}
}
//Close dir
closedir($dir);
//Show done
echo '[{"result":"purge_old_files","nb_files_deleted":"' . $nbFilesDeleted . '"}]';
break;
/*
* Reload the Cache table
*/
/*
* Reload the Cache table
*/
case "admin_action_reload_cache_table":
require_once $_SESSION['settings']['cpassman_dir'] . '/sources/main.functions.php';
updateCacheTable("reload", "");
echo '[{"result":"cache_reload"}]';
break;
/*
* REBUILD CONFIG FILE
*/
/*
* REBUILD CONFIG FILE
*/
case "admin_action_rebuild_config_file":
$error = "";
require_once $_SESSION['settings']['cpassman_dir'] . '/sources/main.functions.php';
$ret = handleConfigFile("rebuild");
if ($ret !== true) {
$error = $ret;
} else {
updateCacheTable("update_value", $existing_item_id['id']);
// delete suggestion
DB::delete(prefix_table("suggestion"), "id = %i", $_POST['id']);
echo '[ { "status" : "done" } ]';
} else {
echo '[ { "status" : "error_when_updating" } ]';
}
} else {
// add as Item
DB::insert(prefix_table("items"), array('label' => $suggestion['label'], 'description' => $suggestion['description'], 'pw' => $suggestion['pw'], 'id_tree' => $suggestion['folder_id'], 'inactif' => '0', 'perso' => '0', 'anyone_can_modify' => '0', 'pw_iv' => $suggestion['pw_iv']));
$newID = DB::insertId();
if (is_numeric($newID)) {
// update log
DB::insert(prefix_table("log_items"), array('id_item' => $newID, 'date' => time(), 'id_user' => $suggestion['author_id'], 'action' => 'at_creation'));
// update cache table
updateCacheTable("add_value", $newID);
// delete suggestion
DB::delete(prefix_table("suggestion"), "id = %i", $_POST['id']);
echo '[ { "status" : "done" } ]';
} else {
echo '[ { "status" : "error_when_creating" } ]';
}
}
break;
case "get_complexity_level":
// Check KEY
if ($_POST['key'] != $_SESSION['key']) {
echo '[ { "error" : "key_not_conform" } ]';
break;
}
$data = DB::queryfirstrow("SELECT valeur FROM " . $pre . "misc WHERE intitule = %s AND type = %s", $_POST['folder_id'], "complex");
/*
* CASE
* Delete an item
*/
case "del_item":
// Check KEY and rights
if ($_POST['key'] != $_SESSION['key'] || $_SESSION['user_read_only'] == true) {
// error
break;
}
// delete item consists in disabling it
DB::update(prefix_table("items"), array('inactif' => '1'), "id = %i", $_POST['id']);
// log
DB::insert(prefix_table("log_items"), array('id_item' => $_POST['id'], 'date' => time(), 'id_user' => $_SESSION['user_id'], 'action' => 'at_delete'));
// Update CACHE table
updateCacheTable("delete_value", $_POST['id']);
break;
/*
* CASE
* Update a Group
*/
/*
* CASE
* Update a Group
*/
case "update_rep":
// Check KEY and rights
if ($_POST['key'] != $_SESSION['key'] || $_SESSION['user_read_only'] == true) {
// error
break;
}
DB::insert(prefix_table("misc"), array('type' => 'folder_deleted', 'intitule' => "f" . $folderId, 'valeur' => $folder->id . ', ' . $folder->parent_id . ', ' . $folder->title . ', ' . $folder->nleft . ', ' . $folder->nright . ', ' . $folder->nlevel . ', 0, 0, 0, 0'));
//delete folder
DB::delete(prefix_table("nested_tree"), "id = %i", $folder->id);
//delete items & logs
$items = DB::query("SELECT id FROM " . prefix_table("items") . " WHERE id_tree=%i", $folder->id);
foreach ($items as $item) {
DB::update(prefix_table("items"), array('inactif' => '1'), "id = %i", $item['id']);
//log
DB::insert(prefix_table("log_items"), array('id_item' => $item['id'], 'date' => time(), 'id_user' => $_SESSION['user_id'], 'action' => 'at_delete'));
}
//Actualize the variable
$_SESSION['nb_folders']--;
}
}
//Update CACHE table
updateCacheTable("delete_value", $folderId);
}
//rebuild tree
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
$tree->rebuild();
echo '[ { "error" : "' . $error . '" } ]';
break;
//CASE where ADDING a new group
//CASE where ADDING a new group
case "add_folder":
$error = "";
//decrypt and retreive data in JSON format
$dataReceived = prepareExchangedData($_POST['data'], "decode");
//Prepare variables
$title = htmlspecialchars_decode($dataReceived['title']);
$complexity = htmlspecialchars_decode($dataReceived['complexity']);
function rest_get()
{
$_SESSION['user_id'] = "'api'";
if (!@count($GLOBALS['request']) == 0) {
$request_uri = $GLOBALS['_SERVER']['REQUEST_URI'];
preg_match('/\\/api(\\/index.php|)\\/(.*)\\?apikey=(.*)/', $request_uri, $matches);
if (count($matches) == 0) {
rest_error('REQUEST_SENT_NOT_UNDERSTANDABLE');
}
$GLOBALS['request'] = explode('/', $matches[2]);
}
if (apikey_checker($GLOBALS['apikey'])) {
global $server, $user, $pass, $database, $pre, $link;
teampass_connect();
$category_query = "";
if ($GLOBALS['request'][0] == "read") {
if ($GLOBALS['request'][1] == "category") {
// get ids
if (strpos($GLOBALS['request'][2], ";") > 0) {
$condition = "id_tree IN %ls";
$condition_value = explode(';', $GLOBALS['request'][2]);
} else {
$condition = "id_tree = %s";
$condition_value = $GLOBALS['request'][2];
}
DB::debugMode(false);
// get items in this module
$response = DB::query("SELECT id,label,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE inactif='0' AND " . $condition, $condition_value);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['url'] = mb_convert_encoding($data['url'], mb_detect_encoding($data['url']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$id]['pw'] = $crypt_pw['string'];
}
/* load folders */
$response = DB::query("SELECT id,parent_id,title,nleft,nright,nlevel FROM " . prefix_table("nested_tree") . " WHERE parent_id=%i ORDER BY `title` ASC", $GLOBALS['request'][2]);
$rows = array();
$i = 0;
foreach ($response as $row) {
$response = DB::query("SELECT id,label,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE inactif = %i AND id_tree=%i", "0", $row['id']);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['url'] = mb_convert_encoding($data['url'], mb_detect_encoding($data['url']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$id]['pw'] = $crypt_pw['string'];
}
}
} else {
if ($GLOBALS['request'][1] == "userpw") {
$username = $GLOBALS['request'][2];
if (strcmp($username, "admin") == 0) {
// forbid admin access
}
$response = DB::query("SELECT fonction_id FROM " . prefix_table("users") . " WHERE login='******'");
foreach ($response as $data) {
$role_str = $data['fonction_id'];
}
$folder_arr = array();
$roles = explode(";", $role_str);
foreach ($roles as $role) {
$response = DB::query("SELECT folder_id FROM " . prefix_table("roles_values") . " WHERE role_id='" . $role . "'");
foreach ($response as $data) {
$folder_id = $data['folder_id'];
if (!array_key_exists($folder_id, $folder_arr)) {
array_push($folder_arr, $folder_id);
}
}
}
$folder_str = implode(";", $folder_arr);
// get ids
if (strpos($folder_str, ";") > 0) {
$condition = "id_tree IN %ls";
$condition_value = explode(';', $folder_str);
} else {
$condition = "id_tree = %s";
$condition_value = $folder_str;
}
DB::debugMode(false);
$data = "";
// get items in this module
$response = DB::query("SELECT id,label,url,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE inactif='0' AND " . $condition, $condition_value);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['url'] = mb_convert_encoding($data['url'], mb_detect_encoding($data['url']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$id]['pw'] = $crypt_pw['string'];
}
/* load folders */
$response = DB::query("SELECT id,parent_id,title,nleft,nright,nlevel FROM " . prefix_table("nested_tree") . " WHERE parent_id=%i ORDER BY `title` ASC", $folder_str);
$rows = array();
$i = 0;
foreach ($response as $row) {
$response = DB::query("SELECT id,label,url,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE inactif = %i AND id_tree=%i", "0", $row['id']);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['url'] = mb_convert_encoding($data['url'], mb_detect_encoding($data['url']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$id]['pw'] = $crypt_pw['string'];
}
}
} elseif ($GLOBALS['request'][1] == "items") {
$array_items = explode(';', $GLOBALS['request'][2]);
// check if not empty
if (count($array_items) == 0) {
rest_error('NO_ITEM');
}
// only accepts numeric
foreach ($array_items as $item) {
if (!is_numeric($item)) {
rest_error('ITEM_MALFORMED');
}
}
$response = DB::query("SELECT id,label,login,pw, pw_iv, id_tree FROM " . prefix_table("items") . " WHERE inactif = %i AND id IN %ls", "0", $array_items);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['url'] = mb_convert_encoding($data['url'], mb_detect_encoding($data['url']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$id]['pw'] = $crypt_pw['string'];
}
}
}
if (isset($json) && $json) {
echo json_encode($json);
} else {
rest_error('EMPTY');
}
} elseif ($GLOBALS['request'][0] == "find") {
if ($GLOBALS['request'][1] == "item") {
$array_category = explode(';', $GLOBALS['request'][2]);
$item = $GLOBALS['request'][3];
foreach ($array_category as $category) {
if (!preg_match_all("/^([\\w\\:\\'\\-\\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)\$/i", $category, $result)) {
rest_error('CATEGORY_MALFORMED');
}
}
if (!preg_match_all("/^([\\w\\:\\'\\-\\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)\$/i", $item, $result)) {
rest_error('ITEM_MALFORMED');
} elseif (empty($item) || count($array_category) == 0) {
rest_error('MALFORMED');
}
if (count($array_category) > 1 && count($array_category) < 5) {
for ($i = count($array_category); $i > 0; $i--) {
$slot = $i - 1;
if (!$slot) {
$category_query .= "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[$slot] . "' AND parent_id = 0";
} else {
$category_query .= "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[$slot] . "' AND parent_id = (";
}
}
for ($i = 1; $i < count($array_category); $i++) {
$category_query .= ")";
}
} elseif (count($array_category) == 1) {
$category_query = "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[0] . "' AND parent_id = 0";
} else {
rest_error('NO_CATEGORY');
}
DB::debugMode(false);
$response = DB::query("SELECT id, label, login, pw, pw_iv, id_tree\n FROM " . prefix_table("items") . "\n WHERE \n inactif = %i \n AND id_tree = (%s)\n AND label LIKE %ss", "0", $category_query, $item);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['id'] = mb_convert_encoding($data['id'], mb_detect_encoding($data['id']), 'UTF-8');
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['url'] = mb_convert_encoding($data['url'], mb_detect_encoding($data['url']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$id]['pw'] = $crypt_pw['string'];
$json[$id]['folder_id'] = $data['id_tree'];
$json[$id]['status'] = utf8_encode("OK");
}
if (isset($json) && $json) {
echo json_encode($json);
} else {
rest_error('EMPTY');
}
}
} elseif ($GLOBALS['request'][0] == "add") {
if ($GLOBALS['request'][1] == "item") {
// get item definition
$array_item = explode(';', urldecode($GLOBALS['request'][2]));
if (count($array_item) != 9) {
rest_error('ITEMBADDEFINITION');
}
$item_label = $array_item[0];
$item_pwd = $array_item[1];
$item_desc = $array_item[2];
$item_folder_id = $array_item[3];
$item_login = $array_item[4];
$item_email = $array_item[5];
$item_url = $array_item[6];
$item_tags = $array_item[7];
$item_anyonecanmodify = $array_item[8];
// added so one can sent data including the http or https !
// anyway we have to urlencode this data
$item_url = urldecode($item_url);
// same for the email
$item_email = urldecode($item_email);
// do some checks
if (!empty($item_label) && !empty($item_pwd) && !empty($item_folder_id)) {
// Check length
if (strlen($item_pwd) > 50) {
rest_error('PASSWORDTOOLONG');
}
// Check Folder ID
DB::query("SELECT * FROM " . prefix_table("nested_tree") . " WHERE id = %i", $item_folder_id);
$counter = DB::count();
if ($counter == 0) {
rest_error('NOSUCHFOLDER');
}
// check if element doesn't already exist
DB::query("SELECT * FROM " . prefix_table("items") . " WHERE label = %s AND inactif = %i", addslashes($item_label), "0");
$counter = DB::count();
if ($counter != 0) {
$itemExists = 1;
// prevent the error if the label already exists
// so lets just add the time() as a random factor
$item_label .= " (" . time() . ")";
} else {
$itemExists = 0;
}
if ($itemExists == 0) {
$encrypt = cryption($item_pwd, SALT, "", "encrypt");
if (empty($encrypt['string'])) {
rest_error('PASSWORDEMPTY');
}
// ADD item
try {
DB::insert(prefix_table("items"), array("label" => $item_label, "description" => $item_desc, 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], "email" => $item_email, "url" => $item_url, "id_tree" => intval($item_folder_id), "login" => $item_login, "inactif" => 0, "restricted_to" => "", "perso" => 0, "anyone_can_modify" => intval($item_anyonecanmodify)));
$newID = DB::InsertId();
// log
DB::insert(prefix_table("log_items"), array("id_item" => $newID, "date" => time(), "id_user" => API_USER_ID, "action" => "at_creation"));
// Add tags
$tags = explode(' ', $item_tags);
foreach ((array) $tags as $tag) {
if (!empty($tag)) {
DB::insert(prefix_table("tags"), array("item_id" => $newID, "tag" => strtolower($tag)));
}
}
// Update CACHE table
DB::insert(prefix_table("cache"), array("id" => $newID, "label" => $item_label, "description" => $item_desc, "tags" => $item_tags, "id_tree" => $item_folder_id, "perso" => "0", "restricted_to" => "", "login" => $item_login, "folder" => "", "author" => API_USER_ID, "renewal_period" => "0", "timestamp" => time(), "url" => "0"));
echo '{"status":"item added"}';
} catch (PDOException $ex) {
echo '<br />' . $ex->getMessage();
}
} else {
rest_error('ITEMEXISTS');
}
} else {
rest_error('ITEMMISSINGDATA');
}
} elseif ($GLOBALS['request'][1] == "user") {
// get user definition
$array_user = explode(';', $GLOBALS['request'][2]);
if (count($array_user) != 11) {
rest_error('USERBADDEFINITION');
}
$login = $array_user[0];
$name = $array_user[1];
$lastname = $array_user[2];
$password = $array_user[3];
$email = $array_user[4];
$adminby = urldecode($array_user[5]);
$isreadonly = urldecode($array_user[6]);
$roles = urldecode($array_user[7]);
$isadmin = $array_user[8];
$ismanager = $array_user[9];
$haspf = $array_user[10];
// Empty user
if (mysqli_escape_string($link, htmlspecialchars_decode($login)) == "") {
rest_error('USERLOGINEMPTY');
}
// Check if user already exists
$data = DB::query("SELECT id, fonction_id, groupes_interdits, groupes_visibles FROM " . prefix_table("users") . "\n WHERE login LIKE %ss", mysqli_escape_string($link, stripslashes($login)));
if (DB::count() == 0) {
try {
// find AdminRole code in DB
$resRole = DB::queryFirstRow("SELECT id\n FROM " . prefix_table("roles_title") . "\n WHERE title LIKE %ss", mysqli_escape_string($link, stripslashes($adminby)));
// get default language
$lang = DB::queryFirstRow("SELECT `valeur` FROM " . prefix_table("misc") . " WHERE type = %s AND intitule = %s", "admin", "default_language");
// prepare roles list
$rolesList = "";
foreach (explode(',', $roles) as $role) {
//echo $role."-";
$tmp = DB::queryFirstRow("SELECT `id` FROM " . prefix_table("roles_title") . " WHERE title = %s", $role);
if (empty($rolesList)) {
$rolesList = $tmp['id'];
} else {
$rolesList .= ";" . $tmp['id'];
}
}
// Add user in DB
DB::insert(prefix_table("users"), array('login' => $login, 'name' => $name, 'lastname' => $lastname, 'pw' => bCrypt(stringUtf8Decode($password), COST), 'email' => $email, 'admin' => intval($isadmin), 'gestionnaire' => intval($ismanager), 'read_only' => intval($isreadonly), 'personal_folder' => intval($haspf), 'user_language' => $lang['valeur'], 'fonction_id' => $rolesList, 'groupes_interdits' => '0', 'groupes_visibles' => '0', 'isAdministratedByRole' => empty($resRole) ? '0' : $resRole['id']));
$new_user_id = DB::insertId();
// Create personnal folder
if (intval($haspf) == 1) {
DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => $new_user_id, 'bloquer_creation' => '0', 'bloquer_modification' => '0', 'personal_folder' => '1'));
}
// load settings
loadSettings();
// Send email to new user
@sendEmail($LANG['email_subject_new_user'], str_replace(array('#tp_login#', '#tp_pw#', '#tp_link#'), array(" " . addslashes($login), addslashes($password), $_SESSION['settings']['email_server_url']), $LANG['email_new_user_mail']), $email, "");
// update LOG
logEvents('user_mngt', 'at_user_added', 'api - ' . $GLOBALS['apikey'], $new_user_id, "");
echo '{"status":"user added"}';
} catch (PDOException $ex) {
echo '<br />' . $ex->getMessage();
}
} else {
rest_error('USERALREADYEXISTS');
}
}
} elseif ($GLOBALS['request'][0] == "auth") {
/*
** FOR SECURITY PURPOSE, it is mandatory to use SSL to connect your teampass instance. The user password is not encrypted!
**
**
** Expected call format: .../api/index.php/auth/<PROTOCOL>/<URL>/<login>/<password>?apikey=<VALID API KEY>
** Example: https://127.0.0.1/teampass/api/index.php/auth/http/www.zadig-tge.adp.com/U1/test/76?apikey=chahthait5Aidood6johh6Avufieb6ohpaixain
** RESTRICTIONS:
** - <PROTOCOL> ==> http|https|ftp|...
** - <URL> ==> encode URL without protocol (example: http://www.teampass.net becomes www.teampass.net)
** - <login> ==> user's login
** - <password> ==> currently clear password
**
** RETURNED ANSWER:
** - format sent back is JSON
** - Example: {"<item_id>":{"label":"<pass#1>","login":"******","pw":"<pwd#1>"},"<item_id>":{"label":"<pass#2>","login":"******","pw":"<pwd#2>"}}
**
*/
// get user credentials
if (isset($GLOBALS['request'][3]) && isset($GLOBALS['request'][4])) {
// get url
if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2])) {
// is user granted?
$userData = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][3]);
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][4], $userData['pw']) === true) {
// define the restriction of "id_tree" of this user
//db::debugMode(true);
$userDef = DB::queryOneColumn('folder_id', "SELECT DISTINCT folder_id\n FROM " . prefix_table("roles_values") . "\n WHERE type IN ('R', 'W', 'ND', 'NE', 'NDNE', 'NEND') ", empty($userData['groupes_interdits']) ? "" : "\n AND folder_id NOT IN (" . str_replace(";", ",", $userData['groupes_interdits']) . ")", "\n AND role_id IN %ls\n GROUP BY folder_id", explode(";", $userData['groupes_interdits']));
// complete with "groupes_visibles"
foreach (explode(";", $userData['groupes_visibles']) as $v) {
array_push($userDef, $v);
}
// find the item associated to the url
$response = DB::query("SELECT id, label, login, pw, pw_iv, id_tree, restricted_to\n FROM " . prefix_table("items") . "\n WHERE url LIKE %s\n AND id_tree IN (" . implode(",", $userDef) . ")\n ORDER BY id DESC", $GLOBALS['request'][1] . "://" . urldecode($GLOBALS['request'][2] . '%'));
$counter = DB::count();
if ($counter > 0) {
$json = "";
foreach ($response as $data) {
// check if item visible
if (empty($data['restricted_to']) || $data['restricted_to'] != "" && in_array($userData['id'], explode(";", $data['restricted_to']))) {
// prepare export
$json[$data['id']]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$data['id']]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$data['id']]['pw'] = $crypt_pw['string'];
}
}
// prepare answer. If no access then inform
if (empty($json)) {
rest_error('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error('NO_DATA_EXIST');
}
} else {
rest_error('AUTH_NOT_GRANTED');
}
} else {
rest_error('AUTH_NO_URL');
}
} else {
rest_error('AUTH_NO_IDENTIFIER');
}
} elseif ($GLOBALS['request'][0] == "auth_tpc") {
/*
** TO BE USED ONLY BY TEAMPASS-CONNECT
**
*/
// get user credentials
if (isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
// get url
if (isset($GLOBALS['request'][1])) {
// is user granted?
$userData = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][2]);
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][3], $userData['pw']) === true) {
// define the restriction of "id_tree" of this user
//db::debugMode(true);
$userDef = DB::queryOneColumn('folder_id', "SELECT DISTINCT folder_id\n FROM " . prefix_table("roles_values") . "\n WHERE type IN ('R', 'W', 'ND', 'NE', 'NDNE', 'NEND') ", empty($userData['groupes_interdits']) ? "" : "\n AND folder_id NOT IN (" . str_replace(";", ",", $userData['groupes_interdits']) . ")", "\n AND role_id IN %ls\n GROUP BY folder_id", explode(";", $userData['groupes_interdits']));
// complete with "groupes_visibles"
foreach (explode(";", $userData['groupes_visibles']) as $v) {
array_push($userDef, $v);
}
// decrypt url
$tpc_url = base64_decode($GLOBALS['request'][1]);
// find the item associated to the url
$response = DB::query("SELECT id, label, login, pw, pw_iv, id_tree, restricted_to\n FROM " . prefix_table("items") . "\n WHERE url LIKE %s\n AND id_tree IN (" . implode(",", $userDef) . ")\n ORDER BY id DESC", $tpc_url . '%');
$counter = DB::count();
if ($counter > 0) {
$json = "";
foreach ($response as $data) {
// check if item visible
if (empty($data['restricted_to']) || $data['restricted_to'] != "" && in_array($userData['id'], explode(";", $data['restricted_to']))) {
// prepare export
$json[$data['id']]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$data['id']]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$crypt_pw = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$data['id']]['pw'] = $crypt_pw['string'];
}
}
// prepare answer. If no access then inform
if (empty($json)) {
rest_error('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error('NO_DATA_EXIST');
}
} else {
rest_error('AUTH_NOT_GRANTED');
}
} else {
rest_error('AUTH_NO_URL');
}
} else {
rest_error('AUTH_NO_IDENTIFIER');
}
} elseif ($GLOBALS['request'][0] == "set") {
/*
* Expected call format: .../api/index.php/set/<login_to_save>/<password_to_save>/<url>/<user_login>/<user_password>/<label>/<protocol>?apikey=<VALID API KEY>
* Example: https://127.0.0.1/teampass/api/index.php/set/newLogin/newPassword/newUrl/myLogin/myPassword?apikey=gu6Eexaewaishooph6iethoh5woh0yoit6ohquo
*
* NEW ITEM WILL BE STORED IN SPECIFIC FOLDER
*/
// get user credentials
if (isset($GLOBALS['request'][4]) && isset($GLOBALS['request'][5])) {
// get url
if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
// is user granted?
$userData = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][4]);
if (DB::count() == 0) {
rest_error('AUTH_NO_IDENTIFIER');
}
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
// is user identified?
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][5], $userData['pw']) === true) {
// does the personal folder of this user exists?
DB::queryFirstRow("SELECT `id`\n FROM " . $pre . "nested_tree\n WHERE title = %s AND personal_folder = 1", $userData['id']);
if (DB::count() > 0) {
// check if "teampass-connect" folder exists
// if not create it
$folder = DB::queryFirstRow("SELECT `id`\n FROM " . $pre . "nested_tree\n WHERE title = %s", "teampass-connect");
if (DB::count() == 0) {
DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => "teampass-connect"));
$tpc_folder_id = DB::insertId();
//Add complexity
DB::insert(prefix_table("misc"), array('type' => 'complex', 'intitule' => $tpc_folder_id, 'valeur' => '0'));
// rebuild tree
$tree = new SplClassLoader('Tree\\NestedTree', '../includes/libraries');
$tree->register();
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
$tree->rebuild();
} else {
$tpc_folder_id = $folder['id'];
}
// encrypt password
$encrypt = cryption($GLOBALS['request'][2], SALT, "", "encrypt");
// is there a protocol?
if (isset($GLOBALS['request'][7]) || empty($GLOBALS['request'][7])) {
$protocol = "http://";
} else {
$protocol = urldecode($GLOBALS['request'][7]) . "://";
}
// add new item
DB::insert(prefix_table("items"), array('label' => "Credentials for " . urldecode($GLOBALS['request'][3]), 'description' => "Imported with Teampass-Connect", 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'email' => "", 'url' => urldecode($GLOBALS['request'][3]), 'id_tree' => $tpc_folder_id, 'login' => $GLOBALS['request'][1], 'inactif' => '0', 'restricted_to' => $userData['id'], 'perso' => '0', 'anyone_can_modify' => '0', 'complexity_level' => '0'));
$newID = DB::insertId();
// log
logItems($newID, "Credentials for " . urldecode($GLOBALS['request'][3] . '%'), $userData['id'], 'at_creation', $GLOBALS['request'][1]);
$json['status'] = "ok";
// prepare answer. If no access then inform
if (empty($json)) {
rest_error('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error('NO_PF_EXIST_FOR_USER');
}
} else {
rest_error('AUTH_NOT_GRANTED');
}
} else {
rest_error('SET_NO_DATA');
}
} else {
rest_error('AUTH_NO_IDENTIFIER');
}
} elseif ($GLOBALS['request'][0] == "set_tpc") {
/*
* TO BE USED ONLY BY TEAMPASS-CONNECT
*/
// get user credentials
if (isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
// get url
if (isset($GLOBALS['request'][1])) {
// is user granted?
$userData = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][2]);
if (DB::count() == 0) {
rest_error('AUTH_NO_IDENTIFIER');
}
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
// is user identified?
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][3], $userData['pw']) === true) {
// does the personal folder of this user exists?
DB::queryFirstRow("SELECT `id`\n FROM " . $pre . "nested_tree\n WHERE title = %s AND personal_folder = 1", $userData['id']);
if (DB::count() > 0) {
// check if "teampass-connect" folder exists
// if not create it
$folder = DB::queryFirstRow("SELECT `id`\n FROM " . $pre . "nested_tree\n WHERE title = %s", "teampass-connect");
if (DB::count() == 0) {
DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => "teampass-connect"));
$tpc_folder_id = DB::insertId();
//Add complexity
DB::insert(prefix_table("misc"), array('type' => 'complex', 'intitule' => $tpc_folder_id, 'valeur' => '0'));
// rebuild tree
$tree = new SplClassLoader('Tree\\NestedTree', '../includes/libraries');
$tree->register();
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
$tree->rebuild();
} else {
$tpc_folder_id = $folder['id'];
}
// prepare TPC parameters
$tpc_param = explode('/', base64_decode($GLOBALS['request'][1]));
// encrypt password
$encrypt = cryption(urldecode($tpc_param[1]), SALT, "", "encrypt");
// is there a label?
if (empty($tpc_param[3])) {
$label = "Credentials for " . urldecode($tpc_param[2]);
} else {
$label = urldecode($tpc_param[3]);
}
// add new item
DB::insert(prefix_table("items"), array('label' => $label, 'description' => "Imported with Teampass-Connect", 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'email' => "", 'url' => urldecode($tpc_param[2]), 'id_tree' => $tpc_folder_id, 'login' => urldecode($tpc_param[0]), 'inactif' => '0', 'restricted_to' => $userData['id'], 'perso' => '0', 'anyone_can_modify' => '0', 'complexity_level' => '0'));
$newID = DB::insertId();
// log
logItems($newID, $label, $userData['id'], 'at_creation', '');
$json['status'] = "ok";
// prepare answer. If no access then inform
if (empty($json)) {
rest_error('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error('NO_PF_EXIST_FOR_USER');
}
} else {
rest_error('AUTH_NOT_GRANTED');
}
} else {
rest_error('SET_NO_DATA');
}
} else {
rest_error('AUTH_NO_IDENTIFIER');
}
} elseif ($GLOBALS['request'][0] == "delete") {
$_SESSION['settings']['cpassman_dir'] = "..";
if ($GLOBALS['request'][1] == "folder") {
$array_category = explode(';', $GLOBALS['request'][2]);
if (count($array_category) > 0 && count($array_category) < 5) {
// load passwordLib library
require_once '../sources/SplClassLoader.php';
// prepare tree
$tree = new SplClassLoader('Tree\\NestedTree', '../includes/libraries');
$tree->register();
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title', 'personal_folder');
// this will delete all sub folders and items associated
for ($i = 0; $i < count($array_category); $i++) {
// Get through each subfolder
$folders = $tree->getDescendants($array_category[$i], true);
print_r($folders);
if (count($folders) > 0) {
foreach ($folders as $folder) {
if (($folder->parent_id > 0 || $folder->parent_id == 0) && $folder->personal_folder != 1) {
//Store the deleted folder (recycled bin)
DB::insert(prefix_table("misc"), array('type' => 'folder_deleted', 'intitule' => "f" . $array_category[$i], 'valeur' => $folder->id . ', ' . $folder->parent_id . ', ' . $folder->title . ', ' . $folder->nleft . ', ' . $folder->nright . ', ' . $folder->nlevel . ', 0, 0, 0, 0'));
//delete folder
DB::delete(prefix_table("nested_tree"), "id = %i", $folder->id);
//delete items & logs
$items = DB::query("SELECT id\n FROM " . prefix_table("items") . "\n WHERE id_tree=%i", $folder->id);
foreach ($items as $item) {
DB::update(prefix_table("items"), array('inactif' => '1'), "id = %i", $item['id']);
//log
DB::insert(prefix_table("log_items"), array('id_item' => $item['id'], 'date' => time(), 'id_user' => API_USER_ID, 'action' => 'at_delete'));
}
//Update CACHE table
updateCacheTable("delete_value", $array_category[$i]);
}
}
}
}
} else {
rest_error('NO_CATEGORY');
}
$json['status'] = 'OK';
} elseif ($GLOBALS['request'][1] == "item") {
$array_items = explode(';', $GLOBALS['request'][2]);
for ($i = 0; $i < count($array_items); $i++) {
DB::update(prefix_table("items"), array('inactif' => '1'), "id = %i", $array_items[$i]);
//log
DB::insert(prefix_table("log_items"), array('id_item' => $array_items[$i], 'date' => time(), 'id_user' => API_USER_ID, 'action' => 'at_delete'));
//Update CACHE table
updateCacheTable("delete_value", $array_items[$i]);
}
$json['status'] = 'OK';
}
if ($json) {
echo json_encode($json);
} else {
rest_error('EMPTY');
}
} else {
rest_error('METHOD');
}
}
}
