diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 26f54a8..6c6cbde 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -2,7 +2,7 @@
 include('config.inc.php');
-function _get_db() {
+function get_db() {
 global $authdb;
 $db = new SQLite3($authdb, SQLITE3_OPEN_READWRITE);
@@ -17,7 +17,7 @@ function gen_pw() {
 }
 function get_all_users() {
- $db = _get_db();
+ $db = get_db();
 $r = $db->query('SELECT id, emailaddress, isadmin FROM users');
 $ret = array();
 while ($row = $r->fetchArray()) {
@@ -29,7 +29,7 @@ function get_all_users() {
 }
 function get_pw($username) {
- $db = _get_db();
+ $db = get_db();
 $pw = $db->querySingle("SELECT password FROM users WHERE emailaddress = '".$username."'");
 $db->close();
 return $pw;
@@ -43,7 +43,7 @@ function add_user($username, $isadmin = '0', $password = FALSE) {
 $password = crypt($password, '$6$'.$salt);
 }
- $db = _get_db();
+ $db = get_db();
 $ret = $db->exec("INSERT OR REPLACE INTO users (emailaddress, password, isadmin) VALUES ('".$username."', '".$password."', $isadmin)");
 $db->close();
@@ -51,14 +51,14 @@ function add_user($username, $isadmin = '0', $password = FALSE) {
 }
 function delete_user($id) {
- $db = _get_db();
+ $db = get_db();
 $ret = $db->exec("DELETE FROM users WHERE id = $id");
 $db->close();
 return $ret;
 }
-function _jtable_respond($records, $method = 'multiple', $msg = 'Undefined errormessage') {
+function jtable_respond($records, $method = 'multiple', $msg = 'Undefined errormessage') {
 $jTableResult = array();
 if ($method == 'error') {
 $jTableResult['Result'] = "ERROR";
@@ -81,4 +81,10 @@ function _jtable_respond($records, $method = 'multiple', $msg = 'Undefined error
 print json_encode($jTableResult);
 exit(0);
 }
+
+function valid_user($name) {
+ return ( bool ) preg_match( "/^[a-z0-9@_.-]+$/i" , $name );
+}
+
+
 ?>
diff --git a/includes/session.inc.php b/includes/session.inc.php
index 784e3b1..d28f8a8 100644
--- a/includes/session.inc.php
+++ b/includes/session.inc.php
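Review bot: The `$` anchor in `"/^[a-z0-9@_.-]+$/i"` matches before a trailing newline, so a name ending in a newline passes valid_user and reaches the string-built SQL in get_pw and add_user unchanged; anchor with `\z` instead: `return (bool) preg_match('/^[a-z0-9@_.-]+\z/i', $name);`. Because this allowlist is the only thing keeping quote characters out of those concatenated queries, it deserves a docblock saying so, e.g. `/** Allowlist for usernames. Callers concatenate the value into SQL, so do not loosen it without moving those queries to prepared statements. */`. The two blank lines added before `?>` are noise, and the closing tag itself can be dropped in a PHP-only include.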
@@ -40,7 +40,10 @@ function logout() {
 function try_login() {
 if (isset($_POST['username']) and isset($_POST['password'])) {
- $db = _get_db();
+ if (valid_user($_POST['username']) === FALSE) {
+ return FALSE;
+ }
+ $db = get_db();
 $userinfo = $db->querySingle("SELECT * FROM users WHERE emailaddress = '".$_POST['username']."'", 1);
 if (isset($userinfo['password']) and (crypt($_POST['password'], $userinfo['password']) == $userinfo['password'])) {
 set_logged_in($_POST['username']);
diff --git a/users.php b/users.php
index 97c1877..aae00b3 100644
--- a/users.php
+++ b/users.php
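Review bot: The guard added here keeps quote characters out of `$_POST['username']`, but the query on the next context line still concatenates it into the SQL, so login safety now rests entirely on one regex; bind the value instead: `$stmt = $db->prepare('SELECT * FROM users WHERE emailaddress = :u'); $stmt->bindValue(':u', $_POST['username'], SQLITE3_TEXT); $userinfo = $stmt->execute()->fetchArray(SQLITE3_ASSOC);`. The password check `crypt(...) == $userinfo['password']` is a loose, non-constant-time comparison; `hash_equals($userinfo['password'], crypt($_POST['password'], $userinfo['password']))` addresses both. The rest of try_login lies outside the hunk.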
@@ -8,36 +8,35 @@ if (!is_logged_in()) {
 header("Location: index.php");
 }
+if (!is_adminuser()) {
+ jtable_respond(null, 'error', "You need adminprivileges to get here");
+}
+
 if (isset($_GET['action'])) {
 $action = $_GET['action'];
 } else {
- _jtable_respond(null, 'error', 'No action given');
+ jtable_respond(null, 'error', 'No action given');
 }
-function _valid_user($name) {
- return ( bool ) preg_match( "/^[a-z0-9@_.-]+$/i" , $name );
-}
-
-
 if ($action == "list") {
 $users = get_all_users();
- _jtable_respond($users);
+ jtable_respond($users);
 } elseif ($action == "create" or $action == "update") {
- if (_valid_user($_POST['emailaddress']) === FALSE) {
- _jtable_respond(null, 'error', "Please only use ^[a-z0-9@_.-]+$ for usernames");
+ if (valid_user($_POST['emailaddress']) === FALSE) {
+ jtable_respond(null, 'error', "Please only use ^[a-z0-9@_.-]+$ for usernames");
 }
 $isadmin = $_POST['isadmin'] ? $_POST['isadmin'] : '0';
 if (add_user($_POST['emailaddress'], $isadmin, $_POST['password']) === TRUE) {
 unset($_POST['password']);
- _jtable_respond($_POST, 'single');
+ jtable_respond($_POST, 'single');
 } else {
- _jtable_respond(null, 'error', 'Could not add/change this user');
+ jtable_respond(null, 'error', 'Could not add/change this user');
 }
 } elseif ($action == "delete") {
 if (delete_user($_POST['id']) === TRUE) {
- _jtable_respond(null, 'delete');
+ jtable_respond(null, 'delete');
 } else {
- _jtable_respond(null, 'error', 'Could not delete this user');
+ jtable_respond(null, 'error', 'Could not delete this user');
 }
 }
diff --git a/zones.php b/zones.php
index ba63129..d25222b 100644
--- a/zones.php
+++ b/zones.php
@@ -35,7 +35,7 @@ function _do_curl($method, $opts = null, $type = 'post') {
 $return = curl_exec($ch);
 $json = json_decode($return, 1);
 if (isset($json['error'])) {
- _jtable_respond(null, 'error', 'API Responds: '.$json['error']);
+ jtable_respond(null, 'error', 'API Responds: '.$json['error']);
 } else {
 return $return;
 }
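Review bot: The `header("Location: index.php");` on the hunk's first context line is not followed by an `exit`, so a request with no session keeps executing the rest of users.php; the new `is_adminuser()` check only stops it because jtable_respond ends in `exit(0)` (visible in the misc.inc.php hunk), which is an implicit dependency worth removing. Make the redirect terminal: `header("Location: index.php"); exit;`. Separately, `$isadmin = $_POST['isadmin'] ? $_POST['isadmin'] : '0';` forwards the raw POST value to add_user, where it is interpolated unquoted into the INSERT; normalising it here, e.g. `$isadmin = !empty($_POST['isadmin']) ? '1' : '0';`, closes that gap without touching the query.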
@@ -51,10 +51,10 @@ function _create_record($name, $records, $input, $zoneurl) {
 $content = ($input['type'] == "TXT") ? '"'.$input['content'].'"' : $input['content'];
 if (_valid_label($input['name']) === FALSE) {
- _jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
+ jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
 }
 if (is_ascii($content) === FALSE or is_ascii($input['name']) === FALSE) {
- _jtable_respond(null, 'error', "Please only use ASCII-characters in your fields");
+ jtable_respond(null, 'error', "Please only use ASCII-characters in your fields");
 }
 if (preg_match('/^TXT$/', $input['type'])) {
@@ -111,13 +111,22 @@ function zonesort($a, $b) {
 }
 function add_db_zone($zone, $owner) {
- $db = _get_db();
+ if (valid_user($owner) === FALSE) {
+ jtable_respond(null, 'error', "$owner is not a valid username");
+ }
+ if (_valid_label($zone) === FALSE) {
+ jtable_respond(null, 'error', "$zone is not a valid zonename");
+ }
+ $db = get_db();
 $zoneinfo = $db->querySingle("INSERT OR REPLACE INTO zones (zone, owner) VALUES ('".$zone."', (SELECT id FROM users WHERE emailaddress = '".$owner."'))");
 $db->close();
 }
 function get_zone_owner($zone) {
- $db = _get_db();
+ if (_valid_label($zone) === FALSE) {
+ jtable_respond(null, 'error', "$zone is not a valid zonename");
+ }
+ $db = get_db();
 $zoneinfo = $db->querySingle("SELECT u.emailaddress FROM users u, zones z WHERE z.owner = u.id AND z.zone = '".$zone."'", 1);
 $db->close();
 if (isset($zoneinfo['emailaddress']) && $zoneinfo['emailaddress'] != NULL ) {
@@ -160,7 +169,7 @@ function check_owner($zone) {
 if (isset($_GET['action'])) {
 $action = $_GET['action'];
 } else {
- _jtable_respond(null, 'error', 'No action given');
+ jtable_respond(null, 'error', 'No action given');
 }
 if ($action == "list" or $action== "listslaves") {
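Review bot: add_db_zone still builds the INSERT by concatenating `$zone` and `$owner`, so the new valid_user/_valid_label guards only protect it as long as those allowlists keep excluding quote characters; the values should be bound. It also issues a write through `querySingle` and discards the result, so a failed insert is invisible to the `update` action that calls it in the last zones.php hunk. get_zone_owner in the same hunk has the same concatenation and should use the same `prepare`/`bindValue` shape. The rewritten body of add_db_zone follows; the two guards stay as added.
```php
function add_db_zone($zone, $owner) {
    // … unchanged: valid_user / _valid_label guards …
    $db = get_db();
    // Bind both values so the allowlists above are no longer the only barrier between $_POST and the query.
    $stmt = $db->prepare('INSERT OR REPLACE INTO zones (zone, owner) VALUES (:zone, (SELECT id FROM users WHERE emailaddress = :owner))');
    $ok = false;
    if ($stmt !== false) {
        $stmt->bindValue(':zone', $zone, SQLITE3_TEXT);
        $stmt->bindValue(':owner', $owner, SQLITE3_TEXT);
        // execute() returns false on failure; surface it instead of dropping it.
        $ok = $stmt->execute() !== false;
    }
    $db->close();
    return $ok;
}
```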
@@ -182,13 +191,13 @@ if ($action == "list" or $action== "listslaves") {
 }
 }
 usort($return, "zonesort");
- _jtable_respond($return);
+ jtable_respond($return);
 } elseif ($action == "create") {
 if (_valid_label($_POST['name']) === FALSE) {
- _jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
+ jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
 }
 if (is_ascii($_POST['name']) === FALSE) {
- _jtable_respond(null, 'error', "Please only use ASCII-characters in your domainname");
+ jtable_respond(null, 'error', "Please only use ASCII-characters in your domainname");
 }
 if ($_POST['kind'] != null and $_POST['name'] != null) {
 $nameservers = array();
@@ -199,7 +208,7 @@ if ($action == "list" or $action== "listslaves") {
 array_push($nameservers, $_POST['nameserver2']);
 }
 } else {
- _jtable_respond(null, 'error', "Not enough data: ".print_r($_POST, 1));
+ jtable_respond(null, 'error', "Not enough data: ".print_r($_POST, 1));
 }
 $vars['soa_edit_api'] = $defaults['soa_edit_api'];
 }
@@ -231,9 +240,9 @@ if ($action == "list" or $action== "listslaves") {
 $vars = $_POST;
 $vars['serial'] = 0;
 $vars['records'] = array();
- _jtable_respond($vars, 'single');
+ jtable_respond($vars, 'single');
 } else {
- _jtable_respond(null, 'error', "Not enough data: ".print_r($_POST, 1));
+ jtable_respond(null, 'error', "Not enough data: ".print_r($_POST, 1));
 }
 } elseif ($action == "listrecords" && $_GET['zoneurl'] != null) {
 $rows = json_decode(_do_curl($_GET['zoneurl']), 1);
@@ -254,10 +263,10 @@ if ($action == "list" or $action== "listslaves") {
 }
 $ret = array_merge($soa, $ns, $mx, $any);
- _jtable_respond($ret);
+ jtable_respond($ret);
 } elseif ($action == "delete") {
 _do_curl("/servers/:serverid:/zones/".$_POST['id'], array(), 'delete');
- _jtable_respond(null, 'delete');
+ jtable_respond(null, 'delete');
 } elseif ($action == "createrecord" or $action == "editrecord") {
 $name = (!preg_match("/\.".$_POST['domain']."\.?$/", $_POST['name'])) ? $_POST['name'].'.'.$_POST['domain'] : $_POST['name'];
 $name = preg_replace("/\.$/", "", $name);
@@ -268,7 +277,7 @@ if ($action == "list" or $action== "listslaves") {
 }
 $records =_create_record($name, $records, $_POST, $_GET['zoneurl']);
- _jtable_respond($records[sizeof($records)-1], 'single');
+ jtable_respond($records[sizeof($records)-1], 'single');
 } elseif ($action == "deleterecord") {
 $todel = json_decode($_POST['id'], 1);
 $records = getrecords_by_name_type($_GET['zoneurl'], $todel['name'], $todel['type']);
@@ -294,11 +303,11 @@ if ($action == "list" or $action== "listslaves") {
 'type' => $todel['type'], 'name' => $todel['name']));
 _do_curl($_GET['zoneurl'], $patch, 'patch');
- _jtable_respond(null, 'delete');
+ jtable_respond(null, 'delete');
 } elseif ($action == "update") {
 add_db_zone($_POST['name'], $_POST['owner']);
- _jtable_respond($_POST, 'single');
+ jtable_respond($_POST, 'single');
 } else {
- _jtable_respond(null, 'error', 'No such action');
+ jtable_respond(null, 'error', 'No such action');
 }
 ?>