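/**
 * Check the given login credentials against the accounts stored in the db.
 *
 * Lookup order: the root account configured in config.php, then the admin
 * table, then (unless $admin_only) the mailbox table. Only rows with
 * active = TRUE are considered. On a match the account data is handed to
 * $this->auth->initialize() and TRUE is returned.
 *
 * @param string  $username
 * @param string  $password   plain-text password as entered by the user
 * @param boolean $admin_only If true we will not search for RoleType::Users in table mailbox
 * @return boolean TRUE when a matching active account was found, FALSE otherwise
 */
public function check_login_credentials($username, $password, $admin_only = FALSE)
{
    // Check for the Root Account setup in config.php
    // and validate input for root account
    $root_login_hash = $this->config->item("root_login_hash");
    $root_hash_algo  = $this->config->item("root_hash_algo");
    if (is_string($root_login_hash)
        && $root_hash_algo !== NULL
        && strlen($root_login_hash) === $this->config->item("root_hash_length")) {
        // Root credential scheme: hash(hash(user) . hash(pass)) with the configured
        // algorithm. NOTE(review): this is unsalted and not a password-hashing KDF;
        // changing the scheme here would invalidate existing root_login_hash values,
        // so it is only flagged, not changed.
        $candidate = hash($root_hash_algo, hash($root_hash_algo, $username) . hash($root_hash_algo, $password));
        // hash_equals(): constant-time comparison so response timing does not
        // reveal how many leading bytes of the hash matched.
        if (hash_equals($root_login_hash, $candidate)) {
            // Root is there.
            $this->auth->initialize(array(
                "type"         => Auth::ROOT,
                "username"     => $username,
                "name"         => $this->config->item("root_name"),
                "emailaddress" => $this->config->item("root_emailaddress"),
            ));
            return TRUE;
        }
    }

    // Load the pacrypt() method which comes from the original postfixadmin project
    $this->load->helper("pacrypt");

    // check the login credentials against the admin accounts
    $query = $this->db->get_where(PA_NG_TABLE_ADMIN, ["username" => $username, "active" => TRUE]);
    if ($query->num_rows() > 0) {
        $result = $query->result();
        $query->free_result();
        // NOTE(review): $result is used as a single row object ($result->password);
        // confirm the db wrapper's result() returns one object here and not a list of rows.
        //
        // pacrypt($plain, $stored) re-hashes with the scheme/salt of the stored value.
        // hash_equals() replaces the loose == comparison, which (a) leaks timing and
        // (b) treats two numeric-looking hashes such as "0e..." as equal.
        if (hash_equals((string) $result->password, (string) pacrypt($password, $result->password))) {
            $result->type = Auth::ADMIN;
            $this->auth->initialize($result);
            return TRUE;
        }
        return FALSE;
    }

    if (!$admin_only) {
        // No root and no admin matched: try a normal mailbox user.
        // Deactivated mailboxes are excluded by the active => TRUE condition.
        $query = $this->db->get_where(PA_NG_TABLE_MAILBOX, ["username" => $username, "active" => TRUE]);
        if ($query->num_rows() > 0) {
            $result = $query->result();
            $query->free_result();
            // Same strict, constant-time comparison as for admins.
            if (hash_equals((string) $result->password, (string) pacrypt($password, $result->password))) {
                $result->type = Auth::USER;
                $this->auth->initialize($result);
                return TRUE;
            }
        }
    }

    return FALSE;
}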
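/**
 * Change the password of the mailbox identified by $this->id.
 *
 * All passwords need to be plain text; they'll be hashed appropriately
 * as per the configuration in config.inc.php.
 *
 * @param string $new_password plain-text password to store
 * @param string $old_password plain-text current password; checked only when $match is true
 * @param bool   $match        when true the current password must validate via login() first
 * @return boolean true on success; false on failure (reason appended to $this->errormsg)
 */
public function change_pw($new_password, $old_password, $match = true)
{
    // Domain part of the mailbox address; only used for the audit log.
    // Guarded so an id without '@' does not raise an undefined-offset notice.
    $parts  = explode('@', $this->id);
    $domain = isset($parts[1]) ? $parts[1] : '';

    if ($match) {
        // Re-authenticate with the current password before allowing the change.
        if (!$this->login($this->id, $old_password)) {
            db_log($domain, 'edit_password', "MATCH FAILURE: " . $this->id);
            $this->errormsg[] = Config::lang('pPassword_password_current_text_error');
            return false;
        }
    }

    // Never store the plain text: pacrypt() hashes with the configured scheme.
    $set = array('password' => pacrypt($new_password));
    $result = db_update('mailbox', 'username', $this->id, $set);
    if ($result != 1) {
        db_log($domain, 'edit_password', "FAILURE: " . $this->id);
        $this->errormsg[] = Config::lang('pEdit_mailbox_result_error');
        return false;
    }

    db_log($domain, 'edit_password', $this->id);
    return true;
}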
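/**
 * Attempt to log a user in.
 *
 * Fetches the stored password hash of an active account and compares it
 * with the hash of the supplied plain-text password; pacrypt() derives the
 * scheme and salt from the stored value.
 *
 * @param string $username
 * @param string $password plain-text password
 * @return boolean true on successful login (i.e. password matches etc)
 */
public function login($username, $password)
{
    // The query is string-built, so every interpolated value must go through
    // the project's escape_string(); $active comes from db_get_boolean().
    $username = escape_string($username);
    $table    = table_by_key($this->db_table);
    $active   = db_get_boolean(True);
    // NOTE(review): $this->id_field is interpolated unescaped; it must be a
    // column name fixed by the class, never derived from request data — confirm.
    $query  = "SELECT password FROM {$table} WHERE " . $this->id_field . "='{$username}' AND active='{$active}'";
    $result = db_query($query);
    if ($result['rows'] == 1) {
        $row = db_array($result['result']);
        $crypt_password = pacrypt($password, $row['password']);
        // hash_equals(): strict and constant-time. The loose == it replaces leaks
        // timing and compares numeric-looking hashes (e.g. "0e...") numerically.
        if (hash_equals((string) $row['password'], (string) $crypt_password)) {
            return true;
        }
    }
    return false;
}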
// Login form handler; only runs on POST. This excerpt is cut off below: the
// session setup after `if ($error != 1) {` continues past what is shown here.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $fUsername = escape_string($_POST['fUsername']);
    // NOTE(review): the password is SQL-escaped before it reaches pacrypt(); for a
    // password containing quotes or backslashes the hashed value then differs from
    // what was set elsewhere — escaping should happen at the query, not here. Confirm.
    $fPassword = escape_string($_POST['fPassword']);
    $lang = safepost('lang');
    if ($lang != check_language(0)) {
        # only set cookie if language selection was changed
        setcookie('lang', $lang, time() + 60 * 60 * 24 * 30); # language cookie, lifetime 30 days
        # (language preference cookie is processed even if username and/or password are invalid)
    }
    $active = db_get_boolean(True);
    // The interpolated username/password values are printed as '******' in this
    // excerpt; the queries are string-built either way.
    $query = "SELECT password FROM {$table_mailbox} WHERE username='******' AND active={$active}";
    $result = db_query($query);
    if ($result['rows'] == 1) {
        $row = db_array($result['result']);
        // Re-hash the submitted password with the stored hash's scheme/salt.
        $password = pacrypt($fPassword, $row['password']);
        // NOTE(review): the hash comparison is delegated to the database by a second
        // query. With a case-insensitive column collation that is weaker than comparing
        // $password with $row['password'] via hash_equals() in PHP — consider that instead.
        $query = "SELECT * FROM {$table_mailbox} WHERE username='******' AND password='******' AND active={$active}";
        $result = db_query($query);
        if ($result['rows'] != 1) {
            $error = 1;
            $tMessage = $PALANG['pLogin_password_incorrect'];
            $tUsername = $fUsername;
        }
    } else {
        // Unknown or inactive account. Note the distinct message from the
        // wrong-password case above: it tells a caller whether a username exists.
        $error = 1;
        $tMessage = $PALANG['pLogin_username_incorrect'];
    }
    // NOTE(review): $error is only assigned on failure in this excerpt; confirm it is
    // initialised (e.g. to 0) above, otherwise this reads an undefined variable.
    if ($error != 1) {
        // Fresh session id on successful login (mitigates session fixation).
        session_regenerate_id();
        $_SESSION['sessid'] = array();
        $_SESSION['sessid']['roles'] = array();
// Mailbox creation handler, excerpt: begins inside an earlier validation branch
// (its opening is not shown) and ends inside `if ($fActive == "on") {`.
        $tQuota = $fQuota;
        $tDomain = $fDomain;
        $pCreate_mailbox_quota_text = $PALANG['pCreate_mailbox_quota_text_error'];
    }
}
// Refuse to create a mailbox whose address is already used by an alias.
// NOTE(review): $fUsername is interpolated into a string-built query; it is presumably
// escape_string()'d where it is assigned (as $tUsername is below) — confirm.
$result = db_query("SELECT * FROM {$table_alias} WHERE address='{$fUsername}'");
if ($result['rows'] == 1) {
    $error = 1;
    $tUsername = escape_string($_POST['fUsername']);
    $tName = $fName;
    $tQuota = $fQuota;
    $tDomain = $fDomain;
    $pCreate_mailbox_username_text = $PALANG['pCreate_mailbox_username_text_error2'];
}
if ($error != 1) {
    // Only the pacrypt() hash is stored, never the plain-text password.
    $password = pacrypt($fPassword);
    // Maildir layout is driven by $CONF['domain_path'] / $CONF['domain_in_mailbox'].
    // NOTE(review): $fDomain and the username become filesystem path components here;
    // escape_string() is SQL escaping and does not guard path separators or "..",
    // so both must already be validated against known domains/addresses — confirm.
    if ($CONF['domain_path'] == "YES") {
        if ($CONF['domain_in_mailbox'] == "YES") {
            $maildir = $fDomain . "/" . $fUsername . "/";
        } else {
            $maildir = $fDomain . "/" . escape_string(strtolower($_POST['fUsername'])) . "/";
        }
    } else {
        $maildir = $fUsername . "/";
    }
    // Quota is entered in a human unit and scaled by multiply_quota(); 0 means unlimited
    // here only in the sense that no quota value was given — verify against the schema.
    if (!empty($fQuota)) {
        $quota = multiply_quota($fQuota);
    } else {
        $quota = 0;
    }
    if ($fActive == "on") {
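/**
 * Create a new admin account and, optionally, its domain assignments.
 *
 * Validation: $fUsername must pass check_email() and not already be an
 * admin; $fPassword and $fPassword2 must match. When both passwords are
 * empty, $CONF['generate_password'] is "YES" and $no_generate_password is 0,
 * a password is generated and included in the result message.
 *
 * @param string   $fUsername            admin login (e-mail address)
 * @param string   $fPassword            plain-text password; stored as its pacrypt() hash
 * @param string   $fPassword2           password confirmation
 * @param string[] $fDomains             domains to assign; an empty first entry means none
 * @param int      $no_generate_password when non-zero, never generate or display a password
 * @return array   [$error, $tMessage, $pAdminCreate_admin_username_text, $pAdminCreate_admin_password_text]
 */
function create_admin($fUsername, $fPassword, $fPassword2, $fDomains, $no_generate_password = 0)
{
    global $PALANG;
    global $CONF;

    $error = 0;
    $tMessage = '';
    $pAdminCreate_admin_username_text = '';
    $pAdminCreate_admin_password_text = '';

    if (!check_email($fUsername)) {
        $error = 1;
        $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text_error1'];
    }
    if (empty($fUsername) or admin_exist($fUsername)) {
        $error = 1;
        $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text_error2'];
    }

    // Strict comparison for the confirmation: with the loose != two
    // numeric-looking passwords such as "1e3" and "1000" counted as a match.
    if (empty($fPassword) or empty($fPassword2) or $fPassword !== $fPassword2) {
        if (empty($fPassword) and empty($fPassword2) and $CONF['generate_password'] == "YES" && $no_generate_password == 0) {
            $fPassword = generate_password();
        } else {
            $error = 1;
            $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text'];
            $pAdminCreate_admin_password_text = $PALANG['pAdminCreate_admin_password_text_error'];
        }
    }

    if ($error != 1) {
        // Only the hash is persisted.
        $password = pacrypt($fPassword);
        $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text'];
        // NOTE(review): the INSERTs are string-built. $fUsername is not re-escaped here
        // because callers are expected to pass it through escape_string() already
        // (re-escaping would corrupt legitimate addresses containing quotes) — confirm
        // at every call site, or move these queries to a parameterised db layer.
        $result = db_query("INSERT INTO " . table_by_key('admin') . " (username,password,created,modified) VALUES ('{$fUsername}','{$password}',NOW(),NOW())");
        if ($result['rows'] != 1) {
            $tMessage = $PALANG['pAdminCreate_admin_result_error'] . "<br />({$fUsername})<br />";
        } else {
            if (!empty($fDomains[0])) {
                foreach ($fDomains as $domain) {
                    // $fDomains comes straight from the form and was interpolated unescaped;
                    // escape_string() is a no-op for any valid domain name, so this is safe
                    // even if a caller already escaped it.
                    $domain = escape_string($domain);
                    db_query("INSERT INTO " . table_by_key('domain_admins') . " (username,domain,created) VALUES ('{$fUsername}','{$domain}',NOW())");
                }
            }
            // $tMessage is rendered as HTML. The password is echoed back only when it
            // was generated or show_password is on. The closing tag was "</br />"
            // before, which is not valid HTML.
            // NOTE(review): $fUsername / $fPassword are embedded without HTML escaping —
            // confirm the template escapes $tMessage, or htmlspecialchars() them here.
            $tMessage = $PALANG['pAdminCreate_admin_result_success'] . "<br />({$fUsername}";
            if ($CONF['generate_password'] == "YES" && $no_generate_password == 0) {
                $tMessage .= " / {$fPassword})<br />";
            } else {
                if ($CONF['show_password'] == "YES" && $no_generate_password == 0) {
                    $tMessage .= " / {$fPassword})<br />";
                } else {
                    $tMessage .= ")<br />";
                }
            }
        }
    }

    # TODO: should we log creation, editing and deletion of admins?
    # Note: needs special handling in viewlog, because domain is empty
    # db_log ($SESSID_USERNAME, '', 'create_admin', "$fUsername");

    return array($error, $tMessage, $pAdminCreate_admin_username_text, $pAdminCreate_admin_password_text);
}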
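/**
 * Magic setter: assign a property that is not directly accessible.
 *
 * Only properties that already exist on the object are updated; unknown
 * names are silently ignored. Assigning "password" stores the pacrypt()
 * hash of the given value, never the plain text.
 *
 * @param string $name
 * @param mixed  $value
 */
public function __set($name, $value)
{
    // isset() is false for a declared property that currently holds null, so such
    // a property cannot be set through here; property_exists() would behave
    // differently and is deliberately not introduced to keep existing behaviour.
    if (isset($this->{$name})) {
        if ($name === "password") {
            // Bug fix: the hash was previously computed from an undefined variable
            // ($pw), so every password written via __set() ignored $value.
            $this->password = pacrypt($value);
        } else {
            $this->{$name} = $value;
        }
    }
}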
// Mailbox edit handler, excerpt: the first `}` closes a block whose start is not shown.
}
if (isset($_POST['fQuota'])) {
    // intval() makes the quota a plain integer before it reaches any query.
    $fQuota = intval($_POST['fQuota']);
}
if (isset($_POST['fActive'])) {
    $fActive = escape_string($_POST['fActive']);
}
// NOTE(review): the form field is compared against the stored value, presumably the
// existing hash pre-filled into the field so "unchanged" means "skip" — confirm. Both
// comparisons use loose ==/!=, under which numeric-looking strings ("1e3" == "1000")
// compare equal; === / !== would be the safer choice for password fields.
if ($fPassword != $user_details['password']) {
    $min_length = $CONF['min_password_length'];
    if ($fPassword == $fPassword2) {
        if ($fPassword != "") {
            // strlen() counts bytes, so a multi-byte password can pass this
            // check with fewer characters than min_password_length.
            if ($min_length > 0 && strlen($fPassword) < $min_length) {
                flash_error(sprintf($PALANG['pPasswordTooShort'], $CONF['min_password_length']));
                $error = 1;
            }
            // NOTE(review): the hash is stored in $formvars even when the length check
            // just failed; the caller must honour $error before writing — confirm.
            $formvars['password'] = pacrypt($fPassword);
        }
    } else {
        flash_error($PALANG['pEdit_mailbox_password_text_error']);
        $error = 1;
    }
}
if ($CONF['quota'] == "YES") {
    // check_quota() validates the requested quota against the domain's limits.
    if (!check_quota($fQuota, $fDomain)) {
        $error = 1;
        $tName = $fName;
        $tQuota = $fQuota;
        $tActive = $fActive;
        $pEdit_mailbox_quota_text = $PALANG['pEdit_mailbox_quota_text_error'];
    }
}