Rewrite/Refactoring

- add a lot of permission checks:
  zone edits were completely unchecked (after login); only list and creation were
  protected.
- reduce regular expression usage
- don't use user provided names/ids/urls for requests; instead use them
  to search for the zone in the list of all zones.
- rename 'label' to 'name' in template records ('name' is used in all
  other places)
- make 'localhost' default $apisid
- add 'soa_edit' default
- remove gen_pw/pwgen caller; use openssl instead for random password
- fix a lot of bugs (editrecord, TXT quoting, name checking, ...)
- improve record sorting

includes/misc.inc.php

@@ -2,6 +2,22 @@
 
 include('config.inc.php');
 
+function string_starts_with($string, $prefix)
+{
+    $length = strlen($prefix);
+    return (substr($string, 0, $length) === $prefix);
+}
+
+function string_ends_with($string, $suffix)
+{
+    $length = strlen($suffix);
+    if ($length == 0) {
+        return true;
+    }
+
+    return (substr($string, -$length) === $suffix);
+}
+
 function get_db() {
     global $authdb;
 
@@ -11,17 +27,11 @@ function get_db() {
     return $db;
 }
 
-function gen_pw() {
-    $password = exec('/usr/bin/pwgen -s -B -c -n 10 -1');
-    return $password;
-}
-
 function get_all_users() {
     $db = get_db();
     $r = $db->query('SELECT id, emailaddress, isadmin FROM users');
     $ret = array();
-    while ($row = $r->fetchArray()) {
-        $row['emailaddress'] = htmlspecialchars($row['emailaddress']);
+    while ($row = $r->fetchArray(SQLITE3_ASSOC)) {
         array_push($ret, $row);
     }
 
@@ -39,6 +49,10 @@ function get_user_info($u) {
     return $userinfo;
 }
 
+function user_exists($u) {
+    return (bool) get_user_info($u);
+}
+
 function do_db_auth($u, $p) {
     $db = get_db();
     $q = $db->prepare('SELECT * FROM users WHERE emailaddress = ?');
@@ -46,40 +60,52 @@ function do_db_auth($u, $p) {
     $result = $q->execute();
     $userinfo = $result->fetchArray(SQLITE3_ASSOC);
     $db->close();
-    if (isset($userinfo['password']) and (crypt($p, $userinfo['password']) == $userinfo['password'])) {
+
+    if ($userinfo and $userinfo['password'] and (crypt($p, $userinfo['password']) === $userinfo['password'])) {
         return TRUE;
     }
 
     return FALSE;
 }
 
-function get_pw($username) {
-    $db = get_db();
-    $q = $db->prepare('SELECT password FROM users WHERE emailaddress = ? LIMIT 1');
-    $q->bindValue(1, $username, SQLITE_TEXT);
-    $result = $q->execute();
-    $pw = $result->fetchArray(SQLITE3_ASSOC);
-    $db->close();
-    if (isset($pw['password'])) {
-        return $pw['password'];
+function add_user($username, $isadmin = FALSE, $password = '') {
+    if (!$password) {
+        $password = bin2hex(openssl_random_pseudo_bytes(32));
     }
-
-    return FALSE;
-}
-
-function add_user($username, $isadmin = '0', $password = FALSE) {
-    if ($password === FALSE or $password == "") {
-        $password = get_pw($username);
-    } elseif (!preg_match('/\$6\$/', $password)) {
+    if (!string_starts_with($password, '$6$')) {
         $salt = bin2hex(openssl_random_pseudo_bytes(16));
         $password = crypt($password, '$6$'.$salt);
     }
 
     $db = get_db();
-    $q = $db->prepare('INSERT OR REPLACE INTO users (emailaddress, password, isadmin) VALUES (?, ?, ?)');
+    $q = $db->prepare('INSERT INTO users (emailaddress, password, isadmin) VALUES (?, ?, ?)');
     $q->bindValue(1, $username, SQLITE3_TEXT);
     $q->bindValue(2, $password, SQLITE3_TEXT);
-    $q->bindValue(3, $isadmin, SQLITE3_INTEGER);
+    $q->bindValue(3, (int)(bool) $isadmin, SQLITE3_INTEGER);
+    $ret = $q->execute();
+    $db->close();
+
+    return $ret;
+}
+
+function update_user($username, $isadmin, $password) {
+    if ($password && !preg_match('/\$6\$/', $password)) {
+        $salt = bin2hex(openssl_random_pseudo_bytes(16));
+        $password = crypt($password, '$6$'.$salt);
+    }
+
+    $db = get_db();
+
+    if ($password) {
+        $q = $db->prepare('UPDATE users SET isadmin = ?, password = ? WHERE emailaddress = ?');
+        $q->bindValue(1, (int)(bool)$isadmin, SQLITE3_INTEGER);
+        $q->bindValue(2, $password, SQLITE3_TEXT);
+        $q->bindValue(3, $username, SQLITE3_TEXT); 
+    } else {
+        $q = $db->prepare('UPDATE users SET isadmin = ? WHERE emailaddress = ?');
+        $q->bindValue(1, (int)(bool)$isadmin, SQLITE3_INTEGER);
+        $q->bindValue(2, $username, SQLITE3_TEXT); 
+    }
     $ret = $q->execute();
     $db->close();
 
@@ -96,6 +122,10 @@ function delete_user($id) {
     return $ret;
 }
 
+function valid_user($name) {
+    return ( bool ) preg_match( "/^[a-z0-9@_.-]+$/i" , $name );
+}
+
 function jtable_respond($records, $method = 'multiple', $msg = 'Undefined errormessage') {
     $jTableResult = array();
     if ($method == 'error') {
@@ -119,13 +149,31 @@ function jtable_respond($records, $method = 'multiple', $msg = 'Undefined errorm
         $jTableResult['RecordCount'] = count($records);
     }
 
+    header('Content-Type: application/json');
     print json_encode($jTableResult);
     exit(0);
 }
 
-function valid_user($name) {
-    return ( bool ) preg_match( "/^[a-z0-9@_.-]+$/i" , $name );
+function user_template_list() {
+    global $templates;
+
+    $templatelist = array();
+    foreach ($templates as $template) {
+        if (is_adminuser()
+            or (isset($template['owner'])
+                and ($template['owner'] == get_sess_user() or $template['owner'] == 'public'))) {
+            array_push($templatelist, $template);
+        }
+    }
+    return $templatelist;
 }
 
+function user_template_names() {
+    $templatenames = array('None' => 'None');
+    foreach (user_template_list() as $template) {
+        $templatenames[$template['name']] = $template['name'];
+    }
+    return $templatenames;
+}
 
 ?>