Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
main.php 12.70 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4 
  Copyright (C) 2003-2010  Cajus Pollmeier
5 
  Copyright (C) 2011-2018  FusionDirectory
6
7 
  This program is free software; you can redistribute it and/or modify
8 
  it under the terms of the GNU General Public License as published by
9 
  the Free Software Foundation; either version 2 of the License, or
10 
  (at your option) any later version.
11
12 
  This program is distributed in the hope that it will be useful,
13 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
14 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 
  GNU General Public License for more details.
16
17 
  You should have received a copy of the GNU General Public License
18 
  along with this program; if not, write to the Free Software
19 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
20 
*/
21
22 
/* Save start time */
23 
$start = microtime();
24
25 
/* Basic setup, remove eventually registered sessions */
26 
require_once ("../include/php_setup.inc");
27 
require_once ("functions.inc");
28 
require_once ("variables.inc");
29
30 
/* Set headers */
31 
header('Content-type: text/html; charset=UTF-8');
32 
header('X-XSS-Protection: 1; mode=block');
33 
header('X-Content-Type-Options: nosniff');
34 
header('X-Frame-Options: deny');
35
36 
/* Set the text domain as 'fusiondirectory' */
37 
$domain = 'fusiondirectory';
38 
bindtextdomain($domain, LOCALE_DIR);
39 
textdomain($domain);
40
41 
/* Remember everything we did after the last click */
42 
session::start();
43 
session::set('errorsAlreadyPosted', array());
44 
session::global_set('runtime_cache', array());
45 
session::set('limit_exceeded', FALSE);
46
47 
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
48 
  @DEBUG (DEBUG_POST, __LINE__, __FUNCTION__, __FILE__, $_POST, '_POST');
49 
}
50 
@DEBUG (DEBUG_SESSION, __LINE__, __FUNCTION__, __FILE__, $_SESSION, '_SESSION');
51
52 
/* Logged in? Simple security check */
53 
if (!session::global_is_set('connected')) {
54 
  logging::log('security', 'login', '', array(), 'main.php called without session - logging out');
55 
  header ('Location: index.php?message=nosession');
56 
  exit;
57 
}
58
59 
CSRFProtection::check();
60
61 
$ui     = session::global_get('ui');
62 
$config = session::global_get('config');
63
64 
/* If SSL is forced, just forward to the SSL enabled site */
65 
if (($config->get_cfg_value('forcessl') == 'TRUE') && ($ssl != '')) {
66 
  header ("Location: $ssl");
67 
  exit;
68 
}
69
70 
timezone::setDefaultTimezoneFromConfig();
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
/* Check for invalid sessions */ if (session::global_get('_LAST_PAGE_REQUEST') != '') { /* check FusionDirectory.conf for defined session lifetime */ $max_life = $config->get_cfg_value('sessionLifetime', 60 * 60 * 2); if ($max_life > 0) { /* get time difference between last page reload */ $request_time = (time() - session::global_get('_LAST_PAGE_REQUEST')); /* If page wasn't reloaded for more than max_life seconds * kill session */ if ($request_time > $max_life) { session::destroy(); logging::log('security', 'login', '', array(), 'main.php called with expired session - logging out'); header ('Location: index.php?signout=1&message=expired'); exit; } } } session::global_set('_LAST_PAGE_REQUEST', time()); @DEBUG (DEBUG_CONFIG, __LINE__, __FUNCTION__, __FILE__, $config->data, "config"); /* Set template compile directory */ $smarty->compile_dir = $config->get_cfg_value("templateCompileDirectory", SPOOL_DIR); /* Preset current main base */ if (!session::global_is_set('CurrentMainBase')) { session::global_set('CurrentMainBase', get_base_from_people($ui->dn)); } Language::init(); /* Prepare plugin list */ $plist = load_plist(); /* Check for register globals */ if (isset($global_check) && $config->get_cfg_value("forceglobals") == "TRUE") { msg_dialog::display( _("PHP configuration"), _("Fatal error: Register globals is on. FusionDirectory will refuse to login unless this is fixed by an administrator."), FATAL_ERROR_DIALOG); logging::log('security', 'login', '', array(), 'Register globals is on. For security reasons, this should be turned off.'); session::destroy (); exit; } /* Check Plugin variable */ if (session::global_is_set('plugin_dir')) { $old_plugin_dir = session::global_get('plugin_dir'); } else { $old_plugin_dir = ""; } $plist->gen_menu(); /* check if we are using account expiration */ $smarty->assign("hideMenus", FALSE); if ($config->get_cfg_value("handleExpiredAccounts") == "TRUE") { $expired = $ui->expired_status(); if (($expired == POSIX_WARN_ABOUT_EXPIRATION) && !session::is_set('POSIX_WARN_ABOUT_EXPIRATION__DONE')) { @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $expired, 'This user account ('.$ui->uid.') is about to expire'); // The users password is about to xpire soon, display a warning message. logging::log('security', 'fusiondirectory', '', array(), 'password for user "'.$ui->uid.'" is about to expire'); msg_dialog::display(_('Password change'), _('Your password is about to expire, please change your password!'), INFO_DIALOG);
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
session::set('POSIX_WARN_ABOUT_EXPIRATION__DONE', TRUE); } elseif ($expired == POSIX_FORCE_PASSWORD_CHANGE) { @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $expired, "This user account expired"); // The password is expired, we are now going to enforce a new one from the user. // Hide the FusionDirectory menus to avoid leaving the enforced password change dialog. $smarty->assign("hideMenus", TRUE); $plug = (isset($_GET['plug'])) ? $_GET['plug'] : NULL; // Search for the 'user' class and set its id as active plug. foreach ($plist->dirlist as $key => $value) { if ($value == 'user') { if (!isset($_GET['plug']) || ($_GET['plug'] != $key)) { $_GET['plug'] = $key; msg_dialog::display(_('Warning'), _('Your password has expired, please set a new one.'), WARNING_DIALOG); } break; } } } } if (isset($_GET['plug']) && $plist->plugin_access_allowed($_GET['plug'])) { $plug = validate($_GET['plug']); $plugin_dir = $plist->get_path($plug); session::global_set('plugin_dir', $plugin_dir); if ($plugin_dir == '') { logging::log('security', 'fusiondirectory', '', array(), "main.php called with invalid plug parameter \"$plug\""); header ('Location: index.php?signout=1&message=invalidparameter&plug='.$plug); exit; } } else { /* set to welcome page as default plugin */ session::global_set('plugin_dir', 'welcome'); $plugin_dir = "$BASE_DIR/plugins/generic/welcome"; } /* Handle plugin locks. - Remove the plugin from session if we switched to another. (cleanup) - Remove all created locks if "reset" was posted. - Remove all created locks if we switched to another plugin. */ $cleanup = FALSE; $remove_lock = FALSE; /* Check if we have changed the selected plugin */ if ($old_plugin_dir != $plugin_dir && $old_plugin_dir != "") { if (is_file("$old_plugin_dir/main.inc")) { $cleanup = $remove_lock = TRUE; require ("$old_plugin_dir/main.inc"); $cleanup = $remove_lock = FALSE; } } elseif ((isset($_GET['reset']) && $_GET['reset'] == 1) || isset($_POST['delete_lock'])) { /* Reset was posted, remove all created locks for the current plugin */ $remove_lock = TRUE; } /* Check for sizelimits */ $ui->getSizeLimitHandler()->update(); /* Check for memory */ if (memory_get_usage() > (to_byte(ini_get('memory_limit')) - 2048000 )) { msg_dialog::display(_("Configuration error"), _("Running out of memory!"), WARNING_DIALOG); } if ($_SERVER['REQUEST_METHOD'] == 'POST') { /* Redirect on back event Look for button events that match /^back[0-9]+$/,
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
extract the number and step the correct plugin. */ foreach ($_POST as $key => $value) { if (preg_match("/^back[0-9]+$/", $key)) { $back = substr($key, 4); header ("Location: main.php?plug=$back"); exit; } } /* Redirect on password back event */ if (isset($_POST['password_back'])) { header ("Location: main.php"); exit; } } /* Load department list when plugin has changed. That is some kind of compromise between speed and beeing up to date */ if (isset($_GET['reset'])) { set_object_info(); } /* show web frontend */ $smarty->assign ("date", date("l, dS F Y H:i:s O")); $lang = session::global_get('lang'); $smarty->assign ('lang', preg_replace('/_.*$/', '', $lang)); $smarty->assign ('rtl', Language::isRTL($lang)); $smarty->assign ('must', '<span class="must">*</span>'); if (isset($plug)) { $plug = "?plug=$plug"; } else { $plug = ""; } if ($ui->ignore_acl_for_current_user()) { $smarty->assign ('username', '<div style="color:#FF0000;">'._('User ACL checks disabled').'</div>&nbsp;'.$ui->uid); } else { $smarty->assign ('username', $ui->uid); } $smarty->assign ("menu", $plist->menu); $smarty->assign ("plug", "$plug"); $smarty->assign("usePrototype", "false"); /* React on clicks */ if (($_SERVER['REQUEST_METHOD'] == 'POST') && (isset($_POST['delete_lock']) || isset($_POST['open_readonly']))) { /* Set old Post data */ if (session::global_is_set('LOCK_VARS_USED_GET')) { foreach (session::global_get('LOCK_VARS_USED_GET') as $name => $value) { $_GET[$name] = $value; } } if (session::global_is_set('LOCK_VARS_USED_POST')) { foreach (session::global_get('LOCK_VARS_USED_POST') as $name => $value) { $_POST[$name] = $value; } } if (session::global_is_set('LOCK_VARS_USED_REQUEST')) { foreach (session::global_get('LOCK_VARS_USED_REQUEST') as $name => $value) { $_REQUEST[$name] = $value; } } } /* Load plugin */ if (is_file("$plugin_dir/main.inc")) { $display = ""; try { require ("$plugin_dir/main.inc");
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
} catch (Exception $e) { $smarty->assign('header', print_header('geticon.php?context=status&icon=dialog-error&size=32', _('Fatal error!'))); $display = '<h1>'._('An unrecoverable error occurred. Please contact your administator.').'</h1><p>'; if (ini_get('display_errors') == 1) { $display .= nl2br(htmlentities((string)$e, ENT_COMPAT, 'UTF-8')); } else { $display .= 'Error detail display is turned off.'; } $display .= '</p>'."\n"; } } else { msg_dialog::display( _("Plugin"), sprintf(_("Fatal error: Cannot find any plugin definitions for plugin '%s' ('%s' is not a file)!"), $plug, "$plugin_dir/main.inc"), FATAL_ERROR_DIALOG); exit(); } /* Print_out last ErrorMessage repeated string. */ $smarty->assign("msg_dialogs", msg_dialog::get_dialogs()); $smarty->assign("contents", $display); $smarty->assign("sessionLifetime", $config->get_cfg_value("sessionLifetime", 60 * 60 * 2)); /* If there's some post, take a look if everything is there... */ if (isset($_POST) && count($_POST) && !isset($_POST['php_c_check'])) { msg_dialog::display( _('Configuration Error'), sprintf(_('Fatal error: not all POST variables have been transfered by PHP - please inform your administrator!')), FATAL_ERROR_DIALOG ); exit(); } /* Assign errors to smarty */ if (session::is_set('errors')) { $smarty->assign("errors", session::get('errors')); } if ($error_collector != "") { $smarty->assign("php_errors", preg_replace("/%BUGBODY%/", $error_collector_mailto, $error_collector)."</div>"); } else { $smarty->assign("php_errors", ""); } /* Set focus to the error button if we've an error message */ $focus = ""; if (session::is_set('errors') && session::get('errors') != "") { $focus = '<script type="text/javascript">'; $focus .= 'document.forms[0].error_accept.focus();'; $focus .= '</script>'; } $focus = '<script type="text/javascript">'; $focus .= 'next_msg_dialog();'; $focus .= '</script>'; $smarty->assign('focus', $focus); $smarty->assign('CSRFtoken', CSRFProtection::getToken()); /* Set channel if needed */ //TODO: * move all global session calls to global_ // * create a new channel where needed (mostly management dialogues) // * remove regulary created channels when not needed anymore // * take a look at external php calls (i.e. get fax, ldif, etc.) // * handle aborted sessions (by pressing anachors i.e. Main, Menu, etc.) // * check lock removals, is "dn" global or not in this case? // * last page request -> global or not? // * check that filters are still global // * maxC global? if (isset($_POST['_channel_'])) { echo "DEBUG - current channel: ".$_POST['_channel_'];
351352353354355356357358359360361362363364365366367368369370371372373374375
$smarty->assign("channel", $_POST['_channel_']); } else { $smarty->assign("channel", ""); } $smarty->assign ("title", "FusionDirectory"); if (class_available('Game')) { $smarty->assign('game_screen', Game::run()); } else { $smarty->assign('game_screen', ''); } $display = $smarty->fetch(get_template_path('headers.tpl')). $smarty->fetch(get_template_path('framework.tpl')); /* Show page... */ echo $display; /* Save plist and config */ session::global_set('plist', $plist); session::global_set('config', $config); session::set('errorsAlreadyPosted', array()); ?>