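<?php
/*
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
  Copyright (C) 2003-2010  Cajus Pollmeier
  Copyright (C) 2011-2018  FusionDirectory

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/

/* main.php - front controller for the authenticated FusionDirectory UI.
 *
 * Executed once per request. It verifies that a logged-in session exists and
 * has not expired, loads the plugin list, dispatches to the plugin selected by
 * the "plug" GET parameter through pluglist::runMainInc(), and finally renders
 * the framework template around the plugin output.
 *
 * Everything below is top-level code. $smarty, $plist, $ssl, $display,
 * $error_collector and $error_collector_mailto are not defined in this file;
 * they are expected to be provided by the included setup files and by the
 * plugin's main.inc - confirm in php_setup.inc / functions.inc.
 */

/* Basic setup, remove eventually registered sessions */
require_once ("../include/php_setup.inc");
require_once ("functions.inc");
require_once ("variables.inc");

/* Set headers.
 * nosniff stops MIME sniffing of the response, X-Frame-Options: deny
 * forbids embedding the UI in a frame (clickjacking protection). */
header('Content-type: text/html; charset=UTF-8');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: deny');

/* Set the text domain as 'fusiondirectory' */
$domain = 'fusiondirectory';
bindtextdomain($domain, LOCALE_DIR);
textdomain($domain);

/* Remember everything we did after the last click */
session::start();
reset_errors();

/* Dump request/session state into the debug log when the matching debug
 * level is enabled (DEBUG() is a project helper; the @ silences its notices) */
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  @DEBUG(DEBUG_POST, __LINE__, __FUNCTION__, __FILE__, $_POST, '_POST');
}
@DEBUG(DEBUG_SESSION, __LINE__, __FUNCTION__, __FILE__, $_SESSION, '_SESSION');

/* Logged in? Simple security check.
 * Without the 'connected' marker nothing else on this page may run, so the
 * request is logged and redirected to the login page. */
if (!session::global_is_set('connected')) {
  logging::log('security', 'login', '', array(), 'main.php called without session - logging out');
  header('Location: index.php?message=nosession');
  exit;
}

/* Validate the CSRF token before any state-changing code below runs */
CSRFProtection::check();

$ui     = session::global_get('ui');
$config = session::global_get('config');

/* If SSL is forced, just forward to the SSL enabled site.
 * $ssl is expected from the setup includes (not visible here). */
if (($config->get_cfg_value('forcessl') == 'TRUE') && ($ssl != '')) {
  header("Location: $ssl");
  exit;
}

timezone::setDefaultTimezoneFromConfig();

/* Check for invalid sessions: an idle session older than the configured
 * lifetime is destroyed server-side, not just on the client. */
if (session::global_get('_LAST_PAGE_REQUEST') != '') {
  /* check FusionDirectory.conf for defined session lifetime (default 2 hours);
   * a value of 0 or below disables the idle timeout */
  $max_life = $config->get_cfg_value('sessionLifetime', 60 * 60 * 2);

  if ($max_life > 0) {
    /* get time difference between last page reload */
    $request_time = (time() - session::global_get('_LAST_PAGE_REQUEST'));

    /* If page wasn't reloaded for more than max_life seconds
     * kill session
     */
    if ($request_time > $max_life) {
      session::destroy();
      logging::log('security', 'login', '', array(), 'main.php called with expired session - logging out');
      header('Location: index.php?signout=1&message=expired');
      exit;
    }
  }
}
session::global_set('_LAST_PAGE_REQUEST', time());

@DEBUG(DEBUG_CONFIG, __LINE__, __FUNCTION__, __FILE__, $config->data, "config");

/* Set template compile directory */
$smarty->compile_dir = $config->get_cfg_value("templateCompileDirectory", SPOOL_DIR);

Language::init();

/* Prepare plugin list */
pluglist::load();

/* Check previous plugin index (empty string when this is the first page) */
if (session::global_is_set('plugin_index')) {
  $old_plugin_index = session::global_get('plugin_index');
} else {
  $old_plugin_index = '';
}

$plist->gen_menu();

/* check if we are using account expiration */
$smarty->assign("hideMenus", FALSE);
if ($config->get_cfg_value("handleExpiredAccounts") == "TRUE") {
  $expired = $ui->expired_status();
  if (($expired == POSIX_WARN_ABOUT_EXPIRATION) && !session::is_set('POSIX_WARN_ABOUT_EXPIRATION__DONE')) {
    @DEBUG(DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $expired, 'This user account ('.$ui->uid.') is about to expire');

    // The users password is about to xpire soon, display a warning message.
    logging::log('security', 'fusiondirectory', '', array(), 'password for user "'.$ui->uid.'" is about to expire');
    msg_dialog::display(_('Password change'), _('Your password is about to expire, please change your password!'), INFO_DIALOG);
    // Remember that the warning was shown so it appears only once per session.
    session::set('POSIX_WARN_ABOUT_EXPIRATION__DONE', TRUE);
  } elseif ($expired == POSIX_FORCE_PASSWORD_CHANGE) {
    @DEBUG(DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $expired, "This user account expired");

    // The password is expired, we are now going to enforce a new one from the user.

    // Hide the FusionDirectory menus to avoid leaving the enforced password change dialog.
    $smarty->assign("hideMenus", TRUE);

    // Search for the 'user' class and set its id as active plug, overriding
    // whatever plugin the request asked for.
    foreach ($plist->dirlist as $key => $value) {
      if ($value == 'user') {
        if (!isset($_GET['plug']) || ($_GET['plug'] != $key)) {
          $_GET['plug'] = $key;
          msg_dialog::display(_('Warning'), _('Your password has expired, please set a new one.'), WARNING_DIALOG);
        }
        break;
      }
    }
  }
}

/* Resolve the requested plugin. The ACL check runs on the raw value; only an
 * allowed plugin is passed through validate() and stored in the session. */
if (isset($_GET['plug']) && $plist->plugin_access_allowed($_GET['plug'])) {
  $plugin_index = validate($_GET['plug']);
} else {
  /* set to welcome page as default plugin */
  $plugin_index = 'welcome';
}
session::global_set('plugin_index', $plugin_index);

/* Handle plugin locks.
    - Remove the plugin from session if we switched to another. (cleanup)
    - Remove all created locks if "reset" was posted.
    - Remove all created locks if we switched to another plugin.
*/
$cleanup      = FALSE;
$remove_lock  = FALSE;

/* Check if we have changed the selected plugin */
if (!empty($old_plugin_index) && ($old_plugin_index != $plugin_index)) {
  /* Second argument TRUE: run the previous plugin's cleanup path (presumably,
   * per the comment above - confirm in pluglist::runMainInc) */
  pluglist::runMainInc($old_plugin_index, TRUE);
} elseif ((isset($_GET['reset']) && $_GET['reset'] == 1) || isset($_POST['delete_lock'])) {
  /* Reset was posted, remove all created locks for the current plugin */
  $remove_lock = TRUE;
}

/* Check for sizelimits */
$ui->getSizeLimitHandler()->update();

/* Check for memory: warn when less than ~2 MB of the PHP memory_limit remains */
if (memory_get_usage() > (to_byte(ini_get('memory_limit')) - 2048000 )) {
  msg_dialog::display(_("Configuration error"), _("Running out of memory!"), WARNING_DIALOG);
}

/* Load department list when plugin has changed. That is some kind of
   compromise between speed and beeing up to date */
if (isset($_GET['reset'])) {
  set_object_info();
}

/* show web frontend */
$smarty->assign("date", date("l, dS F Y H:i:s O"));
$lang = session::global_get('lang');
/* Strip the territory part ("de_DE" -> "de") for the template */
$smarty->assign('lang',  preg_replace('/_.*$/', '', $lang));
$smarty->assign('rtl',   Language::isRTL($lang));
$smarty->assign('must',  '<span class="must">*</span>');

/* $plugin_index is always assigned above, so the query string is
 * unconditional here */
$plug = "?plug=$plugin_index";

if ($ui->ignore_acl_for_current_user()) {
  $smarty->assign('username', '<div style="color:#FF0000;">'._('User ACL checks disabled').'</div>&nbsp;'.$ui->uid);
} else {
  $smarty->assign('username', $ui->uid);
}
$smarty->assign("menu", $plist->menu);
$smarty->assign("plug", "$plug");

$smarty->assign("usePrototype", "false");

/* React on clicks: when a lock dialog is answered, restore the request
 * variables that were saved when the lock was hit so the original action
 * can be replayed. */
if (($_SERVER['REQUEST_METHOD'] == 'POST')
  && (isset($_POST['delete_lock']) || isset($_POST['open_readonly']))) {

  /* Set old Post data */
  if (session::global_is_set('LOCK_VARS_USED_GET')) {
    foreach (session::global_get('LOCK_VARS_USED_GET') as $name => $value) {
      $_GET[$name]  = $value;
    }
  }
  if (session::global_is_set('LOCK_VARS_USED_POST')) {
    foreach (session::global_get('LOCK_VARS_USED_POST') as $name => $value) {
      $_POST[$name] = $value;
    }
  }
  if (session::global_is_set('LOCK_VARS_USED_REQUEST')) {
    foreach (session::global_get('LOCK_VARS_USED_REQUEST') as $name => $value) {
      $_REQUEST[$name] = $value;
    }
  }
}

/* Load plugin (its main.inc is expected to fill $display) */
pluglist::runMainInc($plugin_index);

/* Print_out last ErrorMessage repeated string. */
$smarty->assign("msg_dialogs", msg_dialog::get_dialogs());
$smarty->assign("contents", $display);
$smarty->assign("sessionLifetime", $config->get_cfg_value("sessionLifetime", 60 * 60 * 2));

/* If there's some post, take a look if everything is there...
 * php_c_check is sent with every form; its absence means PHP dropped part of
 * the POST body (e.g. a request larger than post_max_size). */
if (isset($_POST) && count($_POST) && !isset($_POST['php_c_check'])) {
  msg_dialog::display(
    _('Configuration Error'),
    sprintf(_('Fatal error: not all POST variables have been transfered by PHP - please inform your administrator!')),
    FATAL_ERROR_DIALOG
  );
  exit();
}

/* Assign errors to smarty */
if ($error_collector != "") {
  $smarty->assign("php_errors", preg_replace("/%BUGBODY%/", $error_collector_mailto, $error_collector)."</div>");
} else {
  $smarty->assign("php_errors", "");
}

$focus = '<script type="text/javascript">';
$focus .= 'next_msg_dialog();';
$focus .= '</script>';
$smarty->assign('focus',      $focus);
$smarty->assign('CSRFtoken',  CSRFProtection::getToken());

/* Set channel if needed */
//TODO: * move all global session calls to global_
//      * create a new channel where needed (mostly management dialogues)
//      * remove regulary created channels when not needed anymore
//      * take a look at external php calls (i.e. get fax, ldif, etc.)
//      * handle aborted sessions (by pressing anachors i.e. Main, Menu, etc.)
//      * check lock removals, is "dn" global or not in this case?
//      * last page request -> global or not?
//      * check that filters are still global
//      * maxC global?
if (isset($_POST['_channel_'])) {
  /* The value is request-controlled; it was previously also echoed raw into
   * the response as a debug line, which has been removed. The template is
   * responsible for escaping it (not verifiable from this file). */
  $smarty->assign("channel", $_POST['_channel_']);
} else {
  $smarty->assign("channel", "");
}

if (class_available('Game')) {
  $smarty->assign('game_screen', Game::run());
} else {
  $smarty->assign('game_screen', '');
}

$display  = $smarty->fetch(get_template_path('headers.tpl')).
            $smarty->fetch(get_template_path('framework.tpl'));

/* Show page... */
echo $display;

/* Save plist and config */
session::global_set('plist', $plist);
session::global_set('config', $config);
reset_errors();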