<?php
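/**
 * Session page.
 *
 * Handles the POSTed actions login / logout / changepw, and renders either the
 * login form (anonymous visitor) or the list of sessions or audit entries
 * (logged-in user). Every early exit goes through Util::redirect(), which the
 * code below assumes does not return to the caller — TODO confirm against Util.
 */
class Page_Session extends Page
{
    /**
     * Minimum accepted length of a new password. Measured with strlen(), i.e.
     * in bytes, not characters.
     */
    const MIN_PASSWORD_LENGTH = 4;

    /**
     * Dispatch on the POSTed 'action' field before anything is rendered.
     *
     * - 'login'    : try to authenticate (see handleLogin()).
     * - 'logout'   : end the current session; a no-op when not logged in.
     * - 'changepw' : verify and store a new password (see handleChangePassword()).
     * - otherwise  : only choose the page title from the GET 'show' parameter.
     */
    protected function doPreprocess()
    {
        User::load();
        $action = Request::post('action');
        if ($action === 'login') {
            $this->handleLogin();
        } elseif ($action === 'logout') {
            // Log user out (or do nothing if not logged in)
            User::logout();
        } elseif ($action === 'changepw') {
            $this->handleChangePassword();
        } else {
            // No action: only the title depends on which list is requested
            $show = Request::get('show', false, 'string');
            $titleKey = ($show === 'audit') ? 'page-title-audit-list' : 'page-title-session-list';
            Render::setTitle(Dictionary::translate($titleKey));
        }
    }

    /**
     * Process the 'login' action.
     *
     * An already authenticated user is redirected to the main page without the
     * submitted credentials being looked at. On bad credentials the response is
     * delayed by one second and answered with 403 plus a 'loginfail' message;
     * the page then continues to render (the login form is shown by doRender()).
     */
    private function handleLogin()
    {
        // Already logged in - just redirect
        if (User::isLoggedIn()) {
            Util::redirect('?do=main');
        }
        $loggedIn = User::login(
            Request::post('user'),
            Request::post('pass'),
            Request::post('fixedip', false, 'bool')
        );
        if ($loggedIn) {
            Util::redirect('?do=main');
        }
        // Wrong credentials: the fixed delay makes repeated guessing slower
        sleep(1);
        http_response_code(403);
        Message::addError('loginfail');
    }

    /**
     * Process the 'changepw' action for the logged-in user.
     *
     * Requires the current password ('old') and the new one twice ('newpass1',
     * 'newpass2'). Each failed check adds a message and redirects back to this
     * page with a matching HTTP status; wrong current password is also delayed
     * by one second. Optionally drops every other session of the user.
     */
    private function handleChangePassword()
    {
        if (!User::isLoggedIn()) {
            Util::redirect('?do=main');
        }
        // 'old' and 'newpass1' are mandatory; Request::REQUIRED is expected to
        // abort the request when they are missing - TODO confirm in Request
        $old = Request::post('old', Request::REQUIRED, 'string');
        $new = Request::post('newpass1', Request::REQUIRED, 'string');
        if (!User::testPassword(User::getId(), $old)) {
            sleep(1);
            Message::addError('wrong-password');
            Util::redirect('?do=session', 403);
        }
        // NOTE(review): strlen() counts bytes, so a multi-byte password with
        // fewer than MIN_PASSWORD_LENGTH characters can still pass - confirm intent
        if (strlen($new) < self::MIN_PASSWORD_LENGTH) {
            Message::addError('pass-too-short');
            Util::redirect('?do=session', 400);
        }
        if ($new !== Request::post('newpass2', false, 'string')) {
            Message::addError('adduser.password-mismatch');
            Util::redirect('?do=session', 400);
        }
        // Other sessions are dropped before the update is attempted, so they
        // are gone even if updatePassword() reports no change below
        if (Request::post('kill-other-sessions', false, 'bool')) {
            Session::deleteAllButCurrent();
        }
        if (User::updatePassword($new)) {
            Message::addSuccess('password-changed');
        } else {
            Message::addWarning('password-unchanged');
        }
        Util::redirect('?do=session', 200);
    }

    /**
     * Render the page body: login form for anonymous visitors, otherwise the
     * audit list (GET show=audit) or the session list.
     */
    protected function doRender()
    {
        if (!User::isLoggedIn()) {
            Render::addTemplate('page-login');
            return;
        }
        $show = Request::get('show', false, 'string');
        if ($show === 'audit') {
            self::showAudit();
        } else {
            self::showSessions();
        }
    }

    /**
     * Render the session list via the 'change-password' template.
     *
     * All sessions are read from the database; without the '.adduser.user.*'
     * permission only the rows belonging to the current user are kept.
     */
    private static function showSessions()
    {
        $res = Database::simpleQuery("SELECT u.login, s.userid, s.dateline, s.lastip, s.fixedip
            FROM session s
            INNER JOIN user u USING (userid)
            ORDER BY dateline DESC");
        $seeAll = User::hasPermission('.adduser.user.*');
        // Cast both sides: the DB driver may return the id as a string
        $ownId = (int) User::getId();
        $sessions = [];
        foreach ($res as $row) {
            if (!$seeAll && (int) $row['userid'] !== $ownId) {
                continue;
            }
            $row['dateline_s'] = Util::prettyTime($row['dateline']);
            $sessions[] = $row;
        }
        Render::addTemplate('change-password', [
            'sessions' => $sessions,
            'link' => User::hasPermission('.adduser.user.edit'),
            'audit' => User::hasPermission('.adduser.audit.show'),
        ]);
    }

    /**
     * Render the paginated audit log (50 rows per page).
     *
     * Requires the '.adduser.audit.show' permission. With GET 'user' > 0 the
     * list is restricted to that user; an unknown id yields a 404 redirect.
     * Rows whose response code is outside 200-399 get a highlight class.
     */
    private static function showAudit()
    {
        User::assertPermission('.adduser.audit.show');
        $user = Request::get('user', 0, 'int');
        $args = [];
        $where = '';
        $username = null;
        if ($user > 0) {
            // The WHERE fragment is a literal; the user id only ever travels
            // as the bound ':userid' parameter, never into the SQL text.
            $args['userid'] = $user;
            $where = ' WHERE a.userid = :userid';
            $row = Database::queryFirst("SELECT login FROM user WHERE userid = :userid", ['userid' => $user]);
            if ($row === false) {
                Message::addError('user-not-found', $user);
                Util::redirect('?do=session&show=audit', 404);
            }
            $username = $row['login'];
        }
        $paginate = new Paginate("SELECT u.userid, u.login,
                a.action, a.dateline, a.ipaddr, a.data, a.module, a.response
            FROM audit a
            LEFT JOIN user u USING (userid)
            $where
            ORDER BY dateline DESC", 50);
        $lines = [];
        foreach ($paginate->exec($args) as $row) {
            $row['dateline_s'] = Util::prettyTime($row['dateline']);
            if ($row['response'] < 200 || $row['response'] >= 400) {
                $row['class'] = 'text-danger slx-bold';
            }
            // When filtered to one user the login is shown once in the header
            if ($username !== null) {
                unset($row['login']);
            }
            $lines[] = $row;
        }
        $paginate->render('audit-list', ['list' => $lines, 'user' => $username]);
    }
}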