Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / b382b1029eb22053bfe89c2042f46369d29cf821 / . / mailcow / src / mailcow-dockerized / data / web / inc / functions.admin.inc.php
blob: bb0400e532561c88c339ab00d9bcee95dff4111d [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame^]1<?php
2function admin($_action, $_data = null) {
3 if ($_SESSION['mailcow_cc_role'] != "admin") {
4 $_SESSION['return'][] = array(
5 'type' => 'danger',
6 'log' => array(__FUNCTION__, $_action, $_data_log),
7 'msg' => 'access_denied'
8 );
9 return false;
10 }
11 global $pdo;
12 global $lang;
13 $_data_log = $_data;
14 !isset($_data_log['password']) ?: $_data_log['password'] = '*';
15 !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
16 switch ($_action) {
17 case 'add':
18 $username = strtolower(trim($_data['username']));
19 $password = $_data['password'];
20 $password2 = $_data['password2'];
21 $active = intval($_data['active']);
22 if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username) || $username == 'API') {
23 $_SESSION['return'][] = array(
24 'type' => 'danger',
25 'log' => array(__FUNCTION__, $_action, $_data_log),
26 'msg' => array('username_invalid', $username)
27 );
28 return false;
29 }
30
31 $stmt = $pdo->prepare("SELECT `username` FROM `admin`
32 WHERE `username` = :username");
33 $stmt->execute(array(':username' => $username));
34 $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
35
36 $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
37 WHERE `username` = :username");
38 $stmt->execute(array(':username' => $username));
39 $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
40
41 foreach ($num_results as $num_results_each) {
42 if ($num_results_each != 0) {
43 $_SESSION['return'][] = array(
44 'type' => 'danger',
45 'log' => array(__FUNCTION__, $_action, $_data_log),
46 'msg' => array('object_exists', htmlspecialchars($username))
47 );
48 return false;
49 }
50 }
51 if (!empty($password) && !empty($password2)) {
52 if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
53 $_SESSION['return'][] = array(
54 'type' => 'danger',
55 'log' => array(__FUNCTION__, $_action, $_data_log),
56 'msg' => 'password_complexity'
57 );
58 return false;
59 }
60 if ($password != $password2) {
61 $_SESSION['return'][] = array(
62 'type' => 'danger',
63 'log' => array(__FUNCTION__, $_action, $_data_log),
64 'msg' => 'password_mismatch'
65 );
66 return false;
67 }
68 $password_hashed = hash_password($password);
69 $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
70 VALUES (:username, :password_hashed, '1', :active)");
71 $stmt->execute(array(
72 ':username' => $username,
73 ':password_hashed' => $password_hashed,
74 ':active' => $active
75 ));
76 }
77 else {
78 $_SESSION['return'][] = array(
79 'type' => 'danger',
80 'log' => array(__FUNCTION__, $_action, $_data_log),
81 'msg' => 'password_empty'
82 );
83 return false;
84 }
85 $_SESSION['return'][] = array(
86 'type' => 'success',
87 'log' => array(__FUNCTION__, $_action, $_data_log),
88 'msg' => array('admin_added', htmlspecialchars($username))
89 );
90 break;
91 case 'edit':
92 if (!is_array($_data['username'])) {
93 $usernames = array();
94 $usernames[] = $_data['username'];
95 }
96 else {
97 $usernames = $_data['username'];
98 }
99 foreach ($usernames as $username) {
100 $is_now = admin('details', $username);
101 if (!empty($is_now)) {
102 $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
103 $username_new = (!empty($_data['username_new'])) ? $_data['username_new'] : $is_now['username'];
104 }
105 else {
106 $_SESSION['return'][] = array(
107 'type' => 'danger',
108 'log' => array(__FUNCTION__, $_action, $_data_log),
109 'msg' => 'access_denied'
110 );
111 continue;
112 }
113 $password = $_data['password'];
114 $password2 = $_data['password2'];
115 if ($active == 0) {
116 $left_active = 0;
117 foreach (admin('get') as $admin) {
118 $left_active = $left_active + admin('details', $admin)['active'];
119 }
120 if ($left_active == 1) {
121 $_SESSION['return'][] = array(
122 'type' => 'warning',
123 'log' => array(__FUNCTION__, $_action, $_data_log),
124 'msg' => 'no_active_admin'
125 );
126 continue;
127 }
128 }
129 if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
130 $_SESSION['return'][] = array(
131 'type' => 'danger',
132 'log' => array(__FUNCTION__, $_action, $_data_log),
133 'msg' => array('username_invalid', $username_new)
134 );
135 continue;
136 }
137 if ($username_new != $username) {
138 if (!empty(admin('details', $username_new)['username'])) {
139 $_SESSION['return'][] = array(
140 'type' => 'danger',
141 'log' => array(__FUNCTION__, $_action, $_data_log),
142 'msg' => array('username_invalid', $username_new)
143 );
144 continue;
145 }
146 }
147 if (!empty($password) && !empty($password2)) {
148 if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
149 $_SESSION['return'][] = array(
150 'type' => 'danger',
151 'log' => array(__FUNCTION__, $_action, $_data_log),
152 'msg' => 'password_complexity'
153 );
154 continue;
155 }
156 if ($password != $password2) {
157 $_SESSION['return'][] = array(
158 'type' => 'danger',
159 'log' => array(__FUNCTION__, $_action, $_data_log),
160 'msg' => 'password_mismatch'
161 );
162 continue;
163 }
164 $password_hashed = hash_password($password);
165 $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
166 $stmt->execute(array(
167 ':password_hashed' => $password_hashed,
168 ':username_new' => $username_new,
169 ':username' => $username,
170 ':active' => $active
171 ));
172 if (isset($_data['disable_tfa'])) {
173 $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
174 $stmt->execute(array(':username' => $username));
175 }
176 else {
177 $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
178 $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
179 }
180 }
181 else {
182 $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
183 $stmt->execute(array(
184 ':username_new' => $username_new,
185 ':username' => $username,
186 ':active' => $active
187 ));
188 if (isset($_data['disable_tfa'])) {
189 $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
190 $stmt->execute(array(':username' => $username));
191 }
192 else {
193 $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
194 $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
195 }
196 }
197 $_SESSION['return'][] = array(
198 'type' => 'success',
199 'log' => array(__FUNCTION__, $_action, $_data_log),
200 'msg' => array('admin_modified', htmlspecialchars($username))
201 );
202 }
203 return true;
204 break;
205 case 'delete':
206 $usernames = (array)$_data['username'];
207 foreach ($usernames as $username) {
208 if ($_SESSION['mailcow_cc_username'] == $username) {
209 $_SESSION['return'][] = array(
210 'type' => 'warning',
211 'log' => array(__FUNCTION__, $_action, $_data_log),
212 'msg' => 'cannot_delete_self'
213 );
214 continue;
215 }
216 if (empty(admin('details', $username))) {
217 $_SESSION['return'][] = array(
218 'type' => 'danger',
219 'log' => array(__FUNCTION__, $_action, $_data_log),
220 'msg' => array('username_invalid', $username)
221 );
222 continue;
223 }
224 $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
225 $stmt->execute(array(
226 ':username' => $username,
227 ));
228 $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
229 $stmt->execute(array(
230 ':username' => $username,
231 ));
232 $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
233 $stmt->execute(array(
234 ':username' => $username,
235 ));
236 $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
237 $stmt->execute(array(
238 ':username' => $username,
239 ));
240 $_SESSION['return'][] = array(
241 'type' => 'success',
242 'log' => array(__FUNCTION__, $_action, $_data_log),
243 'msg' => array('admin_removed', htmlspecialchars($username))
244 );
245 }
246 break;
247 case 'get':
248 $admins = array();
249 $stmt = $pdo->query("SELECT `username` FROM `admin` WHERE `superadmin` = '1'");
250 $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
251 while ($row = array_shift($rows)) {
252 $admins[] = $row['username'];
253 }
254 return $admins;
255 break;
256 case 'details':
257 $admindata = array();
258 $stmt = $pdo->prepare("SELECT
259 `tfa`.`active` AS `tfa_active`,
260 `admin`.`username`,
261 `admin`.`created`,
262 `admin`.`active` AS `active`
263 FROM `admin`
264 LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`admin`.`username`
265 WHERE `admin`.`username`= :admin AND `superadmin` = '1'");
266 $stmt->execute(array(
267 ':admin' => $_data
268 ));
269 $row = $stmt->fetch(PDO::FETCH_ASSOC);
270 if (empty($row)) {
271 return false;
272 }
273 $admindata['username'] = $row['username'];
274 $admindata['tfa_active'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
275 $admindata['tfa_active_int'] = (is_null($row['tfa_active'])) ? 0 : $row['tfa_active'];
276 $admindata['active'] = $row['active'];
277 $admindata['active_int'] = $row['active'];
278 $admindata['created'] = $row['created'];
279 return $admindata;
280 break;
281 }
282}