 | continue;
|
| 179 | }
|
| 180 | if (empty(admin('details', $username))) {
|
| 181 | $_SESSION['return'][] = array(
|
| 182 | 'type' => 'danger',
|
| 183 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 184 | 'msg' => array('username_invalid', $username)
|
| 185 | );
|
| 186 | continue;
|
| 187 | }
|
| 188 | $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
|
| 189 | $stmt->execute(array(
|
| 190 | ':username' => $username,
|
| 191 | ));
|
| 192 | $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
|
| 193 | $stmt->execute(array(
|
| 194 | ':username' => $username,
|
| 195 | ));
|
| 196 | $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
|
| 197 | $stmt->execute(array(
|
| 198 | ':username' => $username,
|
| 199 | ));
|
| 200 | $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
|
| 201 | $stmt->execute(array(
|
| 202 | ':username' => $username,
|
| 203 | ));
|
| 204 | $_SESSION['return'][] = array(
|
| 205 | 'type' => 'success',
|
| 206 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 207 | 'msg' => array('admin_removed', htmlspecialchars($username))
|
| 208 | );
|
| 209 | }
|
| 210 | break;
|
| 211 | case 'get':
|
| 212 | $admins = array();
|
| 213 | $stmt = $pdo->query("SELECT `username` FROM `admin` WHERE `superadmin` = '1'");
|
| 214 | $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
| 215 | while ($row = array_shift($rows)) {
|
| 216 | $admins[] = $row['username'];
|
| 217 | }
|
| 218 | return $admins;
|
| 219 | break;
|
| 220 | case 'details':
|
| 221 | $admindata = array();
|
| 222 | $stmt = $pdo->prepare("SELECT
|
| 223 | `tfa`.`active` AS `tfa_active`,
|
| 224 | `admin`.`username`,
|
| 225 | `admin`.`created`,
|
| 226 | `admin`.`active` AS `active`
|
| 227 | FROM `admin`
|
| 228 | LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`admin`.`username`
|
| 229 | WHERE `admin`.`username`= :admin AND `superadmin` = '1'");
|
| 230 | $stmt->execute(array(
|
| 231 | ':admin' => $_data
|
| 232 | ));
|
| 233 | $row = $stmt->fetch(PDO::FETCH_ASSOC);
|
| 234 | if (empty($row)) {
|
| 235 | return false;
|
| 236 | }
|
| 237 | $admindata['username'] = $row['username'];
|
| 238 | $admindata['tfa_active'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
|
| 239 | $admindata['tfa_active_int'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
|
| 240 | $admindata['active'] = $row['active'];
|
| 241 | $admindata['active_int'] = $row['active'];
|
| 242 | $admindata['created'] = $row['created'];
|
| 243 | return $admindata;
|
| 244 | break;
|
| 245 | }
|
| 246 | }
|