198995ae10a5686dee2201ef647306850404e2f1
[mailer.git] / inc / modules / admin.php
1 <?php
2 /************************************************************************
3  * MXChange v0.2.1                                    Start: 08/31/2003 *
4  * ===============                              Last change: 07/02/2004 *
5  *                                                                      *
6  * -------------------------------------------------------------------- *
7  * File              : admin.php                                        *
8  * -------------------------------------------------------------------- *
9  * Short description : Administration module                            *
10  * -------------------------------------------------------------------- *
11  * Kurzbeschreibung  : Administrationsmodul                             *
12  * -------------------------------------------------------------------- *
13  *                                                                      *
14  * -------------------------------------------------------------------- *
15  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
16  * For more information visit: http://www.mxchange.org                  *
17  *                                                                      *
18  * This program is free software; you can redistribute it and/or modify *
19  * it under the terms of the GNU General Public License as published by *
20  * the Free Software Foundation; either version 2 of the License, or    *
21  * (at your option) any later version.                                  *
22  *                                                                      *
23  * This program is distributed in the hope that it will be useful,      *
24  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
25  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
26  * GNU General Public License for more details.                         *
27  *                                                                      *
28  * You should have received a copy of the GNU General Public License    *
29  * along with this program; if not, write to the Free Software          *
30  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
31  * MA  02110-1301  USA                                                  *
32  ************************************************************************/
33
34 // Some security stuff...
35 if (!defined('__SECURITY')) {
36         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
37         require($INC);
38 }
39
40 // Login is default
41 if ((empty($GLOBALS['action'])) && (CHECK_MODULE($GLOBALS['module']) == "admin_only")) {
42         // Redirect to right URL
43         LOAD_URL("modules.php?module=admin&amp;action=login");
44 } // END - if
45
46 // Load include file
47 LOAD_INC_ONCE("inc/modules/admin/admin-inc.php");
48
49 // Fix "deleted" cookies in PHP4 (PHP5 does remove them, PHP4 sets them to deleted!)
50 FIX_DELETED_COOKIES(array('admin_login', 'admin_md5', 'admin_last', 'admin_to'));
51
52 // Init return value
53 $ret = "init";
54
55 // Is no admin registered?
56 if (!isAdminRegistered()) {
57         // Admin is not registered so we have to inform the user
58         if ((IS_FORM_SENT()) && ((!REQUEST_ISSET_POST(('login'))) || (!REQUEST_ISSET_POST(('pass'))) || (strlen(REQUEST_POST('pass')) < 4))) {
59                 REQUEST_SET_POST('ok', "***");
60         }
61
62         if ((IS_FORM_SENT()) && (REQUEST_POST('ok') != "***")) {
63                 // Hash the password with the old function because we are here in install mode
64                 $hashedPass = md5(REQUEST_POST('pass'));
65
66                 // Kill maybe existing session variables
67                 destroyAdminSession(false);
68
69                 // Do registration
70                 $ret = REGISTER_ADMIN(REQUEST_POST('login'), $hashedPass);
71                 switch ($ret)
72                 {
73                 case "done":
74                         changeDataInFile(constant('PATH')."inc/config.php", "ADMIN-SETUP", "define('admin_registered', ", ");", "true", 0);
75                         if (!constant('_FATAL')) {
76                                 // Registering is done
77                                 LOAD_URL("modules.php?module=admin&amp;action=login&register=done");
78                         } else {
79                                 $ret = getMessage('ADMIN_CANNOT_COMPLETE');
80                         }
81                         break;
82
83                 case "failed":
84                         $ret = getMessage('ADMIN_REGISTER_FAILED');
85                         break;
86
87                 case "already":
88                 default:
89                         if ($ret == "already") {
90                                 // Admin does already exists!
91                                 $ret = getMessage('ADMIN_LOGIN_ALREADY_REG');
92                         } else {
93                                 // Any other kind will be logged and interpreted as 'done'
94                                 DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown return code %s from CHECK_ADMIN_LOGIN()", $ret));
95                                 // @TODO Why is this set to 'done'?
96                                 $ret = "done";
97                         }
98
99                         // Admin still not registered?
100                         if (!isAdminRegistered()) {
101                                 // Write to config that registration is done
102                                 changeDataInFile(constant('PATH')."inc/config.php", "ADMIN-SETUP", "define('admin_registered', ", ");", "true", 0);
103
104                                 // Load URL for login
105                                 LOAD_URL("modules.php?module=admin&amp;action=login");
106                         } // END - if
107                         break;
108                 }
109         }
110
111         // Whas that action okay?
112         if ($ret != "done") {
113                 // Fixes another "Notice"
114                 if (REQUEST_ISSET_POST(('login'))) {
115                         define('__LOGIN_VALUE', REQUEST_POST('login'));
116                 } else {
117                         define('__LOGIN_VALUE', "");
118                 }
119
120                 // Yet-another "Notice" fix
121                 if ((IS_FORM_SENT()) && (REQUEST_POST('ok') == "***")) {
122                         // No login entered?
123                         if (!REQUEST_ISSET_POST(('login'))) $MSG1 = getMessage('ADMIN_NO_LOGIN');
124
125                         // An error comes back from registration?
126                         if (!empty($ret)) $MSG1 = $ret;
127
128                         // No password entered?
129                         if (!REQUEST_ISSET_POST(('pass'))) $MSG2 = getMessage('ADMIN_NO_PASS');
130
131                         // Or password too short?
132                         if (strlen(REQUEST_POST('pass')) < 4) $MSG2 = getMessage('ADMIN_SHORT_PASS');
133
134                         // Output error messages
135                         define('__MSG_LOGIN', LOAD_TEMPLATE("admin_login_msg", true, $MSG1));
136                         define('__MSG_PASS',  LOAD_TEMPLATE("admin_login_msg", true, $MSG2));
137
138                         // Reset variables
139                         $MSG1 = ""; $MSG2 = "";
140                 } else {
141                         // Reset values to nothing
142                         define('__MSG_LOGIN', "");
143                         define('__MSG_PASS' , "");
144                 }
145
146                 // Load register template
147                 LOAD_TEMPLATE("admin_reg_form");
148         }
149 } elseif (REQUEST_ISSET_GET(('reset_pass'))) {
150         // Is the form submitted?
151         if ((REQUEST_ISSET_POST(('send_link'))) && (REQUEST_ISSET_POST(('email')))) {
152                 // Try to send the link out
153                 $OUT = ADMIN_SEND_PASSWORD_RESET_LINK(REQUEST_POST('email'));
154
155                 // Output result
156                 LOAD_TEMPLATE("admin_settings_saved", false, $OUT);
157         } elseif (REQUEST_ISSET_GET(('hash'))) {
158                 // Output form for hash validation
159                 LOAD_TEMPLATE("admin_validate_reset_hash_form", false, REQUEST_GET('hash'));
160         } elseif ((REQUEST_ISSET_POST(('validate_hash'))) && (REQUEST_ISSET_POST(('login'))) && (REQUEST_ISSET_POST(('hash')))) {
161                 // Validate the login data and hash
162                 $valid = ADMIN_VALIDATE_RESET_LINK_HASH_LOGIN(REQUEST_POST('hash'), REQUEST_POST('login'));
163
164                 // Valid?
165                 if ($valid === true) {
166                         // Prepare content first
167                         $content = array(
168                                 'hash'  => SQL_ESCAPE(REQUEST_POST('hash')),
169                                 'login' => SQL_ESCAPE(REQUEST_POST('login'))
170                         );
171
172                         // Validation okay so display form for final password change
173                         LOAD_TEMPLATE("admin_reset_password_form", false, $content);
174                 } else {
175                         // Cannot validate the login data and hash
176                         LOAD_TEMPLATE("admin_settings_saved", false, getMessage('ADMIN_VALIDATION_RESET_LOGIN_HASH_FAILED'));
177                 }
178         } elseif ((REQUEST_ISSET_POST(('reset_pass'))) && (REQUEST_ISSET_POST(('hash'))) && (REQUEST_ISSET_POST(('login'))) && (REQUEST_ISSET_POST(('pass1'))) && (REQUEST_POST('pass1') == REQUEST_POST('pass2'))) {
179                 // Okay, we shall the admin password here. So first revalidate the hash
180                 if (ADMIN_VALIDATE_RESET_LINK_HASH_LOGIN(REQUEST_POST('hash'), REQUEST_POST('login'))) {
181                         // Set the password now
182                         $OUT = ADMIN_RESET_PASSWORD(REQUEST_POST('login'), REQUEST_POST('pass1'));
183
184                         // Output result
185                         LOAD_TEMPLATE("admin_reset_pass_done", false, $OUT);
186                 } else {
187                         // Validation failed
188                         LOAD_TEMPLATE("admin_settings_saved", false, getMessage('ADMIN_VALIDATION_RESET_LOGIN_HASH_FAILED2'));
189                 }
190         } else {
191                 // Output reset password form
192                 LOAD_TEMPLATE("admin_send_reset_link");
193         }
194 } elseif ((!isSessionVariableSet('admin_login')) || (!isSessionVariableSet('admin_md5')) || (!isSessionVariableSet('admin_last')) || (!isSessionVariableSet('admin_to')) || ((get_session('admin_last') + bigintval(get_session('admin_to')) * 3600 * 24) < time())) {
195         // At leat one administrator account was created
196         if ((isSessionVariableSet('admin_login')) && (isSessionVariableSet('admin_md5')) && (isSessionVariableSet('admin_last')) && (isSessionVariableSet('admin_to'))) {
197                 // Timeout for last login, we have to logout first!
198                 LOAD_URL("modules.php?module=admin&amp;action=login&amp;logout=1");
199         } // END - if
200
201         if (REQUEST_ISSET_GET(('register'))) {
202                 // Registration of first admin is done
203                 if (REQUEST_GET('register') == "done") LOAD_TEMPLATE("admin_settings_saved", false, getMessage('ADMIN_REGISTER_DONE'));
204         } // END - if
205
206         // Check if the admin has submitted data or not
207         if ((IS_FORM_SENT()) && ((!REQUEST_ISSET_POST(('login'))) || (!REQUEST_ISSET_POST(('pass'))) || (strlen(REQUEST_POST('pass')) < 4))) {
208                 REQUEST_SET_POST('ok', "***");
209         }
210
211         if ((IS_FORM_SENT()) && (REQUEST_POST('ok') != "***")) {
212                 // All required data was entered so we check his account
213                 $ret = CHECK_ADMIN_LOGIN(REQUEST_POST('login'), REQUEST_POST('pass'));
214
215                 // Which status do we have?
216                 switch ($ret)
217                 {
218                 case "done": // Admin and password are okay, so we log in now
219                         // Construct URL and redirect
220                         $URL = "modules.php?module=admin&amp;";
221
222                         // Rewrite overview module
223                         if ($GLOBALS['what'] == "overview") {
224                                 $GLOBALS['action'] = GET_ACTION($GLOBALS['module'], $GLOBALS['what']);
225                         } // END - if
226
227                         // Add data to URL
228                         if (!empty($GLOBALS['what'])) $URL .= "what=".$GLOBALS['what'];
229                          elseif (!empty($GLOBALS['action'])) $URL .= "action=".$GLOBALS['action'];
230                          elseif (REQUEST_ISSET_GET(('area'))) $URL .= "area=".REQUEST_GET('area');
231
232                         // Load URL
233                         LOAD_URL($URL);
234                         break;
235
236                 case "404": // Administrator login not found
237                         REQUEST_SET_POST('ok', $ret);
238                         $ret = getMessage('ADMIN_NOT_FOUND');
239                         destroyAdminSession();
240                         break;
241
242                 case "pass": // Wrong password
243                         REQUEST_SET_POST('ok', $ret);
244                         $ret = "{--WRONG_PASS--} [<a href=\"{!URL!}/modules.php?module=admin&amp;reset_pass=1\">{--ADMIN_RESET_PASS--}</a>]\n";
245                         destroyAdminSession();
246                         break;
247
248                 default: // Others will be logged
249                         DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown return code %s from CHECK_ADMIN_LOGIN()", $ret));
250                         break;
251                 } // END - switch
252         } // END - if
253
254         // Error detected?
255         if ($ret != "done") {
256                 if (REQUEST_ISSET_POST(('login'))) {
257                         define('__LOGIN_VALUE', REQUEST_POST('login'));
258                 } else {
259                         define('__LOGIN_VALUE', "");
260                 }
261
262                 if (IS_FORM_SENT()) {
263                         // Set messages to zero
264                         $MSG1 = ""; $MSG2 = "";
265
266                         // No login entered?
267                         if (!REQUEST_ISSET_POST(('login'))) $MSG1 = getMessage('ADMIN_NO_LOGIN');
268
269                         // An error comes back from login?
270                         if ((!empty($ret)) && (REQUEST_POST('ok') == "404")) $MSG1 = $ret;
271
272                         // No password entered?
273                         if (!REQUEST_ISSET_POST(('pass'))) $MSG2 = getMessage('ADMIN_NO_PASS');
274
275                         // Or password too short?
276                         if (strlen(REQUEST_POST('pass')) < 4) $MSG2 = getMessage('ADMIN_SHORT_PASS');
277
278                         // An error comes back from login?
279                         if ((!empty($ret)) && (REQUEST_POST('ok') == "pass")) $MSG2 = $ret;
280
281                         // Load message template
282                         define('__MSG_LOGIN', LOAD_TEMPLATE("admin_login_msg", true, $MSG1));
283                         define('__MSG_PASS' , LOAD_TEMPLATE("admin_login_msg", true, $MSG2));
284
285                         // Reset variables
286                         $MSG1 = ""; $MSG2 = "";
287                 } else {
288                         // Set constants to empty for hiding them
289                         define('__MSG_LOGIN', "");
290                         define('__MSG_PASS' , "");
291                 }
292
293                 // Load login form
294                 if (!empty($GLOBALS['what'])) {
295                         // Restore old what value
296                         $content = array('target' => "what", 'value' => $GLOBALS['what']);
297                 } elseif (!empty($GLOBALS['action'])) {
298                         if ($GLOBALS['action'] != "logout") {
299                                 // Restore old action value
300                                 $content = array('target' => "action", 'value' => $GLOBALS['action']);
301                         } else {
302                                 // Set default values
303                                 $content = array('target' => "action", 'value' => "login");
304                         }
305                 } elseif (REQUEST_ISSET_GET(('area'))) {
306                         // Restore old area value
307                         $content = array('target' => "area", 'value' => REQUEST_GET('area'));
308                 } else {
309                         // Set default values
310                         $content = array('target' => "action", 'value' => "login");
311                 }
312
313                 // Load login form template
314                 LOAD_TEMPLATE("admin_login_form", false, $content);
315         } // END - if
316 } elseif (REQUEST_ISSET_GET(('logout'))) {
317         // Only try to remove cookies
318         if (destroyAdminSession()) {
319                 // Load logout template
320                 if (REQUEST_ISSET_GET(('register'))) {
321                         // Secure input
322                         $register = REQUEST_GET(('register'));
323
324                         // Special logout redirect for installation of given extension
325                         LOAD_TEMPLATE(sprintf("admin_logout_%s_install", $register));
326                 } elseif (REQUEST_ISSET_GET(('remove'))) {
327                         // Secure input
328                         $remove = REQUEST_GET(('remove'));
329
330                         // Special logout redirect for removal of given extension
331                         LOAD_TEMPLATE(sprintf("admin_logout_%s_remove", $remove));
332                 } else {
333                         // Logged out normally
334                         LOAD_TEMPLATE("admin_logout");
335                 }
336         } else {
337                 // Something went wrong here...
338                 LOAD_TEMPLATE("admin_settings_saved", false, "<div class=\"admin_fatal\">{--ADMIN_LOGOUT_FAILED--}</div>");
339
340                 // Add fatal message
341                 addFatalMessage(getMessage('CANNOT_UNREG_SESS'));
342         }
343 } else {
344         // Maybe an Admin want's to login?
345         $ret = CHECK_ADMIN_COOKIES(get_session('admin_login'), get_session('admin_md5'));
346         switch ($ret)
347         {
348         case "done":
349                 // Check for access control line of current menu entry
350                 define('__ACL_ALLOW', RUN_FILTER('check_admin_acl'));
351
352                 // When type of admin menu is not set fallback to old menu system
353                 if (!isConfigEntrySet('admin_menu')) setConfigEntry('admin_menu', "OLD");
354
355                 // Check for version and switch between old menu system and new "intelligent menu system"
356                 if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (INCLUDE_READABLE("inc/modules/admin/lasys-inc.php"))) {
357                         // Default area is the entrance, of course
358                         $area = "entrance";
359
360                         // Check for similar URL variable
361                         if (REQUEST_ISSET_GET(('area'))) $area = REQUEST_GET(('area'));
362
363                         // Load "logical-area menu-system" file
364                         LOAD_INC_ONCE("inc/modules/admin/lasys-inc.php");
365
366                         // Create new-style menu system will "logical areas"
367                         ADMIN_LOGICAL_AREA_SYSTEM($area, $act, $GLOBALS['what']);
368                 } else {
369                         // This little call constructs the whole default old and lacky menu system
370                         // on left side
371                         ADMIN_DO_ACTION($GLOBALS['what']);
372                 }
373                 break;
374
375         case "404": // Administrator login not found
376                 REQUEST_SET_POST('ok', $ret);
377                 destroyAdminSession();
378                 addFatalMessage(getMessage('ADMIN_NOT_FOUND'));
379                 break;
380
381         case "pass": // Wrong password
382                 REQUEST_SET_POST('ok', $ret);
383                 destroyAdminSession();
384                 addFatalMessage(getMessage('WRONG_PASS'));
385                 break;
386
387         default: // Others will be logged
388                 DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown return code %s from CHECK_ADMIN_COOKIES()", $ret));
389                 break;
390         }
391 }
392
393 //
394 ?>