Diffstat (limited to 'etc/inc/authgui.inc')
-rw-r--r-- | etc/inc/authgui.inc | 405 |
1 files changed, 208 insertions, 197 deletions
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 12f45bc..7467ccd 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -41,243 +41,254 @@ require_once("functions.inc"); /* We only support htpasswd backed HTTP Basic auth and session * based backing methods at the moment. * session_auth - this will use session based authentication and timeout - * htpasswd_backed - this uses the "standard" .htpasswd file - * passwd_backed - this will use the system passwd file in /etc - * radius_backed - this will allow you to use a radius server - * pam_backed - this uses the system's PAM facility .htpasswd file + * htpasswd_backed - this uses the "standard" .htpasswd file + * passwd_backed - this will use the system passwd file in /etc + * radius_backed - this will allow you to use a radius server + * pam_backed - this uses the system's PAM facility .htpasswd file */ $auth_method="session_auth"; /* enable correct auth backend, default to htpasswd_backed */ - $ldapcase = $config['system']['webgui']['backend']; switch($ldapcase) { -case ldap: - $backing_method="ldap_backed"; - break; -case ldapother: - $backing_method="ldap_backed"; - break; -default: - $backing_method="htpasswd_backed"; + case ldap: + $backing_method="ldap_backed"; + break; + case ldapother: + $backing_method="ldap_backed"; + break; + default: + $backing_method="htpasswd_backed"; } /* Authenticate user - exit if failed */ -if (!$auth_method($backing_method)) { exit; } +if (!$auth_method($backing_method)) + exit; + +/* + * scriptname is set in headjs.php if the user tried to access + * a page other than index.php without beeing logged in. + * + * NOTE : This doesn't make sense to me. -mgrooms + */ +/* if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { + * pfSenseHeader("{$_POST['scriptname']}"); + * exit; + * } + */ + +/* + * Once here, the user has authenticated with the web server. + * We give them access only to the appropriate pages based on + * the user or group privileges. 
+ */ +getAllowedPages($HTTP_SERVER_VARS['AUTH_USER']); -/* scriptname is set in headjs.php if the user did try to access a page other - * than index.php without beeing logged in. +/* + * get the group homepage, to be able to forward + * the user to this particular PHP page. + */ +$home = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['home']; +if (!$home) + $home = "/index.php"; + +/* + * If the user tries to explicitly access a particular + * page, set $home to that page instead. */ -if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { - pfSenseHeader("{$_POST['scriptname']}"); - exit; +if (isset($_POST['scriptname']) && + $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") { + $home = str_replace('/', '', basename($_POST['scriptname'])); + $pagereq = $home; } -// Once here, the user has authenticated with the web server. -// Now, we give them access only to the appropriate pages for their group. - -if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) { - $_SESSION['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']); - $allowed = $_SESSION['privs']; - - $allowed_groups = print_r($_SESSION['privs'],true); - $fdny = fopen("/tmp/groups", "w"); - fwrite($fdny, $allowed_groups); - fclose($fdny); - - $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']; - /* get the group homepage, to be able to forward - * the user to this particular PHP page. - */ - getGroupHomePage($group) == "" ? $home = "/index.php" : $home = "/" . getGroupHomePage($group); - - /* okay but if the user realy tries to explicitely access a particular - * page, set $home to that page instead. 
- */ - if (isset($_POST['scriptname']) && $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") { - $home = str_replace('/', '', basename($_POST['scriptname'])); - $pagereq = $home; - } - - // If the user is attempting to hit the default page, set it to specifically look for /index.php. - // Without this, any user would have access to the index page. - if ($_SERVER['SCRIPT_NAME'] == '/') - $_SERVER['SCRIPT_NAME'] = $home; - if ($pagereq == "") +/* + * If the user is attempting to hit the default page, set it to + * specifically look for /index.php. Without this, any user would + * have access to the index page. + */ +if ($_SERVER['SCRIPT_NAME'] == '/') + $_SERVER['SCRIPT_NAME'] = $home; +if ($pagereq == "") $pagereq = str_replace('/', '', basename($_SERVER['SCRIPT_NAME'])); - // Strip the leading / from the currently requested PHP page - if (!in_array($pagereq,$allowed) && !in_array("ANY", $allowed)) { - // The currently logged in user is not allowed to access the page - // they are attempting to go to. Redirect them to an allowed page. - - if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) { - echo "||Access to AJAX has been disallowed for this user."; - exit; - } - - if ($pagereq <> "" && (in_array($pagereq, $allowed) || in_array("ANY", $allowed))) { - pfSenseHeader("{$home}"); - exit; - } else { - header("HTTP/1.0 401 Unauthorized"); - header("Status: 401 Unauthorized"); - - echo display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}"); - exit; - } - } - - if (isset($_SESSION['Logged_In'])) { - /* - * only forward if the user has just logged in - * TODO: session auth based - may be an issue. 
- */ - if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) { - $_SESSION['First_Visit'] = "False"; - pfSenseHeader("{$home}"); - exit; - } - } +/* + * determine if the user is allowed access to the requested page + */ +if (!isAllowedPage($pagereq)) { + + /* + * The currently logged in user is not allowed to access the page + * they are attempting to view. Redirect them to an allowed page. + */ + if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) { + echo "||Access to AJAX has been disallowed for this user."; + exit; + } + + header("HTTP/1.0 401 Unauthorized"); + header("Status: 401 Unauthorized"); + display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}"); + exit; +} + +if (isset($_SESSION['Logged_In'])) { + /* + * only forward if the user has just logged in + * TODO: session auth based - may be an issue. + */ + if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) { + $_SESSION['First_Visit'] = "False"; + pfSenseHeader("{$home}"); + exit; + } } function display_error_form($http_code, $desc) { - global $config, $g; - $g['theme'] = $config['theme']; + global $config, $g; + $g['theme'] = $config['theme']; if(isAjax()) { echo "Error: {$http_code} Description: {$desc}"; return; } ?> + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> - <head> - <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> - <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> - <title>An error occurred: {$http_code}</title> - <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> - <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" /> - <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?> - <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" /> - <?php else: ?> - 
<link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" /> - <?php endif; ?> - <script type="text/javascript"> - <title>An error occurred: {$http_code}</title> - <!-- - function page_load() { - NiftyCheck(); - Rounded("div#login inputerrors","bl br","transparent","#cccccc","smooth"); - Effect.Pulsate('errortext', { duration: 10 }); - } - <?php - require("headjs.php"); - echo getHeadJS(); - ?> - //--> - </script> - <script type="text/javascript" src="/themes/{$g['theme']}/javascript/niftyjsCode.js"></script> - </head> - <body onload="page_load();"> - <div id="errordesc"> - <h1> </h1> - <a href="/"> - <p id="errortext" style="vertical-align: middle; text-align: center;"><span style="color: #000000; font-weight: bold;">{$desc}</span></p> - </div> - </body> + <head> + <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> + <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> + <title><?=$http_code?></title> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> + <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" /> + <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?> + <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" /> + <?php else: ?> + <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" /> + <?php endif; ?> + <script type="text/javascript"> + <!-- + function page_load() {} + function clearError() { + if($('inputerrors')) + $('inputerrors').innerHTML=''; + } + <?php + require("headjs.php"); + echo getHeadJS(); + ?> + //--> + </script> + <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script> + </head> + <body onload="page_load();"> + <div id="errordesc"> + <h1> </h1> + <a href="/"> + <p id="errortext" style="vertical-align: middle; text-align: 
center;"> + <span style="color: #000000; font-weight: bold;"> + <?=$desc;?> + </span> + </p> + </div> + </body> </html> + <?php -} // end function +} // end function function display_login_form() { - require_once("globals.inc"); - global $config, $g; - $g['theme'] = $config['theme']; - - unset($input_errors); - - if(isAjax()) { - if (isset($_POST['login'])) { - if($_SESSION['Logged_In'] <> "True") { - isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason"; - echo "showajaxmessage('Invalid login ({$login_error}).');"; - } - if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) { - // TODO: add the IP from the user who did lock the device - $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock"); - echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');"; - } - } - exit; - } + require_once("globals.inc"); + global $config, $g; + $g['theme'] = $config['theme']; + + unset($input_errors); + + if(isAjax()) { + if (isset($_POST['login'])) { + if($_SESSION['Logged_In'] <> "True") { + isset($_SESSION['Login_Error']) ? 
$login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason"; + echo "showajaxmessage('Invalid login ({$login_error}).');"; + } + if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + // TODO: add the IP from the user who did lock the device + $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock"); + echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');"; + } + } + exit; + } ?> + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> - <head> - <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> - <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> - <title><?=gettext("Login"); ?></title> - <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> - <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" /> - <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?> - <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" /> - <?php else: ?> - <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" /> - <?php endif; ?> - <script type="text/javascript"> - <!-- - function page_load() {} - function clearError() { - if($('inputerrors')) - $('inputerrors').innerHTML=''; - } - <?php - require("headjs.php"); - echo getHeadJS(); - ?> - //--> - </script> - <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script> - </head> - <body onload="page_load()"> - <div id="login"> - <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>"> - <h1> </h1> - <div id="inputerrors"></div> - <p> - <span style="text-align:left"> - <?=gettext("Username"); ?>:<br> - <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" 
name="usernamefld" class="formfld user" tabindex="1" /> - </span> - </p> - <br> - <p> - <span style="text-align:left"> - <?=gettext("Password"); ?>: <br> - <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" /> - </span> - </p> - <br> - <p> - <span style="text-align:center; font-weight: normal ; font-style: italic"><?=gettext("Enter username and password to login."); ?></span> - </p> - <p> - <span style="text-align:center"> - <input type="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" /> - </span> - </P> - </form> - </div> - </body> + <head> + <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> + <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> + <title><?=gettext("Login"); ?></title> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> + <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" /> + <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?> + <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" /> + <?php else: ?> + <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" /> + <?php endif; ?> + <script type="text/javascript"> + <!-- + function page_load() {} + function clearError() { + if($('inputerrors')) + $('inputerrors').innerHTML=''; + } + <?php + require("headjs.php"); + echo getHeadJS(); + ?> + //--> + </script> + <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script> + </head> + <body onload="page_load()"> + <div id="login"> + <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>"> + <h1></h1> + <div id="inputerrors"><?=$_SESSION['Login_Error'];?></div> + <p> + <span style="text-align:left"> + 
<?=gettext("Username"); ?>:<br> + <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" name="usernamefld" class="formfld user" tabindex="1" /> + </span> + </p> + <br> + <p> + <span style="text-align:left"> + <?=gettext("Password"); ?>: <br> + <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" /> + </span> + </p> + <br> + <p> + <span style="text-align:center; font-weight: normal ; font-style: italic"> + <?=gettext("Enter username and password to login."); ?> + </span> + </p> + <p> + <span style="text-align:center"> + <input type="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" /> + </span> + </P> + </form> + </div> + </body> </html> <?php } // end function -?>
\ No newline at end of file +?> |
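Review bot: The page-authorization decision in the new top-level code is still made on a client-supplied name: when `$_POST['scriptname']` is set, `$pagereq = $home;` feeds `isAllowedPage($pagereq)` with the POSTed value instead of the script actually being executed, so the check and the executing page can disagree; the commit reorganizes this logic but does not change that. The request's own script is the only trustworthy basis for the check, so derive it unconditionally, `$pagereq = str_replace('/', '', basename($_SERVER['SCRIPT_NAME']));`, and keep `$home` (and the POSTed name) for the post-login redirect only; that also removes the read of an uninitialized `$pagereq` in `if ($pagereq == "")` when no scriptname was posted. Independently, the 401 branch interpolates `$pagereq` into the description that `display_error_form` prints raw via `<?=$desc;?>` (the `isAjax()` branch echoes it raw too), so a rejected page name is reflected into HTML unescaped; encode it at the output point, `<?=htmlspecialchars($desc, ENT_QUOTES);?>`, and likewise `<?=htmlspecialchars($_SESSION['Login_Error'], ENT_QUOTES);?>` in the login form. Whether `$userindex` is populated by `getAllowedPages()` before the `$home` lookup cannot be seen from this hunk and should be confirmed, since an unset index silently yields the `/index.php` default.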