/**
 * Authorise an API call.
 *
 * The action token is validated first; a failure aborts before any user
 * data is resolved. When a user password is also supplied, the user is
 * fully authenticated (password, enabled state, master-password checks and
 * no pending forced password change) and the value of getUserMPass(true)
 * is kept in $this->_mPass. Both failure paths throw the same generic
 * message, so the caller cannot tell which check failed.
 *
 * @param int         $actionId  Id of the action the token must be valid for
 * @param string      $authToken API security token
 * @param string|null $userPass  User password; when null only the token is checked
 * @throws SPException when the token is not valid for the action or the
 *                     user authentication fails
 */
public function __construct($actionId, $authToken, $userPass = null)
{
    $tokenValid = Auth::checkAuthToken($actionId, $authToken);

    if (!$tokenValid) {
        throw new SPException(SPException::SP_CRITICAL, _('Acceso no permitido'));
    }

    $this->_userId = ApiTokens::getUserIdForToken($authToken);
    $this->_actionId = $actionId;
    $this->_auth = true;

    if ($userPass !== null) {
        $userLogin = UserUtil::getUserLoginById($this->_userId);

        $user = new User();
        $user->setUserId($this->_userId);
        $user->setUserLogin($userLogin);
        $user->setUserPass($userPass);

        // Short-circuit chain: each later check only runs when the earlier
        // ones passed, so the password is verified before any state check.
        $authenticated = Auth::authUserMySQL($userLogin, $userPass)
            && !UserUtil::checkUserIsDisabled($userLogin)
            && UserPass::checkUserMPass($user)
            && UserPass::checkUserUpdateMPass($userLogin)
            && !$user->isUserChangePass();

        if (!$authenticated) {
            throw new SPException(SPException::SP_CRITICAL, _('Acceso no permitido'));
        }

        $this->_mPass = $user->getUserMPass(true);
    }

    Session::setUserId($this->_userId);
}
// (fragment: the enclosing login flow starts before this point)
$Log->writeLog();
SP\Response::printJSON(_('Clave maestra incorrecta'), 4);
}
}

// A forced password change pre-empts the login: a recovery hash is stored
// and the client is sent to the reset form. The link carries the hash, the
// issue time and f=1; the flow relies on printJSON() ending the request.
if ($User->isUserChangePass()) {
    $hash = SP\Util::generate_random_bytes();

    if (UserPassRecover::addPassRecover($userLogin, $hash)) {
        $url = SP\Init::$WEBURI . '/index.php?a=passreset&h=' . $hash . '&t=' . time() . '&f=1';
        SP\Response::printJSON($url, 0);
    }
}

// Complete the login only when the user's master password is available.
if ($User->getUserMPass()) {
    // Update the user's last-login timestamp.
    UserUtil::setUserLastLogin($User->getUserId());

    // Load the user's session variables.
    SessionUtil::loadUserSession($User);

    $Log->addDescription(sprintf('%s: %s', _('Usuario'), $userLogin));
    $Log->addDescription(sprintf('%s: %s', _('Perfil'), SP\Profile::getProfileNameById($User->getUserProfileId())));
    $Log->addDescription(sprintf('%s: %s', _('Grupo'), SP\Groups::getGroupNameById($User->getUserGroupId())));
    $Log->writeLog();
} else {
    SP\Response::printJSON(_('Error interno'));
}

// Second factor: the session is flagged as not-yet-passed and the client is
// sent to the 2FA form.
// NOTE(review): loadUserSession() has already run at this point; confirm the
// rest of the application gates on the 2FA-passed flag so a session whose
// second factor was never completed cannot be used.
$UserPrefs = \SP\UserPreferences::getPreferences($User->getUserId());

if ($UserPrefs->isUse2Fa()) {
    SP\Session::set2FApassed(false);
    $url = SP\Init::$WEBURI . '/index.php?a=2fa&i=' . $User->getUserId() . '&t=' . time() . '&f=1';
    SP\Response::printJSON($url, 0);
} else {
/**
 * Populate the view with the data for the user detail form.
 *
 * Loads the user identified by $this->view->itemId and assigns it, along
 * with the group and profile select options, to the view. The form is
 * rendered disabled for the 'demo' login in demo mode and for the
 * view-only action; users flagged as LDAP are rendered read-only.
 */
public function getUser()
{
    $this->_module = self::ACTION_USR_USERS;
    $this->view->addTemplate('users');
    $this->view->assign('user', UserUtil::getUserData($this->view->itemId));

    // Same precedence as the original expression: (demo user && demo mode) || view action.
    $demoLocked = $this->view->user['user_login'] === 'demo' && $this->view->isDemo;
    $formDisabled = $demoLocked || $this->view->actionId === self::ACTION_USR_USERS_VIEW;
    $this->view->assign('isDisabled', $formDisabled ? 'disabled' : '');

    $this->view->assign('groups', DB::getValuesForSelect('usrGroups', 'usergroup_id', 'usergroup_name'));
    $this->view->assign('profiles', DB::getValuesForSelect('usrProfiles', 'userprofile_id', 'userprofile_name'));

    // Read-only for LDAP-flagged users (presumably because the directory owns the data).
    $ldapUser = $this->view->user['checks']['user_isLdap'];
    $this->view->assign('ro', $ldapUser ? 'READONLY' : '');

    $this->getCustomFieldsForItem();
}
// (fragment: the enclosing action dispatch starts before this point)
}
} elseif ($actionId === \SP\Controller\ActionsInterface::ACTION_USR_USERS_EDITPASS) {
    // Change a user's password. Each printJSON() is relied upon to end the
    // request, which is why the update below is not in an else branch.
    if (SP\Util::demoIsEnabled() && UserUtil::getUserLoginById($itemId) == 'demo') {
        SP\Response::printJSON(_('Ey, esto es una DEMO!!'));
    } elseif (!$User->getUserPass() || !$userPassR) {
        SP\Response::printJSON(_('La clave no puede estar en blanco'), 2);
    } elseif ($User->getUserPass() != $userPassR) {
        // NOTE(review): loose != applies type juggling, so numeric-looking
        // strings (e.g. '1e3' and '1000') compare equal; the confirmation
        // should use !== so only byte-identical passwords are accepted.
        SP\Response::printJSON(_('Las claves no coinciden'), 2);
    }

    if ($User->updateUserPass()) {
        SP\Response::printJSON(_('Clave actualizada'), 0);
    }

    SP\Response::printJSON(_('Error al modificar la clave'));

// Delete a user
} elseif ($actionId === \SP\Controller\ActionsInterface::ACTION_USR_USERS_DELETE) {
    if (SP\Util::demoIsEnabled() && UserUtil::getUserLoginById($itemId) == 'demo') {
        SP\Response::printJSON(_('Ey, esto es una DEMO!!'));
    } elseif ($User->getUserId() == SP\Session::getUserId()) {
        // The account the current session belongs to cannot be deleted.
        SP\Response::printJSON(_('No es posible eliminar, usuario en uso'));
    }

    // NOTE(review): if deleteUser() succeeds but the custom-field cleanup
    // fails, the user row is already gone yet an error is reported.
    if ($User->deleteUser() && SP\CustomFields::deleteCustomFieldForItem($User->getUserId(), \SP\Controller\ActionsInterface::ACTION_USR_USERS)) {
        SP\Response::printJSON(_('Usuario eliminado'), 0, $doActionOnClose);
    }

    SP\Response::printJSON(_('Error al eliminar el usuario'));
}
} elseif ($actionId === \SP\Controller\ActionsInterface::ACTION_USR_GROUPS_NEW
    || $actionId === \SP\Controller\ActionsInterface::ACTION_USR_GROUPS_EDIT
    || $actionId === \SP\Controller\ActionsInterface::ACTION_USR_GROUPS_DELETE) {
    // Form POST variables
    $frmGrpName = SP\Request::analyze('name');
    $frmGrpDesc = SP\Request::analyze('description');
    $frmGrpUsers = SP\Request::analyze('users');

    if ($actionId === \SP\Controller\ActionsInterface::ACTION_USR_GROUPS_NEW || $actionId === \SP\Controller\ActionsInterface::ACTION_USR_GROUPS_EDIT) {
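use SP\UserUtil;

define('APP_ROOT', '..');

require_once APP_ROOT . DIRECTORY_SEPARATOR . 'inc' . DIRECTORY_SEPARATOR . 'Base.php';

// Account modification request: mails the account owner and its last editor.
// Every printJSON() call below is relied upon to end the request (a failing
// check is followed by a printJSON() and nothing else).

// The request must be a POST with a matching referer and carry the session key.
SP\Request::checkReferer('POST');

if (!SP\Init::isLoggedIn()) {
    SP\Response::printJSON(_('La sesión no se ha iniciado o ha caducado'), 10);
}

$sk = SP\Request::analyze('sk', false);

if (!$sk || !SessionUtil::checkSessionKey($sk)) {
    SP\Response::printJSON(_('CONSULTA INVÁLIDA'));
}

$frmAccountId = SP\Request::analyze('accountid', 0);
$frmDescription = SP\Request::analyze('description');

if (!$frmDescription) {
    SP\Response::printJSON(_('Es necesaria una descripción'));
}

$accountRequestData = SP\Account::getAccountRequestData($frmAccountId);

// Owner and last editor may be the same user, and either id may resolve to an
// empty address. Drop empty and duplicate entries so the comma-separated list
// handed to sendEmail() never contains a blank element (the original
// strlen() > 1 check still passed 'owner@x,' through).
$recipients = array_unique(array_filter(array(
    UserUtil::getUserEmail($accountRequestData->account_userId),
    UserUtil::getUserEmail($accountRequestData->account_userEditId),
)));

$requestUsername = SP\Session::getUserName();
$requestLogin = SP\Session::getUserLogin();

$log = new \SP\Log(_('Solicitud de Modificación de Cuenta'));
$log->addDescription(SP\Html::strongText(_('Solicitante') . ': ') . $requestUsername . ' (' . $requestLogin . ')');
$log->addDescription(SP\Html::strongText(_('Cuenta') . ': ') . $accountRequestData->account_name);
$log->addDescription(SP\Html::strongText(_('Cliente') . ': ') . $accountRequestData->customer_name);
// NOTE(review): $frmDescription is user-supplied and is concatenated into
// HTML log text that is e-mailed; confirm Log/Email escape it for HTML.
$log->addDescription(SP\Html::strongText(_('Descripción') . ': ') . $frmDescription);

$mailto = implode(',', $recipients);

if (count($recipients) > 0 && SP\Util::mailrequestIsEnabled() && SP\Email::sendEmail($log, $mailto)) {
    $log->writeLog();
    SP\Response::printJSON(_('Solicitud enviada'), 0, "doAction('" . \SP\Controller\ActionsInterface::ACTION_ACC_SEARCH . "');");
}

SP\Response::printJSON(_('Error al enviar la solicitud'));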
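/**
 * Update an existing authorisation token row.
 *
 * Re-checks that the token exists, optionally regenerates it, then writes
 * the user, action, creator and token value back with a fresh start date.
 * On success a log entry is written and mailed.
 *
 * @throws SPException with a generic message when the update query fails
 */
public function updateToken()
{
    $this->checkTokenExist();

    if ($this->_refreshToken) {
        $this->refreshToken();
    }

    $query = 'UPDATE authTokens '
        . 'SET authtoken_userId = :userid,'
        . 'authtoken_actionId = :actionid,'
        . 'authtoken_createdBy = :createdby,'
        . 'authtoken_token = :token,'
        . 'authtoken_startDate = UNIX_TIMESTAMP() '
        . 'WHERE authtoken_id = :id LIMIT 1';

    $data = array();
    $data['id'] = $this->_tokenId;
    $data['userid'] = $this->_userId;
    $data['actionid'] = $this->_actionId;
    $data['createdby'] = Session::getUserId();
    // Keep the user's existing token when there is one; otherwise mint a new
    // one. The token is a bearer credential for the API, so uniqid()/time()
    // alone (clock-derived, guessable) are not enough: mix in the project's
    // random-bytes helper, the same source used for password-recovery hashes.
    // sha1() keeps the stored format (40 hex chars) unchanged.
    $data['token'] = $this->getUserToken()
        ? $this->_token
        : sha1(\SP\Util::generate_random_bytes() . uniqid() . time());

    try {
        DB::getQuery($query, __FUNCTION__, $data);
    } catch (SPException $e) {
        // The driver error is not exposed to the caller (and is not chained).
        throw new SPException(SPException::SP_CRITICAL, _('Error interno'));
    }

    $Log = new Log(_('Actualizar Autorización'));
    $Log->addDescription(sprintf('%s : %s', Html::strongText(_('Usuario')), UserUtil::getUserLoginById($this->_userId)));
    $Log->writeLog();
    Email::sendEmail($Log);
}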
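$userLogin = SP\Request::analyze('login');
$userEmail = SP\Request::analyze('email');
$userPass = SP\Request::analyzeEncrypted('pass');
$userPassR = SP\Request::analyzeEncrypted('passR');
$hash = SP\Request::analyze('hash');
// NOTE(review): $time is read but not used in this script; hash expiry is
// presumably enforced inside UserPassRecover::checkHashPassRecover() — confirm.
$time = SP\Request::analyze('time');

$message['action'] = _('Recuperación de Clave');

// Every printJSON() call is relied upon to end the request (a success branch
// is followed directly by the error response below).
if ($userLogin && $userEmail) {
    // Step 1: recovery requested for a login / e-mail pair.
    $log = new \SP\Log(_('Recuperación de Clave'));
    $requestedFor = SP\Html::strongText(_('Solicitado para') . ': ') . ' ' . $userLogin . ' (' . $userEmail . ')';

    if (SP\Auth::mailPassRecover($userLogin, $userEmail)) {
        $log->addDescription($requestedFor);
        // Write and mail the log BEFORE responding: printJSON() ends the
        // script, so the original writeLog()/sendEmail() placed after the
        // if/else never ran and recovery requests were never logged.
        $log->writeLog();
        SP\Email::sendEmail($log);
        SP\Response::printJSON(_('Solicitud enviada') . ';;' . _('En breve recibirá un correo para completar la solicitud.'), 0, 'goLogin();');
    } else {
        $log->addDescription('ERROR');
        $log->addDescription($requestedFor);
        $log->writeLog();
        SP\Email::sendEmail($log);
        // NOTE(review): the distinct failure message reveals whether the
        // login / e-mail pair exists; a uniform response would avoid that.
        SP\Response::printJSON(_('No se ha podido realizar la solicitud. Consulte con el administrador.'));
    }
} elseif ($userPass && $userPassR && $userPass === $userPassR) {
    // Step 2: new password submitted together with the recovery hash.
    $userId = UserPassRecover::checkHashPassRecover($hash);

    if ($userId && UserPass::updateUserPass($userId, $userPass) && UserPassRecover::updateHashPassRecover($hash)) {
        \SP\Log::writeNewLogAndEmail(_('Modificar Clave Usuario'), SP\Html::strongText(_('Login') . ': ') . UserUtil::getUserLoginById($userId));
        SP\Response::printJSON(_('Clave actualizada'), 0, 'goLogin();');
    }

    SP\Response::printJSON(_('Error al modificar la clave'));
} else {
    SP\Response::printJSON(_('La clave es incorrecta o no coincide'));
}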
// (fragment: the preferences action dispatch starts before this point)
// Re-detect language and theme after the update
SP\Language::setLanguage(true);
SP\Themes::setTheme(true);

// Store the preferences in the session and reload the page
SP\Session::setUserPreferences($UserPrefs);
SP\Util::reload();

SP\Response::printJSON(_('Preferencias actualizadas'), 0, $doActionOnClose);
} else {
    if ($actionId === SP\Controller\ActionsInterface::ACTION_USR_PREFERENCES_SECURITY) {
        if (SP\Util::demoIsEnabled() && \SP\Session::getUserLogin() === 'demo') {
            SP\Response::printJSON(_('Ey, esto es una DEMO!!'));
        }

        // Form POST variables
        $twoFaEnabled = SP\Request::analyze('security_2faenabled', 0, false, 1);
        $pin = SP\Request::analyze('security_pin', 0);

        // NOTE(review): $itemId comes from outside this fragment; confirm it is
        // bound to the session user so only the caller's own 2FA setting can
        // be changed here.
        $userLogin = UserUtil::getUserLoginById($itemId);

        // A valid current code is required both to enable and to disable
        // 2FA: verifyKey() runs regardless of the requested state.
        $twoFa = new \SP\Auth\Auth2FA($itemId, $userLogin);

        if (!$twoFa->verifyKey($pin)) {
            SP\Response::printJSON(_('Código incorrecto'));
        }

        // The stored preferences are loaded rather than a fresh instance so
        // the attributes already saved are kept
        $UserPrefs = \SP\UserPreferences::getPreferences($itemId);
        $UserPrefs->setId($itemId);
        $UserPrefs->setUse2Fa(\SP\Util::boolval($twoFaEnabled));

        if (!$UserPrefs->updatePreferences()) {
            SP\Response::printJSON(_('Error al actualizar preferencias'));
        }

        SP\Response::printJSON(_('Preferencias actualizadas'), 0, $doActionOnClose);
    } else {
        SP\Response::printJSON(_('Acción Inválida'));
    }