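function edit_block()
{
    // Inline edit of one block field. $_GET['edit'] picks the field ('name'
    // or 'note'), $_POST['value'] carries the new text and the block being
    // edited is the caller's global $block_id. Echoes the stored value on
    // success; on any failure sends HTTP 400 with a language-table message
    // and exits.
    global $COLLATE;
    global $block_id;
    include 'include/validation_functions.php';
    $dbo = getdbo();
    $edit = empty($_GET['edit']) ? '' : clean($_GET['edit']);
    $value = empty($_POST['value']) ? '' : clean($_POST['value']);
    $username = isset($COLLATE['user']['username']) ? $COLLATE['user']['username'] : '******';

    // Only these two columns are editable; anything else is rejected up front.
    if ($edit !== 'name' && $edit !== 'note') {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    $is_name = ($edit === 'name');

    // Both fields go through validate_text(); only the profile differs.
    $return = validate_text($value, $is_name ? 'blockname' : 'note');
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $value = $return['1'];

    // All statements bind their values instead of interpolating them.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    if ($is_name) {
        // A block may keep its own name; any other block owning it is a conflict.
        $stmt = $dbo->prepare("SELECT id FROM blocks WHERE name=?");
        $stmt->execute(array($value));
        $existing_block_id = $stmt->fetchColumn();
        // Compared as strings: fetchColumn() may return int or string depending
        // on driver settings, and the caller's $block_id may be either too; a
        // strict mismatch here would wrongly reject an unchanged name.
        if ($existing_block_id !== false && (string) $existing_block_id !== (string) $block_id) {
            header("HTTP/1.1 400 Bad Request");
            echo $COLLATE['languages']['selected']['duplicatename'];
            exit;
        }
    }

    // Current name, needed only for the audit log line.
    $stmt = $dbo->prepare("SELECT name FROM blocks WHERE id=?");
    $stmt->execute(array($block_id));
    $name = $stmt->fetchColumn();

    if ($is_name) {
        collate_log('4', "Block {$name} has been updated to {$value}");
        $stmt = $dbo->prepare("UPDATE blocks SET name=?, modified_by=?, modified_at=NOW() WHERE id=?");
    } else {
        collate_log('4', "Block {$name} note edited");
        $stmt = $dbo->prepare("UPDATE blocks SET note=?, modified_by=?, modified_at=NOW() WHERE id=?");
    }
    $stmt->execute(array($value, $username, $block_id));
    echo $value;
}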
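function edit_subnet()
{
    // Inline edit of a subnet's name or note. $_GET['subnet_id'] selects the
    // subnet, $_GET['edit'] the field ('name' or 'note') and $_POST['value']
    // carries the new text. Echoes the stored value on success; on failure
    // sends HTTP 400 with a language-table message and exits.
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';
    $subnet_id = empty($_GET['subnet_id']) ? '' : $_GET['subnet_id'];
    $edit = empty($_GET['edit']) ? '' : $_GET['edit'];
    $value = empty($_POST['value']) ? '' : $_POST['value'];
    $username = isset($COLLATE['user']['username']) ? $COLLATE['user']['username'] : '******';

    // Exact field match: the former unanchored /name|note/ also accepted
    // values such as 'names' or 'xnote' and then reached the wrong error branch.
    $is_name = ($edit === 'name');
    if (empty($subnet_id) || !is_numeric($subnet_id) || (!$is_name && $edit !== 'note')) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }

    $return = validate_text($value, $is_name ? 'subnetname' : 'note');
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $value = $return['1'];

    // All statements bind their values instead of interpolating them.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    $stmt = $dbo->prepare("SELECT name, start_ip, mask FROM subnets WHERE id=?");
    $stmt->execute(array($subnet_id));
    $subnet_row = $stmt->fetch(PDO::FETCH_NUM);
    if ($subnet_row === false) {
        // Unknown subnet id: previously this logged a blank subnet and ran a
        // no-op UPDATE before echoing the value back as if it were saved.
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    list($name, $subnet, $mask) = $subnet_row;
    $cidr = subnet2cidr($subnet, $mask);

    if ($is_name) {
        collate_log('3', "Subnet {$name} ({$cidr}) name changed to {$value}");
        $stmt = $dbo->prepare("UPDATE subnets SET name=?, modified_by=?, modified_at=NOW() WHERE id=?");
    } else {
        collate_log('3', "Subnet {$name} ({$cidr}) note edited");
        $stmt = $dbo->prepare("UPDATE subnets SET note=?, modified_by=?, modified_at=NOW() WHERE id=?");
    }
    $stmt->execute(array($value, $username, $subnet_id));
    echo $value;
}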
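function submit_subnet()
{
    // Handles the "add subnet" form POST. Validates the name, note and
    // network, inserts the subnet and, optionally, an ACL range and a gateway
    // static inside one transaction, then redirects to subnets.php. Every
    // failure redirects back to the add form with the submitted values and a
    // notice key; failures after the INSERT roll the transaction back first.
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';
    $block_id = isset($_POST['block_id']) && is_numeric($_POST['block_id']) ? $_POST['block_id'] : '';
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $ip = isset($_POST['ip']) ? $_POST['ip'] : '';
    $gateway = isset($_POST['gateway']) ? $_POST['gateway'] : '';
    $acl_name = isset($_POST['acl_name']) ? $_POST['acl_name'] : '';
    $acl_start = isset($_POST['acl_start']) ? $_POST['acl_start'] : '';
    $acl_end = isset($_POST['acl_end']) ? $_POST['acl_end'] : '';
    $note = isset($_POST['note']) ? $_POST['note'] : '';
    $guidance = isset($_POST['guidance']) ? $_POST['guidance'] : '';
    if (empty($block_id)) {
        header("Location: blocks.php?notice=invalidrequest");
        exit;
    }

    // Everything the add form needs to repopulate itself after a failure.
    // http_build_query() URL-encodes every field, so the redirect stays well
    // formed whatever the user typed (previously only guidance was encoded).
    $form = array(
        'op' => 'add',
        'block_id' => $block_id,
        'name' => $name,
        'ip' => $ip,
        'gateway' => $gateway,
        'acl_start' => $acl_start,
        'acl_end' => $acl_end,
        'note' => $note,
        'guidance' => $guidance,
    );
    if (empty($name) || empty($ip)) {
        $form['notice'] = 'blankfield-notice';
        header('Location: subnets.php?' . http_build_query($form));
        exit;
    }
    $result = validate_text($name, 'subnetname');
    if ($result['0'] === false) {
        $form['notice'] = $result['error'];
        header('Location: subnets.php?' . http_build_query($form));
        exit;
    }
    $name = $result['1'];
    $form['name'] = $name;
    // The note used to be stored unvalidated; it now uses the same profile as
    // the edit handlers and the CSV importer.
    $result = validate_text($note, 'note');
    if ($result['0'] === false) {
        $form['notice'] = $result['error'];
        header('Location: subnets.php?' . http_build_query($form));
        exit;
    }
    $note = $result['1'];
    $form['note'] = $note;
    $result = validate_network($ip);
    if ($result['0'] === false) {
        $form['notice'] = $result['error'];
        header('Location: subnets.php?' . http_build_query($form));
        exit;
    }
    $long_start_ip = $result['long_start_ip'];
    $long_end_ip = $result['long_end_ip'];
    $long_mask = $result['long_mask'];

    // $COLLATE was not declared global before, so the username was always
    // 'system' here while every other handler recorded the real user.
    $username = !isset($COLLATE['user']['username']) ? 'system' : $COLLATE['user']['username'];

    // All statements bind their values instead of interpolating them.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    $dbo->beginTransaction();
    $stmt = $dbo->prepare("INSERT INTO subnets (name, start_ip, end_ip, mask, note, block_id, modified_by, modified_at, guidance)
        VALUES(?, ?, ?, ?, ?, ?, ?, now(), ?)");
    $stmt->execute(array($name, $long_start_ip, $long_end_ip, $long_mask, $note, $block_id, $username, $guidance));
    $subnet_id = $dbo->lastInsertId();

    if (!empty($acl_start) && !empty($acl_end)) {
        // The ACL name used to be inserted raw; validate it like submit_acl() does.
        $result = validate_text($acl_name, 'aclname');
        if ($result['0'] === false) {
            $dbo->rollBack();
            $form['notice'] = $result['error'];
            header('Location: subnets.php?' . http_build_query($form));
            exit;
        }
        $acl_name = $result['1'];
        // validate_ip_range() runs after the subnet row exists, as before.
        $result = validate_ip_range($acl_start, $acl_end, 'acl');
        if ($result['0'] === false) {
            $dbo->rollBack();
            $form['notice'] = $result['error'];
            header('Location: subnets.php?' . http_build_query($form));
            exit;
        }
        // Add an ACL for the range so users don't assign a static IP inside it.
        $stmt = $dbo->prepare("INSERT INTO acl (name, start_ip, end_ip, subnet_id) VALUES(?, ?, ?, ?)");
        $stmt->execute(array($acl_name, $result['long_start_ip'], $result['long_end_ip'], $subnet_id));
    }

    // Add static IP for the Default Gateway
    if (!empty($gateway)) {
        $long_gateway = ip2decimal($gateway);
        // The gateway must sit inside the new network. The operands are cast
        // to int because PHP applies '&' byte-wise when both sides are strings
        // (assumes 64-bit PHP, where an IPv4 address fits in an int).
        if ($long_gateway === false || ((int) $long_gateway & (int) $long_mask) !== (int) $long_start_ip) {
            $dbo->rollBack();
            $form['notice'] = 'invalidip';
            header('Location: subnets.php?' . http_build_query($form));
            exit;
        }
        $validate_gateway = validate_static_ip($gateway);
        if ($validate_gateway['0'] === false) {
            $dbo->rollBack();
            $form['notice'] = $validate_gateway['error'];
            header('Location: subnets.php?' . http_build_query($form));
            exit;
        }
        $stmt = $dbo->prepare("INSERT INTO statics (ip, name, contact, note, subnet_id, modified_by, modified_at)
           VALUES(?, 'Gateway', 'Network Admin', 'Default Gateway', ?, ?, now())");
        $stmt->execute(array($long_gateway, $subnet_id, $username));
    }
    $dbo->commit();

    $cidr = subnet2cidr($long_start_ip, $long_mask);
    // Logged only once the rows are committed, so nothing is logged for a
    // failed submission. The access check itself ran before submit_subnet()
    // was called.
    AccessControl("3", "Subnet {$name} ({$cidr}) has been created");
    header("Location: subnets.php?block_id={$block_id}&notice=subnetadded-notice");
    exit;
}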
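function edit_acl()
{
    // Inline edit of an ACL statement's name. $_GET['acl_id'] selects the
    // row, $_POST['value'] carries the new name. Echoes the stored value on
    // success; on failure sends HTTP 400 with a language-table message.
    // Always exits.
    global $COLLATE;
    $dbo = getdbo();
    include 'include/validation_functions.php';
    $acl_id = isset($_GET['acl_id']) && is_numeric($_GET['acl_id']) ? $_GET['acl_id'] : '';
    $value = isset($_POST['value']) ? $_POST['value'] : '';
    if (empty($acl_id)) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    $result = validate_text($value, 'aclname');
    if ($result['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$result['error']];
        exit;
    }
    $value = $result['1'];

    // All statements bind their values instead of interpolating them.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    // The ACL must belong to an existing subnet; its name is only needed for
    // the log line. No row means an unknown ACL id.
    $stmt = $dbo->prepare("SELECT name FROM subnets WHERE id=(SELECT subnet_id FROM acl WHERE id=?)");
    $stmt->execute(array($acl_id));
    $subnet_name = $stmt->fetchColumn();
    if ($subnet_name === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    collate_log('3', "ACL statement name updated in {$subnet_name} subnet");
    $stmt = $dbo->prepare("UPDATE acl SET name=? where id=?");
    $stmt->execute(array($value, $acl_id));
    echo $value;
    exit;
}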
// was really submitted.
if (isset($_POST['addcoupon'])) {
    $selectproduct = $_COOKIE['selectproduct'];
    //get values from the form
    $name = $_POST['name'];
    $amount = $_POST['amount'];
    $sdate = $_POST['sdate'];
    $edate = $_POST['edate'];
    //validation
    if (!validate_discount($amount)) {
        error_message("Can't create zero value coupon!");
        $valid_discount = 0;
    } else {
        $valid_discount = 1;
    }
    if (!validate_text($name)) {
        error_message("Name can't be blank!");
        $valid_name = 0;
    } else {
        $valid_name = 1;
    }
    if (!validate_cost($amount)) {
        error_message("Amount can't be blank!");
        $valid_amount = 0;
    } else {
        $valid_amount = 1;
    }
    if (!validate_date($sdate)) {
        error_message("Start date can't be blank!");
        $valid_sdate = 0;
    } else {
 //if validation is successful
 if (!validate_name(htmlspecialchars($_POST['firstname']))) {
     error_message("Check entry for first name<br/>");
     $valid_fname = 0;
 } else {
     $firstname = htmlspecialchars($_POST['firstname']);
     $valid_fname = 1;
 }
 if (!validate_name(htmlspecialchars($_POST['lastname']))) {
     error_message("Check entry for last name<br/>");
     $valid_lname = 0;
 } else {
     $lastname = htmlspecialchars($_POST['lastname']);
     $valid_lname = 1;
 }
 if (!validate_text(0, htmlspecialchars($_POST['logonName']))) {
     error_message("Check entry for Logon Username<br/>");
     $valid_logonName = 0;
 } else {
     $logonName = htmlspecialchars($_POST['logonName']);
     $valid_logonName = 1;
 }
 if (!empty($_POST['password'])) {
     if ($_POST['password'] != $_POST['confirmpassword']) {
         error_message("Passwords do not match!");
         $valid_password = 0;
     }
     if (!validate_password(htmlspecialchars($_POST['password']))) {
         error_message("Check entry for password");
         $valid_password = 0;
     } else {
function validate_caption($val)
{
    // A caption obeys the generic text rules; hand the value straight to
    // validate_text() and pass its verdict back unchanged.
    $verdict = validate_text($val);
    return $verdict;
}
 function chk_address($val)
 {
     // Address field check: the value may be at most 80 bytes (strlen() is
     // byte-wise; whether the limit is meant in characters is not visible
     // here) and must pass validate_text(). On either failure the matching
     // error code is registered on $this->CI->error and false is returned;
     // otherwise true.
     require_once 'Tuxedo/inc/forbidden_words.inc.php';
     $too_long = strlen($val) > 80;
     if ($too_long) {
         $this->CI->error->set_error('10058');
         return false;
     }
     $text_ok = validate_text($val);
     if (!$text_ok) {
         $this->CI->error->set_error('10049');
         return false;
     }
     return true;
 }
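function edit_api_key_description()
{
    // Inline edit of an API key's description. $_GET['apikey'] identifies the
    // key (checked by validate_api_key(), which also returns the current
    // description), $_POST['value'] carries the new text. Echoes the stored
    // value and logs old/new; on failure sends HTTP 400 with a language-table
    // message. Always exits.
    global $COLLATE;
    $dbo = getdbo();
    include 'include/validation_functions.php';
    $apikey = isset($_GET['apikey']) ? $_GET['apikey'] : '';
    $value = isset($_POST['value']) ? $_POST['value'] : '';
    $return = validate_api_key($apikey);
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $old_description = $return['description'];
    $return = validate_text($value, 'apidescription');
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $value = $return['1'];

    // Both the description and the key are bound instead of interpolated.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    $stmt = $dbo->prepare("update `api-keys` set description=? where apikey=?");
    $stmt->execute(array($value, $apikey));
    echo $value;
    collate_log('5', "Settings Updated: API key description changed from \"{$old_description}\" to \"{$value}\"");
    exit;
}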
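function submit_acl()
{
    // Handles the "add ACL" form POST for the subnet named by
    // $_GET['subnet_id']. Validates the name and the address range, inserts
    // the ACL row and redirects to the subnet's statics page. Failures
    // redirect back with the validator's notice key. Always exits.
    global $dbo;
    include 'include/validation_functions.php';
    $subnet_id = isset($_GET['subnet_id']) && is_numeric($_GET['subnet_id']) ? $_GET['subnet_id'] : '';
    $acl_name = isset($_POST['acl_name']) ? $_POST['acl_name'] : '';
    $acl_start = isset($_POST['acl_start']) ? $_POST['acl_start'] : '';
    $acl_end = isset($_POST['acl_end']) ? $_POST['acl_end'] : '';
    if (empty($subnet_id)) {
        header("Location: blocks.php?notice=invalidrequest");
        exit;
    }
    if (empty($acl_name) || empty($acl_start) || empty($acl_end)) {
        header("Location: statics.php?subnet_id={$subnet_id}&notice=blankfield-notice");
        exit;
    }
    $result = validate_text($acl_name, 'aclname');
    if ($result['0'] === false) {
        header("Location: statics.php?subnet_id={$subnet_id}&notice={$result['error']}");
        exit;
    }
    $acl_name = $result['1'];
    // The range check also resolves the subnet's name for the log line.
    $result = validate_ip_range($acl_start, $acl_end, 'acl', $subnet_id);
    if ($result['0'] === false) {
        header("Location: statics.php?subnet_id={$subnet_id}&notice={$result['error']}");
        exit;
    }
    $long_acl_start = $result['long_start_ip'];
    $long_acl_end = $result['long_end_ip'];
    $subnet_name = $result['subnet_name'];
    AccessControl('3', "{$acl_name} ACL for {$subnet_name} subnet edited");

    // Values are bound instead of interpolated.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    $stmt = $dbo->prepare("INSERT INTO acl (name, start_ip, end_ip, subnet_id) VALUES (?, ?, ?, ?)");
    $stmt->execute(array($acl_name, $long_acl_start, $long_acl_end, $subnet_id));
    header("Location: statics.php?subnet_id={$subnet_id}&notice=acladded-notice");
    exit;
}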
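function read_in_csv_row($row)
{
    // Turns one parsed CSV import row into the INSERT that creates it. $row is
    // a list whose first field names the record type:
    //
    //  block  (5 fields): 'block','$block_name','$start_ip','$end_ip','$block_note'
    //  subnet (5 fields): 'subnet','$block_name','$subnet_name','$subnet','$subnet_note'
    //  acl    (4 fields): 'acl','$acl_name','$start_ip','$end_ip'
    //  static (5 fields): 'static','$static_name','$ip_address','$static_contact','$static_note'
    //
    // Returns array('error' => false, 'sql' => '...') on success, otherwise
    // array('error' => true, 'errormessage' => <language key>). The caller
    // runs the returned SQL; the values spliced into it are whatever
    // validate_text()/validate_network()/validate_ip_range() returned, so
    // that statement is only as safe as those helpers make their output.
    global $COLLATE;
    global $dbo;
    $recordtype = $row['0'];
    $fieldcount = count($row);
    $expected_fields = array('block' => 5, 'subnet' => 5, 'acl' => 4, 'static' => 5);
    if (!is_string($recordtype) || !isset($expected_fields[$recordtype])) {
        // An unknown record type used to fall through to the static branch.
        return array('error' => true, 'errormessage' => 'invalidrequest');
    }
    if ($fieldcount !== $expected_fields[$recordtype]) {
        return array('error' => true, 'errormessage' => 'badfieldcount');
    }
    $last_modified_by = !isset($COLLATE['user']['username']) ? 'system' : $COLLATE['user']['username'];

    // The lookups below bind their values instead of interpolating them.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped (which the interpolated INSERTs returned below
    // would be relying on), the bound lookups need the unescaped value instead.
    if ($recordtype === 'block') {
        $block_name = $row['1'];
        $block_start_ip = $row['2'];
        $block_end_ip = $row['3'];
        $block_note = $row['4'];
        $validate = validate_text($block_name, 'blockname');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $block_name = $validate['1'];
        $lookup = $dbo->prepare("SELECT id from blocks where name=?");
        $lookup->execute(array($block_name));
        if ($lookup->fetchColumn() !== false) {
            return array('error' => true, 'errormessage' => 'duplicatename');
        }
        if (preg_match('/^\s*$/', $block_start_ip) && preg_match('/^\s*$/', $block_end_ip)) {
            // block with no associated IP information
            $block_long_start_ip = '';
            $block_long_end_ip = '';
        } elseif (empty($block_end_ip) || ip2decimal($block_end_ip) === false) {
            // no usable end address: the start field describes a whole network
            $validate = validate_network($block_start_ip, 'block');
            if ($validate['0'] === false) {
                return array('error' => true, 'errormessage' => $validate['error']);
            }
            $block_long_start_ip = $validate['long_start_ip'];
            $block_long_end_ip = $validate['long_end_ip'];
        } else {
            // explicit start/end range
            $validate = validate_ip_range($block_start_ip, $block_end_ip, 'block');
            if ($validate['0'] === false) {
                return array('error' => true, 'errormessage' => $validate['error']);
            }
            $block_long_start_ip = $validate['long_start_ip'];
            $block_long_end_ip = $validate['long_end_ip'];
        }
        $validate = validate_text($block_note, 'note');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $block_note = $validate['1'];
        return array(
            'error' => false,
            'sql' => "INSERT INTO blocks (name, start_ip, end_ip, note, modified_by, modified_at) \r\n\t                  VALUES('{$block_name}', '{$block_long_start_ip}', '{$block_long_end_ip}', '{$block_note}', '{$last_modified_by}', now())",
        );
    } elseif ($recordtype === 'subnet') {
        $block_name = $row['1'];
        $subnet_name = $row['2'];
        $subnet = $row['3'];
        $subnet_note = $row['4'];
        $validate = validate_text($block_name, 'blockname');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $block_name = $validate['1'];
        // The parent block is referenced by name and must match exactly one row.
        $lookup = $dbo->prepare("SELECT id from blocks where name=?");
        $lookup->execute(array($block_name));
        $block_ids = $lookup->fetchAll(PDO::FETCH_COLUMN);
        if (count($block_ids) !== 1) {
            return array('error' => true, 'errormessage' => 'blocknotfound');
        }
        $block_id = $block_ids[0];
        $validate = validate_text($subnet_name, 'subnetname');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $subnet_name = $validate['1'];
        $validate = validate_network($subnet);
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $subnet_long_start_ip = $validate['long_start_ip'];
        $subnet_long_end_ip = $validate['long_end_ip'];
        $subnet_long_mask = $validate['long_mask'];
        $validate = validate_text($subnet_note, 'note');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $subnet_note = $validate['1'];
        return array(
            'error' => false,
            'sql' => "INSERT INTO subnets (name, start_ip, end_ip, mask, note, block_id, modified_by, modified_at) \r\n                      VALUES('{$subnet_name}', '{$subnet_long_start_ip}', '{$subnet_long_end_ip}', '{$subnet_long_mask}', \r\n\t\t\t\t\t  '{$subnet_note}', '{$block_id}', '{$last_modified_by}', now())",
        );
    } elseif ($recordtype === 'acl') {
        $acl_name = $row['1'];
        $acl_start_ip = $row['2'];
        $acl_end_ip = $row['3'];
        // NOTE(review): the ACL name is validated with the 'blockname' profile
        // here while the form handlers use 'aclname'; kept as-is, confirm
        // which is intended.
        $validate = validate_text($acl_name, 'blockname');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $acl_name = $validate['1'];
        // With no subnet id given, the range check resolves the owning subnet.
        $validate = validate_ip_range($acl_start_ip, $acl_end_ip, 'acl', null);
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $subnet_id = $validate['subnet_id'];
        $acl_long_start_ip = $validate['long_start_ip'];
        $acl_long_end_ip = $validate['long_end_ip'];
        return array(
            'error' => false,
            'sql' => "INSERT INTO acl (name, start_ip, end_ip, subnet_id) \r\n\t                  VALUES ('{$acl_name}', '{$acl_long_start_ip}', '{$acl_long_end_ip}', '{$subnet_id}')",
        );
    } else {
        // $recordtype === 'static'
        $static_name = $row['1'];
        $static_ip = $row['2'];
        $static_long_ip = ip2decimal($static_ip);
        $static_contact = $row['3'];
        $static_note = $row['4'];
        $validate = validate_text($static_name, 'staticname');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $static_name = $validate['1'];
        if ($static_long_ip === false) {
            return array('error' => true, 'errormessage' => 'invalidip');
        }
        // Find the one subnet whose network contains the address.
        $lookup = $dbo->prepare("SELECT id from subnets where CAST(? AS UNSIGNED) & CAST(mask AS UNSIGNED) = CAST(start_ip AS UNSIGNED)");
        $lookup->execute(array($static_long_ip));
        $subnet_ids = $lookup->fetchAll(PDO::FETCH_COLUMN);
        if (count($subnet_ids) !== 1) {
            return array('error' => true, 'errormessage' => 'subnetnotfound');
        }
        $subnet_id = $subnet_ids[0];
        // Make sure the static IP isn't in use already or excluded from use via an ACL
        $validate = validate_static_ip($static_ip);
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $validate = validate_text($static_contact, 'contact');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $static_contact = $validate['1'];
        $validate = validate_text($static_note, 'note');
        if ($validate['0'] === false) {
            return array('error' => true, 'errormessage' => $validate['error']);
        }
        $static_note = $validate['1'];
        return array(
            'error' => false,
            'sql' => "INSERT INTO statics (ip, name, contact, note, subnet_id, modified_by, modified_at)\r\n                      VALUES('{$static_long_ip}', '{$static_name}', '{$static_contact}', '{$static_note}', \r\n\t\t\t\t\t  '{$subnet_id}', '{$last_modified_by}', now())",
        );
    }
}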
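function submit_block()
{
    // Handles the add/modify block form POST. Validation runs in two groups:
    // first every check that needs no database lookup, then the database-
    // backed ones, in the order the inputs are read below. A 'container'
    // block carries no addresses; an 'ipv4' block may carry a network (ip
    // only) or a range (ip + end_ip). Failures redirect back to the form with
    // the submitted values and a notice key; on success the row is written,
    // the action logged and the user sent to the parent block's listing.
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';
    $block_id = isset($_POST['block_id']) ? $_POST['block_id'] : '';
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $note = isset($_POST['note']) ? $_POST['note'] : '';
    # this input is optional
    $ip = isset($_POST['ip']) ? $_POST['ip'] : '';
    $end_ip = isset($_POST['end_ip']) ? $_POST['end_ip'] : '';
    $username = empty($_SESSION['username']) ? 'system' : $_SESSION['username'];
    // Normalised to a real bool once: the form sends the string 'true' for a
    // modify. The flag used to be tested three different ways (== 'true',
    // === false, truthiness), so a value such as 'false' ran the UPDATE path.
    $update_block = isset($_POST['update_block']) && $_POST['update_block'] === 'true';
    $parent_block = isset($_POST['parent_block']) ? $_POST['parent_block'] : '';
    $block_type = isset($_POST['block_type']) ? $_POST['block_type'] : '';
    if ($block_type === 'container') {
        # containers don't have IP ranges associated with them
        $ip = '';
        $end_ip = '';
    }

    // Fields echoed back to the form on a validation failure;
    // http_build_query() URL-encodes them, which the old interpolated
    // redirects did not.
    $form = array('op' => $update_block ? 'modify' : 'add');
    if ($update_block) {
        $form['block_id'] = $block_id;
    }
    $form += array(
        'name' => $name,
        'ip' => $ip,
        'end_ip' => $end_ip,
        'note' => $note,
        'block_type' => $block_type,
        'parent_block' => $parent_block,
    );

    if (empty($name) || (!empty($end_ip) && empty($ip)) || empty($block_type)) {
        $form['notice'] = 'missingfield-notice';
        header('Location: blocks.php?' . http_build_query($form));
        exit;
    }
    // The parent is either a block id or the literal 'null' for a top-level
    // block. The former pattern /[0-9]*/ matched every string, so this check
    // was effectively only empty().
    if (!is_string($parent_block) || empty($parent_block)
        || (!preg_match('/^[0-9]+$/', $parent_block) && $parent_block !== 'null')) {
        header("Location: blocks.php?notice=invalidrequest");
        exit;
    }
    $return = validate_text($name, 'blockname');
    if ($return['0'] === false) {
        $form['notice'] = $return['error'];
        header('Location: blocks.php?' . http_build_query($form));
        exit;
    }
    $name = $return['1'];
    $form['name'] = $name;
    if (!is_string($block_type) || !preg_match('/^container$|^ipv4$/', $block_type)) {
        $form['notice'] = 'invalidrequest';
        header('Location: blocks.php?' . http_build_query($form));
        exit;
    }

    // Every statement below binds its values instead of interpolating them;
    // $block_id and $parent_block in particular came straight from the form.
    // NOTE(review): validate_text() is not visible here; if its return value
    // is already SQL-escaped, that escaping must be dropped, since bound
    // parameters are never re-escaped.
    $old_block_name = '';
    if (!$update_block) {
        # checking for duplicate block name
        $stmt = $dbo->prepare("SELECT id from blocks where name=?");
        $stmt->execute(array($name));
        if ($stmt->fetchColumn() !== false) {
            $form['notice'] = 'duplicatename';
            header('Location: blocks.php?' . http_build_query($form));
            exit;
        }
    } else {
        # checking that we're updating a block that actually exists
        $stmt = $dbo->prepare("SELECT name FROM blocks WHERE id=?");
        $stmt->execute(array($block_id));
        $old_block_name = $stmt->fetchColumn();
        if ($old_block_name === false) {
            header("Location: blocks.php?notice=selectblock");
            exit;
        }
    }
    $return = validate_text($note, 'note');
    if ($return['0'] === false) {
        $form['notice'] = $return['error'];
        header('Location: blocks.php?' . http_build_query($form));
        exit;
    }
    $note = $return['1'];
    $form['note'] = $note;

    // Optional address information: a network when only ip is given, a range
    // when end_ip is given too. Both stay '' for a container block so the
    // same INSERT/UPDATE serves every type (previously they were undefined
    // variables in that case).
    $long_start_ip = '';
    $long_end_ip = '';
    $return = null;
    if (!empty($ip) && empty($end_ip)) {
        # subnet supplied
        $return = validate_network($ip, 'block', $block_id);
    } elseif (!empty($ip)) {
        # range supplied
        $return = validate_ip_range($ip, $end_ip, 'block', $block_id);
    }
    if ($return !== null) {
        if ($return['0'] === false) {
            $form['notice'] = $return['error'];
            header('Location: blocks.php?' . http_build_query($form));
            exit;
        }
        $long_start_ip = $return['long_start_ip'];
        $long_end_ip = $return['long_end_ip'];
    }

    // Parent: bound as SQL NULL for a top-level block, otherwise it must exist.
    if ($parent_block !== 'null') {
        $stmt = $dbo->prepare("SELECT id FROM blocks WHERE id=?");
        $stmt->execute(array($parent_block));
        if ($stmt->fetchColumn() === false) {
            header("Location: blocks.php?notice=invalidrequest");
            exit;
        }
        $parent_id = $parent_block;
    } else {
        $parent_id = null;
    }
    if (!$update_block) {
        # new block: afterwards redirect the user to the block they put it into
        $old_parent_block = $parent_block;
    } else {
        $stmt = $dbo->prepare("SELECT parent_id FROM blocks WHERE id=?");
        $stmt->execute(array($block_id));
        $old_parent_block = $stmt->fetchColumn();
    }
    # If we're changing an existing block, we must make sure we don't orphan a child object
    if ($update_block) {
        if ($block_type === 'ipv4' && find_child_blocks($block_id) !== false) {
            $form['notice'] = 'wouldorphanblocks';
            header('Location: blocks.php?' . http_build_query($form));
            exit;
        } elseif ($block_type === 'container') {
            # just check this block for subnets
            $stmt = $dbo->prepare("SELECT count(*) FROM subnets where block_id=?");
            $stmt->execute(array($block_id));
            if ((int) $stmt->fetchColumn() !== 0) {
                $form['notice'] = 'wouldorphansubnets';
                header('Location: blocks.php?' . http_build_query($form));
                exit;
            }
        }
    }
    if ($update_block) {
        $stmt = $dbo->prepare("UPDATE blocks SET name=?, start_ip=?, end_ip=?, note=?, modified_by=?, modified_at=now(),
           parent_id=?, type=? WHERE id=?");
        $params = array($name, $long_start_ip, $long_end_ip, $note, $username, $parent_id, $block_type, $block_id);
    } else {
        $stmt = $dbo->prepare("INSERT INTO blocks (name, start_ip, end_ip, note, modified_by, modified_at, parent_id, type)
           VALUES(?, ?, ?, ?, ?, now(), ?, ?)");
        $params = array($name, $long_start_ip, $long_end_ip, $note, $username, $parent_id, $block_type);
    }
    $message = $update_block ? "IP Block updated: {$name}" : "IP Block added: {$name}";
    // Only a modify can rename a block; on an add $old_block_name was undefined
    // and the "(previously )" suffix was appended to every message.
    if ($update_block && $name != $old_block_name) {
        $message .= "(previously {$old_block_name})";
    }
    AccessControl("4", $message);
    // We don't want to generate logs when nothing is really happening, so the write goes down here.
    $stmt->execute($params);
    $notice = $update_block ? 'blockupdated-notice' : 'blockadded-notice';
    // A stored parent_id of NULL (top-level block) comes back as null from
    // fetchColumn(), while the form sends the string 'null' for the same case.
    if ($old_parent_block === null || $old_parent_block === false || $old_parent_block === '' || $old_parent_block === 'null') {
        header("Location: blocks.php?notice={$notice}");
    } else {
        header("Location: blocks.php?block_id={$old_parent_block}&notice={$notice}");
    }
    exit;
}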
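<?php

// Entry point for user-administration operations (currently only
// 'deleteuser'). Requires access level 5, validates the username named in
// the request and checks that exactly one such user exists before
// dispatching on $_GET['op'].
require_once 'include/common.php';
AccessControl('5', null, false);
# null means no log, false means don't redirect
include 'include/validation_functions.php';
$op = empty($_GET['op']) ? 'default' : $_GET['op'];
$username = isset($_GET['username']) ? $_GET['username'] : '';
$result = validate_text($username, 'username');
if ($result['0'] === false) {
    header("HTTP/1.1 400 Bad Request");
    echo $COLLATE['languages']['selected'][$result['error']];
    exit;
}
$username = $result['1'];
// The validated username is looked up with a bound parameter; the previous
// query compared against a fixed literal and never used $username at all.
// NOTE(review): validate_text() is not visible here; if its return value is
// already SQL-escaped, that escaping must be dropped for a bound parameter.
$stmt = $dbo->prepare("select count(*) from users where username=?");
$stmt->execute(array($username));
$count = $stmt->fetchColumn();
// Cast before comparing: the driver may return the count as int or string.
if ((int) $count !== 1) {
    header("HTTP/1.1 400 Bad Request");
    echo $COLLATE['languages']['selected']['invalidrequest'];
    exit;
}
switch ($op) {
    case "deleteuser":
        delete_user();
        break;
    default:
        exit;
}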
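/**
 * Handle the add/edit user form submission.
 *
 * Reads the form fields from $_POST (and the edit flag from $_GET), validates them,
 * performs the INSERT or UPDATE, logs the change and redirects back to users.php.
 * Every validation failure redirects to the form with the submitted values carried in
 * the query string; those values are percent-encoded with http_build_query() so a
 * value containing '&', '=' or '#' can neither break the URL nor add parameters.
 *
 * @global array $COLLATE application state (current user, settings, language strings)
 * @global PDO   $dbo     database handle
 */
function submit_user()
{
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';
    # validations are organized by all checks that don't require db lookups, then all that do
    # in the order that the vars are listed below
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    // NOTE(review): sha1() is not a password hashing scheme. The login path that checks
    // tmppasswd would have to change in step, so it is only flagged here, not changed.
    $tmppasswd = !empty($_POST['tmppasswd']) ? sha1(clean($_POST['tmppasswd'])) : '';
    $phone = isset($_POST['phone']) ? $_POST['phone'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $language = isset($_POST['languages']) ? $_POST['languages'] : '';
    // Access level must be a single digit 0-5; anything else is stored as ''.
    $perms = isset($_POST['perms']) && preg_match("/^[012345]{1}\$/", $_POST['perms']) ? $_POST['perms'] : '';
    $locked = isset($_POST['locked']) ? 'on' : 'off';
    // A locked account is represented by a login-attempt counter that is already exhausted.
    $loginattempts = $locked == 'on' ? '9' : '0';
    // NOTE(review): this is a bool and interpolates into SQL as '1' or '' — confirm the
    // ldapexempt column accepts ''.
    $ldapexempt = isset($_POST['ldapexempt']) && $_POST['ldapexempt'] == "on" ? true : false;
    // NOTE(review): the pattern is unanchored and also matches "false", so ?edit=false selects
    // edit mode. Callers seem to send only edit=true — confirm before tightening.
    $edit = isset($_GET['edit']) && preg_match("/true|false/", $_GET['edit']) ? true : false;
    $logged_in_user = isset($COLLATE['user']['username']) ? $COLLATE['user']['username'] : '';
    // Editing someone else's account requires the top access level.
    if ($logged_in_user != $username) {
        AccessControl('5', null);
    }
    // Redirect back to the form, echoing the submitted values, and stop processing.
    // Captured by value: none of these three are reassigned later in this function.
    $back_to_form = function ($op, $notice) use ($username, $phone, $email) {
        $query = http_build_query([
            'op' => $op,
            'username' => $username,
            'phone' => $phone,
            'email' => $email,
            'notice' => $notice,
        ]);
        header("Location: users.php?{$query}");
        exit;
    };
    if ($edit === false) {
        $return = validate_text($username, 'username');
        if ($return['0'] === false) {
            $back_to_form('add', $return['error']);
        }
        $action = 'add';
    } else {
        // NOTE(review): on the edit path the username is never passed through validate_text.
        $action = 'edit';
    }
    $return = validate_text($phone, 'phone');
    if ($return['0'] === false) {
        $back_to_form($action, $return['error']);
    }
    $return = validate_text($email, 'email');
    if ($return['0'] === false) {
        $back_to_form($action, $return['error']);
    }
    // At least one contact channel is required.
    if (empty($email) && empty($phone)) {
        $back_to_form($action, "onecontact");
    }
    // Load every language definition so the submitted isocode can be checked against them.
    foreach (glob("languages/*.php") as $filename) {
        include $filename;
    }
    if (!isset($languages[$language]['isocode']) || $language != $languages[$language]['isocode']) {
        $back_to_form($action, 'invalidrequest');
    }
    // NOTE(review): the queries below interpolate request values directly. The username is
    // shown masked ('******') on this page, so the exact interpolation cannot be recovered
    // here; moving them to prepare()/execute() with bound parameters is the follow-up.
    $test = $dbo->query("SELECT id FROM users WHERE username='******'");
    if ($test->rowCount() > 0 && $edit === false) {
        #duplicate user
        $back_to_form('add', "nameconflict-notice");
    } elseif ($test->rowCount() !== 1 && $edit !== false) {
        #can't edit a user that doesn't exist
        $back_to_form('add', "invalidrequest");
    }
    if ($edit === false) {
        $sql = "INSERT INTO users (username, tmppasswd, accesslevel, phone, email, loginattempts, ldapexempt, language) \r\n           VALUES('{$username}', '{$tmppasswd}', '{$perms}', '{$phone}', '{$email}', '{$loginattempts}', '{$ldapexempt}', '{$language}')";
    } else {
        if ($COLLATE['user']['accesslevel'] == '5' || $COLLATE['settings']['perms'] > '5') {
            #can update all vars
            if (empty($tmppasswd)) {
                $sql = "UPDATE users SET accesslevel='{$perms}', phone='{$phone}', email='{$email}', loginattempts='{$loginattempts}', \r\n\t\t        ldapexempt='{$ldapexempt}', language='{$language}' \r\n\t            WHERE username='******'";
            } else {
                $sql = "UPDATE users SET tmppasswd='{$tmppasswd}', accesslevel='{$perms}', phone='{$phone}',\r\n\t            email='{$email}', loginattempts='{$loginattempts}', ldapexempt='{$ldapexempt}', language='{$language}' \r\n\t            WHERE username='******'";
            }
        } else {
            # can only update basic info
            $sql = "UPDATE users SET username='******', phone='{$phone}', email='{$email}', language='{$language}' \r\n\t          WHERE username='******'";
        }
    }
    if ($edit === false) {
        $message = "User added: {$username}";
        $notice = "useradded-notice";
    } else {
        $message = "User updated: {$username}";
        $notice = "userupdated-notice";
    }
    collate_log('5', $message);
    // adds and modifications are always logged
    $dbo->query($sql);
    $query = http_build_query([
        'op' => 'edit',
        'username' => $username,
        'notice' => $notice,
    ]);
    header("Location: users.php?{$query}");
    exit;
}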