Possible further fix for #128
[mailer.git] / inc / modules / admin.php
1 <?php
2 /************************************************************************
3  * MXChange v0.2.1                                    Start: 08/31/2003 *
4  * ===============                              Last change: 07/02/2004 *
5  *                                                                      *
6  * -------------------------------------------------------------------- *
7  * File              : admin.php                                        *
8  * -------------------------------------------------------------------- *
9  * Short description : Administration module                            *
10  * -------------------------------------------------------------------- *
11  * Kurzbeschreibung  : Administrationsmodul                             *
12  * -------------------------------------------------------------------- *
13  * $Revision::                                                        $ *
14  * $Date::                                                            $ *
15  * $Tag:: 0.2.1-FINAL                                                 $ *
16  * $Author::                                                          $ *
17  * Needs to be in all Files and every File needs "svn propset           *
18  * svn:keywords Date Revision" (autoprobset!) at least!!!!!!            *
19  * -------------------------------------------------------------------- *
20  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
21  * For more information visit: http://www.mxchange.org                  *
22  *                                                                      *
23  * This program is free software; you can redistribute it and/or modify *
24  * it under the terms of the GNU General Public License as published by *
25  * the Free Software Foundation; either version 2 of the License, or    *
26  * (at your option) any later version.                                  *
27  *                                                                      *
28  * This program is distributed in the hope that it will be useful,      *
29  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
30  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
31  * GNU General Public License for more details.                         *
32  *                                                                      *
33  * You should have received a copy of the GNU General Public License    *
34  * along with this program; if not, write to the Free Software          *
35  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
36  * MA  02110-1301  USA                                                  *
37  ************************************************************************/
38
39 // Some security stuff...
40 if (!defined('__SECURITY')) {
41         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), '/inc') + 4) . '/security.php';
42         require($INC);
43 } // END - if
44
45 // Load include file
46 loadIncludeOnce('inc/modules/admin/admin-inc.php');
47
48 // Fix "deleted" cookies in PHP4 (PHP5 does remove them, PHP4 sets them to deleted!)
49 fixDeletedCookies(array('admin_login', 'admin_md5', 'admin_last', 'admin_to'));
50
51 // Init return value
52 $ret = 'init';
53
54 // Is no admin registered?
55 if (!isAdminRegistered()) {
56         // Admin is not registered so we have to inform the user
57         if ((isFormSent()) && ((!REQUEST_ISSET_POST('login')) || (!REQUEST_ISSET_POST(('pass'))) || (strlen(REQUEST_POST('pass')) < 4))) {
58                 REQUEST_SET_POST('ok', '***');
59         } // END - if
60
61         if ((isFormSent()) && (REQUEST_POST('ok') != '***')) {
62                 // Hash the password with the old function because we are here in install mode
63                 $hashedPass = md5(REQUEST_POST('pass'));
64
65                 // Kill maybe existing session variables
66                 destroyAdminSession(false);
67
68                 // Do registration
69                 $ret = REGISTER_ADMIN(REQUEST_POST('login'), $hashedPass, constant('WEBMASTER'));
70
71                 // Check if registration wents fine
72                 switch ($ret) {
73                         case 'done':
74                                 $done = changeDataInFile(constant('PATH') . 'inc/cache/config-local.php', "ADMIN-SETUP", "setConfigEntry('ADMIN_REGISTERED', \"", "\");", 'Y', 0);
75                                 if ($done === true) {
76                                         // Registering is done
77                                         redirectToUrl('modules.php?module=admin&amp;register=done');
78                                 } else {
79                                         $ret = getMessage('ADMIN_CANNOT_COMPLETE');
80                                 }
81                                 break;
82
83                         case 'failed':
84                                 $ret = getMessage('ADMIN_REGISTER_FAILED');
85                                 break;
86
87                         case 'already':
88                         default:
89                                 if ($ret == 'already') {
90                                         // Admin does already exists!
91                                         $ret = getMessage('ADMIN_LOGIN_ALREADY_REG');
92                                 } else {
93                                         // Any other kind will be logged and interpreted as 'done'
94                                         DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown return code %s from CHECK_ADMIN_LOGIN() and interpreted as 'done'!", $ret));
95                                         // @TODO Why is this set to 'done'?
96                                         $ret = 'done';
97                                 }
98
99                                 // Admin still not registered?
100                                 if (!isAdminRegistered()) {
101                                         // Write to config that registration is done
102                                         changeDataInFile(constant('PATH') . 'inc/cache/config-local.php', "ADMIN-SETUP", "setConfigEntry('ADMIN_REGISTERED', \"", "\");", 'Y', 0);
103
104                                         // Load URL for login
105                                         redirectToUrl('modules.php?module=admin');
106                                 } // END - if
107                                 break;
108                 } // END - switch
109         }
110
111         // Whas that action okay?
112         if ($ret != 'done') {
113                 // Fixes another notice
114                 if (REQUEST_ISSET_POST('login')) {
115                         define('__LOGIN_VALUE', REQUEST_POST('login'));
116                 } else {
117                         define('__LOGIN_VALUE', '');
118                 }
119
120                 // Yet-another notice-fix
121                 if ((isFormSent()) && (REQUEST_POST('ok') == '***')) {
122                         // No login entered?
123                         if (!REQUEST_ISSET_POST('login')) $loginMessage = getMessage('ADMIN_NO_LOGIN');
124
125                         // An error comes back from registration?
126                         if (!empty($ret)) $loginMessage = $ret;
127
128                         // No password entered?
129                         if (!REQUEST_ISSET_POST(('pass'))) $passwdMessage = getMessage('ADMIN_NO_PASS');
130
131                         // Or password too short?
132                         if (strlen(REQUEST_POST('pass')) < 4) $passwdMessage = getMessage('ADMIN_SHORT_PASS');
133
134                         // Output error messages
135                         define('__MSG_LOGIN', LOAD_TEMPLATE('admin_login_msg', true, $loginMessage));
136                         define('__MSG_PASS',  LOAD_TEMPLATE('admin_login_msg', true, $passwdMessage));
137
138                         // Reset variables
139                         $loginMessage = ''; $passwdMessage = '';
140                 } else {
141                         // Reset values to nothing
142                         define('__MSG_LOGIN', '');
143                         define('__MSG_PASS' , '');
144                 }
145
146                 // Output message in seperate template
147                 LOAD_TEMPLATE('admin_settings_saved', false, getMessage('ADMIN_NOT_REGISTERED'));
148
149                 // Load register template
150                 LOAD_TEMPLATE('admin_reg_form');
151         }
152 } elseif (REQUEST_ISSET_GET('reset_pass')) {
153         // Is the form submitted?
154         if ((REQUEST_ISSET_POST('send_link')) && (REQUEST_ISSET_POST('email'))) {
155                 // Try to send the link out
156                 $OUT = ADMIN_SEND_PASSWORD_RESET_LINK(REQUEST_POST('email'));
157
158                 // Output result
159                 LOAD_TEMPLATE('admin_settings_saved', false, $OUT);
160         } elseif (REQUEST_ISSET_GET('hash')) {
161                 // Output form for hash validation
162                 LOAD_TEMPLATE('admin_validate_reset_hash_form', false, REQUEST_GET('hash'));
163         } elseif ((REQUEST_ISSET_POST('validate_hash')) && (REQUEST_ISSET_POST('login')) && (REQUEST_ISSET_POST('hash'))) {
164                 // Validate the login data and hash
165                 $valid = ADMIN_VALIDATE_RESET_LINK_HASH_LOGIN(REQUEST_POST('hash'), REQUEST_POST('login'));
166
167                 // Valid?
168                 if ($valid === true) {
169                         // Prepare content first
170                         $content = array(
171                                 'hash'  => SQL_ESCAPE(REQUEST_POST('hash')),
172                                 'login' => SQL_ESCAPE(REQUEST_POST('login'))
173                         );
174
175                         // Validation okay so display form for final password change
176                         LOAD_TEMPLATE('admin_reset_password_form', false, $content);
177                 } else {
178                         // Cannot validate the login data and hash
179                         LOAD_TEMPLATE('admin_settings_saved', false, getMessage('ADMIN_VALIDATION_RESET_LOGIN_HASH_FAILED'));
180                 }
181         } elseif ((REQUEST_ISSET_POST('reset_pass')) && (REQUEST_ISSET_POST('hash')) && (REQUEST_ISSET_POST('login')) && (REQUEST_ISSET_POST('pass1')) && (REQUEST_POST('pass1') == REQUEST_POST('pass2'))) {
182                 // Okay, we shall the admin password here. So first revalidate the hash
183                 if (ADMIN_VALIDATE_RESET_LINK_HASH_LOGIN(REQUEST_POST('hash'), REQUEST_POST('login'))) {
184                         // Set the password now
185                         $OUT = ADMIN_RESET_PASSWORD(REQUEST_POST('login'), REQUEST_POST('pass1'));
186
187                         // Output result
188                         LOAD_TEMPLATE('admin_reset_pass_done', false, $OUT);
189                 } else {
190                         // Validation failed
191                         LOAD_TEMPLATE('admin_settings_saved', false, getMessage('ADMIN_VALIDATION_RESET_LOGIN_HASH_FAILED2'));
192                 }
193         } else {
194                 // Output reset password form
195                 LOAD_TEMPLATE('admin_send_reset_link');
196         }
197 } elseif ((!isSessionVariableSet('admin_login')) || (!isSessionVariableSet('admin_md5')) || (!isSessionVariableSet('admin_last')) || (!isSessionVariableSet('admin_to')) || ((getSession('admin_last') + bigintval(getSession('admin_to')) * 3600 * 24) < time())) {
198         // At leat one administrator account was created
199         if ((isSessionVariableSet('admin_login')) && (isSessionVariableSet('admin_md5')) && (isSessionVariableSet('admin_last')) && (isSessionVariableSet('admin_to'))) {
200                 // Timeout for last login, we have to logout first!
201                 redirectToUrl('modules.php?module=admin&amp;logout=1');
202         } // END - if
203
204         if (REQUEST_ISSET_GET(('register'))) {
205                 // Registration of first admin is done
206                 if (REQUEST_GET('register') == 'done') LOAD_TEMPLATE('admin_settings_saved', false, getMessage('ADMIN_REGISTER_DONE'));
207         } // END - if
208
209         // Check if the admin has submitted data or not
210         if ((isFormSent()) && ((!REQUEST_ISSET_POST('login')) || (!REQUEST_ISSET_POST(('pass'))) || (strlen(REQUEST_POST('pass')) < 4))) {
211                 REQUEST_SET_POST('ok', '***');
212         } // END - if
213
214         if ((isFormSent()) && (REQUEST_POST('ok') != '***')) {
215                 // All required data was entered so we check his account
216                 $ret = CHECK_ADMIN_LOGIN(REQUEST_POST('login'), REQUEST_POST('pass'));
217
218                 // Which status do we have?
219                 switch ($ret) {
220                         case 'done': // Admin and password are okay, so we log in now
221                                 // Construct URL and redirect
222                                 $URL = 'modules.php?module=admin&amp;';
223
224                                 // Rewrite overview module
225                                 if (getWhat() == 'overview') {
226                                         setAction(getModeAction(getModule(), getWhat()));
227                                 } // END - if
228
229                                 // Add data to URL
230                                 if (isWhatSet())        $URL .= 'what='.getWhat();
231                                  elseif (isActionSet()) $URL .= 'action='.getAction();
232                                  elseif (REQUEST_ISSET_GET('area'))  $URL .= 'area='.REQUEST_GET('area');
233
234                          // Load URL
235                          redirectToUrl($URL);
236                          break;
237
238                         case '404': // Administrator login not found
239                                 REQUEST_SET_POST('ok', $ret);
240                                 $ret = getMessage('ADMIN_NOT_FOUND');
241                                 destroyAdminSession();
242                                 break;
243
244                         case 'pass': // Wrong password
245                                 REQUEST_SET_POST('ok', $ret);
246                                 $ret = '{--WRONG_PASS--} [<a href="{!URL!}/modules.php?module=admin&amp;reset_pass=1">{--ADMIN_RESET_PASS--}</a>]';
247                                 destroyAdminSession();
248                                 break;
249
250                         default: // Others will be logged
251                                 DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown return code %s from CHECK_ADMIN_LOGIN()", $ret));
252                                 break;
253                 } // END - switch
254         } // END - if
255
256         // Error detected?
257         // @TODO Rewrite all these constants
258         if ($ret != 'done') {
259                 if (REQUEST_ISSET_POST('login')) {
260                         define('__LOGIN_VALUE', REQUEST_POST('login'));
261                 } else {
262                         define('__LOGIN_VALUE', '');
263                 }
264
265                 if (isFormSent()) {
266                         // Set messages to zero
267                         $loginMessage = ''; $passwdMessage = '';
268
269                         // No login entered?
270                         if (!REQUEST_ISSET_POST('login')) $loginMessage = getMessage('ADMIN_NO_LOGIN');
271
272                         // An error comes back from login?
273                         if ((!empty($ret)) && (REQUEST_POST('ok') == '404')) $loginMessage = $ret;
274
275                         // No password entered?
276                         if (!REQUEST_ISSET_POST(('pass'))) $passwdMessage = getMessage('ADMIN_NO_PASS');
277
278                         // Or password too short?
279                         if (strlen(REQUEST_POST('pass')) < 4) $passwdMessage = getMessage('ADMIN_SHORT_PASS');
280
281                         // An error comes back from login?
282                         if ((!empty($ret)) && (REQUEST_POST('ok') == 'pass')) $passwdMessage = $ret;
283
284                         // Load message template
285                         define('__MSG_LOGIN', LOAD_TEMPLATE('admin_login_msg', true, $loginMessage));
286                         define('__MSG_PASS' , LOAD_TEMPLATE('admin_login_msg', true, $passwdMessage));
287
288                         // Reset variables
289                         unset($loginMessage);
290                         unset($passwdMessage);
291                 } else {
292                         // Set constants to empty for hiding them
293                         define('__MSG_LOGIN', '');
294                         define('__MSG_PASS' , '');
295                 }
296
297                 // Load login form
298                 if (isWhatSet()) {
299                         // Restore old what value
300                         $content = array('target' => 'what', 'value' => getWhat());
301                 } elseif (isActionSet()) {
302                         if (getAction() != 'logout') {
303                                 // Restore old action value
304                                 $content = array('target' => 'action', 'value' => getAction());
305                         } else {
306                                 // Set default values
307                                 $content = array('target' => 'action', 'value' => 'login');
308                         }
309                 } elseif (REQUEST_ISSET_GET('area')) {
310                         // Restore old area value
311                         $content = array('target' => 'area', 'value' => REQUEST_GET('area'));
312                 } else {
313                         // Set default values
314                         $content = array('target' => 'action', 'value' => 'login');
315                 }
316
317                 // Load login form template
318                 LOAD_TEMPLATE('admin_login_form', false, $content);
319         } // END - if
320 } elseif (REQUEST_ISSET_GET(('logout'))) {
321         // Only try to remove cookies
322         if (destroyAdminSession()) {
323                 // Load logout template
324                 if (REQUEST_ISSET_GET(('register'))) {
325                         // Secure input
326                         $register = REQUEST_GET(('register'));
327
328                         // Special logout redirect for installation of given extension
329                         LOAD_TEMPLATE(sprintf("admin_logout_%s_install", $register));
330                 } elseif (REQUEST_ISSET_GET('remove')) {
331                         // Secure input
332                         $remove = REQUEST_GET('remove');
333
334                         // Special logout redirect for removal of given extension
335                         LOAD_TEMPLATE(sprintf("admin_logout_%s_remove", $remove));
336                 } else {
337                         // Logged out normally
338                         LOAD_TEMPLATE('admin_logout');
339                 }
340         } else {
341                 // Something went wrong here...
342                 LOAD_TEMPLATE('admin_settings_saved', false, '<div class="admin_fatal">{--ADMIN_LOGOUT_FAILED--}</div>');
343
344                 // Add fatal message
345                 addFatalMessage(__FILE__, __LINE__, getMessage('CANNOT_UNREG_SESS'));
346         }
347 } else {
348         // Maybe an Admin want's to login?
349         $ret = CHECK_ADMIN_COOKIES(getSession('admin_login'), getSession('admin_md5'));
350         switch ($ret)
351         {
352                 case 'done':
353                         // Check for access control line of current menu entry
354                         $GLOBALS['acl_allow'] = runFilterChain('check_admin_acl');
355
356                         // When type of admin menu is not set fallback to old menu system
357                         if (!isConfigEntrySet('admin_menu')) setConfigEntry('admin_menu', 'OLD');
358
359                         // Check for version and switch between old menu system and new intelligent menu system
360                         if ((ADMIN_CHECK_MENU_MODE() == 'NEW') && (isIncludeReadable('inc/modules/admin/lasys-inc.php'))) {
361                                 // Default area is the entrance, of course
362                                 $area = 'entrance';
363
364                                 // Check for similar URL variable
365                                 if (REQUEST_ISSET_GET('area')) $area = REQUEST_GET('area');
366
367                                 // Load logical-area menu-system file
368                                 loadIncludeOnce('inc/modules/admin/lasys-inc.php');
369
370                                 // Create new-style menu system will logical areas
371                                 ADMIN_LOGICAL_AREA_SYSTEM($area, $act, getWhat());
372                         } else {
373                                 // This little call constructs the whole default old and lacky menu system
374                                 // on left side. It also renders the content on right side
375                                 ADMIN_DO_ACTION(getWhat());
376                         }
377                         break;
378
379                 case '404': // Administrator login not found
380                         REQUEST_SET_POST('ok', $ret);
381                         destroyAdminSession();
382                         addFatalMessage(__FILE__, __LINE__, getMessage('ADMIN_NOT_FOUND'));
383                         break;
384
385                 case 'pass': // Wrong password
386                         REQUEST_SET_POST('ok', $ret);
387                         destroyAdminSession();
388                         addFatalMessage(__FILE__, __LINE__, getMessage('WRONG_PASS'));
389                         break;
390
391                 default: // Others will be logged
392                         DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown return code %s from CHECK_ADMIN_COOKIES()", $ret));
393                         break;
394         }
395 }
396
397 //
398 ?>