Startsida Utforska Hjälp
Logga in
fusionpbx
/
fusionpbx-framework
spegling av https://github.com/fusionpbx/fusionpbx-framework.git
2
0
Fork 0
Filer Ärenden 0 Wiki
Träd: 18e8a5c9e2
Grenar Taggar
fusionpbx-frame...
/
resources
/
check_auth.php

check_auth.php 10 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 
  1. <?php
    2. 

  2. /*
    3. 

  3. 	FusionPBX
    4. 

  4. 	Version: MPL 1.1
    5. 

  5. 

  6. 	The contents of this file are subject to the Mozilla Public License Version
    7. 

  7. 	1.1 (the "License"); you may not use this file except in compliance with
    8. 

  8. 	the License. You may obtain a copy of the License at
    9. 

  9. 	http://www.mozilla.org/MPL/
    10. 

  10. 

  11. 	Software distributed under the License is distributed on an "AS IS" basis,
    12. 

  12. 	WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
    13. 

  13. 	for the specific language governing rights and limitations under the
    14. 

  14. 	License.
    15. 

  15. 

  16. 	The Original Code is FusionPBX
    17. 

  17. 

  18. 	The Initial Developer of the Original Code is
    19. 

  19. 	Mark J Crane <[email protected]>
    20. 

  20. 	Portions created by the Initial Developer are Copyright (C) 2008-2019
    21. 

  21. 	the Initial Developer. All Rights Reserved.
    22. 

  22. 

  23. 	Contributor(s):
    24. 

  24. 	Mark J Crane <[email protected]>
    25. 

  25. */
    26. 

  26. //includes
    27. 

  27. 	require_once "resources/require.php";
    28. 

  28. 

  29. //add multi-lingual support
    30. 

  30. 	$language = new text;
    31. 

  31. 	$text = $language->get(null, 'resources');
    32. 

  32. 

  33. //for compatibility require this library if less than version 5.5
    34. 

  34. 	if (version_compare(phpversion(), '5.5', '<')) {
    35. 

  35. 		require_once "resources/functions/password.php";
    36. 

  36. 	}
    37. 

  37. 

  38. //start the session
    39. 

  39. 	ini_set("session.use_only_cookies", True);
    40. 

  40. 	ini_set("session.cookie_httponly", True);
    41. 

  41. 	if ($_SERVER["HTTPS"] == "on") { ini_set("session.cookie_secure", True); }
    42. 

  42. 	if (!isset($_SESSION)) { session_start(); }
    43. 

  43. 

  44. //define variables
    45. 

  45. 	if (!isset($_SESSION['login']['destination']['url'])) { $_SESSION['login']['destination']['url'] = null; }
    46. 

  46. 	if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }
    47. 

  47. 

  48. //if the username is not provided then send to login.php
    49. 

  49. 	if (strlen($_SESSION['username']) == 0 && strlen($_REQUEST["username"]) == 0 && strlen($_REQUEST["key"]) == 0) {
    50. 

  50. 		$target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["REQUEST_URI"];
    51. 

  51. 		header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path));
    52. 

  52. 		exit;
    53. 

  53. 	}
    54. 

  54. 

  55. //if the username session is not set the check username and password
    56. 

  56. 	if (strlen($_SESSION['username']) == 0) {
    57. 

  57. 

  58. 		//clear the menu
    59. 

  59. 			unset($_SESSION["menu"]);
    60. 

  60. 

  61. 		//clear the template only if the template has not been assigned by the superadmin
    62. 

  62. 			if (strlen($_SESSION['domain']['template']['name']) == 0) {
    63. 

  63. 				$_SESSION["template_content"] = '';
    64. 

  64. 			}
    65. 

  65. 

  66. 		//validate the username and password
    67. 

  67. 			$auth = new authentication;
    68. 

  68. 			if (isset($_REQUEST["username"]) && isset($_REQUEST["password"])) {
    69. 

  69. 				$auth->username = $_REQUEST["username"];
    70. 

  70. 				$auth->password = $_REQUEST["password"];
    71. 

  71. 			}
    72. 

  72. 			if (isset($_REQUEST["key"])) {
    73. 

  73. 				$auth->key = $_REQUEST["key"];
    74. 

  74. 			}
    75. 

  75. 			$auth->debug = false;
    76. 

  76. 			$result = $auth->validate();
    77. 

  77. 			if ($result["authorized"] == "true") {
    78. 

  78. 				//set the session variables
    79. 

  79. 					$_SESSION["domain_uuid"] = $result["domain_uuid"];
    80. 

  80. 					$_SESSION["user_uuid"] = $result["user_uuid"];
    81. 

  81. 

  82. 				//user session array
    83. 

  83. 					$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
    84. 

  84. 					$_SESSION["user"]["user_uuid"] = $result["user_uuid"];
    85. 

  85. 					$_SESSION["user"]["username"] = $result["username"];
    86. 

  86. 					$_SESSION["user"]["contact_uuid"] = $result["contact_uuid"];
    87. 

  87. 			}
    88. 

  88. 			else {
    89. 

  89. 				//debug
    90. 

  90. 					if ($debug) {
    91. 

  91. 						echo "<pre>";
    92. 

  92. 						print_r($result);
    93. 

  93. 						echo "</pre>";
    94. 

  94. 						exit;
    95. 

  95. 					}
    96. 

  96. 

  97. 				//log the failed auth attempt to the system, to be available for fail2ban.
    98. 

  98. 					openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
    99. 

  99. 					syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
    100. 

  100. 					closelog();
    101. 

  101. 

  102. 				//redirect the user to the login page
    103. 

  103. 					$target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];
    104. 

  104. 					message::add($text['message-invalid_credentials'], 'negative');
    105. 

  105. 					header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path));
    106. 

  106. 					exit;
    107. 

  107. 			}
    108. 

  108. 

  109. 		//get the groups assigned to the user and then set the groups in $_SESSION["groups"]
    110. 

  110. 			$sql = "select u.user_group_uuid, u.domain_uuid, u.user_uuid, u.group_uuid, g.group_name, g.group_level ";
    111. 

  111. 			$sql .= "from v_user_groups as u, v_groups as g  ";
    112. 

  112. 			$sql .= "where u.domain_uuid = :domain_uuid ";
    113. 

  113. 			$sql .= "and u.user_uuid = :user_uuid ";
    114. 

  114. 			$sql .= "and u.group_uuid = g.group_uuid ";
    115. 

  115. 			$prep_statement = $db->prepare($sql);
    116. 

  116. 			$prep_statement->bindParam(':domain_uuid', $_SESSION["domain_uuid"] );
    117. 

  117. 			$prep_statement->bindParam(':user_uuid', $_SESSION["user_uuid"]);
    118. 

  118. 			$prep_statement->execute();
    119. 

  119. 			$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
    120. 

  120. 			$_SESSION["groups"] = $result;
    121. 

  121. 			$_SESSION["user"]["groups"] = $result;
    122. 

  122. 			unset($sql, $row_count, $prep_statement);
    123. 

  123. 

  124. 		//get the users group level
    125. 

  125. 			$_SESSION["user"]["group_level"] = 0;
    126. 

  126. 			foreach ($_SESSION['user']['groups'] as $row) {
    127. 

  127. 				if ($_SESSION["user"]["group_level"] < $row['group_level']) {
    128. 

  128. 					$_SESSION["user"]["group_level"] = $row['group_level'];
    129. 

  129. 				}
    130. 

  130. 			}
    131. 

  131. 

  132. 		//get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions']
    133. 

  133. 			if (count($_SESSION["groups"]) > 0) {
    134. 

  134. 				$x = 0;
    135. 

  135. 				$sql = "select distinct(permission_name) from v_group_permissions ";
    136. 

  136. 				foreach($_SESSION["groups"] as $field) {
    137. 

  137. 					if (strlen($field['group_name']) > 0) {
    138. 

  138. 						if ($x == 0) {
    139. 

  139. 							$sql .= "where (domain_uuid = '".$_SESSION["domain_uuid"]."' and domain_uuid = null) ";
    140. 

  140. 						}
    141. 

  141. 						else {
    142. 

  142. 							$sql .= "or (domain_uuid = '".$_SESSION["domain_uuid"]."' and domain_uuid = null) ";
    143. 

  143. 						}
    144. 

  144. 						$sql .= "or group_name = '".$field['group_name']."' ";
    145. 

  145. 						$x++;
    146. 

  146. 					}
    147. 

  147. 				}
    148. 

  148. 				$prep_statement_sub = $db->prepare($sql);
    149. 

  149. 				$prep_statement_sub->execute();
    150. 

  150. 				$result = $prep_statement_sub->fetchAll(PDO::FETCH_NAMED);
    151. 

  151. 				if (is_array($result)) {
    152. 

  152. 					foreach ($result as $row) {
    153. 

  153. 						$_SESSION['permissions'][$row["permission_name"]] = true;
    154. 

  154. 						$_SESSION["user"]["permissions"][$row["permission_name"]] = true;
    155. 

  155. 					}
    156. 

  156. 				}
    157. 

  157. 				unset($sql, $prep_statement_sub);
    158. 

  158. 			}
    159. 

  159. 

  160. 		//get the user settings
    161. 

  161. 			$sql = "select * from v_user_settings ";
    162. 

  162. 			$sql .= "where domain_uuid = '" . $_SESSION["domain_uuid"] . "' ";
    163. 

  163. 			$sql .= "and user_uuid = '" . $_SESSION["user_uuid"] . "' ";
    164. 

  164. 			$sql .= "and user_setting_enabled = 'true' ";
    165. 

  165. 			$prep_statement = $db->prepare($sql);
    166. 

  166. 			if ($prep_statement) {
    167. 

  167. 				$prep_statement->execute();
    168. 

  168. 				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
    169. 

  169. 				foreach ($result as $row) {
    170. 

  170. 					$name = $row['user_setting_name'];
    171. 

  171. 					$category = $row['user_setting_category'];
    172. 

  172. 					$subcategory = $row['user_setting_subcategory'];
    173. 

  173. 					if (strlen($row['user_setting_value']) > 0) {
    174. 

  174. 						if (strlen($subcategory) == 0) {
    175. 

  175. 							//$$category[$name] = $row['domain_setting_value'];
    176. 

  176. 							if ($name == "array") {
    177. 

  177. 								$_SESSION[$category][] = $row['user_setting_value'];
    178. 

  178. 							}
    179. 

  179. 							else {
    180. 

  180. 								$_SESSION[$category][$name] = $row['user_setting_value'];
    181. 

  181. 							}
    182. 

  182. 						} else {
    183. 

  183. 							//$$category[$subcategory][$name] = $row['domain_setting_value'];
    184. 

  184. 							if ($name == "array") {
    185. 

  185. 								$_SESSION[$category][$subcategory][] = $row['user_setting_value'];
    186. 

  186. 							}
    187. 

  187. 							else {
    188. 

  188. 								$_SESSION[$category][$subcategory][$name] = $row['user_setting_value'];
    189. 

  189. 							}
    190. 

  190. 						}
    191. 

  191. 					}
    192. 

  192. 				}
    193. 

  193. 			}
    194. 

  194. 

  195. 		//get the extensions that are assigned to this user
    196. 

  196. 			if (file_exists($_SERVER["PROJECT_ROOT"]."/app/extensions/app_config.php")) {
    197. 

  197. 				if (isset($_SESSION["user"]) && isset($_SESSION["user_uuid"]) && $db && strlen($_SESSION["domain_uuid"]) > 0 && strlen($_SESSION["user_uuid"]) > 0 && count($_SESSION['user']['extension']) == 0) {
    198. 

  198. 					//get the user extension list
    199. 

  199. 						$_SESSION['user']['extension'] = null;
    200. 

  200. 						$sql = "select ";
    201. 

  201. 						$sql .= "	e.extension_uuid, ";
    202. 

  202. 						$sql .= "	e.extension, ";
    203. 

  203. 						$sql .= "	e.number_alias, ";
    204. 

  204. 						$sql .= "	e.user_context, ";
    205. 

  205. 						$sql .= "	e.outbound_caller_id_name, ";
    206. 

  206. 						$sql .= "	e.outbound_caller_id_number, ";
    207. 

  207. 						$sql .= "	e.description ";
    208. 

  208. 						$sql .= "from ";
    209. 

  209. 						$sql .= "	v_extension_users as u, ";
    210. 

  210. 						$sql .= "	v_extensions as e ";
    211. 

  211. 						$sql .= "where ";
    212. 

  212. 						$sql .= "	e.domain_uuid = '".$_SESSION['domain_uuid']."' ";
    213. 

  213. 						$sql .= "	and e.extension_uuid = u.extension_uuid ";
    214. 

  214. 						$sql .= "	and u.user_uuid = '".$_SESSION['user_uuid']."' ";
    215. 

  215. 						$sql .= "	and e.enabled = 'true' ";
    216. 

  216. 						$sql .= "order by ";
    217. 

  217. 						$sql .= "	e.extension asc ";
    218. 

  218. 						$query = $db->query($sql);
    219. 

  219. 						if($query !== false) {
    220. 

  220. 							$result = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    221. 

  221. 							$x = 0;
    222. 

  222. 							foreach($result as $row) {
    223. 

  223. 								//set the destination
    224. 

  224. 								$destination = $row['extension'];
    225. 

  225. 								if (strlen($row['number_alias']) > 0) {
    226. 

  226. 									$destination = $row['number_alias'];
    227. 

  227. 								}
    228. 

  228. 

  229. 								//build the uers array
    230. 

  230. 								$_SESSION['user']['extension'][$x]['user'] = $row['extension'];
    231. 

  231. 								$_SESSION['user']['extension'][$x]['number_alias'] = $row['number_alias'];
    232. 

  232. 								$_SESSION['user']['extension'][$x]['destination'] = $destination;
    233. 

  233. 								$_SESSION['user']['extension'][$x]['extension_uuid'] = $row['extension_uuid'];
    234. 

  234. 								$_SESSION['user']['extension'][$x]['outbound_caller_id_name'] = $row['outbound_caller_id_name'];
    235. 

  235. 								$_SESSION['user']['extension'][$x]['outbound_caller_id_number'] = $row['outbound_caller_id_number'];
    236. 

  236. 								$_SESSION['user']['extension'][$x]['user_context'] = $row['user_context'];
    237. 

  237. 								$_SESSION['user']['extension'][$x]['description'] = $row['description'];
    238. 

  238. 

  239. 								//set the user context
    240. 

  240. 								$_SESSION['user']['user_context'] = $row["user_context"];
    241. 

  241. 								$_SESSION['user_context'] = $row["user_context"];
    242. 

  242. 								$x++;
    243. 

  243. 							}
    244. 

  244. 						}
    245. 

  245. 				}
    246. 

  246. 			}
    247. 

  247. 

  248. 		//redirect the user
    249. 

  249. 			if (check_str($_REQUEST["rdr"]) !== 'n'){
    250. 

  250. 				$path = check_str($_POST["path"]);
    251. 

  251. 				if (isset($path) && !empty($path) && $path!="index2.php" && $path!="/install.php") {
    252. 

  252. 					header("Location: ".$path);
    253. 

  253. 					exit();
    254. 

  254. 				}
    255. 

  255. 				else if ($_SESSION['login']['destination']['url'] != '') {
    256. 

  256. 					header("Location: ".$_SESSION['login']['destination']['url']);
    257. 

  257. 					exit();
    258. 

  258. 				}
    259. 

  259. 			}
    260. 

  260. 

  261. 		//get the domains
    262. 

  262. 			if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){
    263. 

  263. 				require_once "app/domains/resources/domains.php";
    264. 

  264. 			}
    265. 

  265. 

  266. 	}
    267. 

  267. 

  268. //set the time zone
    269. 

  269. 	if (!isset($_SESSION["time_zone"]["user"])) { $_SESSION["time_zone"]["user"] = null; }
    270. 

  270. 	if (strlen($_SESSION["time_zone"]["user"]) == 0) {
    271. 

  271. 		//set the domain time zone as the default time zone
    272. 

  272. 		date_default_timezone_set($_SESSION['domain']['time_zone']['name']);
    273. 

  273. 	}
    274. 

  274. 	else {
    275. 

  275. 		//set the user defined time zone
    276. 

  276. 		date_default_timezone_set($_SESSION["time_zone"]["user"]);
    277. 

  277. 	}
    278. 

  278. 

  279. //hide the path unless logged in as a superadmin.
    280. 

  280. 	if (!if_group("superadmin")) {
    281. 

  281. 		$v_path_show = false;
    282. 

  282. 	}
    283. 

  283. 

  284. ?>
    285.