addslashes() did escape also single quotes (') which breaks some banner rotation...

[mailer.git] / inc / modules / admin.php

<?php
/************************************************************************
 * MXChange v0.2.1                                    Start: 08/31/2003 *
 * ===============                              Last change: 07/02/2004 *
 *                                                                      *
 * -------------------------------------------------------------------- *
 * File              : admin.php                                        *
 * -------------------------------------------------------------------- *
 * Short description : Administration module                            *
 * -------------------------------------------------------------------- *
 * Kurzbeschreibung  : Administrationsmodul                             *
 * -------------------------------------------------------------------- *
 * $Revision::                                                        $ *
 * $Date::                                                            $ *
 * $Tag:: 0.2.1-FINAL                                                 $ *
 * $Author::                                                          $ *
 * Needs to be in all Files and every File needs "svn propset           *
 * svn:keywords Date Revision" (autoprobset!) at least!!!!!!            *
 * -------------------------------------------------------------------- *
 * Copyright (c) 2003 - 2009 by Roland Haeder                           *
 * For more information visit: http://www.mxchange.org                  *
 *                                                                      *
 * This program is free software; you can redistribute it and/or modify *
 * it under the terms of the GNU General Public License as published by *
 * the Free Software Foundation; either version 2 of the License, or    *
 * (at your option) any later version.                                  *
 *                                                                      *
 * This program is distributed in the hope that it will be useful,      *
 * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
 * GNU General Public License for more details.                         *
 *                                                                      *
 * You should have received a copy of the GNU General Public License    *
 * along with this program; if not, write to the Free Software          *
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
 * MA  02110-1301  USA                                                  *
 ************************************************************************/

// Some security stuff...
if (!defined('__SECURITY')) {
        die();
} // END - if

// Load include file
loadIncludeOnce('inc/modules/admin/admin-inc.php');

// Fix "deleted" cookies in PHP4 (PHP5 does remove them, PHP4 sets them to deleted!)
fixDeletedCookies(array('admin_login', 'admin_md5', 'admin_last', 'admin_to'));

// Init return value
$ret = 'init';

// Is no admin registered?
if (!isAdminRegistered()) {
        // Admin is not registered so we have to inform the user
        if ((isFormSent()) && ((!isPostRequestElementSet('login')) || (!isPostRequestElementSet('pass')) || (strlen(postRequestElement('pass')) < 4))) {
                setRequestPostElement('ok', '***');
        } // END - if

        if ((isFormSent()) && (postRequestElement('ok') != '***')) {
                // Hash the password with the old function because we are here in install mode
                $hashedPass = md5(postRequestElement('pass'));

                // Kill maybe existing session variables
                destroyAdminSession(false);

                // Do registration
                $ret = addAdminAccount(postRequestElement('login'), $hashedPass, getConfig('WEBMASTER'));

                // Check if registration wents fine
                switch ($ret) {
                        case 'done':
                                $done = changeDataInFile(getConfig('CACHE_PATH') . 'config-local.php', 'ADMIN-SETUP', "setConfigEntry('ADMIN_REGISTERED', '", "');", 'Y', 0);
                                if ($done === true) {
                                        // Registering is done
                                        redirectToUrl('modules.php?module=admin&amp;register=done');
                                } else {
                                        $ret = getMessage('ADMIN_CANNOT_COMPLETE');
                                }
                                break;

                        case 'failed':
                                $ret = getMessage('ADMIN_REGISTER_FAILED');
                                break;

                        case 'already':
                        default:
                                if ($ret == 'already') {
                                        // Admin does already exists!
                                        $ret = getMessage('ADMIN_LOGIN_ALREADY_REG');
                                } else {
                                        // Any other kind will be logged and interpreted as 'done'
                                        logDebugMessage(__FILE__, __LINE__, sprintf("Unknown return code %s from ifAdminLoginDataIsValid() and interpreted as 'done'!", $ret));
                                        // @TODO Why is this set to 'done'?
                                        $ret = 'done';
                                }

                                // Admin still not registered?
                                if (!isAdminRegistered()) {
                                        // Write to config that registration is done
                                        changeDataInFile(getConfig('CACHE_PATH') . 'config-local.php', 'ADMIN-SETUP', "setConfigEntry('ADMIN_REGISTERED', '", "');", 'Y', 0);

                                        // Load URL for login
                                        redirectToUrl('admin.php');
                                } // END - if
                                break;
                } // END - switch
        }

        // Whas that action okay?
        if ($ret != 'done') {
                // Fixes another notice
                $content['login'] = '';
                if (isPostRequestElementSet('login')) {
                        $content['login'] = postRequestElement('login');
                } // END - if

                // Init array elements
                $content['login_message']   = '';
                $content['pass_message']    = '';

                // Yet-another notice-fix
                if ((isFormSent()) && (postRequestElement('ok') == '***')) {
                        // No login entered?
                        if (!isPostRequestElementSet('login')) $loginMessage = getMessage('ADMIN_NO_LOGIN');

                        // An error comes back from registration?
                        if (!empty($ret)) $loginMessage = $ret;

                        // No password entered?
                        if (!isPostRequestElementSet('pass')) $passwdMessage = getMessage('ADMIN_NO_PASS');

                        // Or password too short?
                        if (strlen(postRequestElement('pass')) < 4) $passwdMessage = getMessage('ADMIN_SHORT_PASS');

                        // Output error messages
                        $content['login_message'] = loadTemplate('admin_login_msg', true, $loginMessage);
                        $content['pass_message']  = loadTemplate('admin_login_msg', true, $passwdMessage);

                        // Reset variables
                        $loginMessage = ''; $passwdMessage = '';
                } // END - if

                // Output message in seperate template
                loadTemplate('admin_settings_saved', false, getMessage('ADMIN_NOT_REGISTERED'));

                // Load register template
                loadTemplate('admin_reg_form', false, $content);
        }
} elseif (isGetRequestElementSet('reset_pass')) {
        // Is the form submitted?
        if ((isPostRequestElementSet('send_link')) && (isPostRequestElementSet('email'))) {
                // Output result
                loadTemplate('admin_settings_saved', false, sendAdminPasswordResetLink(postRequestElement('email')));
        } elseif (isGetRequestElementSet('hash')) {
                // Output form for hash validation
                loadTemplate('admin_validate_reset_hash_form', false, getRequestElement('hash'));
        } elseif ((isPostRequestElementSet('validate_hash')) && (isPostRequestElementSet('login')) && (isPostRequestElementSet('hash'))) {
                // Validate the login data and hash
                $valid = adminResetValidateHashLogin(postRequestElement('hash'), postRequestElement('login'));

                // Valid?
                if ($valid === true) {
                        // Prepare content first
                        $content = array(
                                'hash'  => secureString(postRequestElement('hash')),
                                'login' => secureString(postRequestElement('login'))
                        );

                        // Validation okay so display form for final password change
                        loadTemplate('admin_reset_password_form', false, $content);
                } else {
                        // Cannot validate the login data and hash
                        loadTemplate('admin_settings_saved', false, getMessage('ADMIN_VALIDATION_RESET_LOGIN_HASH_FAILED'));
                }
        } elseif ((isPostRequestElementSet('reset_pass')) && (isPostRequestElementSet('hash')) && (isPostRequestElementSet('login')) && (isPostRequestElementSet('pass1')) && (postRequestElement('pass1') == postRequestElement('pass2'))) {
                // Okay, we shall the admin password here. So first revalidate the hash
                if (adminResetValidateHashLogin(postRequestElement('hash'), postRequestElement('login'))) {
                        // Output result
                        loadTemplate('admin_reset_pass_done', false, doResetAdminPassword(postRequestElement('login'), postRequestElement('pass1')));
                } else {
                        // Validation failed
                        loadTemplate('admin_settings_saved', false, getMessage('ADMIN_VALIDATION_RESET_LOGIN_HASH_FAILED2'));
                }
        } else {
                // Output reset password form
                loadTemplate('admin_send_reset_link');
        }
} elseif ((!isSessionVariableSet('admin_login')) || (!isSessionVariableSet('admin_md5')) || (!isSessionVariableSet('admin_last')) || (!isSessionVariableSet('admin_to')) || ((getSession('admin_last') + bigintval(getSession('admin_to')) * 3600 * 24) < time())) {
        // At leat one administrator account was created
        if ((isSessionVariableSet('admin_login')) && (isSessionVariableSet('admin_md5')) && (isSessionVariableSet('admin_last')) && (isSessionVariableSet('admin_to'))) {
                // Timeout for last login, we have to logout first!
                redirectToUrl('modules.php?module=admin&amp;logout=1');
        } // END - if

        if (isGetRequestElementSet('register')) {
                // Registration of first admin is done
                if (getRequestElement('register') == 'done') loadTemplate('admin_settings_saved', false, getMessage('ADMIN_REGISTER_DONE'));
        } // END - if

        // Check if the admin has submitted data or not
        if ((isFormSent()) && ((!isPostRequestElementSet('login')) || (!isPostRequestElementSet('pass')) || (strlen(postRequestElement('pass')) < 4))) {
                setRequestPostElement('ok', '***');
        } // END - if

        if ((isFormSent()) && (postRequestElement('ok') != '***')) {
                // All required data was entered so we check his account
                $ret = ifAdminLoginDataIsValid(postRequestElement('login'), postRequestElement('pass'));

                // Which status do we have?
                switch ($ret) {
                        case 'done': // Admin and password are okay, so we log in now
                                // Construct URL and redirect
                                $URL = 'modules.php?module=admin&amp;';

                                // Rewrite overview module
                                if (getWhat() == 'overview') {
                                        setAction(getModeAction(getModule(), getWhat()));
                                } // END - if

                                // Add data to URL
                                if (isWhatSet())        $URL .= 'what='.getWhat();
                                 elseif (isActionSet()) $URL .= 'action='.getAction();
                                 elseif (isGetRequestElementSet('area'))  $URL .= 'area='.getRequestElement('area');

                         // Load URL
                         redirectToUrl($URL);
                         break;

                        case '404': // Administrator login not found
                                setRequestPostElement('ok', $ret);
                                $ret = sprintf(getMessage('ADMIN_404'), postRequestElement('login'));
                                destroyAdminSession();
                                break;

                        case 'pass': // Wrong password
                                setRequestPostElement('ok', $ret);
                                $ret = '{--WRONG_PASS--} [<a href="{?URL?}/modules.php?module=admin&amp;reset_pass=1">{--ADMIN_RESET_PASS--}</a>]';
                                destroyAdminSession();
                                break;

                        default: // Others will be logged
                                logDebugMessage(__FILE__, __LINE__, sprintf("Unknown return code %s from ifAdminLoginDataIsValid()", $ret));
                                break;
                } // END - switch
        } // END - if

        // Error detected?
        if ($ret != 'done') {
                $content['login'] = '';
                if (isPostRequestElementSet('login')) {
                        $content['login'] = postRequestElement('login');
                } // END - if

                // Init array elements
                $content['login_message'] = '';
                $content['pass_message']  = '';

                if (isFormSent()) {
                        // Set messages to zero
                        $loginMessage = ''; $passwdMessage = '';

                        // No login entered?
                        if (!isPostRequestElementSet('login')) $loginMessage = getMessage('ADMIN_NO_LOGIN');

                        // An error comes back from login?
                        if ((!empty($ret)) && (postRequestElement('ok') == '404')) $loginMessage = $ret;

                        // No password entered?
                        if (!isPostRequestElementSet('pass')) $passwdMessage = getMessage('ADMIN_NO_PASS');

                        // Or password too short?
                        if (strlen(postRequestElement('pass')) < 4) $passwdMessage = getMessage('ADMIN_SHORT_PASS');

                        // An error comes back from login?
                        if ((!empty($ret)) && (postRequestElement('ok') == 'pass')) $passwdMessage = $ret;

                        // Load message template
                        $content['login_message'] = loadTemplate('admin_login_msg', true, $loginMessage);
                        $content['pass_message']  = loadTemplate('admin_login_msg', true, $passwdMessage);

                        // Reset variables
                        unset($loginMessage);
                        unset($passwdMessage);
                } // END - if

                // Load login form
                if (isWhatSet()) {
                        // Restore old what value
                        $content = merge_array($content, array('target' => 'what', 'value' => getWhat()));
                } elseif (isActionSet()) {
                        if (getAction() != 'logout') {
                                // Restore old action value
                                $content = merge_array($content, array('target' => 'action', 'value' => getAction()));
                        } else {
                                // Set default values
                                $content = merge_array($content, array('target' => 'action', 'value' => 'login'));
                        }
                } elseif (isGetRequestElementSet('area')) {
                        // Restore old area value
                        $content = merge_array($content, array('target' => 'area', 'value' => getRequestElement('area')));
                } else {
                        // Set default values
                        $content = merge_array($content, array('target' => 'action', 'value' => 'login'));
                }

                // Load login form template
                loadTemplate('admin_login_form', false, $content);
        } // END - if
} elseif (isGetRequestElementSet('logout')) {
        // Only try to remove cookies
        if (destroyAdminSession()) {
                // Load logout template
                if (isGetRequestElementSet('register')) {
                        // Secure input
                        $register = getRequestElement('register');

                        // Special logout redirect for installation of given extension
                        loadTemplate(sprintf("admin_logout_%s_install", $register));
                } elseif (isGetRequestElementSet('remove')) {
                        // Secure input
                        $remove = getRequestElement('remove');

                        // Special logout redirect for removal of given extension
                        loadTemplate(sprintf("admin_logout_%s_remove", $remove));
                } else {
                        // Logged out normally
                        loadTemplate('admin_logout');
                }
        } else {
                // Something went wrong here...
                loadTemplate('admin_settings_saved', false, '<div class="admin_fatal">{--ADMIN_LOGOUT_FAILED--}</div>');

                // Add fatal message
                addFatalMessage(__FILE__, __LINE__, getMessage('CANNOT_UNREG_SESS'));
        }
} else {
        // Maybe an Admin want's to login?
        $ret = ifAdminCookiesAreValid(getSession('admin_login'), getSession('admin_md5'));

        // Check status
        switch ($ret) {
                case 'done':
                        // Check for access control line of current menu entry
                        runFilterChain('check_admin_acl');

                        // When type of admin menu is not set fallback to old menu system
                        if (!isConfigEntrySet('admin_menu')) setConfigEntry('admin_menu', 'OLD');

                        // Check for version and switch between old menu system and new intelligent menu system
                        if ((adminGetMenuMode() == 'NEW') && (isIncludeReadable('inc/modules/admin/lasys-inc.php'))) {
                                // Default area is the entrance, of course
                                $area = 'entrance';

                                // Check for similar URL variable
                                if (isGetRequestElementSet('area')) $area = getRequestElement('area');

                                // Load logical-area menu-system file
                                loadIncludeOnce('inc/modules/admin/lasys-inc.php');

                                // Create new-style menu system will logical areas
                                doAdminLogicalArea($area, $action, getWhat());
                        } else {
                                // This little call constructs the whole default old and lacky menu system
                                // on left side. It also renders the content on right side
                                doAdminAction();
                        }
                        break;

                case '404': // Administrator login not found
                        setRequestPostElement('ok', $ret);
                        loadTemplate('admin_settings_saved', false, sprintf(getMessage('ADMIN_404'), getSession('admin_login')));
                        destroyAdminSession();
                        break;

                case 'pass': // Wrong password
                        setRequestPostElement('ok', $ret);
                        loadTemplate('admin_settings_saved', false, getMessage('WRONG_PASS'));
                        destroyAdminSession();
                        break;

                default: // Others will be logged
                        logDebugMessage(__FILE__, __LINE__, sprintf("Unknown return code %s from ifAdminCookiesAreValid()", $ret));
                        break;
        } // END - switch
}

// [EOF]
?>