diff --git a/pandora_console/index.php b/pandora_console/index.php index 1a0f617f4c..fa99a340b3 100755 --- a/pandora_console/index.php +++ b/pandora_console/index.php @@ -36,7 +36,7 @@ if ($develop_bypass != 1) { exit; } } - + if (filesize("include/config.php") == 0) { include ("install.php"); exit; @@ -99,7 +99,7 @@ if (!empty ($config["https"]) && empty ($_SERVER['HTTPS'])) { if (sizeof ($_REQUEST)) //Some (old) browsers don't like the ?&key=var $query .= '?1=1'; - + //We don't clean these variables up as they're only being passed along foreach ($_GET as $key => $value) { if ($key == 1) @@ -110,11 +110,11 @@ if (!empty ($config["https"]) && empty ($_SERVER['HTTPS'])) { $query .= '&'.$key.'='.$value; } $url = ui_get_full_url($query); - + // Prevent HTTP response splitting attacks // http://en.wikipedia.org/wiki/HTTP_response_splitting $url = str_replace ("\n", "", $url); - + header ('Location: '.$url); exit; //Always exit after sending location headers } @@ -140,10 +140,10 @@ echo '<head>' . "\n"; //This starts the page head. In the call back function, things from $page['head'] array will be processed into the head ob_start ('ui_process_page_head'); -// Enterprise main +// Enterprise main enterprise_include ('index.php'); -// This tag is included in the buffer passed to ui_process_page_head so +// This tag is included in the buffer passed to ui_process_page_head so // technically it can be stripped echo '</head>' . "\n"; @@ -165,12 +165,12 @@ $process_login = false; $change_pass = get_parameter_post('renew_password', 0); if ($change_pass == 1) { - + $password_old = (string) get_parameter_post ('old_password', ''); $password_new = (string) get_parameter_post ('new_password', ''); $password_confirm = (string) get_parameter_post ('confirm_new_password', ''); $id = (string) get_parameter_post ('login', ''); - + $changed_pass = login_update_password_check ($password_old, $password_new, $password_confirm, $id); } 
@@ -188,40 +188,40 @@ if (strlen($search) > 0) { if (! isset ($config['id_user'])) { if (isset ($_GET["login"])) { include_once('include/functions_db.php'); //Include it to use escape_string_sql function - + $config["auth_error"] = ""; //Set this to the error message from the authorization mechanism $nick = get_parameter_post ("nick"); //This is the variable with the login $pass = get_parameter_post ("pass"); //This is the variable with the password $nick = db_escape_string_sql($nick); $pass = db_escape_string_sql($pass); - + //Since now, only the $pass variable are needed unset ($_GET['pass'], $_POST['pass'], $_REQUEST['pass']); - + // If the auth_code exists, we assume the user has come through the double auth page if (isset ($_POST['auth_code'])) { $double_auth_success = false; - + // The double authentication is activated and the user has surpassed the first step (the login). // Now the authentication code provided will be checked. if (isset ($_SESSION['prepared_login_da'])) { if (isset ($_SESSION['prepared_login_da']['id_user']) && isset ($_SESSION['prepared_login_da']['timestamp'])) { - + // The user has a maximum of 5 minutes to introduce the double auth code $dauth_period = SECONDS_2MINUTES; $now = time(); $dauth_time = $_SESSION['prepared_login_da']['timestamp']; - + if ($now - $dauth_period < $dauth_time) { // Nick $nick = $_SESSION["prepared_login_da"]['id_user']; // Code $code = (string) get_parameter_post ("auth_code"); - + if (!empty($code)) { $result = validate_double_auth_code($nick, $code); - + if ($result === true) { // Double auth success $double_auth_success = true; @@ -231,7 +231,7 @@ if (! isset ($config['id_user'])) { $login_screen = 'double_auth'; // Error message $config["auth_error"] = __("Invalid code"); - + if (!isset($_SESSION['prepared_login_da']['attempts'])) $_SESSION['prepared_login_da']['attempts'] = 0; $_SESSION['prepared_login_da']['attempts']++; 
@@ -242,7 +242,7 @@ if (! isset ($config['id_user'])) { $login_screen = 'double_auth'; // Error message $config["auth_error"] = __("The code shouldn't be empty"); - + if (!isset($_SESSION['prepared_login_da']['attempts'])) $_SESSION['prepared_login_da']['attempts'] = 0; $_SESSION['prepared_login_da']['attempts']++; @@ -251,7 +251,7 @@ if (! isset ($config['id_user'])) { else { // Expired login unset ($_SESSION['prepared_login_da']); - + // Error message $config["auth_error"] = __('Expired login'); } @@ -259,7 +259,7 @@ if (! isset ($config['id_user'])) { else { // If the code doesn't exist, remove the prepared login unset ($_SESSION['prepared_login_da']); - + // Error message $config["auth_error"] = __('Login error'); } @@ -269,10 +269,10 @@ if (! isset ($config['id_user'])) { // Error message $config["auth_error"] = __('Login error'); } - + // Remove the authenticator code unset ($_POST['auth_code'], $code); - + if (!$double_auth_success) { $login_failed = true; require_once ('general/login_page.php'); @@ -288,15 +288,10 @@ if (! isset ($config['id_user'])) { $nick_in_db = $_SESSION["prepared_login_da"]['id_user']; $expired_pass = false; } - else if (($config['auth'] == 'saml') && $login_button_saml) { - if (is_user_admin($nick)) { - $nick_in_db = $nick; - } - else { - include_once(ENTERPRISE_DIR . "/include/auth/saml.php"); - $saml_user_id = saml_process_user_login(); - $nick_in_db = $saml_user_id; - } + else if (($config['auth'] == 'saml') && $login_button_saml && !is_user_admin($nick)) { + include_once(ENTERPRISE_DIR . "/include/auth/saml.php"); + $saml_user_id = saml_process_user_login(); + $nick_in_db = $saml_user_id; } else { // process_user_login is a virtual function which should be defined in each auth file. 
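Review bot: `$expired_pass` is still never assigned in the SAML branch, while both sibling branches set it explicitly (`$expired_pass = false;` in the prepared_login_da branch just above, and again in the `process_user_login` branch in the next hunk), so the later `if (($nick_in_db !== false) && $expired_pass)` check reads an undefined variable for SAML logins unless it is initialised above this hunk, which is not visible here. Adding `$expired_pass = false;` after `$nick_in_db = $saml_user_id;` keeps the three branches consistent and makes the intended "no expiry check for SAML users" explicit. The reason admins are now excluded from the SAML path deserves a comment on the condition, e.g. `// Admin accounts are never authenticated via SAML; they must pass the local credential check in the else branch below.`, since the single-line condition hides the intent. It is also worth confirming that `saml_process_user_login()` returns `false` on failure, as the `!== false` checks further down rely on that contract. The enclosing `if (! isset ($config['id_user']))` block starts and ends outside this hunk.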
@@ -304,27 +299,27 @@ if (! isset ($config['id_user'])) { // The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it // process_user_login should return false in case of errors or invalid login, the nickname if correct $nick_in_db = process_user_login ($nick, $pass); - + $expired_pass = false; - + if (($nick_in_db != false) && ((!is_user_admin($nick) || $config['enable_pass_policy_admin'])) && (defined('PANDORA_ENTERPRISE')) && ($config['enable_pass_policy'])) { include_once(ENTERPRISE_DIR . "/include/auth/mysql.php"); - + $blocked = login_check_blocked($nick); - + if ($blocked) { require_once ('general/login_page.php'); db_pandora_audit("Password expired", "Password expired: ".$nick, $nick); while (@ob_end_flush ()); exit ("</html>"); } - + //Checks if password has expired $check_status = check_pass_status($nick, $pass); - + switch ($check_status) { case PASSSWORD_POLICIES_FIRST_CHANGE: //first change case PASSSWORD_POLICIES_EXPIRED: //pass expired @@ -334,10 +329,10 @@ if (! isset ($config['id_user'])) { } } } - + if (($nick_in_db !== false) && $expired_pass) { //login ok and password has expired - + require_once ('general/login_page.php'); db_pandora_audit("Password expired", "Password expired: " . $nick, $nick); @@ -346,7 +341,7 @@ if (! isset ($config['id_user'])) { } else if (($nick_in_db !== false) && (!$expired_pass)) { //login ok and password has not expired - + // Double auth check if ((!isset ($double_auth_success) || !$double_auth_success) && is_double_auth_enabled($nick_in_db)) { // Store this values in the session to know if the user login was correct 
@@ -355,24 +350,24 @@ if (! isset ($config['id_user'])) { 'timestamp' => time(), 'attempts' => 0 ); - + // Load the page to introduce the double auth code $login_screen = 'double_auth'; require_once ('general/login_page.php'); while (@ob_end_flush ()); exit ("</html>"); } - + //login ok and password has not expired $process_login = true; - + echo "<script type='text/javascript'>var process_login_ok = 1;</script>"; - + if (!isset($_GET["sec2"]) && !isset($_GET["sec"])) { // Avoid the show homepage when the user go to // a specific section of pandora // for example when timeout the sesion - + unset ($_GET["sec2"]); $_GET["sec"] = "general/logon_ok"; $home_page =''; @@ -424,24 +419,24 @@ if (! isset ($config['id_user'])) { $_GET["sec"] = "general/logon_ok"; } } - + } - + db_logon ($nick_in_db, $_SERVER['REMOTE_ADDR']); $_SESSION['id_usuario'] = $nick_in_db; $config['id_user'] = $nick_in_db; - + //========================================================== //-------- SET THE CUSTOM CONFIGS OF USER ------------------ - + config_user_set_custom_config(); //========================================================== - + //Remove everything that might have to do with people's passwords or logins unset ($pass, $login_good); - + $user_language = get_user_language($config['id_user']); - + $l10n = NULL; if (file_exists ('./include/languages/' . $user_language . '.mo')) { $l10n = new gettext_reader (new CachedFileReader ('./include/languages/'.$user_language.'.mo')); @@ -450,11 +445,11 @@ if (! isset ($config['id_user'])) { } else { //login wrong $blocked = false; - + if ((!is_user_admin($nick) || $config['enable_pass_policy_admin']) && defined('PANDORA_ENTERPRISE')) { $blocked = login_check_blocked($nick); } - + if (!$blocked) { if (defined('PANDORA_ENTERPRISE')) { login_check_failed($nick); //Checks failed attempts 
@@ -477,7 +472,7 @@ if (! isset ($config['id_user'])) { elseif (isset ($_GET["loginhash"])) { $loginhash_data = get_parameter("loginhash_data", ""); $loginhash_user = str_rot13(get_parameter("loginhash_user", "")); - + if ($config["loginhash_pwd"] != "" && $loginhash_data == md5($loginhash_user.io_output_password($config["loginhash_pwd"]))) { db_logon ($loginhash_user, $_SERVER['REMOTE_ADDR']); $_SESSION['id_usuario'] = $loginhash_user; @@ -530,12 +525,12 @@ extensions_load_extensions ($process_login); if ($process_login) { /* Call all extensions login function */ extensions_call_login_function (); - + unset($_SESSION['new_update']); - + require_once("include/functions_update_manager.php"); enterprise_include_once("include/functions_update_manager.php"); - + if ($config["autoupdate"] == 1) { if (enterprise_installed()) { $result = update_manager_check_online_enterprise_packages_available(); @@ -545,12 +540,12 @@ if ($process_login) { } if ($result) $_SESSION['new_update'] = 'new'; - + } - + //Set the initial global counter for chat. users_get_last_global_counter('session'); - + $config['logged'] = true; } //---------------------------------------------------------------------- @@ -564,7 +559,7 @@ if (isset($_SERVER['HTTP_REFERER'])) $chunks = explode('?', $old_page); if (count($chunks) == 2) { $chunks = explode('&', $chunks[1]); - + foreach ($chunks as $chunk) { if (strstr($chunk, 'sec=') !== false) { $old_sec = str_replace('sec=', '', $chunk); @@ -599,15 +594,15 @@ if ($old_global_counter_chat != $now_global_counter_chat) { if (get_parameter ('login', 0) !== 0) { // Display news dialog include_once("general/news_dialog.php"); - + // Display login help info dialog // If it's configured to not skip this if (!isset($config['skip_login_help_dialog']) || $config['skip_login_help_dialog'] == 0) { - + include_once("general/login_help_dialog.php"); } - + } // Header 
@@ -643,7 +638,7 @@ if ($searchPage) { } else { if ($page != "") { - + $main_sec = get_sec($sec); if ($main_sec == false) { if ($sec == 'extensions') @@ -657,19 +652,19 @@ else { $sec2 = ''; } $page .= '.php'; - + // Enterprise ACL check if (enterprise_hook ('enterprise_acl', array ($config['id_user'], $main_sec, $sec, true,$sec2)) == false) { - + require ("general/noaccess.php"); - + } else { $sec = $main_sec; if (file_exists ($page)) { if (! extensions_is_extension ($page)) { - + require_once($page); } else { @@ -678,12 +673,12 @@ else { else extensions_call_main_function (basename ($page)); } - } + } else { ui_print_error_message(__('Sorry! I can\'t find the page!')); } } - } + } else { //home screen chosen by the user $home_page =''; @@ -692,9 +687,9 @@ else { $home_page = io_safe_output($user_info['section']); $home_url = $user_info['data_section']; } - - - + + + if ($home_page != '') { switch ($home_page) { case 'Event list': @@ -726,7 +721,7 @@ else { if (($home_url == '') || ($id_visualc == false)) { $str = 'sec=visualc&sec2=operation/visual_console/index&refr=60'; } - else + else $str = 'sec=visualc&sec2=operation/visual_console/render_view&id='.$id_visualc .'&refr=60'; parse_str($str, $res); foreach ($res as $key => $param) { @@ -742,7 +737,7 @@ else { } if (isset($_GET['sec2'])) { $file = $_GET['sec2'] . '.php'; - + if (!file_exists ($file)) { unset($_GET['sec2']); require('general/logon_ok.php'); @@ -803,15 +798,15 @@ require('include/php_to_js_values.php'); <script type="text/javascript" language="javascript"> //Initial load of page $(document).ready(adjustFooter); - + //Every resize of window $(window).resize(adjustFooter); - + //Every show/hide call may need footer re-layout (function() { var oShow = jQuery.fn.show; var oHide = jQuery.fn.hide; - + jQuery.fn.show = function () { var rv = oShow.apply(this, arguments); adjustFooter(); 
@@ -823,7 +818,7 @@ require('include/php_to_js_values.php'); return rv; }; })(); - + //Dynamically assign footer position and width. function adjustFooter() { /*