wernis extension is now alpha code (only listing in admin area is missing), naming...
[mailer.git] / inc / modules / admin.php
1 <?php
2 /************************************************************************
3  * MXChange v0.2.1                                    Start: 08/31/2003 *
4  * ===============                              Last change: 07/02/2004 *
5  *                                                                      *
6  * -------------------------------------------------------------------- *
7  * File              : admin.php                                        *
8  * -------------------------------------------------------------------- *
9  * Short description : Administration module                            *
10  * -------------------------------------------------------------------- *
11  * Kurzbeschreibung  : Administrationsmodul                             *
12  * -------------------------------------------------------------------- *
13  *                                                                      *
14  * -------------------------------------------------------------------- *
15  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
16  * For more information visit: http://www.mxchange.org                  *
17  *                                                                      *
18  * This program is free software; you can redistribute it and/or modify *
19  * it under the terms of the GNU General Public License as published by *
20  * the Free Software Foundation; either version 2 of the License, or    *
21  * (at your option) any later version.                                  *
22  *                                                                      *
23  * This program is distributed in the hope that it will be useful,      *
24  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
25  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
26  * GNU General Public License for more details.                         *
27  *                                                                      *
28  * You should have received a copy of the GNU General Public License    *
29  * along with this program; if not, write to the Free Software          *
30  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
31  * MA  02110-1301  USA                                                  *
32  ************************************************************************/
33
34 // Some security stuff...
35 if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))
36 {
37         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
38         require($INC);
39 }
40
41 // Login is default
42 if ((empty($GLOBALS['action'])) && ($check == "admin_only"))
43 {
44         // Redirect to right URL
45         LOAD_URL("modules.php?module=admin&amp;action=login");
46 }
47
48 // Load include file
49 require_once(PATH."inc/modules/admin/admin-inc.php");
50
51 // Fix "deleted" cookies in PHP4 (PHP5 does remove them, PHP4 sets them to deleted!)
52 FIX_DELETED_COOKIES(array('admin_login', 'admin_md5', 'admin_last', 'admin_to'));
53
54 // Is the logout empty?
55 if (empty($_GET['logout'])) $_GET['logout'] = "";
56
57 if (!admin_registered)
58 {
59         // Admin is not registered so we have to inform the user
60         if ((isset($_POST['ok'])) && ((empty($_POST['login'])) || (empty($_POST['pass'])) || (strlen($_POST['pass']) < 4))) $_POST['ok'] = "***";
61         if ((isset($_POST['ok'])) && ($_POST['ok'] != "***"))
62         {
63                 // Hash the password with our new generateHash() function
64                 $hashedPass = generateHash($_POST['pass']);
65
66                 // If the password has not been hashed we have to fall-back to md5()
67                 if ($hashedPass == $_POST['pass']) $hashedPass = md5($hashedPass);
68
69                 // Do registration
70                 $ret = REGISTER_ADMIN($_POST['login'], $hashedPass);
71                 switch ($ret)
72                 {
73                 case "done":
74                         admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define ('admin_registered', ", ");", "true", 0);
75                         if (!_FATAL)
76                         {
77                                 $URL = URL."/modules.php?module=admin&amp;action=login&register=done";
78                                 LOAD_URL($URL);
79                                 die($URL);
80                         }
81                          else
82                         {
83                                 $ret = ADMIN_CANNOT_COMPLETE;
84                         }
85                         break;
86
87                 case "failed":
88                         $ret = ADMIN_REGISTER_FAILED;
89                         break;
90
91                 case "already":
92                 default:
93                         if ($ret == "already")
94                         {
95                                 // Admin does already exists!
96                                 $ret = ADMIN_LOGIN_ALREADY_REG;
97                         }
98                          else
99                         {
100                                 // Any other kind
101                                 $ret = "done";
102                         }
103                         if (!admin_registered)
104                         {
105                                 // Write to config that registration is done
106                                 admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define ('admin_registered', ", ");", "true", 0);
107
108                                 // Load URL for login
109                                 $URL = URL."/modules.php?module=admin&amp;action=login";
110                                 LOAD_URL($URL);
111                         }
112                         break;
113                 }
114         }
115         if ($ret != "done")
116         {
117                 // Fixes another "Notice"
118                 if (!empty($_POST['login'])) {
119                         define('__LOGIN_VALUE', $_POST['login']);
120                 } else {
121                         define('__LOGIN_VALUE', "");
122                 }
123
124                 // Yet-another "Notice" fix
125                 if ((!empty($_POST['ok'])) && ($_POST['ok'] == "***"))
126                 {
127                         // No login entered?
128                         if (empty($_POST['login'])) $MSG1 = ADMIN_NO_LOGIN;
129
130                         // An error comes back from registration?
131                         if (!empty($ret)) $MSG1 = $ret;
132
133                         // No password entered?
134                         if (empty($_POST['pass'])) $MSG2 = ADMIN_NO_PASS;
135
136                         // Or password too short?
137                         if (strlen($_POST['pass']) < 4) $MSG2 = ADMIN_SHORT_PASS;
138
139                         // Output error messages
140                         define('__MSG_LOGIN', LOAD_TEMPLATE("admin_login_msg", true, $MSG1));
141                         define('__MSG_PASS',  LOAD_TEMPLATE("admin_login_msg", true, $MSG2));
142
143                         // Reset variables
144                         $MSG1 = ""; $MSG2 = "";
145                 }
146                  else
147                 {
148                         // Reset values to nothing
149                         define('__MSG_LOGIN', "");
150                         define('__MSG_PASS' , "");
151                 }
152
153                 // Load register template
154                 LOAD_TEMPLATE("admin_reg_form");
155         }
156 }
157  elseif ((empty($_COOKIE['admin_login'])) || (empty($_COOKIE['admin_md5'])) || (empty($_COOKIE['admin_last'])) || (empty($_COOKIE['admin_to'])) || (($_COOKIE['admin_last'] + bigintval($_COOKIE['admin_to']) * 3600 * 24) < time()))
158 {
159         // At leat one administrator account was created
160         if ((!empty($_COOKIE['admin_login'])) && (!empty($_COOKIE['admin_md5'])) && (!empty($_COOKIE['admin_last'])) && (!empty($_COOKIE['admin_to'])))
161         {
162                 // Timeout for last login, we have to logout first!
163                 $URL = URL."/modules.php?module=admin&amp;action=login&amp;logout=1";
164                 LOAD_URL($URL);
165         }
166         if (!empty($_GET['register']))
167         {
168                 // Registration of first admin is done
169                 if ($_GET['register'] == "done") OUTPUT_HTML("<STRONG class=\"admin\">".ADMIN_REGISTER_DONE."</STRONG>");
170         }
171
172         // Check if the admin has submitted data or not
173         $ret = "";
174         if ((isset($_POST['ok'])) && ((empty($_POST['login'])) || (empty($_POST['pass'])) || (strlen($_POST['pass']) < 4))) $_POST['ok'] = "***";
175         if ((isset($_POST['ok'])) && ($_POST['ok'] != "***"))
176         {
177                 // All required data was entered so we check his account
178                 $ret = CHECK_ADMIN_LOGIN($_POST['login'], $_POST['pass']);
179                 switch ($ret)
180                 {
181                 case "done": // Admin and password are okay, so we log in now
182                         $TIMEOUT = time() + (3600 * 24 * $_POST['timeout']);
183                         if ((@setcookie("admin_md5", generatePassString(generateHash($_POST['pass'], __SALT)), $TIMEOUT, COOKIE_PATH)) && (@setcookie("admin_login", $_POST['login'], $TIMEOUT, COOKIE_PATH)) && (@setcookie("admin_last", time(), $TIMEOUT, COOKIE_PATH)) && (@setcookie("admin_to", $_POST['timeout'], $TIMEOUT, COOKIE_PATH)))
184                         {
185                                 // Construct URL and redirect
186                                 $URL = URL."/modules.php?module=admin&amp;";
187
188                                 // Rewrite overview module
189                                 if ($GLOBALS['what'] == "overview") {
190                                         $GLOBALS['action'] = GET_ACTION($GLOBALS['module'], $GLOBALS['what']);
191                                 }
192
193                                 // Add data to URL
194                                 if (!empty($GLOBALS['what'])) $URL .= "what=".$GLOBALS['what'];
195                                  elseif (!empty($GLOBALS['action'])) $URL .= "action=".$GLOBALS['action'];
196                                  elseif (!empty($_GET['area'])) $URL .= "area=".$_GET['area'];
197
198                                 // Load URL
199                                 LOAD_URL($URL);
200                         }
201                          else
202                         {
203                                 OUTPUT_HTML("<STRONG class=\"admin_fatal\">".ADMIN_LOGIN_FAILED."</STRONG>");
204                                 ADD_FATAL(CANNOT_REGISTER_SESS);
205                         }
206                         break;
207
208                 case "404": // Administrator login not found
209                         $_POST['ok'] = $ret;
210                         $ret = ADMIN_NOT_FOUND;
211                         break;
212
213                 case "pass": // Wrong password
214                         $_POST['ok'] = $ret;
215                         $ret = WRONG_PASS;
216                         break;
217                 }
218         }
219         if ($ret != "done")
220         {
221                 if (!empty($_POST['login']))
222                 {
223                         define('__LOGIN_VALUE', $_POST['login']);
224                 }
225                  else
226                 {
227                         define('__LOGIN_VALUE', "");
228                 }
229
230                 if (isset($_POST['ok']))
231                 {
232                         // Set messages to zero
233
234                         $MSG1 = ""; $MSG2 = "";
235                         // No login entered?
236                         if (empty($_POST['login'])) $MSG1 = ADMIN_NO_LOGIN;
237
238                         // An error comes back from login?
239                         if ((!empty($ret)) && ($_POST['ok'] == "404")) $MSG1 = $ret;
240
241                         // No password entered?
242                         if (empty($_POST['pass'])) $MSG2 = ADMIN_NO_PASS;
243
244                         // Or password too short?
245                         if (strlen($_POST['pass']) < 4) $MSG2 = ADMIN_SHORT_PASS;
246
247                         // An error comes back from login?
248                         if ((!empty($ret)) && ($_POST['ok'] == "pass")) $MSG2 = $ret;
249
250                         // Load message template
251                         define('__MSG_LOGIN', LOAD_TEMPLATE("admin_login_msg", true, $MSG1));
252                         define('__MSG_PASS' , LOAD_TEMPLATE("admin_login_msg", true, $MSG2));
253
254                         // Reset variables
255                         $MSG1 = ""; $MSG2 = "";
256                 }
257                  else
258                 {
259                         // Set constants to empty for hiding them
260                         define('__MSG_LOGIN', "");
261                         define('__MSG_PASS' , "");
262                 }
263
264                 // Load login form
265                 if (!empty($GLOBALS['what']))
266                 {
267                         // Restore old what value
268                         $content = array('target' => "what", 'value' => $GLOBALS['what']);
269                 }
270                  elseif (!empty($GLOBALS['action']))
271                 {
272                         if ($GLOBALS['action'] != "logout")
273                         {
274                                 // Restore old action value
275                                 $content = array('target' => "action", 'value' => $GLOBALS['action']);
276                         }
277                          else
278                         {
279                                 // Set default values
280                                 $content = array('target' => "action", 'value' => "login");
281                         }
282                 }
283                  elseif (!empty($_GET['area']))
284                 {
285                         // Restore old area value
286                         $content = array('target' => "area", 'value' => $_GET['area']);
287                 }
288                  else
289                 {
290                         // Set default values
291                         $content = array('target' => "action", 'value' => "login");
292                 }
293
294                 // Load login form template
295                 LOAD_TEMPLATE("admin_login_form", false, $content);
296         }
297 }
298  elseif ($_GET['logout'] == "1")
299 {
300         // Only try to remove cookies
301         if (@setcookie("admin_login", "", (time() - 3600), COOKIE_PATH) && @setcookie("admin_md5", "", (time() - 3600), COOKIE_PATH) && @setcookie("admin_last", "", (time() - 3600), COOKIE_PATH) && @setcookie("admin_to", "", (time() - 3600), COOKIE_PATH))
302         {
303                 // Also remove array elements
304                 unset($_COOKIE['admin_login']);
305                 unset($_COOKIE['admin_md5']);
306                 unset($_COOKIE['admin_last']);
307                 unset($_COOKIE['admin_to']);
308
309                 // Destroy session
310                 @session_destroy();
311
312                 // Load logout template
313                 LOAD_TEMPLATE("admin_logout");
314         }
315          else
316         {
317                 // Something went wrong here...
318                 OUTPUT_HTML("<STRONG class=\"admin_fatal\">".ADMIN_LOGOUT_FAILED."</STRONG>");
319
320                 // Add fatal message
321                 ADD_FATAL(CANNOT_UNREG_SESS);
322         }
323 }
324  else
325 {
326         // Maybe an Admin want's to login?
327         $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE($_COOKIE['admin_login']), SQL_ESCAPE($_COOKIE['admin_md5']));
328         switch ($ret)
329         {
330         case "done":
331                 // Cookie-Data accepted
332                 $TIMEOUT = time() + bigintval($_COOKIE['admin_to']);
333                 if ((@setcookie("admin_md5", SQL_ESCAPE($_COOKIE['admin_md5']), $TIMEOUT, COOKIE_PATH)) && (@setcookie("admin_login", SQL_ESCAPE($_COOKIE['admin_login']), $TIMEOUT, COOKIE_PATH)) && (@setcookie("admin_last", time(), $TIMEOUT, COOKIE_PATH)) && (@setcookie("admin_to", bigintval($_COOKIE['admin_to']), $TIMEOUT, COOKIE_PATH)))
334                 {
335                         // Ok, Cookie-Update done
336                         if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2"))
337                         {
338                                 // Check if action GET variable was set
339                                 $act = SQL_ESCAPE($GLOBALS['action']);
340                                 if (!empty($GLOBALS['what'])) {
341                                         // Get action value by what-value
342                                         $act = GET_ACTION("admin", $GLOBALS['what']);
343                                 }
344
345                                 // Check for access control line of current menu entry
346                                 define('__ACL_ALLOW', ADMINS_CHECK_ACL($act, $GLOBALS['what']));
347                         }
348                          else
349                         {
350                                 // Extension not installed so it's always allowed to access everywhere!
351                                 define('__ACL_ALLOW', true);
352                         }
353
354                         // When type of admin menu is not set fallback to old menu system
355                         if (empty($_CONFIG['admin_menu'])) $_CONFIG['admin_menu'] = "OLD";
356
357                         // Check for version and switch between old menu system and new "intelligent menu system"
358                         if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (file_exists(PATH."inc/modules/admin/la_sys-inc.php")))
359                         {
360                                 // Default area is the entrance, of course
361                                 $area = "entrance";
362
363                                 // Check for similar URL variable
364                                 if (!empty($_GET['area'])) $area = $_GET['area'];
365
366                                 // Load "logical-area menu-system" file
367                                 require_once(PATH."inc/modules/admin/la_sys-inc.php");
368
369                                 // Create new-style menu system will "logical areas"
370                                 ADMIN_LOGICAL_AREA_SYSTEM($area, $act, $GLOBALS['what']);
371                         }
372                          else
373                         {
374                                 // This little call constructs the whole default old and lacky menu system
375                                 // on left side
376                                 ADMIN_DO_ACTION($GLOBALS['what']);
377                         }
378                 }
379                  else
380                 {
381                         // Login failed (cookies enabled?)
382                         OUTPUT_HTML("<STRONG class=\"admin_fatal\">".ADMIN_LOGIN_FAILED."</STRONG>");
383                         ADD_FATAL(CANNOT_RE_REGISTER_SESS);
384                 }
385                 break;
386
387         case "404": // Administrator login not found
388                 $_POST['ok'] = $ret;
389                 ADD_FATAL(ADMIN_NOT_FOUND);
390                 break;
391
392         case "pass": // Wrong password
393                 $_POST['ok'] = $ret;
394                 ADD_FATAL(WRONG_PASS);
395                 break;
396         }
397 }
398
399 if (admin_registered)
400 {
401         // Check config.php and inc directory for right access rights
402         if (is_INCWritable("config"))     ADD_FATAL(FATAL_CONFIG_WRITABLE);
403         if (is_INCWritable("dummy"))      ADD_FATAL(FATAL_INC_WRITABLE);
404 }
405 //
406 ?>