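/**
 * Authenticate a user from the encrypted payload posted by the login form.
 *
 * Steps, in order: load settings / DB / crypto libraries / language file,
 * decode $sentData, optionally authenticate against LDAP (posix-search,
 * posix or windows), check the personal salt key (PSK) and the Google
 * Authenticator code, verify the password hash (migrating legacy hash
 * formats on the fly) and, on success, populate $_SESSION with the user's
 * profile, roles and rights.
 *
 * The result is written with echo as a one-element JSON array
 * ([{"value": ..., "user_admin": ..., "initial_url": ..., "error": ...}]);
 * several validation branches echo a shorter array and exit() early.
 *
 * Side effects: reads/writes $_SESSION and the users / nested_tree / emails
 * tables, may set a TeamPass_PFSK_* cookie and, when $debugLdap / $debugDuo
 * are enabled, writes diagnostics to ldap.debug.txt / duo.debug.txt inside
 * path_to_files_folder.
 *
 * @param string $sentData payload produced by prepareExchangedData(..., "encode");
 *                         decoded here with the "decode" mode
 * @return void
 */
function identifyUser($sentData)
{
    global $debugLdap, $debugDuo, $k;
    include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php';
    header("Content-type: text/html; charset=utf-8");
    // Only fatal errors are reported from here on; notices and warnings
    // raised by the code below are deliberately silent.
    error_reporting(E_ERROR);
    require_once $_SESSION['settings']['cpassman_dir'] . '/sources/main.functions.php';
    require_once $_SESSION['settings']['cpassman_dir'] . '/sources/SplClassLoader.php';
    // Debug traces are appended to a file under path_to_files_folder. They
    // record the raw payload, the login name and the session token, so keep
    // the flags off outside of troubleshooting.
    if ($debugDuo == 1) {
        $dbgDuo = fopen($_SESSION['settings']['path_to_files_folder'] . "/duo.debug.txt", "a");
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "Content of data sent '" . $sentData . "'\n");
    }
    // connect to the server ($server, $user, $pass, $database, $port and
    // $encoding are defined by settings.php included above)
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Database/Meekrodb/db.class.php';
    DB::$host = $server;
    DB::$user = $user;
    DB::$password = $pass;
    DB::$dbName = $database;
    DB::$port = $port;
    DB::$encoding = $encoding;
    DB::$error_handler = 'db_error_handler';
    $link = mysqli_connect($server, $user, $pass, $database, $port);
    $link->set_charset($encoding);
    //Load AES
    $aes = new SplClassLoader('Encryption\\Crypt', '../includes/libraries');
    $aes->register();
    // load passwordLib library
    $pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
    $pwdlib->register();
    $pwdlib = new PasswordLib\PasswordLib();
    // User's language loading
    $k['langage'] = @$_SESSION['user_language'];
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/language/' . $_SESSION['user_language'] . '.php';
    // decrypt and retrieve data in JSON format
    $dataReceived = prepareExchangedData($sentData, "decode");
    // Prepare variables
    $passwordClear = htmlspecialchars_decode($dataReceived['pw']);
    // legacy (pre-2.1.17) hash of the password, used below to migrate old accounts
    $passwordOldEncryption = encryptOld(htmlspecialchars_decode($dataReceived['pw']));
    $username = htmlspecialchars_decode($dataReceived['login']);
    $logError = "";
    // The PSK is only read from the payload when psk_authentication is on and
    // the user is not an admin, but its hash is written to the users table on
    // every successful login, so it is initialised here (hash of "" otherwise).
    $psk = "";
    if ($debugDuo == 1) {
        fputs($dbgDuo, "Starting authentication of '" . $username . "'\n");
    }
    // GET SALT KEY LENGTH
    if (strlen(SALT) > 32) {
        $_SESSION['error']['salt'] = true;
    }
    $_SESSION['user_language'] = $k['langage'];
    $ldapConnection = false;
    /* LDAP connection */
    if ($debugLdap == 1) {
        // create temp file; the bind password is not written to it because
        // the file lives in the files folder alongside user-downloadable exports
        $dbgLdap = fopen($_SESSION['settings']['path_to_files_folder'] . "/ldap.debug.txt", "w");
        fputs(
            $dbgLdap,
            "Get all LDAP params : \n"
            . 'mode : ' . $_SESSION['settings']['ldap_mode'] . "\n"
            . 'type : ' . $_SESSION['settings']['ldap_type'] . "\n"
            . 'base_dn : ' . $_SESSION['settings']['ldap_domain_dn'] . "\n"
            . 'search_base : ' . $_SESSION['settings']['ldap_search_base'] . "\n"
            . 'bind_dn : ' . $_SESSION['settings']['ldap_bind_dn'] . "\n"
            . 'bind_passwd : ' . (empty($_SESSION['settings']['ldap_bind_passwd']) ? '(empty)' : '[redacted]') . "\n"
            . 'user_attribute : ' . $_SESSION['settings']['ldap_user_attribute'] . "\n"
            . 'account_suffix : ' . $_SESSION['settings']['ldap_suffix'] . "\n"
            . 'domain_controllers : ' . $_SESSION['settings']['ldap_domain_controler'] . "\n"
            . 'use_ssl : ' . $_SESSION['settings']['ldap_ssl'] . "\n"
            . 'use_tls : ' . $_SESSION['settings']['ldap_tls'] . "\n*********\n\n"
        );
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "LDAP status: " . $_SESSION['settings']['ldap_mode'] . "\n");
    }
    if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $username != "admin") {
        // Multiple Domain Names: a "DOMAIN\user" login is split into the
        // account suffix "@DOMAIN" and the bare user name. A backslash at
        // offset 0 is ignored (strpos() == true only held for offsets > 0).
        $decodedLogin = html_entity_decode($username);
        $domainSep = strpos($decodedLogin, '\\');
        if ($domainSep > 0) {
            $ldap_suffix = "@" . substr($decodedLogin, 0, $domainSep);
            $username = substr($decodedLogin, $domainSep + 1);
        }
        if ($_SESSION['settings']['ldap_type'] == 'posix-search') {
            $ldapconn = ldap_connect($_SESSION['settings']['ldap_domain_controler']);
            if ($debugLdap == 1) {
                fputs($dbgLdap, "LDAP connection : " . ($ldapconn ? "Connected" : "Failed") . "\n");
            }
            ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
            if ($ldapconn) {
                $ldapbind = ldap_bind($ldapconn, $_SESSION['settings']['ldap_bind_dn'], $_SESSION['settings']['ldap_bind_passwd']);
                if ($debugLdap == 1) {
                    fputs($dbgLdap, "LDAP bind : " . ($ldapbind ? "Bound" : "Failed") . "\n");
                }
                if ($ldapbind) {
                    // $username comes from the client: escape LDAP filter
                    // metacharacters before it is spliced into the search
                    // filter so a crafted login cannot change the query.
                    // ldap_escape() needs PHP >= 5.6; the fallback escapes
                    // the same characters (RFC 4515).
                    if (function_exists('ldap_escape')) {
                        $filterUsername = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
                    } else {
                        $filterUsername = str_replace(
                            array('\\', '*', '(', ')', "\0"),
                            array('\5c', '\2a', '\28', '\29', '\00'),
                            $username
                        );
                    }
                    $filter = "(&(" . $_SESSION['settings']['ldap_user_attribute'] . "={$filterUsername})(objectClass=posixAccount))";
                    $result = ldap_search($ldapconn, $_SESSION['settings']['ldap_search_base'], $filter, array('dn'));
                    if ($debugLdap == 1) {
                        fputs($dbgLdap, 'Search filter : ' . $filter . "\n" . 'Results : ' . print_r(ldap_get_entries($ldapconn, $result), true) . "\n");
                    }
                    if (ldap_count_entries($ldapconn, $result)) {
                        // try auth: rebind with the DN found for the user
                        $result = ldap_get_entries($ldapconn, $result);
                        $user_dn = $result[0]['dn'];
                        $ldapbind = ldap_bind($ldapconn, $user_dn, $passwordClear);
                        $ldapConnection = $ldapbind ? true : false;
                    }
                } else {
                    $ldapConnection = false;
                }
            } else {
                $ldapConnection = false;
            }
        } else {
            if ($debugLdap == 1) {
                fputs($dbgLdap, "Get all ldap params : \n" . 'base_dn : ' . $_SESSION['settings']['ldap_domain_dn'] . "\n" . 'account_suffix : ' . $_SESSION['settings']['ldap_suffix'] . "\n" . 'domain_controllers : ' . $_SESSION['settings']['ldap_domain_controler'] . "\n" . 'use_ssl : ' . $_SESSION['settings']['ldap_ssl'] . "\n" . 'use_tls : ' . $_SESSION['settings']['ldap_tls'] . "\n*********\n\n");
            }
            $adldap = new SplClassLoader('LDAP\\adLDAP', '../includes/libraries');
            $adldap->register();
            // Posix style LDAP handles user searches a bit differently
            if ($_SESSION['settings']['ldap_type'] == 'posix') {
                $ldap_suffix = ',' . $_SESSION['settings']['ldap_suffix'] . ',' . $_SESSION['settings']['ldap_domain_dn'];
            } elseif ($_SESSION['settings']['ldap_type'] == 'windows' and $ldap_suffix == '') {
                //Multiple Domain Names: no domain in the login, use the configured suffix
                $ldap_suffix = $_SESSION['settings']['ldap_suffix'];
            }
            $adldap = new LDAP\adLDAP\adLDAP(array(
                'base_dn' => $_SESSION['settings']['ldap_domain_dn'],
                'account_suffix' => $ldap_suffix,
                'domain_controllers' => explode(",", $_SESSION['settings']['ldap_domain_controler']),
                'use_ssl' => $_SESSION['settings']['ldap_ssl'],
                'use_tls' => $_SESSION['settings']['ldap_tls'],
            ));
            if ($debugLdap == 1) {
                fputs($dbgLdap, "Create new adldap object : " . $adldap->get_last_error() . "\n\n\n");
            }
            // openLDAP expects an attribute=value pair
            if ($_SESSION['settings']['ldap_type'] == 'posix') {
                $auth_username = $_SESSION['settings']['ldap_user_attribute'] . '=' . $username;
            } else {
                $auth_username = $username;
            }
            // authenticate the user
            if ($adldap->authenticate($auth_username, html_entity_decode($passwordClear))) {
                $ldapConnection = true;
                // keep the local hash in sync with the LDAP password
                $data['pw'] = $pwdlib->createPasswordHash($passwordClear);
                DB::update(prefix_table('users'), array('pw' => $data['pw']), "login=%s", $username);
            } else {
                $ldapConnection = false;
            }
            if ($debugLdap == 1) {
                fputs($dbgLdap, "After authenticate : " . $adldap->get_last_error() . "\n\n\n" . "ldap status : " . $ldapConnection . "\n\n\n");
            }
        }
    } else {
        if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 2) {
            // nothing: ldap_mode 2 performs no LDAP bind here, and the
            // "can connect" test below still requires $ldapConnection
        }
    }
    // Check if user exists
    $data = DB::queryFirstRow("SELECT * FROM " . prefix_table("users") . " WHERE login=%s_login", array('login' => $username));
    $counter = DB::count();
    if ($debugDuo == 1) {
        fputs($dbgDuo, "USer exists: " . $counter . "\n");
    }
    // Check PSK (personal salt key)
    if (isset($_SESSION['settings']['psk_authentication']) && $_SESSION['settings']['psk_authentication'] == 1 && $data['admin'] != 1) {
        $psk = htmlspecialchars_decode($dataReceived['psk']);
        $pskConfirm = htmlspecialchars_decode($dataReceived['psk_confirm']);
        if (empty($psk)) {
            echo '[{"value" : "psk_required"}]';
            exit;
        } elseif (empty($data['psk'])) {
            // first login with a PSK: a confirmation is required, then the key
            // is kept in session (its hash is stored in the users table below)
            if (empty($pskConfirm)) {
                echo '[{"value" : "bad_psk_confirmation"}]';
                exit;
            } else {
                $_SESSION['my_sk'] = $psk;
            }
        } elseif ($pwdlib->verifyPasswordHash($psk, $data['psk']) === true) {
            // NOTE(review): this rejects the login when the supplied PSK
            // *matches* the stored hash and lets a non-matching one through
            // (without setting $_SESSION['my_sk']). It looks inverted, but it
            // is left unchanged here because it alters authentication
            // behaviour — confirm the intended semantics of $data['psk'].
            echo '[{"value" : "bad_psk"}]';
            exit;
        }
    }
    $proceedIdentification = false;
    if ($counter > 0) {
        $proceedIdentification = true;
    } elseif ($counter == 0 && $ldapConnection == true && isset($_SESSION['settings']['ldap_elusers']) && $_SESSION['settings']['ldap_elusers'] == 0) {
        // If LDAP enabled, create user in CPM if doesn't exist
        $data['pw'] = $pwdlib->createPasswordHash($passwordClear);
        DB::insert(prefix_table('users'), array(
            'login' => $username,
            'pw' => $data['pw'],
            'email' => "",
            'admin' => '0',
            'gestionnaire' => '0',
            'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0',
            'fonction_id' => '0',
            'groupes_interdits' => '0',
            'groupes_visibles' => '0',
            'last_pw_change' => time(),
            'user_language' => $_SESSION['settings']['default_language'],
        ));
        $newUserId = DB::insertId();
        // Create personnal folder
        if ($_SESSION['settings']['enable_pf_feature'] == "1") {
            DB::insert(prefix_table("nested_tree"), array(
                'parent_id' => '0',
                'title' => $newUserId,
                'bloquer_creation' => '0',
                'bloquer_modification' => '0',
                'personal_folder' => '1',
            ));
        }
        $proceedIdentification = true;
    }
    // Check if user exists (and has been created in case of new LDAP user)
    $data = DB::queryFirstRow("SELECT * FROM " . prefix_table("users") . " WHERE login=%s_login", array('login' => $username));
    $counter = DB::count();
    if ($counter == 0) {
        echo '[{"value" : "user_not_exists", "text":""}]';
        exit;
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "USer exists (confirm): " . $counter . "\n");
    }
    // check GA code (not enforced for "admin")
    if (isset($_SESSION['settings']['2factors_authentication']) && $_SESSION['settings']['2factors_authentication'] == 1 && $username != "admin") {
        if (isset($dataReceived['GACode']) && !empty($dataReceived['GACode'])) {
            include_once $_SESSION['settings']['cpassman_dir'] . "/includes/libraries/Authentication/GoogleAuthenticator/FixedBitNotation.php";
            include_once $_SESSION['settings']['cpassman_dir'] . "/includes/libraries/Authentication/GoogleAuthenticator/GoogleAuthenticator.php";
            $g = new Authentication\GoogleAuthenticator\GoogleAuthenticator();
            if ($g->checkCode($data['ga'], $dataReceived['GACode'])) {
                $proceedIdentification = true;
            } else {
                $proceedIdentification = false;
                $logError = "ga_code_wrong";
            }
        } else {
            // a missing code is reported the same way as a wrong one
            $proceedIdentification = false;
            $logError = "ga_code_wrong";
        }
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "Proceed with Ident: " . $proceedIdentification . "\n");
    }
    if ($proceedIdentification === true) {
        // User exists in the DB
        // v2.1.17 -> change encryption for users password: accounts still
        // carrying the legacy encryptOld() hash are re-hashed with bCrypt()
        if ($passwordOldEncryption == $data['pw'] && !empty($data['pw'])) {
            $data['pw'] = bCrypt($passwordClear, COST);
            DB::update(prefix_table('users'), array('pw' => $data['pw']), "id=%i", $data['id']);
        }
        // accounts carrying a crypt() hash are migrated to PasswordLib's format
        if (crypt($passwordClear, $data['pw']) == $data['pw'] && !empty($data['pw'])) {
            $data['pw'] = $pwdlib->createPasswordHash($passwordClear);
            DB::update(prefix_table('users'), array('pw' => $data['pw']), "id=%i", $data['id']);
        }
        // check the given password
        $userPasswordVerified = ($pwdlib->verifyPasswordHash($passwordClear, $data['pw']) === true);
        if ($debugDuo == 1) {
            fputs($dbgDuo, "User's password verified: " . $userPasswordVerified . "\n");
        }
        // Can connect if
        // 1- no LDAP mode + user enabled + pw ok
        // 2- LDAP mode + user enabled + ldap connection ok + user is not admin
        // 3- LDAP mode + user enabled + pw ok + user is admin
        // This in order to allow admin by default to connect even if LDAP is activated
        $ldapModeSet = isset($_SESSION['settings']['ldap_mode']);
        $userEnabled = ($data['disabled'] == 0);
        if (
            ($ldapModeSet && $_SESSION['settings']['ldap_mode'] == 0 && $userPasswordVerified == true && $userEnabled)
            || ($ldapModeSet && $_SESSION['settings']['ldap_mode'] == 1 && $ldapConnection == true && $userEnabled && $username != "admin")
            || ($ldapModeSet && $_SESSION['settings']['ldap_mode'] == 2 && $ldapConnection == true && $userEnabled && $username != "admin")
            || ($ldapModeSet && $_SESSION['settings']['ldap_mode'] == 1 && $username == "admin" && $userPasswordVerified == true && $userEnabled)
        ) {
            $_SESSION['autoriser'] = true;
            // Generate a random ID (the per-login key the client must echo back)
            $key = $pwdlib->getRandomToken(50);
            if ($debugDuo == 1) {
                fputs($dbgDuo, "User's token: " . $key . "\n");
            }
            // Log into DB the user's connection
            if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) {
                logEvents('user_connection', 'connection', $data['id']);
            }
            // Save account in SESSION
            $_SESSION['login'] = stripslashes($username);
            $_SESSION['name'] = stripslashes($data['name']);
            $_SESSION['lastname'] = stripslashes($data['lastname']);
            $_SESSION['user_id'] = $data['id'];
            $_SESSION['user_admin'] = $data['admin'];
            $_SESSION['user_manager'] = $data['gestionnaire'];
            $_SESSION['user_read_only'] = $data['read_only'];
            $_SESSION['last_pw_change'] = $data['last_pw_change'];
            $_SESSION['last_pw'] = $data['last_pw'];
            $_SESSION['can_create_root_folder'] = $data['can_create_root_folder'];
            $_SESSION['key'] = $key;
            $_SESSION['personal_folder'] = $data['personal_folder'];
            $_SESSION['user_language'] = $data['user_language'];
            $_SESSION['user_email'] = $data['email'];
            $_SESSION['user_ga'] = $data['ga'];
            $_SESSION['user_avatar'] = $data['avatar'];
            $_SESSION['user_avatar_thumb'] = $data['avatar_thumb'];
            $_SESSION['user_upgrade_needed'] = $data['upgrade_needed'];
            // manage session expiration: TimezoneOffset (seconds) and
            // duree_session (minutes) are taken from the client payload
            $serverTime = time();
            if ($dataReceived['TimezoneOffset'] > 0) {
                $userTime = $serverTime + $dataReceived['TimezoneOffset'];
            } else {
                $userTime = $serverTime;
            }
            $_SESSION['fin_session'] = $userTime + $dataReceived['duree_session'] * 60;
            /* If this option is set user password MD5 is used as personal SALTKey */
            if (isset($_SESSION['settings']['use_md5_password_as_salt']) && $_SESSION['settings']['use_md5_password_as_salt'] == 1) {
                $_SESSION['my_sk'] = md5($passwordClear);
                setcookie("TeamPass_PFSK_" . md5($_SESSION['user_id']), encrypt($_SESSION['my_sk'], ""), time() + 60 * 60 * 24 * $_SESSION['settings']['personal_saltkey_cookie_duration'], '/');
            }
            @syslog(LOG_WARNING, "User logged in - " . $_SESSION['user_id'] . " - " . date("Y/m/d H:i:s") . " {$_SERVER['REMOTE_ADDR']} ({$_SERVER['HTTP_USER_AGENT']})");
            if (empty($data['last_connexion'])) {
                $_SESSION['derniere_connexion'] = time();
            } else {
                $_SESSION['derniere_connexion'] = $data['last_connexion'];
            }
            if (!empty($data['latest_items'])) {
                $_SESSION['latest_items'] = explode(';', $data['latest_items']);
            } else {
                $_SESSION['latest_items'] = array();
            }
            if (!empty($data['favourites'])) {
                $_SESSION['favourites'] = explode(';', $data['favourites']);
            } else {
                $_SESSION['favourites'] = array();
            }
            // NOTE(review): groupes_visibles / groupes_interdits are string
            // columns here, so implode() yields null (warning suppressed);
            // explode() was probably meant. Left as-is because
            // identifyUserRights() below may overwrite both session entries —
            // confirm before changing.
            if (!empty($data['groupes_visibles'])) {
                $_SESSION['groupes_visibles'] = @implode(';', $data['groupes_visibles']);
            } else {
                $_SESSION['groupes_visibles'] = array();
            }
            if (!empty($data['groupes_interdits'])) {
                $_SESSION['groupes_interdits'] = @implode(';', $data['groupes_interdits']);
            } else {
                $_SESSION['groupes_interdits'] = array();
            }
            // User's roles
            $_SESSION['fonction_id'] = $data['fonction_id'];
            $_SESSION['user_roles'] = explode(";", $data['fonction_id']);
            // build array of roles and keep the highest password complexity
            $_SESSION['user_pw_complexity'] = 0;
            $_SESSION['arr_roles'] = array();
            foreach (array_filter(explode(';', $_SESSION['fonction_id'])) as $role) {
                $resRoles = DB::queryFirstRow("SELECT title, complexity FROM " . prefix_table("roles_title") . " WHERE id=%i", $role);
                $_SESSION['arr_roles'][$role] = array('id' => $role, 'title' => $resRoles['title']);
                // get highest complexity
                if ($_SESSION['user_pw_complexity'] < $resRoles['complexity']) {
                    $_SESSION['user_pw_complexity'] = $resRoles['complexity'];
                }
            }
            // build complete array of roles
            $_SESSION['arr_roles_full'] = array();
            $rows = DB::query("SELECT id, title FROM " . prefix_table("roles_title") . " ORDER BY title ASC");
            foreach ($rows as $record) {
                $_SESSION['arr_roles_full'][$record['id']] = array('id' => $record['id'], 'title' => $record['title']);
            }
            // Set some settings
            $_SESSION['user']['find_cookie'] = false;
            $_SESSION['settings']['update_needed'] = "";
            // Update table. Note that 'psk' is rewritten on every login with
            // the hash of $psk — the hash of "" when PSK auth is off or for
            // admins.
            DB::update(prefix_table('users'), array(
                'key_tempo' => $_SESSION['key'],
                'last_connexion' => time(),
                'timestamp' => time(),
                'disabled' => 0,
                'no_bad_attempts' => 0,
                'session_end' => $_SESSION['fin_session'],
                'psk' => $pwdlib->createPasswordHash(htmlspecialchars_decode($psk)),
            ), "id=%i", $data['id']);
            if ($debugDuo == 1) {
                fputs($dbgDuo, "Preparing to identify the user rights\n");
            }
            // Get user's rights
            identifyUserRights($data['groupes_visibles'], $_SESSION['groupes_interdits'], $data['admin'], $data['fonction_id'], false);
            // Get some more elements
            $_SESSION['screenHeight'] = $dataReceived['screenHeight'];
            // Get last seen items ($data is reused for item rows from here on)
            $_SESSION['latest_items_tab'][] = "";
            foreach ($_SESSION['latest_items'] as $item) {
                if (!empty($item)) {
                    $data = DB::queryFirstRow("SELECT id,label,id_tree FROM " . prefix_table("items") . " WHERE id=%i", $item);
                    $_SESSION['latest_items_tab'][$item] = array('id' => $item, 'label' => $data['label'], 'url' => 'index.php?page=items&amp;group=' . $data['id_tree'] . '&amp;id=' . $item);
                }
            }
            // send back the random key: the client-supplied randomstring is
            // echoed unescaped into the JSON below, i.e. the caller only gets
            // its own value back
            $return = $dataReceived['randomstring'];
            // Send email
            if (isset($_SESSION['settings']['enable_send_email_on_user_login']) && $_SESSION['settings']['enable_send_email_on_user_login'] == 1 && $_SESSION['user_admin'] != 1) {
                // get all Admin users as a comma-separated recipient list
                $receivers = "";
                $rows = DB::query("SELECT email FROM " . prefix_table("users") . " WHERE admin = %i", 1);
                foreach ($rows as $record) {
                    if (empty($receivers)) {
                        $receivers = $record['email'];
                    } else {
                        $receivers .= "," . $record['email'];
                    }
                }
                // Add email to table
                // NOTE(review): the backlog sender selects status "not_sent"
                // (underscore) or ""; rows queued here with "not sent" (space)
                // may never be picked up — confirm which spelling the sender
                // expects.
                DB::insert(prefix_table("emails"), array(
                    'timestamp' => time(),
                    'subject' => $LANG['email_subject_on_user_login'],
                    'body' => str_replace(
                        array('#tp_user#', '#tp_date#', '#tp_time#'),
                        array(
                            " " . $_SESSION['login'],
                            date($_SESSION['settings']['date_format'], $_SESSION['derniere_connexion']),
                            date($_SESSION['settings']['time_format'], $_SESSION['derniere_connexion']),
                        ),
                        $LANG['email_body_on_user_login']
                    ),
                    'receivers' => $receivers,
                    'status' => "not sent",
                ));
            }
        } elseif ($data['disabled'] == 1) {
            // User and password is okay but account is locked
            $return = "user_is_locked";
        } else {
            // User exists in the DB but Password is false
            // check if user is locked: nb_bad_authentication == 0 disables lockout
            $userIsLocked = 0;
            $nbAttempts = intval($data['no_bad_attempts'] + 1);
            if ($_SESSION['settings']['nb_bad_authentication'] > 0 && intval($_SESSION['settings']['nb_bad_authentication']) < $nbAttempts) {
                $userIsLocked = 1;
                // log it
                if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) {
                    logEvents('user_locked', 'connection', $data['id']);
                }
            }
            DB::update(prefix_table('users'), array(
                'key_tempo' => $_SESSION['key'],
                'last_connexion' => time(),
                'disabled' => $userIsLocked,
                'no_bad_attempts' => $nbAttempts,
            ), "id=%i", $data['id']);
            // What return should we do: "user_is_locked", "false" (lockout
            // disabled) or the current number of failed attempts
            if ($userIsLocked == 1) {
                $return = "user_is_locked";
            } elseif ($_SESSION['settings']['nb_bad_authentication'] == 0) {
                $return = "false";
            } else {
                $return = $nbAttempts;
            }
        }
    } else {
        $return = "false";
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "\n\n----\n" . "Identified : " . $return . "\n");
    }
    echo '[{"value" : "' . $return . '", "user_admin":"', isset($_SESSION['user_admin']) ? $_SESSION['user_admin'] : "", '", "initial_url" : "' . @$_SESSION['initial_url'] . '",
            "error" : "' . $logError . '"}]';
    $_SESSION['initial_url'] = "";
    if ($_SESSION['settings']['cpassman_dir'] == "..") {
        $_SESSION['settings']['cpassman_dir'] = ".";
    }
}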
                 $y = $pdf->GetY();
                 //Draw
                 $pdf->Rect($x, $y, $w, $h);
                 //Write
                 $pdf->MultiCell($w, 5, stripslashes($record[$table[$i]]), 0, $a);
                 //go to right
                 $pdf->SetXY($x + $w, $y);
             }
             //return to line
             $pdf->Ln($h);
         }
         $pdf_file = "print_out_pdf_" . date("Y-m-d", mktime(0, 0, 0, date('m'), date('d'), date('y'))) . "_" . generateKey() . ".pdf";
         //send the file
         $pdf->Output($_SESSION['settings']['path_to_files_folder'] . "/" . $pdf_file);
         //log
         logEvents('pdf_export', "", $_SESSION['user_id'], $_SESSION['login']);
         //clean table
         DB::query("TRUNCATE TABLE " . prefix_table("export"));
         echo '[{"text":"<a href=\'' . $_SESSION['settings']['url_to_files_folder'] . '/' . $pdf_file . '\' target=\'_blank\'>' . $LANG['pdf_download'] . '</a>"}]';
     }
     break;
     //CASE export in CSV format
 //CASE export in CSV format
 case "export_to_csv_format":
     $full_listing = array();
     $full_listing[0] = array('id' => "id", 'label' => "label", 'description' => "description", 'pw' => "pw", 'login' => "login", 'restricted_to' => "restricted_to", 'perso' => "perso");
     $id_managed = '';
     $i = 1;
     $items_id_list = array();
     foreach (explode(';', $_POST['ids']) as $id) {
         if (!in_array($id, $_SESSION['forbiden_pfs']) && in_array($id, $_SESSION['groupes_visibles'])) {
         * UPDATE CAN CREATE ROOT FOLDER RIGHT
         */
        case "user_edit_login":
            // Check KEY
            if ($_POST['key'] != $_SESSION['key']) {
                // error
                exit;
            }
            DB::update(prefix_table("users"), array('login' => $_POST['login'], 'name' => $_POST['name'], 'lastname' => $_POST['lastname']), "id = %i", $_POST['id']);
            break;
    }
} elseif (!empty($_POST['newValue'])) {
    $value = explode('_', $_POST['id']);
    DB::update(prefix_table("users"), array($value[0] => $_POST['newValue']), "id = %i", $value[1]);
    // update LOG
    logEvents('user_mngt', 'at_user_new_' . $value[0] . ':' . $value[1], $_SESSION['user_id'], $_SESSION['login'], $_POST['id']);
    // refresh SESSION if requested
    if ($value[0] == "treeloadstrategy") {
        $_SESSION['user_settings']['treeloadstrategy'] = $_POST['newValue'];
    }
    // Display info
    echo $_POST['newValue'];
} elseif (isset($_POST['newadmin'])) {
    $id = explode('_', $_POST['id']);
    DB::update(prefix_table("users"), array('admin' => $_POST['newadmin']), "id = %i", $id[1]);
    // Display info
    if ($_POST['newadmin'] == "1") {
        echo "Oui";
    } else {
        echo "Non";
    }
    DB::$password = $pass;
    DB::$dbName = $database;
    DB::$port = $port;
    DB::$encoding = $encoding;
    DB::$error_handler = 'db_error_handler';
    $link = mysqli_connect($server, $user, $pass, $database, $port);
    $link->set_charset($encoding);
    // Include main functions used by TeamPass
    require_once 'sources/main.functions.php';
    // Update table by deleting ID
    if (isset($_SESSION['user_id'])) {
        DB::update($pre . "users", array('key_tempo' => ''), "id=%i", $_SESSION['user_id']);
    }
    //Log into DB the user's disconnection
    if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) {
        logEvents('user_connection', 'disconnection', $_SESSION['user_id'], $_SESSION['login']);
    }
} else {
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/language/english.php';
    echo '
    <div style="width:800px;margin:auto;">';
    if (@$_SESSION['error']['code'] == ERR_NOT_ALLOWED) {
        echo '
        <div class="ui-state-error ui-corner-all error" >' . $LANG['error_not_authorized'] . '</div>';
    } elseif (@$_SESSION['error']['code'] == ERR_NOT_EXIST) {
        echo '
        <div class="ui-state-error ui-corner-all error" >' . $LANG['error_not_exists'] . '</div>';
    } elseif (@$_SESSION['error']['code'] == ERR_SESS_EXPIRED) {
        echo '
        <div class="ui-state-error ui-corner-all error" style="text-align:center;" >' . $LANG['index_session_expired'] . '<br /><br /><a href="index.php" />' . $LANG['home'] . '</a></div>';
    } elseif (@$_SESSION['error']['code'] == ERR_NO_MCRYPT) {
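 case "admin_email_send_backlog":
     // Re-send every queued email, then report the result of a test send.
     // sendEmail() returns a JSON object *fragment* ('"error":"...", ...' —
     // see how it is spliced into the response below), so the original
     // json_decode() of the bare fragment yielded null and every row was
     // deleted whether or not sending failed.
     require_once $_SESSION['settings']['cpassman_dir'] . '/sources/main.functions.php';
     // Rows are queued with either spelling of the pending status: this arm
     // writes back "not_sent", identifyUser() inserts "not sent".
     $rows = DB::query("SELECT * FROM " . prefix_table("emails") . " WHERE status = %s OR status = %s OR status = %s", "not_sent", "not sent", "");
     foreach ($rows as $record) {
         //send email
         $rawResult = @sendEmail($record['subject'], $record['body'], $record['receivers']);
         // decode as an array (not an object, which cannot be indexed with
         // ['error']); retry wrapped in braces for the bare-fragment case
         $ret = json_decode($rawResult, true);
         if ($ret === null) {
             $ret = json_decode('{' . $rawResult . '}', true);
         }
         if (is_array($ret) && !empty($ret['error'])) {
             // sending failed: keep the row queued for the next run
             DB::update(prefix_table("emails"), array('status' => "not_sent"), "timestamp = %s", $record['timestamp']);
         } else {
             // sent: delete from DB
             DB::delete(prefix_table("emails"), "timestamp = %s", $record['timestamp']);
         }
     }
     //update LOG
     logEvents('admin_action', 'Emails backlog', $_SESSION['user_id'], $_SESSION['login']);
     echo '[{"result":"admin_email_send_backlog", ' . @sendEmail($LANG['admin_email_test_subject'], $LANG['admin_email_test_body'], $_SESSION['settings']['email_from']) . '}]';
     break;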
     /*
      * Generate exchanges encryption keys
      */
 /*
  * Generate exchanges encryption keys
  */
 case "admin_action_generate_encrypt_keys":
     require_once "../includes/libraries/jCryption/jcryption.php";
     $keyLength = 1024;
     $jCryption = new jCryption();
     $numberOfPairs = 100;
     $arrKeyPairs = array();
     for ($i = 0; $i < $numberOfPairs; $i++) {
     //send back the random key
     $return = $data_received['randomstring'];
 } else {
     if ($data['disabled'] == 1) {
         //User and password is okay but account is locked
         $return = "user_is_locked";
     } else {
         //User exists in the DB but Password is false
         //check if user is locked
         $user_is_locked = 0;
         $nb_attempts = intval($data['no_bad_attempts'] + 1);
         if ($_SESSION['settings']['nb_bad_authentication'] > 0 && intval($_SESSION['settings']['nb_bad_authentication']) < $nb_attempts) {
             $user_is_locked = 1;
             //log it
             if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) {
                 logEvents('user_locked', 'connection', $data['id']);
             }
         }
         $db->query_update("users", array('key_tempo' => $_SESSION['key'], 'last_connexion' => mktime(date("h"), date("i"), date("s"), date("m"), date("d"), date("Y")), 'disabled' => $user_is_locked, 'no_bad_attempts' => $nb_attempts), "id=" . $data['id']);
         //What return shoulb we do
         if ($user_is_locked == 1) {
             $return = "user_is_locked";
         } else {
             if ($_SESSION['settings']['nb_bad_authentication'] == 0) {
                 $return = "false";
             } else {
                 $return = $nb_attempts;
             }
         }
     }
 }
/**
 * GET entry point of the REST API.
 *
 * Reads the request path from $GLOBALS['request'] (parsed here from REQUEST_URI
 * only when the caller left it empty), validates $GLOBALS['apikey'] with
 * apikey_checker(), and dispatches on the first path segment: "read", "find",
 * "add", "auth" or "set". Responses are echoed as JSON; every failure goes
 * through rest_error(), which is defined elsewhere and is assumed to end the
 * request (the code below is written as if rest_error() never returns).
 *
 * Security-relevant facts visible in this function:
 *  - for "read", "find" and "add" the API key is the only authentication, and
 *    stored passwords are returned decrypted (cryption(..., "decrypt"));
 *  - "auth" and "set" receive the user's clear-text password as a URL path
 *    segment, which typically ends up in web-server, proxy and browser logs;
 *  - the "find" branch assembles SQL by concatenating user-supplied category
 *    names (see the comments on the nested sub-query below);
 *  - the "add user" branch writes the API key itself into the event log.
 *
 * Uses the globals $server, $user, $pass, $database, $pre and $link (DB
 * settings and connection) and overwrites $user in the "auth"/"set" branches.
 *
 * @return void  Nothing is returned; output is echoed.
 */
function rest_get()
{
    // Marks the acting user for downstream logging; the stored value includes
    // the literal quote characters ('api'), not just the word api.
    $_SESSION['user_id'] = "'api'";
    // `!` binds tighter than `==`, so this is (!count(...)) == 0, which is true
    // exactly when the request array is empty — the intended meaning, reached
    // through PHP's loose comparison rather than stated directly. The `@` only
    // hides warnings; on PHP 8 count() on a non-array throws a TypeError.
    if (!@count($GLOBALS['request']) == 0) {
        $request_uri = $GLOBALS['_SERVER']['REQUEST_URI'];
        // Group 2 is the path after /api/ (or /api/index.php/); group 3 (the
        // apikey) is captured but not used here — $GLOBALS['apikey'] is expected
        // to have been populated by the caller.
        preg_match('/\\/api(\\/index.php|)\\/(.*)\\?apikey=(.*)/', $request_uri, $matches);
        if (count($matches) == 0) {
            rest_error('REQUEST_SENT_NOT_UNDERSTANDABLE');
        }
        $GLOBALS['request'] = explode('/', $matches[2]);
    }
    if (apikey_checker($GLOBALS['apikey'])) {
        // DB settings/connection from the global scope. $user is reassigned in
        // the "auth" and "set" branches below, which writes through to the global.
        global $server, $user, $pass, $database, $pre, $link;
        teampass_connect();
        $category_query = "";
        if ($GLOBALS['request'][0] == "read") {
            if ($GLOBALS['request'][1] == "category") {
                // get ids
                // `> 0` misses a separator at offset 0 (";3;4" is handled as one
                // id); the usual test is `!== false`. Ids are not checked to be
                // numeric here, unlike the "items" branch; %ls/%s bind them as
                // strings.
                if (strpos($GLOBALS['request'][2], ";") > 0) {
                    $condition = "id_tree IN %ls";
                    $condition_value = explode(';', $GLOBALS['request'][2]);
                } else {
                    $condition = "id_tree = %s";
                    $condition_value = $GLOBALS['request'][2];
                }
                DB::debugMode(false);
                // get items in this module
                $response = DB::query("SELECT id,label,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE " . $condition, $condition_value);
                foreach ($response as $data) {
                    // prepare output
                    $id = $data['id'];
                    // NOTE(review): mb_convert_encoding(string, to, from) — the
                    // detected encoding is passed as the target and 'UTF-8' as the
                    // source, which looks reversed; confirm the intended direction.
                    $json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
                    $json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
                    // Clear-text password in the response; the API key is the only gate.
                    $json[$id]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
                }
                /* load folders */
                // Only the direct sub-folders of request[2] are walked (one level,
                // not recursive). $rows and $i are assigned but never used. With
                // a ";"-separated list in request[2], %i binds the whole string
                // cast to an integer.
                $response = DB::query("SELECT id,parent_id,title,nleft,nright,nlevel FROM " . prefix_table("nested_tree") . " WHERE parent_id=%i ORDER BY `title` ASC", $GLOBALS['request'][2]);
                $rows = array();
                $i = 0;
                foreach ($response as $row) {
                    // Reassigning $response inside the loop leaves the outer
                    // iteration intact only if DB::query returned an array
                    // (foreach iterates over a copy) — presumably the case here.
                    $response = DB::query("SELECT id,label,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE id_tree=%i", $row['id']);
                    foreach ($response as $data) {
                        // prepare output
                        $id = $data['id'];
                        $json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
                        $json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
                        $json[$id]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
                    }
                }
            } elseif ($GLOBALS['request'][1] == "items") {
                $array_items = explode(';', $GLOBALS['request'][2]);
                // check if not empty
                // explode() always yields at least one element, so this guard
                // never fires; an empty request[2] reaches the numeric check as "".
                if (count($array_items) == 0) {
                    rest_error('NO_ITEM');
                }
                // only accepts numeric
                // is_numeric() also accepts floats and exponent forms ("1e3");
                // the %ls placeholder binds the values as strings.
                foreach ($array_items as $item) {
                    if (!is_numeric($item)) {
                        rest_error('ITEM_MALFORMED');
                    }
                }
                $response = DB::query("select id,label,login,pw, pw_iv, id_tree from " . prefix_table("items") . " where id IN %ls", $array_items);
                foreach ($response as $data) {
                    // prepare output
                    $id = $data['id'];
                    $json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
                    $json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
                    $json[$id]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
                }
            }
            // $json is only defined when at least one row was collected above.
            if (isset($json) && $json) {
                echo json_encode($json);
            } else {
                rest_error('EMPTY');
            }
        } elseif ($GLOBALS['request'][0] == "find") {
            if ($GLOBALS['request'][1] == "item") {
                // request[2] is a ";"-separated folder path (root first),
                // request[3] the item label pattern.
                $array_category = explode(';', $GLOBALS['request'][2]);
                $item = $GLOBALS['request'][3];
                // Character whitelist used as the only input validation. It
                // deliberately allows the single quote (\'), and the accented
                // characters are matched as raw bytes (no /u modifier), so the
                // result depends on the file's and the request's encoding.
                foreach ($array_category as $category) {
                    if (!preg_match_all("/^([\\w\\:\\'\\-\\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)\$/i", $category, $result)) {
                        rest_error('CATEGORY_MALFORMED');
                    }
                }
                if (!preg_match_all("/^([\\w\\:\\'\\-\\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)\$/i", $item, $result)) {
                    rest_error('ITEM_MALFORMED');
                } elseif (empty($item) || count($array_category) == 0) {
                    rest_error('MALFORMED');
                }
                // Builds a nested sub-query resolving the folder path: element 0
                // is the root (parent_id = 0), the last element the deepest
                // folder. Supports 1 to 4 levels. The category names are spliced
                // into the SQL text by concatenation, and the validator above
                // lets a quote through — this should be parameterised instead
                // (see the note on the query that consumes $category_query).
                if (count($array_category) > 1 && count($array_category) < 5) {
                    for ($i = count($array_category); $i > 0; $i--) {
                        $slot = $i - 1;
                        if (!$slot) {
                            $category_query .= "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[$slot] . "' AND parent_id = 0";
                        } else {
                            $category_query .= "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[$slot] . "' AND parent_id = (";
                        }
                    }
                    // One closing parenthesis per nested level opened above.
                    for ($i = 1; $i < count($array_category); $i++) {
                        $category_query .= ")";
                    }
                } elseif (count($array_category) == 1) {
                    $category_query = "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[0] . "' AND parent_id = 0";
                } else {
                    rest_error('NO_CATEGORY');
                }
                DB::debugMode(false);
                // NOTE(review): $category_query is bound through %s. If %s quotes
                // its argument (MeekroDB's documented behaviour for %s), the whole
                // sub-query is sent as a string literal and `id_tree = ('select
                // ...')` cannot select the intended folder; if it were inlined as
                // a literal instead, the quote allowed by the validator would be
                // an injection vector. Either way the folder id should be resolved
                // with parameterised queries. %ss looks like the LIKE-search form
                // of the placeholder — confirm against the DB class.
                $response = DB::query("select id, label, login, pw, pw_iv, id_tree\n                    from " . prefix_table("items") . "\n                    where id_tree = (%s)\n                    and label LIKE %ss", $category_query, $item);
                // Flat (single-item) result shape here; when several rows match,
                // the last one wins.
                foreach ($response as $data) {
                    // prepare output
                    $json['id'] = mb_convert_encoding($data['id'], mb_detect_encoding($data['id']), 'UTF-8');
                    $json['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
                    $json['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
                    $json['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
                    $json['folder_id'] = $data['id_tree'];
                    // utf8_encode() on an ASCII literal is a no-op (and the
                    // function is deprecated as of PHP 8.2).
                    $json['status'] = utf8_encode("OK");
                }
                if (isset($json) && $json) {
                    echo json_encode($json);
                } else {
                    rest_error('EMPTY');
                }
            }
        } elseif ($GLOBALS['request'][0] == "add") {
            if ($GLOBALS['request'][1] == "item") {
                // get item definition
                // Exactly 9 ";"-separated fields, in the order unpacked below.
                $array_item = explode(';', urldecode($GLOBALS['request'][2]));
                if (count($array_item) != 9) {
                    rest_error('ITEMBADDEFINITION');
                }
                $item_label = $array_item[0];
                $item_pwd = $array_item[1];
                $item_desc = $array_item[2];
                $item_folder_id = $array_item[3];
                $item_login = $array_item[4];
                $item_email = $array_item[5];
                $item_url = $array_item[6];
                $item_tags = $array_item[7];
                $item_anyonecanmodify = $array_item[8];
                // added so one can sent data including the http or https !
                // anyway we have to urlencode this data
                // Second urldecode pass (the whole segment was already decoded
                // above), so the url/email fields must be double-encoded by the caller.
                $item_url = urldecode($item_url);
                // same for the email
                $item_email = urldecode($item_email);
                // do some checks
                // empty() also rejects the string "0" as a folder id.
                if (!empty($item_label) && !empty($item_pwd) && !empty($item_folder_id)) {
                    // Check length
                    // Byte length, not character length (multi-byte passwords
                    // hit the limit sooner).
                    if (strlen($item_pwd) > 50) {
                        rest_error('PASSWORDTOOLONG');
                    }
                    // Check Folder ID
                    DB::query("SELECT * FROM " . prefix_table("nested_tree") . " WHERE id = %i", $item_folder_id);
                    $counter = DB::count();
                    if ($counter == 0) {
                        rest_error('NOSUCHFOLDER');
                    }
                    // check if element doesn't already exist
                    // addslashes() on top of the %s placeholder double-escapes:
                    // labels containing quotes or backslashes will not match.
                    DB::query("SELECT * FROM " . prefix_table("items") . " WHERE label = %s AND inactif = %i", addslashes($item_label), "0");
                    $counter = DB::count();
                    if ($counter != 0) {
                        $itemExists = 1;
                        // prevent the error if the label already exists
                        // so lets just add the time() as a random factor
                        // Dead in practice: $itemExists stays 1, so the branch
                        // below answers ITEMEXISTS and the suffixed label is unused.
                        $item_label .= " (" . time() . ")";
                    } else {
                        $itemExists = 0;
                    }
                    if ($itemExists == 0) {
                        $encrypt = cryption($item_pwd, SALT, "", "encrypt");
                        if (empty($encrypt['string'])) {
                            rest_error('PASSWORDEMPTY');
                        }
                        // ADD item
                        // NOTE(review): the DB layer loaded elsewhere in this
                        // project is mysqli-based with its own error handler, so a
                        // PDOException is unlikely to originate here; the catch
                        // also echoes the raw DB error text to the client.
                        try {
                            DB::insert(prefix_table("items"), array("label" => $item_label, "description" => $item_desc, 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], "email" => $item_email, "url" => $item_url, "id_tree" => intval($item_folder_id), "login" => $item_login, "inactif" => 0, "restricted_to" => "", "perso" => 0, "anyone_can_modify" => intval($item_anyonecanmodify)));
                            $newID = DB::InsertId();
                            // log
                            // 9999999 is the sentinel user id recorded for API actions.
                            DB::insert(prefix_table("log_items"), array("id_item" => $newID, "date" => time(), "id_user" => "9999999", "action" => "at_creation"));
                            // Add tags
                            $tags = explode(' ', $item_tags);
                            foreach ((array) $tags as $tag) {
                                if (!empty($tag)) {
                                    DB::insert(prefix_table("tags"), array("item_id" => $newID, "tag" => strtolower($tag)));
                                }
                            }
                            // Update CACHE table
                            DB::insert(prefix_table("cache"), array("id" => $newID, "label" => $item_label, "description" => $item_desc, "tags" => $item_tags, "id_tree" => $item_folder_id, "perso" => "0", "restricted_to" => "", "login" => $item_login, "folder" => "", "author" => "9999999"));
                            echo '{"status":"item added"}';
                        } catch (PDOException $ex) {
                            echo '<br />' . $ex->getMessage();
                        }
                    } else {
                        rest_error('ITEMEXISTS');
                    }
                } else {
                    rest_error('ITEMMISSINGDATA');
                }
            } elseif ($GLOBALS['request'][1] == "user") {
                // get user definition
                // Exactly 11 ";"-separated fields, in the order unpacked below;
                // note this segment is not urldecoded, unlike the item form.
                $array_user = explode(';', $GLOBALS['request'][2]);
                if (count($array_user) != 11) {
                    rest_error('USERBADDEFINITION');
                }
                $login = $array_user[0];
                $name = $array_user[1];
                $lastname = $array_user[2];
                $password = $array_user[3];
                $email = $array_user[4];
                $adminby = $array_user[5];
                $isreadonly = $array_user[6];
                $roles = $array_user[7];
                $isadmin = $array_user[8];
                $ismanager = $array_user[9];
                $haspf = $array_user[10];
                // Empty user
                // Escaping is irrelevant for an emptiness test; kept as is.
                if (mysqli_escape_string($link, htmlspecialchars_decode($login)) == "") {
                    rest_error('USERLOGINEMPTY');
                }
                // Check if user already exists
                // mysqli_escape_string() before a bound placeholder double-escapes
                // logins containing quotes or backslashes.
                $data = DB::query("SELECT id, fonction_id, groupes_interdits, groupes_visibles FROM " . prefix_table("users") . "\n            WHERE login LIKE %ss", mysqli_escape_string($link, stripslashes($login)));
                if (DB::count() == 0) {
                    try {
                        // find AdminRole code in DB
                        $resRole = DB::queryFirstRow("SELECT id\n                            FROM " . prefix_table("roles_title") . "\n                            WHERE title LIKE %ss", mysqli_escape_string($link, stripslashes($adminby)));
                        // get default language
                        $lang = DB::queryFirstRow("SELECT `valeur` FROM " . prefix_table("misc") . " WHERE type = %s AND intitule = %s", "admin", "default_language");
                        // prepare roles list
                        $rolesList = "";
                        foreach (explode('|', $roles) as $role) {
                            // Stray debug output: this is emitted before the JSON
                            // status below and makes the response unparseable.
                            echo $role . "-";
                            // An unknown role title yields $tmp === null, so an
                            // empty id is appended to the list.
                            $tmp = DB::queryFirstRow("SELECT `id` FROM " . prefix_table("roles_title") . " WHERE title = %s", $role);
                            if (empty($rolesList)) {
                                $rolesList = $tmp['id'];
                            } else {
                                $rolesList .= ";" . $tmp['id'];
                            }
                        }
                        // Add user in DB
                        // COST and bCrypt()/stringUtf8Decode() come from elsewhere
                        // in the project; the password arrived in the URL path.
                        DB::insert(prefix_table("users"), array('login' => $login, 'name' => $name, 'lastname' => $lastname, 'pw' => bCrypt(stringUtf8Decode($password), COST), 'email' => $email, 'admin' => intval($isadmin), 'gestionnaire' => intval($ismanager), 'read_only' => intval($isreadonly), 'personal_folder' => intval($haspf), 'user_language' => $lang['valeur'], 'fonction_id' => $rolesList, 'groupes_interdits' => '0', 'groupes_visibles' => '0', 'isAdministratedByRole' => empty($resRole) ? '0' : $resRole['id']));
                        $new_user_id = DB::insertId();
                        // Create personnal folder
                        if (intval($haspf) == 1) {
                            DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => $new_user_id, 'bloquer_creation' => '0', 'bloquer_modification' => '0', 'personal_folder' => '1'));
                        }
                        // Send email to new user
                        // NOTE(review): $LANG is neither a parameter nor in the
                        // `global` list of this function, so unless it is set in
                        // this scope elsewhere the subject/body are empty and the
                        // `@` hides the notice. The mail also carries the
                        // clear-text password.
                        @sendEmail($LANG['email_subject_new_user'], str_replace(array('#tp_login#', '#tp_pw#', '#tp_link#'), array(" " . addslashes($login), addslashes($password), $_SESSION['settings']['email_server_url']), $LANG['email_new_user_mail']), $email);
                        // update LOG
                        // Writes the API key itself into the event log; a key
                        // identifier would be enough to attribute the action.
                        logEvents('user_mngt', 'at_user_added', 'api - ' . $GLOBALS['apikey'], $new_user_id);
                        echo '{"status":"user added"}';
                    } catch (PDOException $ex) {
                        // Same caveat as in the "add item" branch: raw DB error
                        // text is echoed to the client.
                        echo '<br />' . $ex->getMessage();
                    }
                } else {
                    rest_error('USERALREADYEXISTS');
                }
            }
        } elseif ($GLOBALS['request'][0] == "auth") {
            /*
             ** FOR SECURITY PURPOSE, it is mandatory to use SSL to connect your teampass instance. The user password is not encrypted!
             **
             **
             ** Expected call format: .../api/index.php/auth/<PROTOCOL>/<URL>/<login>/<password>?apikey=<VALID API KEY>
             ** Example: https://127.0.0.1/teampass/api/index.php/auth/http/www.zadig-tge.adp.com/U1/test/76?apikey=chahthait5Aidood6johh6Avufieb6ohpaixain
             ** RESTRICTIONS:
             **              - <PROTOCOL>        ==> http|https|ftp|...
             **              - <URL>             ==> encode URL without protocol (example: http://www.teampass.net becomes www.teampass.net)
             **              - <login>           ==> user's login
             **              - <password>        ==> currently clear password
             **
             ** RETURNED ANSWER:
             **              - format sent back is JSON
             **              - Example: {"<item_id>":{"label":"<pass#1>","login":"******","pw":"<pwd#1>"},"<item_id>":{"label":"<pass#2>","login":"******","pw":"<pwd#2>"}}
             **
             */
            // TLS protects the password in transit only; as a path segment it is
            // still written to server/proxy access logs and client history.
            // get user credentials
            if (isset($GLOBALS['request'][3]) && isset($GLOBALS['request'][4])) {
                // get url
                if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2])) {
                    // is user granted?
                    // Overwrites the global $user imported above (DB credential).
                    $user = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][3]);
                    // load passwordLib library
                    $_SESSION['settings']['cpassman_dir'] = "..";
                    require_once '../sources/SplClassLoader.php';
                    $pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
                    $pwdlib->register();
                    $pwdlib = new PasswordLib\PasswordLib();
                    // Unknown login and wrong password both end in AUTH_NOT_GRANTED
                    // (no user enumeration through the response), assuming
                    // verifyPasswordHash() returns false for a null hash.
                    if ($pwdlib->verifyPasswordHash($GLOBALS['request'][4], $user['pw']) === true) {
                        // define the restriction of "id_tree" of this user
                        // NOTE(review): the arguments here are separated by commas
                        // where a concatenation (.) was apparently intended, so
                        // only the first string is the SQL; the NOT IN / role_id
                        // clauses and the exploded list are passed as extra
                        // arguments to a query without placeholders. If the DB
                        // class ignores surplus arguments, $userDef is every
                        // folder with any R/W role value, i.e. the per-user
                        // restriction is not applied — verify and fix.
                        $userDef = DB::queryOneColumn('folder_id', "SELECT DISTINCT folder_id \n                            FROM " . prefix_table("roles_values") . "\n                            WHERE type IN ('R', 'W') ", empty($user['groupes_interdits']) ? "" : "\n                            AND folder_id NOT IN (" . str_replace(";", ",", $user['groupes_interdits']) . ")", " \n                            AND role_id IN %ls \n                            GROUP BY folder_id", explode(";", $user['groupes_interdits']));
                        // complete with "groupes_visibles"
                        // An empty groupes_visibles explodes to [""], which then
                        // leaves an empty element in the IN (...) list below.
                        foreach (explode(";", $user['groupes_visibles']) as $v) {
                            array_push($userDef, $v);
                        }
                        // find the item associated to the url
                        // $userDef values come from the DB, not the request, but
                        // are still inlined rather than bound (%li would do).
                        // The appended '%' makes this a prefix match on the url;
                        // '%' or '_' typed by the caller also act as wildcards.
                        $response = DB::query("SELECT id, label, login, pw, pw_iv, id_tree, restricted_to\n                            FROM " . prefix_table("items") . " \n                            WHERE url LIKE %s\n                            AND id_tree IN (" . implode(",", $userDef) . ")\n                            ORDER BY id DESC", $GLOBALS['request'][1] . "://" . urldecode($GLOBALS['request'][2] . '%'));
                        $counter = DB::count();
                        if ($counter > 0) {
                            // NOTE(review): initialised as "" but used as an array
                            // below; since PHP 7.1 an empty string is no longer
                            // auto-converted to an array on index assignment, so
                            // this should be array() on current PHP versions.
                            $json = "";
                            foreach ($response as $data) {
                                // check if item visible
                                // && binds tighter than ||: visible when unrestricted,
                                // or when the user id is in the restricted_to list.
                                if (empty($data['restricted_to']) || $data['restricted_to'] != "" && in_array($user['id'], explode(";", $data['restricted_to']))) {
                                    // prepare export
                                    $json[$data['id']]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
                                    $json[$data['id']]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
                                    $json[$data['id']]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
                                }
                            }
                            // prepare answer. If no access then inform
                            if (empty($json)) {
                                rest_error('AUTH_NO_DATA');
                            } else {
                                echo json_encode($json);
                            }
                        } else {
                            rest_error('AUTH_NO_DATA');
                        }
                    } else {
                        rest_error('AUTH_NOT_GRANTED');
                    }
                } else {
                    rest_error('AUTH_NO_URL');
                }
            } else {
                rest_error('AUTH_NO_IDENTIFIER');
            }
        } elseif ($GLOBALS['request'][0] == "set") {
            /*
             * Expected call format: .../api/index.php/set/<login_to_save>/<password_to_save>/<url>/<user_login>/<user_password>?apikey=<VALID API KEY>
             * Example: https://127.0.0.1/teampass/api/index.php/auth/myLogin/myPassword/USER1/test/76?apikey=chahthait5Aidood6johh6Avufieb6ohpaixain
             *
             * NEW ITEM WILL BE STORED IN SPECIFIC FOLDER
             */
            // Both the credential being stored and the caller's own password
            // travel as URL path segments (see the log-exposure note on "auth").
            // get user credentials
            if (isset($GLOBALS['request'][4]) && isset($GLOBALS['request'][5])) {
                // get url
                if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
                    // is user granted?
                    // Overwrites the global $user imported above (DB credential).
                    $user = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][4]);
                    // load passwordLib library
                    $_SESSION['settings']['cpassman_dir'] = "..";
                    require_once '../sources/SplClassLoader.php';
                    $pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
                    $pwdlib->register();
                    $pwdlib = new PasswordLib\PasswordLib();
                    // is user identified?
                    if ($pwdlib->verifyPasswordHash($GLOBALS['request'][5], $user['pw']) === true) {
                        // does the personal folder of this user exists?
                        // Personal folders are stored with the user id as title.
                        DB::queryFirstRow("SELECT `id`\n                            FROM " . $pre . "nested_tree\n                            WHERE title = %s AND personal_folder = 1", $user['id']);
                        if (DB::count() > 0) {
                            // check if "teampass-connect" folder exists
                            // if not create it
                            $folder = DB::queryFirstRow("SELECT `id`\n                                FROM " . $pre . "nested_tree\n                                WHERE title = %s", "teampass-connect");
                            if (DB::count() == 0) {
                                DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => "teampass-connect"));
                                $tpc_folder_id = DB::insertId();
                                //Add complexity
                                DB::insert(prefix_table("misc"), array('type' => 'complex', 'intitule' => $tpc_folder_id, 'valeur' => '0'));
                                // rebuild tree
                                $tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
                                $tree->rebuild();
                            } else {
                                $tpc_folder_id = $folder['id'];
                            }
                            // encrypt password
                            $encrypt = cryption($GLOBALS['request'][2], SALT, "", "encrypt");
                            // add new item
                            // NOTE(review): the '%' appended before urldecode() is
                            // stored literally in the label and url fields; it
                            // looks carried over from the LIKE pattern in the
                            // "auth" branch and is probably unintended here.
                            // restricted_to limits the item to the calling user.
                            DB::insert(prefix_table("items"), array('label' => "Credentials for " . urldecode($GLOBALS['request'][3] . '%'), 'description' => "Imported with Teampass-Connect", 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'email' => "", 'url' => urldecode($GLOBALS['request'][3] . '%'), 'id_tree' => $tpc_folder_id, 'login' => $GLOBALS['request'][1], 'inactif' => '0', 'restricted_to' => $user['id'], 'perso' => '0', 'anyone_can_modify' => '0', 'complexity_level' => '0'));
                            $newID = DB::insertId();
                            // log
                            logItems($newID, "Credentials for " . urldecode($GLOBALS['request'][3] . '%'), $user['id'], 'at_creation', $GLOBALS['request'][1]);
                            $json['status'] = "ok";
                            // prepare answer. If no access then inform
                            // $json was just populated, so the error branch is unreachable.
                            if (empty($json)) {
                                rest_error('AUTH_NO_DATA');
                            } else {
                                echo json_encode($json);
                            }
                        } else {
                            rest_error('NO_PF_EXIST_FOR_USER');
                        }
                    } else {
                        rest_error('AUTH_NOT_GRANTED');
                    }
                } else {
                    rest_error('SET_NO_DATA');
                }
            } else {
                rest_error('AUTH_NO_IDENTIFIER');
            }
        } else {
            rest_error('METHOD');
        }
    }
}
             }
         }
         // update cron time
         DB::update(prefix_table("misc"), array('valeur' => time()), "intitule = %s AND type = %s", "sending_emails", "cron");
     }
     break;
     /**
      * Store error
      */
 /**
  * Store error
  */
 case "store_error":
     if (!empty($_SESSION['user_id'])) {
         // update DB
         logEvents('error', urldecode($_POST['error']), $_SESSION['user_id'], $_SESSION['login']);
     }
     break;
     /**
      * Generate a password generic
      */
 /**
  * Generate a password generic
  */
 case "generate_a_password":
     if ($_POST['size'] > $_SESSION['settings']['pwd_maximum_length']) {
         echo prepareExchangedData(array("error_msg" => "Password length is too long!", "error" => "true"), "encode");
         break;
     }
     //Load PWGEN
     $pwgen = new SplClassLoader('Encryption\\PwGen', '../includes/libraries');
                     if ($i == 3) {
                         $item[$i] = html_entity_decode(htmlspecialchars_decode(str_replace("<br />", "\n", $item[$i]), ENT_QUOTES));
                     }
                     $pdf->MultiCell($w, 5, $item[$i], 0, $a);
                     //go to right
                     $pdf->SetXY($x + $w, $y);
                 }
                 //return to line
                 $pdf->Ln($h);
             }
         }
         $pdf_file = "print_out_pdf_" . date("Y-m-d", mktime(0, 0, 0, date('m'), date('d'), date('y'))) . "_" . generateKey() . ".pdf";
         //send the file
         $pdf->Output($_SESSION['settings']['path_to_files_folder'] . "/" . $pdf_file);
         //log
         logEvents('pdf_export', implode(';', $printed_ids), $_SESSION['user_id']);
         echo '[{"text":"<a href=\'' . $_SESSION['settings']['url_to_files_folder'] . '/' . $pdf_file . '\' target=\'_blank\'>' . $LANG['pdf_download'] . '</a>"}]';
     }
     break;
     //CASE export in CSV format
 //CASE export in CSV format
 case "export_to_csv_format":
     $full_listing = array();
     $full_listing[0] = array('id' => "id", 'label' => "label", 'description' => "description", 'pw' => "pw", 'login' => "login", 'restricted_to' => "restricted_to", 'perso' => "perso");
     $id_managed = '';
     $i = 1;
     $items_id_list = array();
     foreach (explode(';', $_POST['ids']) as $id) {
         if (!in_array($id, $_SESSION['forbiden_pfs']) && in_array($id, $_SESSION['groupes_visibles'])) {
             $rows = DB::query("SELECT i.id as id, i.restricted_to as restricted_to, i.perso as perso, i.label as label, i.description as description, i.pw as pw, i.login as login,\n                       l.date as date,\n                       n.renewal_period as renewal_period,\n                       k.rand_key\n                    FROM " . $pre . "items as i\n                    INNER JOIN " . $pre . "nested_tree as n ON (i.id_tree = n.id)\n                    INNER JOIN " . $pre . "log_items as l ON (i.id = l.id_item)\n                    INNER JOIN " . $pre . "keys as k ON (i.id = k.id)\n                    WHERE i.inactif = %i\n                    AND i.id_tree= %i\n                    AND (l.action = %s OR (l.action = %s AND l.raison LIKE %s))\n                    ORDER BY i.label ASC, l.date DESC", "0", intval($id), "at_creation", "at_modification", "at_pw :%");
             foreach ($rows as $reccord) {