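require_once INCLUDE_DIR . 'class.ticket.php';
require_once INCLUDE_DIR . 'class.dept.php';

// Reset the per-request state shared by the client pages.
$errors = array();
$msg = '';
$nav = null;

// Resolve the client for this request before anything else happens.
$thisclient = UserAuthenticationBackend::getUser();

// Honour a ?lang= override only when it names a language the system knows.
// is_string() drops array-shaped query values (?lang[]=x) before the lookup,
// so neither the lookup nor the session ever sees a non-string value.
if (isset($_GET['lang']) && is_string($_GET['lang']) && $_GET['lang']
    && Internationalization::getLanguageInfo($_GET['lang'])) {
    $_SESSION['client:lang'] = $_GET['lang'];
}

// Bootstrap gettext translations as early as possible, but after attempting
// to sign on the client
TextDomain::configureForUser($thisclient);

// Only a client with an id and a still-valid session is kept; anyone else is
// treated as anonymous for the rest of the request.
if ($thisclient && $thisclient->getId() && $thisclient->isValid()) {
    $thisclient->refreshSession();
} else {
    $thisclient = null;
}

/******* CSRF Protection *************/
// Enforce CSRF protection for POSTs
if ($_POST && !$ost->checkCSRFToken()) {
    Http::redirect('index.php');
    // just in case redirect fails
    die('Action denied (400)!');
}

// Add token to the header - used on ajax calls [DO NOT CHANGE THE NAME]
$ost->addExtraHeader('<meta name="csrf_token" content="' . $ost->getCSRFToken() . '" />');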
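 /**
  * Validate and apply a client account update: time zone, DST flag,
  * language, authentication backend and optionally a new password.
  *
  * A new password is accepted either against the current password or, when
  * the session carries a reset token, against that token (bound to this
  * account and inside the configured reset window).
  *
  * @param array $vars    submitted form fields (passwd1, passwd2, cpasswd,
  *                       timezone_id, dst, lang, backend, username)
  * @param array $errors  filled with field => message on validation failure
  * @return bool|mixed    false when validation fails, otherwise the result
  *                       of $this->save()
  */
 function update($vars, &$errors)
 {
     global $cfg;

     // A pending reset token replaces the current-password check below.
     $rtoken = isset($_SESSION['_client']['reset-token'])
         ? $_SESSION['_client']['reset-token'] : null;
     $passwd1 = isset($vars['passwd1']) ? $vars['passwd1'] : '';
     $passwd2 = isset($vars['passwd2']) ? $vars['passwd2'] : '';
     $cpasswd = isset($vars['cpasswd']) ? $vars['cpasswd'] : '';

     if ($passwd1 || $passwd2 || $cpasswd || $rtoken) {
         if (!$passwd1) {
             $errors['passwd1'] = __('New password is required');
         } elseif (strlen($passwd1) < 6) {
             $errors['passwd1'] = __('Password must be at least 6 characters');
         } elseif (strcmp($passwd1, $passwd2)) {
             $errors['passwd2'] = __('Passwords do not match');
         }

         if ($rtoken) {
             $_config = new Config('pwreset');
             // The token must map to this account AND still be inside the
             // reset window. A missing timestamp counts as expired; the two
             // conditions are joined with `||` so that the window is checked
             // whenever a timestamp exists (with `&&` it never was).
             if ($_config->get($rtoken) != $this->getUserId()) {
                 $errors['err'] = __('Invalid reset token. Logout and try again');
             } elseif (!($ts = $_config->lastModified($rtoken))
                 || $cfg->getPwResetWindow() < time() - strtotime($ts)) {
                 $errors['err'] = __('Invalid reset token. Logout and try again');
             }
         } elseif ($this->get('passwd')) {
             // No reset token: the account already has a password, so the
             // current one must be supplied and the new one must differ.
             if (!$cpasswd) {
                 $errors['cpasswd'] = __('Current password is required');
             } elseif (!$this->hasCurrentPassword($cpasswd)) {
                 $errors['cpasswd'] = __('Invalid current password!');
             } elseif (!strcasecmp($passwd1, $cpasswd)) {
                 $errors['passwd1'] = __('New password MUST be different from the current password!');
             }
         }
     }

     if (empty($vars['timezone_id'])) {
         $errors['timezone_id'] = __('Time zone selection is required');
     }

     if ($errors) {
         return false;
     }

     $this->set('timezone_id', $vars['timezone_id']);
     $this->set('dst', isset($vars['dst']) ? 1 : 0);

     // Change language: an empty selection stores null, and the session
     // override is cleared so the new setting takes effect immediately.
     $lang = isset($vars['lang']) ? $vars['lang'] : null;
     $this->set('lang', $lang ?: null);
     $_SESSION['client:lang'] = null;
     TextDomain::configureForUser($this);

     if (!empty($vars['backend'])) {
         $this->set('backend', $vars['backend']);
         if (!empty($vars['username'])) {
             $this->set('username', $vars['username']);
         }
     }

     if ($passwd1) {
         $this->set('passwd', Passwd::hash($passwd1));
         // Listeners receive the plaintext once so other backends can sync.
         $info = array('password' => $passwd1);
         Signal::send('auth.pwchange', $this->getUser(), $info);
         // A successful change consumes any outstanding reset tokens.
         $this->cancelResetTokens();
         $this->clearStatus(UserAccountStatus::REQUIRE_PASSWD_RESET);
     }

     return $this->save();
 }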
*/
if (!function_exists('staffLoginPage')) {
    // Ajax interface can pre-declare the function to trap expired sessions.
    /**
     * Remember where the agent was heading plus a message for the login
     * form, then render the login page and end the request.
     *
     * @param string $msg message to show on the login form
     */
    function staffLoginPage($msg)
    {
        // login.php is required from inside this function, so it sees this
        // scope; the globals it uses (e.g. $ost) must be imported here.
        global $ost, $cfg;

        $auth = &$_SESSION['_staff']['auth'];
        // Collapse any run of leading slashes to exactly one, keeping the
        // stored destination a site-relative path.
        $auth['dest'] = '/' . ltrim($_SERVER['REQUEST_URI'], '/');
        $auth['msg'] = $msg;
        unset($auth);

        require SCP_DIR . 'login.php';
        exit;
    }
}
$thisstaff = StaffAuthenticationBackend::getUser();

// Bootstrap gettext translations as early as possible, but after attempting
// to sign on the agent
TextDomain::configureForUser($thisstaff);

// 1) Require a real, valid staff session; anything less is sent to the
//    login page with an explanatory message.
if (!($thisstaff && $thisstaff->getId() && $thisstaff->isValid())) {
    if (isset($_SESSION['_staff']['auth']['msg'])) {
        // A message left by an earlier redirect is shown once, then dropped.
        $msg = $_SESSION['_staff']['auth']['msg'];
        unset($_SESSION['_staff']['auth']['msg']);
    } elseif ($thisstaff && !$thisstaff->isValid()) {
        $msg = __('Session timed out due to inactivity');
    } else {
        $msg = __('Ingresar usuario y contraseña');
    }
    staffLoginPage($msg);
    exit;
}
//2) if not super admin..check system status and group status
if (!$thisstaff->isAdmin()) {
    Peter Rotich <*****@*****.**>
    Copyright (c)  2006-2013 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
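require_once '../main.inc.php';
if (!defined('INCLUDE_DIR')) {
    die('Fatal Error. Kwaheri!');
}

// Bootstrap gettext translations. Since no one is yet logged in, use the
// system or browser default
TextDomain::configureForUser();

require_once INCLUDE_DIR . 'class.staff.php';
require_once INCLUDE_DIR . 'class.csrf.php';

// Optional banner page shown with the login form.
$content = Page::lookup(Page::getIdByType('banner-staff'));

// Destination and message are left in the session by staffLoginPage(); both
// may be absent when the login page is visited directly.
$dest = isset($_SESSION['_staff']['auth']['dest']) ? $_SESSION['_staff']['auth']['dest'] : '';
$msg = isset($_SESSION['_staff']['auth']['msg']) ? $_SESSION['_staff']['auth']['msg'] : '';
$msg = $msg ?: ($content ? $content->getName() : __('Authentication Required'));

// Only honour a post-login destination that is a site-relative path (one
// leading slash; a protocol-relative "//host/..." is rejected) and that does
// not loop back into login.php or the ajax endpoint. staffLoginPage() always
// stores a single-slash path, so well-formed sessions are unaffected.
$dest = ($dest
    && is_string($dest)
    && strpos($dest, '/') === 0
    && strpos($dest, '//') !== 0
    && strpos($dest, 'login.php') === false
    && strpos($dest, 'ajax.php') === false)
    ? $dest : 'index.php';

$show_reset = false;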
if ($_POST) {
    // Check the CSRF token, and ensure that future requests will have to
    // use a different CSRF token. This will help ward off both parallel and
    // serial brute force attacks, because new tokens will have to be
    // requested for each attempt.
    if (!$ost->checkCSRFToken()) {
        Http::response(400, __('Valid CSRF Token Required'));
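 /**
  * Validate and persist an agent's own profile changes, optionally including
  * a password change checked either against the current password or against
  * a pending reset token (bound to this agent and inside the reset window).
  *
  * @param array $vars    submitted profile fields
  * @param array $errors  filled with field => message on validation failure
  * @return bool|mixed    false when validation fails, otherwise the result
  *                       of db_query() for the UPDATE
  */
 function updateProfile($vars, &$errors)
 {
     global $cfg;

     $vars['firstname'] = Format::striptags($vars['firstname']);
     $vars['lastname'] = Format::striptags($vars['lastname']);

     // The submitted record must be the agent doing the update.
     $id = isset($vars['id']) ? $vars['id'] : null;
     if ($this->getId() != $id) {
         $errors['err'] = __('Internal error occurred');
     }
     if (empty($vars['firstname'])) {
         $errors['firstname'] = __('First name is required');
     }
     if (empty($vars['lastname'])) {
         $errors['lastname'] = __('Last name is required');
     }
     if (empty($vars['email']) || !Validator::is_valid_email($vars['email'])) {
         $errors['email'] = __('Valid email is required');
     } elseif (Email::getIdByEmail($vars['email'])) {
         $errors['email'] = __('Already in-use as system email');
     } elseif (($uid = Staff::getIdByEmail($vars['email'])) && $uid != $this->getId()) {
         $errors['email'] = __('Email already in-use by another agent');
     }
     if (!empty($vars['phone']) && !Validator::is_phone($vars['phone'])) {
         $errors['phone'] = __('Valid phone number is required');
     }
     if (!empty($vars['mobile']) && !Validator::is_phone($vars['mobile'])) {
         $errors['mobile'] = __('Valid phone number is required');
     }

     $passwd1 = isset($vars['passwd1']) ? $vars['passwd1'] : '';
     $passwd2 = isset($vars['passwd2']) ? $vars['passwd2'] : '';
     $cpasswd = isset($vars['cpasswd']) ? $vars['cpasswd'] : '';
     if ($passwd1 || $passwd2 || $cpasswd) {
         if (!$passwd1) {
             $errors['passwd1'] = __('New password is required');
         } elseif (strlen($passwd1) < 6) {
             $errors['passwd1'] = __('Password must be at least 6 characters');
         } elseif (strcmp($passwd1, $passwd2)) {
             $errors['passwd2'] = __('Passwords do not match');
         }

         // A pending reset token replaces the current-password check.
         $rtoken = isset($_SESSION['_staff']['reset-token'])
             ? $_SESSION['_staff']['reset-token'] : null;
         if ($rtoken) {
             $_config = new Config('pwreset');
             // The token must map to this agent AND still be inside the reset
             // window. A missing timestamp counts as expired; the conditions
             // are joined with `||` so that the window is checked whenever a
             // timestamp exists (with `&&` it never was).
             if ($_config->get($rtoken) != $this->getId()) {
                 $errors['err'] = __('Invalid reset token. Logout and try again');
             } elseif (!($ts = $_config->lastModified($rtoken))
                 || $cfg->getPwResetWindow() < time() - strtotime($ts)) {
                 $errors['err'] = __('Invalid reset token. Logout and try again');
             }
         } elseif (!$cpasswd) {
             $errors['cpasswd'] = __('Current password is required');
         } elseif (!$this->cmp_passwd($cpasswd)) {
             $errors['cpasswd'] = __('Invalid current password!');
         } elseif (!strcasecmp($passwd1, $cpasswd)) {
             $errors['passwd1'] = __('New password MUST be different from the current password!');
         }
     }

     if (empty($vars['timezone_id'])) {
         $errors['timezone_id'] = __('Time zone selection is required');
     }
     if (isset($vars['default_signature_type'])
         && $vars['default_signature_type'] == 'mine'
         && empty($vars['signature'])) {
         $errors['default_signature_type'] = __("You don't have a signature");
     }

     if ($errors) {
         return false;
     }

     // Language lives in the agent's config; clearing the session override
     // makes the new setting take effect immediately.
     $this->config->set('lang', $vars['lang']);
     $_SESSION['staff:lang'] = null;
     TextDomain::configureForUser($this);

     // Every value passes through db_input(), the project's escaping helper.
     // The phone columns are escaped without quoting (second argument false)
     // and wrapped in double quotes by hand.
     $sql = 'UPDATE ' . STAFF_TABLE . ' SET updated=NOW() '
         . ' ,firstname=' . db_input($vars['firstname'])
         . ' ,lastname=' . db_input($vars['lastname'])
         . ' ,email=' . db_input($vars['email'])
         . ' ,phone="' . db_input(Format::phone($vars['phone']), false) . '"'
         . ' ,phone_ext=' . db_input($vars['phone_ext'])
         . ' ,mobile="' . db_input(Format::phone($vars['mobile']), false) . '"'
         . ' ,signature=' . db_input(Format::sanitize($vars['signature']))
         . ' ,timezone_id=' . db_input($vars['timezone_id'])
         . ' ,daylight_saving=' . db_input(isset($vars['daylight_saving']) ? 1 : 0)
         . ' ,show_assigned_tickets=' . db_input(isset($vars['show_assigned_tickets']) ? 1 : 0)
         . ' ,max_page_size=' . db_input($vars['max_page_size'])
         . ' ,auto_refresh_rate=' . db_input($vars['auto_refresh_rate'])
         . ' ,default_signature_type=' . db_input($vars['default_signature_type'])
         . ' ,default_paper_size=' . db_input($vars['default_paper_size']);

     if ($passwd1) {
         $sql .= ' ,change_passwd=0, passwdreset=NOW(), passwd=' . db_input(Passwd::hash($passwd1));
         // Listeners receive the plaintext once so other backends can sync.
         $info = array('password' => $passwd1);
         Signal::send('auth.pwchange', $this, $info);
         // A successful change consumes any outstanding reset tokens.
         $this->cancelResetTokens();
     }

     $sql .= ' WHERE staff_id=' . db_input($this->getId());

     return db_query($sql);
 }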