<?php
/*****************************************************************************
IP Reg, a PHP/MySQL IPAM tool
Copyright (C) 2007-2009 Wietse Warendorff (up to v0.5)
Copyright (C) 2011-2023 Thomas Hooge

SPDX-License-Identifier: GPL-3.0-or-later
*****************************************************************************/

include("includes.php");

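// Only admins and user managers may use this page; the flags are session
// values set at login, so a missing flag (not logged in) counts as 0 -> denied.
if ((($_SESSION['suser_role_admin'] ?? 0) == 0) and (($_SESSION['suser_role_manage'] ?? 0) == 0)) {
    $g_error->add('Access denied!');
    $action = ACT_ERR_DENIED;
}

// Record id from the request. Always defined (0 = none/invalid) so the
// action handlers below never read an undefined variable when 'id' is absent.
$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;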

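/**
 * Generate a random alphanumeric password.
 *
 * Draws every character from the CSPRNG via random_int(). The previous
 * version reseeded mt_rand() from microtime(), which makes the result
 * predictable and is not acceptable for credentials.
 *
 * @param int $length number of characters; 0 or less yields ''
 * @return string password consisting of [A-Za-z0-9] only
 */
function makepwd($length) {
    // letters first, then digits (same character set as before)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $passwd = '';
    for ($k = 0; $k < $length; $k++) {
        $passwd .= $alphabet[random_int(0, $max)];
    }
    return $passwd;
}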

// ========== ACTIONS START ===================================================
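switch ($submit = form_get_action()) {

    case NULL: break;

    case 'add':   $action = ACT_ADD; break;
    case 'view':  $action = ACT_VIEW; break;
    case 'edit':  $action = ACT_EDIT; break;
    case 'del':   $action = ACT_DELETE; break;

    case 'pass':
        // Create new random password to display once; only its hash is stored
        $newpass = makepwd(8);
        $sql = "UPDATE user SET user_pass=:pass WHERE user_id=:id";
        $sth = $dbh->prepare($sql);
        $sth->bindValue(':id', $id, PDO::PARAM_INT);
        $sth->bindValue(':pass', password_hash($newpass, PASSWORD_BCRYPT), PDO::PARAM_STR);
        try {
            $sth->execute();
        } catch (PDOException $e) {
            $g_warning->Add($e->getMessage());
        }
        $smarty->assign('newpass', $newpass);
        $action = ACT_VIEW;
        break;

    case 'insert':
        // '??' keeps a missing form field from raising an undefined-index notice
        $user_name = strtolower(sanitize($_POST['user_name'] ?? ''));
        $user_displayname = sanitize($_POST['user_displayname'] ?? '');
        // Store the same hash type the 'pass' action writes. The former md5()
        // was unsalted and fast, and inconsistent with the bcrypt hashes set
        // on password reset.
        // NOTE(review): sanitize() is applied before hashing, as before; the
        // login code must transform the submitted password identically - confirm.
        $user_password = password_hash(sanitize($_POST['user_password'] ?? ''), PASSWORD_BCRYPT);

        if ($user_name === '') {
            $g_error->Add(_("Username must not be empty."));
            $action = ACT_ADD;
            break;
        }

        // check if username exists
        $sth = $dbh->prepare("SELECT COUNT(*) FROM user WHERE user_name=?");
        $sth->execute([$user_name]);

        if ((int) $sth->fetchColumn() === 0) {
            $sql = "INSERT INTO user (user_name, user_displayname, user_pass)
                    VALUE (?, ?, ?)";
            $sth = $dbh->prepare($sql);
            $sth->execute([$user_name, $user_displayname, $user_password]);
            $id = (int) $dbh->lastInsertId();
            $action = ACT_VIEW;
        } else {
            $g_error->Add(_("Username already in use."));
            $action = ACT_ADD;
        }
        break;

    case 'update':
        $user_name = sanitize($_POST['user_name'] ?? '');
        $user_displayname = sanitize($_POST['user_displayname'] ?? '');
        $user_realm = sanitize($_POST['user_realm'] ?? '');

        // roles: one checkbox per role, posted as role_<name>; unchecked
        // boxes are simply absent from $_POST. Build the SET value "a,b,c"
        // in the fixed order below, NULL when no role is selected.
        $role = [];
        foreach (['add', 'edit', 'delete', 'manage', 'admin'] as $r) {
            if (sanitize($_POST['role_' . $r] ?? '')) {
                $role[] = $r;
            }
        }
        $role = empty($role) ? NULL : implode(',', $role);

        $sql = "UPDATE user SET
                    user_name=?, user_displayname=?, user_realm=?,
                    user_role=?
                WHERE user_id=?";
        $sth = $dbh->prepare($sql);
        $sth->execute([$user_name, $user_displayname, $user_realm,
                       $role, $id]);
        $action = ACT_VIEW;
        break;

    case 'delete':
        $sth = $dbh->prepare("DELETE FROM user WHERE user_id=?");
        $sth->execute([$id]);
        $g_message->Add(_("User deleted."));
        $action = ACT_DEFAULT;
        break;

    default:
        $g_error->Add(submit_error($submit));
        $valid = FALSE;
}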

// ========== ACTIONS END =====================================================

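include("header.php");

if ($action == ACT_DEFAULT):
// ========== VARIANT: default behavior =======================================

$sql = "SELECT user_id AS id, user_name AS name,
            user_displayname AS  displayname, user_realm AS realm,
            user_role AS role
	FROM user
	ORDER BY user_name";
$sth = $dbh->query($sql);

// role: convert db set ("a,b,c") to array. The column may be NULL when a
// user has no role (see the 'update' action), so cast before explode().
$users = $sth->fetchAll(PDO::FETCH_ASSOC);
foreach ($users as &$u) {
    $u['role'] = explode(',', (string) $u['role']);
}
unset($u); // drop the foreach reference
$smarty->assign("users", $users);

$smarty->display("user.tpl");

elseif ($action == ACT_ADD):
// ========== VARIANT: add record =============================================

$realms = db_load_enum('user','user_realm');

$smarty->assign("realm_ids", $realms);
$smarty->assign("realm_names", $realms);
$smarty->assign("realm_selected", $realms[0]);

$smarty->display("useradd.tpl");

elseif ($action == ACT_VIEW):
// ========== VARIANT: view single record =====================================

$sql = "SELECT user_id AS id, user_name AS name, user_displayname AS displayname,
            user_realm as realm, user_role AS role, user_flags AS flags
        FROM user
        WHERE user_id=?";
$sth = $dbh->prepare($sql);
$sth->execute([$id]);
$user = $sth->fetch(PDO::FETCH_OBJ);
if ($user === false) {
    // unknown id: fetch() returns false, which must not be dereferenced
    $g_error->Add(_("User not found."));
} else {
    $user->role = explode(',', (string) $user->role);
    $user->flags = explode(',', (string) $user->flags);
    $smarty->assign("user", $user);

    $smarty->display("userview.tpl");
}

elseif ($action == ACT_EDIT):
// ========== VARIANT: edit single record =====================================

$sql = "SELECT user_id AS id, user_name AS name, user_displayname AS displayname,
            user_realm AS realm, user_role AS role, user_flags AS flags
        FROM user
        WHERE user_id=?";
$sth = $dbh->prepare($sql);
$sth->execute([$id]);

$user = $sth->fetch(PDO::FETCH_OBJ);
if ($user === false) {
    $g_error->Add(_("User not found."));
} else {
    $user->role = explode(',', (string) $user->role);
    $smarty->assign("user", $user);

    // auth realms
    // NOTE(review): hard-coded here while the add variant uses
    // db_load_enum('user','user_realm') - consider sharing one source.
    $smarty->assign("realm_ids", ['local', 'ldap']);
    $smarty->assign("realm_names", ['Local', 'LDAP']);
    $smarty->assign("realm_selected", $user->realm);

    $smarty->display("useredit.tpl");
}

elseif ($action == ACT_DELETE):
// ========== VARIANT: delete record ==========================================

$sth = $dbh->prepare("SELECT user_id AS id, user_name AS name FROM user WHERE user_id=?");
$sth->execute([$id]);
$user = $sth->fetch(PDO::FETCH_OBJ);
if ($user === false) {
    $g_error->Add(_("User not found."));
} else {
    $smarty->assign("user", $user);

    $smarty->display("userdel.tpl");
}

elseif ($action == ACT_ERR_DENIED):
// ========== ERROR ACCESS TO PAGE DENIED =====================================

if (isset($_SERVER['HTTP_REFERER'])) {
    // The Referer header is client-supplied: escape it before placing it in
    // an attribute, and fix the stray quote in the former '<p">' tag.
    $back = htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo '<p><a href="', $back, '">', "Back to last page</a></p>\n";
}
echo "<p></p>";

else:
// ========== ERROR UNKNOWN VARIANT ===========================================

echo "<p>Unknown function call: Please report to system development!</p>\n";

endif; // $action == ...
// ========== END OF VARIANTS =================================================

$smarty->display('footer.tpl');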