crt
/
fusionpbx-ldap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Fork of FusionPBX but with LDAP kinda working
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33 Commits
1 Branch
0 Tags
28 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
fusionpbx-ldap/resources/check_auth.php

335 lines
12 KiB
Raw Permalink Normal View History

initial clone
2 years ago
  1. <?php
  2. /*
  3. FusionPBX
  4. Version: MPL 1.1
  6. The contents of this file are subject to the Mozilla Public License Version
  7. 1.1 (the "License"); you may not use this file except in compliance with
  8. the License. You may obtain a copy of the License at
  9. http://www.mozilla.org/MPL/
  11. Software distributed under the License is distributed on an "AS IS" basis,
  12. WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  13. for the specific language governing rights and limitations under the
  14. License.
  16. The Original Code is FusionPBX
  18. The Initial Developer of the Original Code is
  19. Mark J Crane <markjcrane@fusionpbx.com>
  20. Portions created by the Initial Developer are Copyright (C) 2008-2021
  21. the Initial Developer. All Rights Reserved.
  23. Contributor(s):
  24. Mark J Crane <markjcrane@fusionpbx.com>
  25. */
  27. //includes
  28. require_once "resources/require.php";
  30. //add multi-lingual support
  31. $language = new text;
  32. $text = $language->get(null, 'resources');
  34. //for compatibility require this library if less than version 5.5
  35. if (version_compare(phpversion(), '5.5', '<')) {
  36. require_once "resources/functions/password.php";
  37. }
  39. //start the session
  40. if (!isset($_SESSION)) { session_start(); }
  42. //define variables
  43. if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }
  45. //if the username is not provided then send to login.php
  46. if (strlen($_SESSION['username']) == 0 && strlen($_REQUEST["username"]) == 0 && strlen($_REQUEST["key"]) == 0) {
  47. $target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["REQUEST_URI"];
  48. header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path));
  49. exit;
  50. }
  52. //if the username session is not set the check username and password
  53. if (strlen($_SESSION['username']) == 0) {
  55. //clear the menu
  56. unset($_SESSION["menu"]);
  58. //clear the template only if the template has not been assigned by the superadmin
  59. if (strlen($_SESSION['domain']['template']['name']) == 0) {
  60. $_SESSION["template_content"] = '';
  61. }
  63. //validate the username and password
  64. $auth = new authentication;
  65. if (isset($_REQUEST["username"]) && isset($_REQUEST["password"])) {
  66. $auth->username = $_REQUEST["username"];
  67. $auth->password = $_REQUEST["password"];
  68. }
  69. if (isset($_REQUEST["key"])) {
  70. $auth->key = $_REQUEST["key"];
  71. }
  72. $auth->debug = false;
  73. $result = $auth->validate();
  74. if ($result["authorized"] === "true") {
  76. //get the user settings
  77. $sql = "select * from v_user_settings ";
  78. $sql .= "where domain_uuid = :domain_uuid ";
  79. $sql .= "and user_uuid = :user_uuid ";
  80. $sql .= "and user_setting_enabled = 'true' ";
  81. $parameters['domain_uuid'] = $result["domain_uuid"];
  82. $parameters['user_uuid'] = $result["user_uuid"];
  83. $database = new database;
  84. $user_settings = $database->select($sql, $parameters, 'all');
  85. unset($sql, $parameters);
  87. //build the user cidr array
  88. if (is_array($user_settings) && @sizeof($user_settings) != 0) {
  89. foreach ($user_settings as $row) {
  90. if ($row['user_setting_category'] == "domain" && $row['user_setting_subcategory'] == "cidr" && $row['user_setting_name'] == "array") {
  91. $cidr_array[] = $row['user_setting_value'];
  92. }
  93. }
  94. }
  96. //check to see if user address is in the cidr array
  97. if (isset($cidr_array) && !defined('STDIN')) {
  98. $found = false;
  99. foreach($cidr_array as $cidr) {
  100. if (check_cidr($cidr, $_SERVER['REMOTE_ADDR'])) {
  101. $found = true;
  102. break;
  103. }
  104. }
  105. if (!$found) {
  106. //destroy session
  107. session_unset();
  108. session_destroy();
  110. //send http 403
  111. header('HTTP/1.0 403 Forbidden', true, 403);
  113. //redirect to the root of the website
  114. header("Location: ".PROJECT_PATH."/login.php");
  116. //exit the code
  117. exit();
  118. }
  119. }
  121. //set the session variables
  122. $_SESSION["domain_uuid"] = $result["domain_uuid"];
  123. //$_SESSION["domain_name"] = $result["domain_name"];
  124. $_SESSION["user_uuid"] = $result["user_uuid"];
  125. $_SESSION["context"] = $result['domain_name'];
  127. //user session array
  128. $_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
  129. $_SESSION["user"]["domain_name"] = $result["domain_name"];
  130. $_SESSION["user"]["user_uuid"] = $result["user_uuid"];
  131. $_SESSION["user"]["username"] = $result["username"];
  132. $_SESSION["user"]["contact_uuid"] = $result["contact_uuid"];
  133. }
  134. else {
  135. //debug
  136. if ($debug) {
  137. view_array($result);
  138. }
  140. //log the failed auth attempt to the system, to be available for fail2ban.
  141. openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
  142. syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
  143. closelog();
  145. //redirect the user to the login page
  146. $target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];
  147. message::add($text['message-invalid_credentials'], 'negative');
  148. header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path));
  149. exit;
  150. }
  152. //get the groups assigned to the user and then set the groups in $_SESSION["groups"]
  153. $sql = "select ";
  154. $sql .= "u.user_group_uuid, ";
  155. $sql .= "u.domain_uuid, ";
  156. $sql .= "u.user_uuid, ";
  157. $sql .= "u.group_uuid, ";
  158. $sql .= "g.group_name, ";
  159. $sql .= "g.group_level ";
  160. $sql .= "from ";
  161. $sql .= "v_user_groups as u, ";
  162. $sql .= "v_groups as g ";
  163. $sql .= "where u.domain_uuid = :domain_uuid ";
  164. $sql .= "and u.user_uuid = :user_uuid ";
  165. $sql .= "and u.group_uuid = g.group_uuid ";
  166. $parameters['domain_uuid'] = $_SESSION["domain_uuid"];
  167. $parameters['user_uuid'] = $_SESSION["user_uuid"];
  168. $database = new database;
  169. $result = $database->select($sql, $parameters, 'all');
  170. $_SESSION["groups"] = $result;
  171. $_SESSION["user"]["groups"] = $result;
  172. unset($sql, $parameters);
  174. //get the users group level
  175. $_SESSION["user"]["group_level"] = 0;
  176. foreach ($_SESSION['user']['groups'] as $row) {
  177. if ($_SESSION["user"]["group_level"] < $row['group_level']) {
  178. $_SESSION["user"]["group_level"] = $row['group_level'];
  179. }
  180. }
  182. //get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions']
  183. if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) {
  184. $x = 0;
  185. $sql = "select distinct(permission_name) from v_group_permissions ";
  186. $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
  187. foreach ($_SESSION["groups"] as $field) {
  188. if (strlen($field['group_name']) > 0) {
  189. $sql_where_or[] = "group_name = :group_name_".$x;
  190. $parameters['group_name_'.$x] = $field['group_name'];
  191. $x++;
  192. }
  193. }
  194. if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) {
  195. $sql .= "and (".implode(' or ', $sql_where_or).") ";
  196. }
  197. $sql .= "and permission_assigned = 'true' ";
  198. $parameters['domain_uuid'] = $_SESSION["domain_uuid"];
  199. $database = new database;
  200. $result = $database->select($sql, $parameters, 'all');
  201. if (is_array($result) && @sizeof($result) != 0) {
  202. foreach ($result as $row) {
  203. $_SESSION['permissions'][$row["permission_name"]] = true;
  204. $_SESSION["user"]["permissions"][$row["permission_name"]] = true;
  205. }
  206. }
  207. unset($sql, $parameters, $result, $row);
  208. }
  210. //get the domains
  211. if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){
  212. require_once "app/domains/resources/domains.php";
  213. }
  215. //get the user settings
  216. if (is_array($user_settings) && @sizeof($user_settings) != 0) {
  217. foreach ($user_settings as $row) {
  218. $name = $row['user_setting_name'];
  219. $category = $row['user_setting_category'];
  220. $subcategory = $row['user_setting_subcategory'];
  221. if (strlen($row['user_setting_value']) > 0) {
  222. if (strlen($subcategory) == 0) {
  223. //$$category[$name] = $row['domain_setting_value'];
  224. if ($name == "array") {
  225. $_SESSION[$category][] = $row['user_setting_value'];
  226. }
  227. else {
  228. $_SESSION[$category][$name] = $row['user_setting_value'];
  229. }
  230. }
  231. else {
  232. //$$category[$subcategory][$name] = $row['domain_setting_value'];
  233. if ($name == "array") {
  234. $_SESSION[$category][$subcategory][] = $row['user_setting_value'];
  235. }
  236. else {
  237. $_SESSION[$category][$subcategory][$name] = $row['user_setting_value'];
  238. }
  239. }
  240. }
  241. }
  242. }
  243. unset($user_settings);
  245. //get the extensions that are assigned to this user
  246. if (file_exists($_SERVER["PROJECT_ROOT"]."/app/extensions/app_config.php")) {
  247. if (isset($_SESSION["user"]) && is_uuid($_SESSION["user_uuid"]) && is_uuid($_SESSION["domain_uuid"]) && !isset($_SESSION['user']['extension'])) {
  248. //get the user extension list
  249. $_SESSION['user']['extension'] = null;
  250. $sql = "select ";
  251. $sql .= "e.extension_uuid, ";
  252. $sql .= "e.extension, ";
  253. $sql .= "e.number_alias, ";
  254. $sql .= "e.user_context, ";
  255. $sql .= "e.outbound_caller_id_name, ";
  256. $sql .= "e.outbound_caller_id_number, ";
  257. $sql .= "e.description ";
  258. $sql .= "from ";
  259. $sql .= "v_extension_users as u, ";
  260. $sql .= "v_extensions as e ";
  261. $sql .= "where ";
  262. $sql .= "e.domain_uuid = :domain_uuid ";
  263. $sql .= "and e.extension_uuid = u.extension_uuid ";
  264. $sql .= "and u.user_uuid = :user_uuid ";
  265. $sql .= "and e.enabled = 'true' ";
  266. $sql .= "order by ";
  267. $sql .= "e.extension asc ";
  268. $parameters['domain_uuid'] = $_SESSION['domain_uuid'];
  269. $parameters['user_uuid'] = $_SESSION['user_uuid'];
  270. $database = new database;
  271. $result = $database->select($sql, $parameters, 'all');
  272. if (is_array($result) && @sizeof($result) != 0) {
  273. foreach($result as $x => $row) {
  274. //set the destination
  275. $destination = $row['extension'];
  276. if (strlen($row['number_alias']) > 0) {
  277. $destination = $row['number_alias'];
  278. }
  280. //build the user array
  281. $_SESSION['user']['extension'][$x]['user'] = $row['extension'];
  282. $_SESSION['user']['extension'][$x]['number_alias'] = $row['number_alias'];
  283. $_SESSION['user']['extension'][$x]['destination'] = $destination;
  284. $_SESSION['user']['extension'][$x]['extension_uuid'] = $row['extension_uuid'];
  285. $_SESSION['user']['extension'][$x]['outbound_caller_id_name'] = $row['outbound_caller_id_name'];
  286. $_SESSION['user']['extension'][$x]['outbound_caller_id_number'] = $row['outbound_caller_id_number'];
  287. $_SESSION['user']['extension'][$x]['user_context'] = $row['user_context'];
  288. $_SESSION['user']['extension'][$x]['description'] = $row['description'];
  290. //set the context
  291. $_SESSION['user']['user_context'] = $row["user_context"];
  292. $_SESSION['user_context'] = $row["user_context"];
  293. }
  294. }
  295. unset($sql, $parameters, $result, $row);
  296. }
  297. }
  299. //if logged in, redirect to login destination
  300. if (!isset($_REQUEST["key"])) {
  301. if (isset($_SESSION['redirect_path'])) {
  302. $redirect_path = $_SESSION['redirect_path'];
  303. unset($_SESSION['redirect_path']);
  304. // prevent open redirect attacks. redirect url shouldn't contain a hostname
  305. $parsed_url = parse_url($redirect_path);
  306. if ($parsed_url['host']) {
  307. die("Was someone trying to hack you?");
  308. }
  309. header("Location: ".$redirect_path);
  310. }
  311. elseif (isset($_SESSION['login']['destination']['url'])) {
  312. header("Location: ".$_SESSION['login']['destination']['url']);
  313. } elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) {
  314. header("Location: ".PROJECT_PATH."/core/dashboard/");
  315. }
  316. else {
  317. require_once "resources/header.php";
  318. require_once "resources/footer.php";
  319. }
  320. }
  322. }
  324. //set the time zone
  325. if (!isset($_SESSION["time_zone"]["user"])) { $_SESSION["time_zone"]["user"] = null; }
  326. if (strlen($_SESSION["time_zone"]["user"]) == 0) {
  327. //set the domain time zone as the default time zone
  328. date_default_timezone_set($_SESSION['domain']['time_zone']['name']);
  329. }
  330. else {
  331. //set the user defined time zone
  332. date_default_timezone_set($_SESSION["time_zone"]["user"]);
  333. }
  335. ?>