Merge ssh://source.netsyms.com:2322/Business/BusinessAppTemplate

# Conflicts:
#	.gitignore
#	README.md
#	action.php
#	api.php
#	app.php
#	composer.json
#	composer.lock
#	index.php
#	lang/en_us.php
#	lang/messages.php
#	lib/iputils.php
#	lib/login.php
#	lib/userinfo.php
#	mobile/index.php
#	nbproject/project.properties
#	nbproject/project.xml
#	pages.php
#	pages/404.php
#	pages/home.php
#	required.php
#	settings.template.php
#	static/css/app.css
#	static/img/logo.png
#	static/img/logo.svg
#	static/js/app.js
master
Skylar Ittner 6 år sedan
förälder bf332b7559 35e531a56b
incheckning 99a852787d

2
.gitignore vendored

@ -2,4 +2,4 @@ vendor
settings.php
nbproject/private
*.sync-conflict*
database.mwb.bak
database.mwb.bak

@ -16,4 +16,4 @@ Installing
4. Set the location of the AccountHub API in `settings.php` (see "PORTAL_API") and enter an API key ("PORTAL_KEY")
5. Set the location of the AccountHub home page ("PORTAL_URL")
6. Set the URL of this app ("URL")
7. Run `composer install` (or `composer.phar install`) to install dependency libraries.
7. Run `composer install` (or `composer.phar install`) to install dependency libraries.

@ -256,4 +256,4 @@ switch ($VARS['action']) {
die("Logged out.");
default:
die("Invalid action");
}
}

@ -38,4 +38,4 @@ switch ($VARS['action']) {
default:
header("HTTP/1.1 400 Bad Request");
die("\"400 Bad Request\"");
}
}

@ -18,6 +18,12 @@ if (!is_empty($_GET['page'])) {
$pageid = "404";
}
}
header("Link: <static/css/bootstrap.min.css>; rel=preload; as=style", false);
header("Link: <static/css/material-color/material-color.min.css>; rel=preload; as=style", false);
header("Link: <static/css/app.css>; rel=preload; as=style", false);
header("Link: <static/js/jquery-3.3.1.min.js>; rel=preload; as=script", false);
header("Link: <static/js/bootstrap.min.js>; rel=preload; as=script", false);
?>
<!DOCTYPE html>
<html>
@ -43,6 +49,7 @@ if (!is_empty($_GET['page'])) {
if (isset(PAGES[$pageid]['styles'])) {
foreach (PAGES[$pageid]['styles'] as $style) {
echo "<link href=\"$style\" rel=\"stylesheet\">\n";
header("Link: <$style>; rel=preload; as=style", false);
}
}
?>
@ -169,8 +176,9 @@ END;
if (isset(PAGES[$pageid]['scripts'])) {
foreach (PAGES[$pageid]['scripts'] as $script) {
echo "<script src=\"$script\"></script>\n";
header("Link: <$script>; rel=preload; as=script", false);
}
}
?>
</body>
</html>
</html>

@ -72,6 +72,11 @@ if (checkLoginServer()) {
} else {
$alert = lang("login server unavailable", false);
}
header("Link: <static/css/bootstrap.min.css>; rel=preload; as=style", false);
header("Link: <static/css/material-color/material-color.min.css>; rel=preload; as=style", false);
header("Link: <static/css/index.css>; rel=preload; as=style", false);
header("Link: <static/js/jquery-3.3.1.min.js>; rel=preload; as=script", false);
header("Link: <static/js/bootstrap.min.js>; rel=preload; as=script", false);
?>
<!DOCTYPE html>
<html>
@ -147,4 +152,4 @@ if (checkLoginServer()) {
<script src="static/js/jquery-3.3.1.min.js"></script>
<script src="static/js/bootstrap.min.js"></script>
</body>
</html>
</html>

@ -136,4 +136,4 @@ define("STRINGS", [
"group assignments" => "Group Assignments",
"group id" => "Group ID",
"group name" => "Group Name"
]);
]);

@ -25,7 +25,7 @@ function ip4_in_cidr($ip, $cidr) {
* @param string $ip IP to check in IPV6 format
* @param string $cidr CIDR netmask
* @return boolean true if the IP is in this range, false otherwise.
* @author MW. <https://stackoverflow.com/a/7952169>
* @author MW. <https://stackoverflow.com/a/7952169/2534036>
*/
function ip6_in_cidr($ip, $cidr) {
$address = inet_pton($ip);

@ -40,6 +40,33 @@ function checkLoginServer() {
}
}
/**
* Checks if the given AccountHub API key is valid by attempting to
* access the API with it.
* @param String $key The API key to check
* @return boolean TRUE if the key is valid, FALSE if invalid or something went wrong
*/
function checkAPIKey($key) {
try {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => $key,
'action' => "ping"
]
]);
if ($response->getStatusCode() === 200) {
return true;
}
return false;
} catch (Exception $e) {
return false;
}
}
////////////////////////////////////////////////////////////////////////////////
// Account handling //
////////////////////////////////////////////////////////////////////////////////

@ -124,4 +124,4 @@ function getManagedUIDs($manageruid) {
} else {
return [];
}
}
}

@ -9,6 +9,10 @@
* Mobile app API
*/
// The name of the permission needed to log in.
// Set to null if you don't need it.
$access_permission = "ADMIN";
require __DIR__ . "/../required.php";
require __DIR__ . "/../lib/login.php";
@ -93,9 +97,9 @@ switch ($VARS['action']) {
if (user_exists($VARS['username'])) {
if (get_account_status($VARS['username']) == "NORMAL") {
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
if (account_has_permission($VARS['username'], "ADMIN")) {
if (is_null($access_permission) || account_has_permission($VARS['username'], $access_permission)) {
doLoginUser($VARS['username'], $VARS['password']);
$_SESSION['mobile'] = TRUE;
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"]));
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("no admin permission", false)]));
@ -107,4 +111,4 @@ switch ($VARS['action']) {
default:
http_response_code(404);
die(json_encode(["status" => "ERROR", "msg" => "The requested action is not available."]));
}
}

@ -2,4 +2,4 @@
<div class="col-12 col-sm-6 col-md-4 col-lg-4">
<div class="alert alert-warning"><b><?php lang("404 error");?></b><br /> <?php lang("page not found"); ?></div>
</div>
</div>
</div>

@ -35,4 +35,4 @@ redirectifnotloggedin();
<a href="app.php?page=authlog" class="text-dark"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view security log'); ?></a>
</div>
</div>
</div>
</div>

@ -12,10 +12,12 @@ ob_start(); // allow sending headers after content
// Unicode, solves almost all stupid encoding problems
header('Content-Type: text/html; charset=utf-8');
// l33t $ecurity h4x
// Strip PHP version
header('X-Powered-By: PHP');
// Security
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
header('X-Frame-Options: "DENY"');
header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
$SECURE_NONCE = base64_encode(random_bytes(8));
@ -81,7 +83,7 @@ function sendError($error) {
. "<h1>A fatal application error has occurred.</h1>"
. "<i>(This isn't your fault.)</i>"
. "<h2>Details:</h2>"
. "<p>". htmlspecialchars($error) . "</p>");
. "<p>" . htmlspecialchars($error) . "</p>");
}
date_default_timezone_set(TIMEZONE);

@ -63,4 +63,4 @@ define('LANGUAGE', "en_us");
define("FOOTER_TEXT", "");
define("COPYRIGHT_NAME", "Netsyms Technologies");
define("COPYRIGHT_NAME", "Netsyms Technologies");

@ -65,4 +65,4 @@ body {
.mobile-app-display {
display: none;
}
}

@ -23,4 +23,4 @@ try {
window.history.replaceState("", "", getniceurl());
} catch (ex) {
}
}

Laddar…
Avbryt
Spara