Browse Source

Merge ../BusinessAppTemplate

# Conflicts:
#	README.md
#	langs/en/titles.json
#	pages.php
#	required.php
#	settings.template.php
master
Skylar Ittner 7 months ago
parent
commit
063c8398a9

+ 3
- 15
LICENSE.md View File

@@ -1,19 +1,7 @@
Copyright (c) 2018 Netsyms Technologies.
Copyright (c) 2017-2019 Netsyms Technologies. Some rights reserved.

If you modify and redistribute this project, you must replace the branding
assets with your own.

The branding assets include:
* the application icon
* the Netsyms N punchcard logo
* the Netsyms for Business graph logo

If you are unsure if your usage is allowed, please contact us:
https://netsyms.com/contact
legal@netsyms.com

All other portions of this application,
unless otherwise noted (in comments, headers, etc), are licensed as follows:
Licensed under the Mozilla Public License Version 2.0. Files without MPL header
comments, including third party code, may be under a different license.

Mozilla Public License Version 2.0
==================================

+ 1
- 1
README.md View File

@@ -39,4 +39,4 @@ Installing
8. Set the URL of this app ("URL")
9. Copy webroot.htaccess to your webroot and adjust paths if needed
10. Run `composer install` (or `composer.phar install`) to install dependency libraries
11. Run `git submodule init` and `git submodule update` to install other dependencies via git.
11. Run `git submodule init` and `git submodule update` to install other dependencies via git.

+ 14
- 14
action.php View File

@@ -22,11 +22,11 @@ if ($VARS['action'] !== "signout") {
*/
function returnToSender($msg, $arg = "") {
global $VARS;
if ($arg == "") {
header("Location: app.php?page=" . urlencode($VARS['source']) . "&msg=" . $msg);
} else {
header("Location: app.php?page=" . urlencode($VARS['source']) . "&msg=$msg&arg=$arg");
$header = "Location: app.php?page=" . urlencode($VARS['source']) . "&msg=$msg";
if ($arg != "") {
$header .= "&arg=$arg";
}
header($header);
die();
}

@@ -242,8 +242,8 @@ switch ($VARS['action']) {
if (!$user->hasPermission("SITEWRITER") && !$user->hasPermission("SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$destpath = FILE_UPLOAD_PATH . $VARS['path'];
if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
$destpath = $SETTINGS["file_upload_path"] . $VARS['path'];
if (strpos(realpath($destpath), $SETTINGS["file_upload_path"]) !== 0) {
returnToSender("file_security_error");
}
if (!file_exists($destpath) || !is_dir($destpath)) {
@@ -315,7 +315,7 @@ switch ($VARS['action']) {
returnToSender("no_permission");
}
$foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
$newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
$newfolder = $SETTINGS["file_upload_path"] . $VARS['path'] . '/' . $foldername;

if (mkdir($newfolder, 0755)) {
returnToSender("folder_created", "&path=" . $VARS['path']);
@@ -326,15 +326,15 @@ switch ($VARS['action']) {
if (!$user->hasPermission("SITEWRITER") && !$user->hasPermission("SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$file = FILE_UPLOAD_PATH . $VARS['file'];
if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
$file = $SETTINGS["file_upload_path"] . $VARS['file'];
if (strpos(realpath($file), $SETTINGS["file_upload_path"]) !== 0) {
returnToSender("file_security_error");
}
if (!file_exists($file)) {
// Either way the file is gone
returnToSender("file_deleted");
}
if (!is_writable($file) || realpath($file) == realpath(FILE_UPLOAD_PATH)) {
if (!is_writable($file) || realpath($file) == realpath($SETTINGS["file_upload_path"])) {
returnToSender("undeletable_file");
}
if (is_dir($file)) {
@@ -350,9 +350,9 @@ switch ($VARS['action']) {
break;
case "unsplash_download":
Crew\Unsplash\HttpClient::init([
'applicationId' => UNSPLASH_ACCESSKEY,
'secret' => UNSPLASH_SECRETKEY,
'utmSource' => UNSPLASH_UTMSOURCE
'applicationId' => $SETTINGS["unsplash"]["accesskey"],
'secret' => $SETTINGS["unsplash"]["secretkey"],
'utmSource' => $SETTINGS["unsplash"]["utmsource"]
]);
Crew\Unsplash\Photo::find($VARS['imageid'])->download();
header('Content-Type: application/json');
@@ -360,6 +360,6 @@ switch ($VARS['action']) {
break;
case "signout":
session_destroy();
header('Location: index.php');
header('Location: index.php?logout=1');
die("Logged out.");
}

+ 2
- 31
api.php View File

@@ -4,35 +4,6 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/**
* Simple JSON API to allow other apps to access data from this app.
*
* Requests can be sent via either GET or POST requests. POST is recommended
* as it has a lower chance of being logged on the server, exposing unencrypted
* user passwords.
*/
require __DIR__ . '/required.php';
header("Content-Type: application/json");

$username = $VARS['username'];
$password = $VARS['password'];
$user = User::byUsername($username);
if ($user->exists() !== true || Login::auth($username, $password) !== Login::LOGIN_OK) {
header("HTTP/1.1 403 Unauthorized");
die("\"403 Unauthorized\"");
}

// query max results
$max = 20;
if (preg_match("/^[0-9]+$/", $VARS['max']) === 1 && $VARS['max'] <= 1000) {
$max = (int) $VARS['max'];
}

switch ($VARS['action']) {
case "ping":
$out = ["status" => "OK", "maxresults" => $max, "pong" => true];
exit(json_encode($out));
default:
header("HTTP/1.1 400 Bad Request");
die("\"400 Bad Request\"");
}
// Load in new API from legacy location (a.k.a. here)
require __DIR__ . "/api/index.php";

+ 5
- 0
api/.htaccess View File

@@ -0,0 +1,5 @@
# Rewrite for Nextcloud Notes API
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ([a-zA-Z0-9]+) index.php?action=$1 [PT]
</IfModule>

+ 9
- 0
api/actions/ping.php View File

@@ -0,0 +1,9 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

sendJsonResp();

+ 15
- 0
api/apisettings.php View File

@@ -0,0 +1,15 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

$APIS = [
"ping" => [
"load" => "ping.php",
"vars" => [
]
]
];

+ 149
- 0
api/functions.php View File

@@ -0,0 +1,149 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

/**
* Build and send a simple JSON response.
* @param string $msg A message
* @param string $status "OK" or "ERROR"
* @param array $data More JSON data
*/
function sendJsonResp(string $msg = null, string $status = "OK", array $data = null) {
$resp = [];
if (!is_null($data)) {
$resp = $data;
}
if (!is_null($msg)) {
$resp["msg"] = $msg;
}
$resp["status"] = $status;
header("Content-Type: application/json");
exit(json_encode($resp));
}

function exitWithJson(array $json) {
header("Content-Type: application/json");
exit(json_encode($json));
}

/**
* Get the API key with most of the characters replaced with *s.
* @global string $key
* @return string
*/
function getCensoredKey() {
global $key;
$resp = $key;
if (strlen($key) > 5) {
for ($i = 2; $i < strlen($key) - 2; $i++) {
$resp[$i] = "*";
}
}
return $resp;
}

/**
* Check if the request is allowed
* @global array $VARS
* @return bool true if the request should continue, false if the request is bad
*/
function authenticate(): bool {
global $VARS, $SETTINGS;
// HTTP basic auth
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
} else if (!empty($VARS['username']) && !empty($VARS['password'])) {
$username = $VARS['username'];
$password = $VARS['password'];
} else {
return false;
}
$user = User::byUsername($username);
if (!$user->exists()) {
return false;
}
if ($user->checkPassword($password, true)) {
// Check that the user has permission to access the app
$perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
foreach ($perms as $perm) {
if (!$user->hasPermission($perm)) {
return false;
}
}
return true;
}
return false;
}

/**
* Get the User whose credentials were used to make the request.
*/
function getRequestUser(): User {
global $VARS;
if (!empty($_SERVER['PHP_AUTH_USER'])) {
return User::byUsername($_SERVER['PHP_AUTH_USER']);
} else {
return User::byUsername($VARS['username']);
}
}

function checkVars($vars, $or = false) {
global $VARS;
$ok = [];
foreach ($vars as $key => $val) {
if (strpos($key, "OR") === 0) {
checkVars($vars[$key], true);
continue;
}

// Only check type of optional variables if they're set, and don't
// mark them as bad if they're not set
if (strpos($key, " (optional)") !== false) {
$key = str_replace(" (optional)", "", $key);
if (empty($VARS[$key])) {
continue;
}
} else {
if (empty($VARS[$key])) {
$ok[$key] = false;
continue;
}
}

if (strpos($val, "/") === 0) {
// regex
$ok[$key] = preg_match($val, $VARS[$key]) === 1;
} else {
$checkmethod = "is_$val";
$ok[$key] = !($checkmethod($VARS[$key]) !== true);
}
}
if ($or) {
$success = false;
$bad = "";
foreach ($ok as $k => $v) {
if ($v) {
$success = true;
break;
} else {
$bad = $k;
}
}
if (!$success) {
http_response_code(400);
die("400 Bad request: variable $bad is missing or invalid");
}
} else {
foreach ($ok as $key => $bool) {
if (!$bool) {
http_response_code(400);
die("400 Bad request: variable $key is missing or invalid");
}
}
}
}

+ 81
- 0
api/index.php View File

@@ -0,0 +1,81 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

require __DIR__ . '/../required.php';
require __DIR__ . '/functions.php';
require __DIR__ . '/apisettings.php';

header("Access-Control-Allow-Origin: *");

$VARS = $_GET;
if ($_SERVER['REQUEST_METHOD'] != "GET") {
$VARS = array_merge($VARS, $_POST);
}

$requestbody = file_get_contents('php://input');
$requestjson = json_decode($requestbody, TRUE);
if (json_last_error() == JSON_ERROR_NONE) {
$VARS = array_merge($VARS, $requestjson);
}

// If we're not using the old api.php file, allow more flexible requests
if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) {
$route = explode("/", substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], "api/") + 4));

if (count($route) >= 1) {
$VARS["action"] = $route[0];
}
if (count($route) >= 2 && strpos($route[1], "?") !== 0) {
for ($i = 1; $i < count($route); $i++) {
if (empty($route[$i]) || strpos($route[$i], "=") === false) {
continue;
}
$key = explode("=", $route[$i], 2)[0];
$val = explode("=", $route[$i], 2)[1];
$VARS[$key] = $val;
}
}

if (strpos($route[count($route) - 1], "?") === 0) {
$morevars = explode("&", substr($route[count($route) - 1], 1));
foreach ($morevars as $var) {
$key = explode("=", $var, 2)[0];
$val = explode("=", $var, 2)[1];
$VARS[$key] = $val;
}
}
}

if (!authenticate()) {
header('WWW-Authenticate: Basic realm="' . $SETTINGS['site_title'] . '"');
header('HTTP/1.1 401 Unauthorized');
die("401 Unauthorized: you need to supply valid credentials.");
}

if (empty($VARS['action'])) {
http_response_code(404);
die("404 No action specified");
}

if (!isset($APIS[$VARS['action']])) {
http_response_code(404);
die("404 Action not defined");
}

$APIACTION = $APIS[$VARS["action"]];

if (!file_exists(__DIR__ . "/actions/" . $APIACTION["load"])) {
http_response_code(404);
die("404 Action not found");
}

if (!empty($APIACTION["vars"])) {
checkVars($APIACTION["vars"]);
}

require_once __DIR__ . "/actions/" . $APIACTION["load"];

+ 5
- 5
app.php View File

@@ -39,7 +39,7 @@ header("Link: <static/js/bootstrap.bundle.min.js>; rel=preload; as=script", fals
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title><?php echo SITE_TITLE; ?></title>
<title><?php echo $SETTINGS['site_title']; ?></title>

<link rel="icon" href="static/img/logo.svg">

@@ -127,7 +127,7 @@ END;
</button>
<a class="navbar-brand py-0 mr-auto" href="app.php">
<img src="static/img/logo.svg" alt="" class="d-none d-<?php echo $navbar_breakpoint; ?>-inline brand-img py-0" />
<?php echo SITE_TITLE; ?>
<?php echo $SETTINGS['site_title']; ?>
</a>

<div class="collapse navbar-collapse py-0" id="navbar-collapse">
@@ -163,7 +163,7 @@ END;
</div>
<div class="navbar-nav ml-auto py-0" id="navbar-right">
<span class="nav-item py-<?php echo $navbar_breakpoint; ?>-0">
<a class="nav-link py-<?php echo $navbar_breakpoint; ?>-0" href="<?php echo PORTAL_URL; ?>">
<a class="nav-link py-<?php echo $navbar_breakpoint; ?>-0" href="<?php echo $SETTINGS['accounthub']['home']; ?>">
<i class="fas fa-user fa-fw"></i><span>&nbsp;<?php echo $_SESSION['realname'] ?></span>
</a>
</span>
@@ -183,8 +183,8 @@ END;
?>
</div>
<div class="footer">
<?php echo FOOTER_TEXT; ?><br />
Copyright &copy; <?php echo date('Y'); ?> <?php echo COPYRIGHT_NAME; ?>
<?php echo $SETTINGS['footer_text']; ?><br />
Copyright &copy; <?php echo date('Y'); ?> <?php echo $SETTINGS['copyright']; ?>
</div>
</div>
<script src="static/js/jquery-3.3.1.min.js"></script>

+ 111
- 155
index.php View File

@@ -1,175 +1,131 @@
<?php
/* This Source Code Form is subject to the terms of the Mozilla Public
/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

require_once __DIR__ . "/required.php";

// if we're logged in, we don't need to be here.
if (!empty($_SESSION['loggedin']) && $_SESSION['loggedin'] === true && !isset($_GET['permissionerror'])) {
header('Location: app.php');
die();
}

if (isset($_GET['permissionerror'])) {
$alert = $Strings->get("no access permission", false);
/**
* Show a simple HTML page with a line of text and a button. Matches the UI of
* the AccountHub login flow.
*
* @global type $SETTINGS
* @global type $SECURE_NONCE
* @global type $Strings
* @param string $title Text to show, passed through i18n
* @param string $button Button text, passed through i18n
* @param string $url URL for the button
*/
function showHTML(string $title, string $button, string $url) {
global $SETTINGS, $SECURE_NONCE, $Strings;
?>
<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title><?php echo $SETTINGS['site_title']; ?></title>

<link rel="icon" href="static/img/logo.svg">

<link href="static/css/bootstrap.min.css" rel="stylesheet">
<style nonce="<?php echo $SECURE_NONCE; ?>">
.display-5 {
font-size: 2.5rem;
font-weight: 300;
line-height: 1.2;
}

.banner-image {
max-height: 100px;
margin: 2em auto;
border: 1px solid grey;
border-radius: 15%;
}
</style>

<div class="container mt-4">
<div class="row justify-content-center">
<div class="col-12 text-center">
<img class="banner-image" src="./static/img/logo.svg" />
</div>

<div class="col-12 text-center">
<h1 class="display-5 mb-4"><?php $Strings->get($title); ?></h1>
</div>

<div class="col-12 col-sm-8 col-lg-6">
<div class="card mt-4">
<div class="card-body">
<a href="<?php echo $url; ?>" class="btn btn-primary btn-block"><?php $Strings->get($button); ?></a>
</div>
</div>
</div>
</div>
</div>
<?php
}

/* Authenticate user */
$userpass_ok = false;
$multiauth = false;
if (Login::checkLoginServer()) {
if (empty($VARS['progress'])) {
// Easy way to remove "undefined" warnings.
} else if ($VARS['progress'] == "1") {
if (!CAPTCHA_ENABLED || (CAPTCHA_ENABLED && Login::verifyCaptcha($VARS['captcheck_session_code'], $VARS['captcheck_selected_answer'], CAPTCHA_SERVER . "/api.php"))) {
$autherror = "";
$user = User::byUsername($VARS['username']);
if ($user->exists()) {
$status = $user->getStatus()->getString();
switch ($status) {
case "LOCKED_OR_DISABLED":
$alert = $Strings->get("account locked", false);
break;
case "TERMINATED":
$alert = $Strings->get("account terminated", false);
break;
case "CHANGE_PASSWORD":
$alert = $Strings->get("password expired", false);
break;
case "NORMAL":
$username_ok = true;
break;
case "ALERT_ON_ACCESS":
$mail_resp = $user->sendAlertEmail();
if (DEBUG) {
var_dump($mail_resp);
}
$username_ok = true;
break;
default:
if (!empty($error)) {
$alert = $error;
} else {
$alert = $Strings->get("login error", false);
}
break;
}
if ($username_ok) {
if ($user->checkPassword($VARS['password'])) {
$_SESSION['passok'] = true; // stop logins using only username and authcode
if ($user->has2fa()) {
$multiauth = true;
} else {
Session::start($user);
header('Location: app.php');
die("Logged in, go to app.php");
}
} else {
$alert = $Strings->get("login incorrect", false);
}
if (!empty($_GET['logout'])) {
showHTML("You have been logged out.", "Log in again", "./index.php");
die();
}
if (empty($_SESSION["login_code"])) {
$redirecttologin = true;
} else {
try {
$uidinfo = AccountHubApi::get("checkloginkey", ["code" => $_SESSION["login_code"]]);
if ($uidinfo["status"] == "ERROR") {
throw new Exception();
}
if (is_numeric($uidinfo['uid'])) {
$user = new User($uidinfo['uid'] * 1);
foreach ($SETTINGS['permissions'] as $perm) {
if (!$user->hasPermission($perm)) {
showHTML("no access permission", "sign out", "./action.php?action=signout");
die();
}
} else { // User does not exist anywhere
$alert = $Strings->get("login incorrect", false);
}
} else {
$alert = $Strings->get("captcha error", false);
}
} else if ($VARS['progress'] == "2") {
$user = User::byUsername($VARS['username']);
if ($_SESSION['passok'] !== true) {
// stop logins using only username and authcode
sendError("Password integrity check failed!");
}
if ($user->check2fa($VARS['authcode'])) {
Session::start($user);
$_SESSION["login_code"] = null;
header('Location: app.php');
die("Logged in, go to app.php");
showHTML("Logged in", "Continue", "./app.php");
die();
} else {
$alert = $Strings->get("2fa incorrect", false);
throw new Exception();
}
} catch (Exception $ex) {
$redirecttologin = true;
}
} else {
$alert = $Strings->get("login server unavailable", false);
}
header("Link: <static/fonts/Roboto.css>; rel=preload; as=style", false);
header("Link: <static/css/bootstrap.min.css>; rel=preload; as=style", false);
header("Link: <static/css/material-color/material-color.min.css>; rel=preload; as=style", false);
header("Link: <static/css/index.css>; rel=preload; as=style", false);
header("Link: <static/js/jquery-3.3.1.min.js>; rel=preload; as=script", false);
header("Link: <static/js/bootstrap.bundle.min.js>; rel=preload; as=script", false);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title><?php echo SITE_TITLE; ?></title>

<link rel="icon" href="static/img/logo.svg">

<link href="static/css/bootstrap.min.css" rel="stylesheet">
<link href="static/css/material-color/material-color.min.css" rel="stylesheet">
<link href="static/css/index.css" rel="stylesheet">
<?php if (CAPTCHA_ENABLED) { ?>
<script src="<?php echo CAPTCHA_SERVER ?>/captcheck.dist.js"></script>
<?php } ?>
</head>
<body>
<div class="row justify-content-center">
<div class="col-auto">
<img class="banner-image" src="static/img/logo.svg" />
</div>
</div>
<div class="row justify-content-center">
<div class="card col-11 col-xs-11 col-sm-8 col-md-6 col-lg-4">
<div class="card-body">
<h5 class="card-title"><?php $Strings->get("sign in"); ?></h5>
<form action="" method="POST">
<?php
if (!empty($alert)) {
?>
<div class="alert alert-danger">
<i class="fa fa-fw fa-exclamation-triangle"></i> <?php echo $alert; ?>
</div>
<?php
}

if ($multiauth != true) {
?>
<input type="text" class="form-control" name="username" placeholder="<?php $Strings->get("username"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php $Strings->get("password"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<?php if (CAPTCHA_ENABLED) { ?>
<div class="captcheck_container" data-stylenonce="<?php echo $SECURE_NONCE; ?>"></div>
<br />
<?php } ?>
<input type="hidden" name="progress" value="1" />
<?php
} else if ($multiauth) {
?>
<div class="alert alert-info">
<?php $Strings->get("2fa prompt"); ?>
</div>
<input type="text" class="form-control" name="authcode" placeholder="<?php $Strings->get("authcode"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="hidden" name="progress" value="2" />
<input type="hidden" name="username" value="<?php echo $VARS['username']; ?>" />
<?php
}
?>
<button type="submit" class="btn btn-primary">
<?php $Strings->get("continue"); ?>
</button>
</form>
</div>
</div>
</div>
<div class="footer">
<?php echo FOOTER_TEXT; ?><br />
Copyright &copy; <?php echo date('Y'); ?> <?php echo COPYRIGHT_NAME; ?>
</div>
</div>
<script src="static/js/jquery-3.3.1.min.js"></script>
<script src="static/js/bootstrap.bundle.min.js"></script>
</body>
</html>

if ($redirecttologin) {
try {
$urlbase = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'] . (($_SERVER['SERVER_PORT'] != 80 && $_SERVER['SERVER_PORT'] != 443) ? ":" . $_SERVER['SERVER_PORT'] : "");
$iconurl = $urlbase . str_replace("index.php", "", $_SERVER["REQUEST_URI"]) . "static/img/logo.svg";
$codedata = AccountHubApi::get("getloginkey", ["appname" => $SETTINGS["site_title"], "appicon" => $iconurl]);

if ($codedata['status'] != "OK") {
throw new Exception($Strings->get("login server unavailable", false));
}

$redirecturl = $urlbase . $_SERVER['REQUEST_URI'];

$_SESSION["login_code"] = $codedata["code"];

$locationurl = $codedata["loginurl"] . "?code=" . htmlentities($codedata["code"]) . "&redirect=" . htmlentities($redirecturl);
header("Location: $locationurl");
showHTML("Continue", "Continue", $locationurl);
die();
} catch (Exception $ex) {
sendError($ex->getMessage());
}
}

+ 1
- 20
langs/en/core.json View File

@@ -1,26 +1,7 @@
{
"sign in": "Sign In",
"username": "Username",
"password": "Password",
"continue": "Continue",
"authcode": "Authentication code",
"2fa prompt": "Enter the six-digit code from your mobile authenticator app.",
"2fa incorrect": "Authentication code incorrect.",
"login incorrect": "Login incorrect.",
"login server unavailable": "Login server unavailable. Try again later or contact technical support.",
"account locked": "This account has been disabled. Contact technical support.",
"password expired": "You must change your password before continuing.",
"account terminated": "Account terminated. Access denied.",
"account state error": "Your account state is not stable. Log out, restart your browser, and try again.",
"welcome user": "Welcome, {user}!",
"sign out": "Sign out",
"settings": "Settings",
"options": "Options",
"404 error": "404 Error",
"page not found": "Page not found.",
"invalid parameters": "Invalid request parameters.",
"login server error": "The login server returned an error: {arg}",
"login server user data error": "The login server refused to provide account information. Try again or contact technical support.",
"captcha error": "There was a problem with the CAPTCHA (robot test). Try again.",
"no access permission": "You do not have permission to access this system."
"login server error": "The login server returned an error: {arg}"
}

+ 8
- 0
langs/en/index.json View File

@@ -0,0 +1,8 @@
{
"You have been logged out.": "You have been logged out.",
"Log in again": "Log in again",
"login server unavailable": "Login server unavailable. Try again later or contact technical support.",
"no access permission": "You do not have permission to access this system.",
"Logged in": "Logged in",
"Continue": "Continue"
}

+ 2
- 1
langs/en/strings.json View File

@@ -111,5 +111,6 @@
"search": "Search",
"no results": "No results.",
"contact form": "Contact Form",
"contact form messages will be forwarded to this email address": "Contact form messages will be forwarded to this email address, if it is set."
"contact form messages will be forwarded to this email address": "Contact form messages will be forwarded to this email address, if it is set.",
"settings": "Settings"
}

+ 56
- 0
lib/AccountHubApi.lib.php View File

@@ -0,0 +1,56 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

class AccountHubApi {

public static function get(string $action, array $data = null, bool $throwex = false) {
global $SETTINGS;

$content = [
"action" => $action,
"key" => $SETTINGS['accounthub']['key']
];
if (!is_null($data)) {
$content = array_merge($content, $data);
}
$options = [
'http' => [
'method' => 'POST',
'content' => json_encode($content),
'header' => "Content-Type: application/json\r\n" .
"Accept: application/json\r\n",
"ignore_errors" => true
]
];

$context = stream_context_create($options);
$result = file_get_contents($SETTINGS['accounthub']['api'], false, $context);
$response = json_decode($result, true);
if ($result === false || !AccountHubApi::checkHttpRespCode($http_response_header) || json_last_error() != JSON_ERROR_NONE) {
if ($throwex) {
throw new Exception($result);
} else {
sendError($result);
}
}
return $response;
}

private static function checkHttpRespCode(array $headers): bool {
foreach ($headers as $header) {
if (preg_match("/HTTP\/[0-9]\.[0-9] [0-9]{3}.*/", $header)) {
$respcode = explode(" ", $header)[1] * 1;
if ($respcode >= 200 && $respcode < 300) {
return true;
}
}
}
return false;
}

}

+ 326
- 0
lib/FormBuilder.lib.php View File

@@ -0,0 +1,326 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

class FormBuilder {

private $items = [];
private $hiddenitems = [];
private $title = "";
private $icon = "";
private $buttons = [];
private $action = "action.php";
private $method = "POST";
private $id = "editform";

/**
* Create a form with autogenerated HTML.
*
* @param string $title Form title/heading
* @param string $icon FontAwesone icon next to the title.
* @param string $action URL to submit the form to.
* @param string $method Form submission method (POST, GET, etc.)
*/
public function __construct(string $title = "Untitled Form", string $icon = "fas fa-file-alt", string $action = "action.php", string $method = "POST") {
$this->title = $title;
$this->icon = $icon;
$this->action = $action;
$this->method = $method;
}

/**
* Set the title of the form.
* @param string $title
*/
public function setTitle(string $title) {
$this->title = $title;
}

/**
* Set the icon for the form.
* @param string $icon FontAwesome icon (example: "fas fa-toilet-paper")
*/
public function setIcon(string $icon) {
$this->icon = $icon;
}

/**
* Set the URL the form will submit to.
* @param string $action
*/
public function setAction(string $action) {
$this->action = $action;
}

/**
* Set the form submission method (GET, POST, etc)
* @param string $method
*/
public function setMethod(string $method = "POST") {
$this->method = $method;
}

/**
* Set the form ID.
* @param string $id
*/
public function setID(string $id = "editform") {
$this->id = $id;
}

/**
* Add an input to the form.
*
* @param string $name Element name
* @param string $value Element value
* @param string $type Input type (text, number, date, select, tel...)
* @param bool $required If the element is required for form submission.
* @param string $id Element ID
* @param array $options Array of [value => text] pairs for a select element
* @param string $label Text label to display near the input
* @param string $icon FontAwesome icon (example: "fas fa-toilet-paper")
* @param int $width Bootstrap column width for the input, out of 12.
* @param int $minlength Minimum number of characters for the input.
* @param int $maxlength Maximum number of characters for the input.
* @param string $pattern Regex pattern for custom client-side validation.
* @param string $error Message to show if the input doesn't validate.
*/
public function addInput(string $name, string $value = "", string $type = "text", bool $required = true, string $id = null, array $options = null, string $label = "", string $icon = "", int $width = 4, int $minlength = 1, int $maxlength = 100, string $pattern = "", string $error = "") {
$item = [
"name" => $name,
"value" => $value,
"type" => $type,
"required" => $required,
"label" => $label,
"icon" => $icon,
"width" => $width,
"minlength" => $minlength,
"maxlength" => $maxlength
];
if (!empty($id)) {
$item["id"] = $id;
}
if (!empty($options) && $type == "select") {
$item["options"] = $options;
}
if (!empty($pattern)) {
$item["pattern"] = $pattern;
}
if (!empty($error)) {
$item["error"] = $error;
}
$this->items[] = $item;
}

/**
* Add a text input.
*
* @param string $name Element name
* @param string $value Element value
* @param bool $required If the element is required for form submission.
* @param string $id Element ID
* @param string $label Text label to display near the input
* @param string $icon FontAwesome icon (example: "fas fa-toilet-paper")
* @param int $width Bootstrap column width for the input, out of 12.
* @param int $minlength Minimum number of characters for the input.
* @param int $maxlength Maximum number of characters for the input.
* @param string $pattern Regex pattern for custom client-side validation.
* @param string $error Message to show if the input doesn't validate.
*/
public function addTextInput(string $name, string $value = "", bool $required = true, string $id = "", string $label = "", string $icon = "", int $width = 4, int $minlength = 1, int $maxlength = 100, string $pattern = "", string $error = "") {
$this->addInput($name, $value, "text", $required, $id, null, $label, $icon, $width, $minlength, $maxlength, $pattern, $error);
}

/**
* Add a select dropdown.
*
* @param string $name Element name
* @param string $value Element value
* @param bool $required If the element is required for form submission.
* @param string $id Element ID
* @param array $options Array of [value => text] pairs for a select element
* @param string $label Text label to display near the input
* @param string $icon FontAwesome icon (example: "fas fa-toilet-paper")
* @param int $width Bootstrap column width for the input, out of 12.
*/
public function addSelect(string $name, string $value = "", bool $required = true, string $id = null, array $options = null, string $label = "", string $icon = "", int $width = 4) {
$this->addInput($name, $value, "select", $required, $id, $options, $label, $icon, $width);
}

/**
* Add a button to the form.
*
* @param string $text Text string to show on the button.
* @param string $icon FontAwesome icon to show next to the text.
* @param string $href If not null, the button will actually be a hyperlink.
* @param string $type Usually "button" or "submit". Ignored if $href is set.
* @param string $id The element ID.
* @param string $name The element name for the button.
* @param string $value The form value for the button. Ignored if $name is null.
* @param string $class The CSS classes for the button, if a standard success-colored one isn't right.
*/
public function addButton(string $text, string $icon = "", string $href = null, string $type = "button", string $id = null, string $name = null, string $value = "", string $class = "btn btn-success") {
$button = [
"text" => $text,
"icon" => $icon,
"class" => $class,
"type" => $type,
"id" => $id,
"href" => $href,
"name" => $name,
"value" => $value
];
$this->buttons[] = $button;
}

/**
* Add a hidden input.
* @param string $name
* @param string $value
*/
public function addHiddenInput(string $name, string $value) {
$this->hiddenitems[$name] = $value;
}

/**
* Generate the form HTML.
* @param bool $echo If false, returns HTML string instead of outputting it.
*/
public function generate(bool $echo = true) {
$html = <<<HTMLTOP
<form action="$this->action" method="$this->method" id="$this->id">
<div class="card">
<h3 class="card-header d-flex">
<div>
<i class="$this->icon"></i> $this->title
</div>
</h3>

<div class="card-body">
<div class="row">
HTMLTOP;

foreach ($this->items as $item) {
$required = $item["required"] ? "required" : "";
$id = empty($item["id"]) ? "" : "id=\"$item[id]\"";
$pattern = empty($item["pattern"]) ? "" : "pattern=\"$item[pattern]\"";
if (empty($item['type'])) {
$item['type'] = "text";
}
$itemhtml = "";
$itemlabel = "";

if ($item['type'] == "textarea") {
$itemlabel = "<label class=\"mb-0\"><i class=\"$item[icon]\"></i> $item[label]:</label>";
} else if ($item['type'] != "checkbox") {
$itemlabel = "<label class=\"mb-0\">$item[label]:</label>";
}
$strippedlabel = strip_tags($item['label']);
$itemhtml .= <<<ITEMTOP
\n\n <div class="col-12 col-md-$item[width]">
<div class="form-group mb-3">
$itemlabel
ITEMTOP;
$inputgrouptop = <<<INPUTG
\n <div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="$item[icon]"></i></span>
</div>
INPUTG;
switch ($item['type']) {
case "select":
$itemhtml .= $inputgrouptop;
$itemhtml .= <<<SELECT
\n <select class="form-control" name="$item[name]" aria-label="$strippedlabel" $required>
SELECT;
foreach ($item['options'] as $value => $label) {
$selected = "";
if (!empty($item['value']) && $value == $item['value']) {
$selected = " selected";
}
$itemhtml .= "\n <option value=\"$value\"$selected>$label</option>";
}
$itemhtml .= "\n </select>";
break;
case "checkbox":
$itemhtml .= $inputgrouptop;
$itemhtml .= <<<CHECKBOX
\n <div class="form-group form-check">
<input type="checkbox" name="$item[name]" $id class="form-check-input" value="$item[value]" $required aria-label="$strippedlabel">
<label class="form-check-label">$item[label]</label>
</div>
CHECKBOX;
break;
case "textarea":
$val = htmlentities($item['value']);
$itemhtml .= <<<TEXTAREA
\n <textarea class="form-control" id="info" name="$item[name]" aria-label="$strippedlabel" minlength="$item[minlength]" maxlength="$item[maxlength]" $required>$val</textarea>
TEXTAREA;
break;
default:
$itemhtml .= $inputgrouptop;
$itemhtml .= <<<INPUT
\n <input type="$item[type]" name="$item[name]" $id class="form-control" aria-label="$strippedlabel" minlength="$item[minlength]" maxlength="$item[maxlength]" $pattern value="$item[value]" $required />
INPUT;
break;
}

if (!empty($item["error"])) {
$itemhtml .= <<<ERROR
\n <div class="invalid-feedback">
$item[error]
</div>
ERROR;
}
if ($item["type"] != "textarea") {
$itemhtml .= "\n </div>";
}
$itemhtml .= <<<ITEMBOTTOM
\n </div>
</div>\n
ITEMBOTTOM;
$html .= $itemhtml;
}

$html .= <<<HTMLBOTTOM

</div>
</div>
HTMLBOTTOM;

if (!empty($this->buttons)) {
$html .= "\n <div class=\"card-footer d-flex\">";
foreach ($this->buttons as $btn) {
$btnhtml = "";
$inner = "<i class=\"$btn[icon]\"></i> $btn[text]";
$id = empty($btn['id']) ? "" : "id=\"$btn[id]\"";
if (!empty($btn['href'])) {
$btnhtml = "<a href=\"$btn[href]\" class=\"$btn[class]\" $id>$inner</a>";
} else {
$name = empty($btn['name']) ? "" : "name=\"$btn[name]\"";
$value = (!empty($btn['name']) && !empty($btn['value'])) ? "value=\"$btn[value]\"" : "";
$btnhtml = "<button type=\"$btn[type]\" class=\"$btn[class]\" $id $name $value>$inner</button>";
}
$html .= "\n $btnhtml";
}
$html .= "\n </div>";
}

$html .= "\n </div>";
foreach ($this->hiddenitems as $name => $value) {
$value = htmlentities($value);
$html .= "\n <input type=\"hidden\" name=\"$name\" value=\"$value\" />";
}
$html .= "\n</form>\n";

if ($echo) {
echo $html;
}
return $html;
}

}

+ 2
- 51
lib/Login.lib.php View File

@@ -45,50 +45,13 @@ class Login {
return Login::LOGIN_OK;
}

public static function verifyCaptcha(string $session, string $answer, string $url): bool {
$data = [
'session_id' => $session,
'answer_id' => $answer,
'action' => "verify"
];
$options = [
'http' => [
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data)
]
];
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
$resp = json_decode($result, TRUE);
if (!$resp['result']) {
return false;
} else {
return true;
}
}

/**
* Check the login server API for sanity
* @return boolean true if OK, else false
*/
public static function checkLoginServer() {
try {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "ping"
]
]);

if ($response->getStatusCode() != 200) {
return false;
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("ping");
if ($resp['status'] == "OK") {
return true;
} else {
@@ -107,19 +70,7 @@ class Login {
*/
function checkAPIKey($key) {
try {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => $key,
'action' => "ping"
]
]);

if ($response->getStatusCode() === 200) {
return true;
}
$resp = AccountHubApi::get("ping", null, true);
return false;
} catch (Exception $e) {
return false;

+ 9
- 21
lib/Notifications.lib.php View File

@@ -32,27 +32,15 @@ class Notifications {
$timestamp = date("Y-m-d H:i:s", strtotime($timestamp));
}

$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "addnotification",
'uid' => $user->getUID(),
'title' => $title,
'content' => $content,
'timestamp' => $timestamp,
'url' => $url,
'sensitive' => $sensitive
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("addnotification", [
'uid' => $user->getUID(),
'title' => $title,
'content' => $content,
'timestamp' => $timestamp,
'url' => $url,
'sensitive' => $sensitive
]
);
if ($resp['status'] == "OK") {
return $resp['id'] * 1;
} else {

+ 16
- 147
lib/User.lib.php View File

@@ -17,22 +17,7 @@ class User {

public function __construct(int $uid, string $username = "") {
// Check if user exists
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "userexists",
'uid' => $uid
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("userexists", ["uid" => $uid]);
if ($resp['status'] == "OK" && $resp['exists'] === true) {
$this->exists = true;
} else {
@@ -43,22 +28,7 @@ class User {

if ($this->exists) {
// Get user info
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "userinfo",
'uid' => $uid
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("userinfo", ["uid" => $uid]);
if ($resp['status'] == "OK") {
$this->uid = $resp['data']['uid'] * 1;
$this->username = $resp['data']['username'];
@@ -71,22 +41,7 @@ class User {
}

public static function byUsername(string $username): User {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'username' => $username,
'action' => "userinfo"
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("userinfo", ["username" => $username]);
if (!isset($resp['status'])) {
sendError("Login server error: " . $resp);
}
@@ -105,22 +60,8 @@ class User {
if (!$this->exists) {
return false;
}
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "hastotp",
'username' => $this->username
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("hastotp", ['username' => $this->username]);
if ($resp['status'] == "OK") {
return $resp['otp'] == true;
} else {
@@ -147,26 +88,11 @@ class User {
/**
* Check the given plaintext password against the stored hash.
* @param string $password
* @param bool $apppass Set to true to enforce app passwords when 2fa is on.
* @return bool
*/
function checkPassword(string $password): bool {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "auth",
'username' => $this->username,
'password' => $password
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
function checkPassword(string $password, bool $apppass = false): bool {
$resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password, 'apppass' => ($apppass ? "1" : "0")]);
if ($resp['status'] == "OK") {
return true;
} else {
@@ -174,27 +100,13 @@ class User {
}
}


function check2fa(string $code): bool {
if (!$this->has2fa) {
return true;
}
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "verifytotp",
'username' => $this->username,
'code' => $code
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("verifytotp", ['username' => $this->username, 'code' => $code]);
if ($resp['status'] == "OK") {
return $resp['valid'];
} else {
@@ -209,23 +121,7 @@ class User {
* @return boolean TRUE if the user has the permission (or admin access), else FALSE
*/
function hasPermission(string $code): bool {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "permission",
'username' => $this->username,
'code' => $code
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("permission", ['username' => $this->username, 'code' => $code]);
if ($resp['status'] == "OK") {
return $resp['has_permission'];
} else {
@@ -238,23 +134,7 @@ class User {
* @return \AccountStatus
*/
function getStatus(): AccountStatus {

$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "acctstatus",
'username' => $this->username
]
]);

if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("acctstatus", ['username' => $this->username]);
if ($resp['status'] == "OK") {
return AccountStatus::fromString($resp['account']);
} else {
@@ -262,24 +142,13 @@ class User {
}
}

function sendAlertEmail(string $appname = SITE_TITLE) {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "alertemail",
'username' => $this->username,
'appname' => SITE_TITLE
]
]);

if ($response->getStatusCode() > 299) {
return "An unknown error occurred.";
function sendAlertEmail(string $appname = null) {
global $SETTINGS;
if (is_null($appname)) {
$appname = $SETTINGS['site_title'];
}
$resp = AccountHubApi::get("alertemail", ['username' => $this->username, 'appname' => $SETTINGS['site_title']]);

$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return true;
} else {

+ 4
- 4
lib/filepicker.php View File

@@ -9,10 +9,10 @@ dieifnotloggedin();

include_once __DIR__ . "/../lib/mimetypes.php";

$base = FILE_UPLOAD_PATH;
$base = $SETTINGS["file_upload_path"];

$folder = "";
if (isset($VARS['path']) && file_exists($base . $VARS['path']) && strpos(realpath($base . $VARS['path']), FILE_UPLOAD_PATH) === 0) {
if (isset($VARS['path']) && file_exists($base . $VARS['path']) && strpos(realpath($base . $VARS['path']), $SETTINGS["file_upload_path"]) === 0) {
$folder = $VARS['path'];
}

@@ -23,7 +23,7 @@ if (isset($VARS['type']) && $VARS['type'] != "") {
$type = explode("|", $VARS['type']);
}

$enableunsplash = ENABLE_UNSPLASH;
$enableunsplash = $SETTINGS["unsplash"]["enable"];
if (count($type) > 0 && !in_array("image", $type)) {
$enableunsplash = false;
}
@@ -67,7 +67,7 @@ if ($enableunsplash) {
</div>
</div>
</div>
<span id="unsplashResults"></span> <span>via <a href="https://unsplash.com/?utm_source=<?php echo urlencode(UNSPLASH_UTMSOURCE); ?>&utm_medium=referral">Unsplash</a></span>
<span id="unsplashResults"></span> <span>via <a href="https://unsplash.com/?utm_source=<?php echo urlencode($SETTINGS["unsplash"]["utmsource"]); ?>&utm_medium=referral">Unsplash</a></span>
</div>
<div id="unsplashPhotoBin" class="px-2 pr-3">
</div>

+ 3
- 3
lib/filepicker_local.php View File

@@ -9,10 +9,10 @@ dieifnotloggedin();

include_once __DIR__ . "/../lib/mimetypes.php";

$base = FILE_UPLOAD_PATH;
$base = $SETTINGS["file_upload_path"];

$folder = "";
if (isset($VARS['path']) && file_exists($base . $VARS['path']) && strpos(realpath($base . $VARS['path']), FILE_UPLOAD_PATH) === 0) {
if (isset($VARS['path']) && file_exists($base . $VARS['path']) && strpos(realpath($base . $VARS['path']), $SETTINGS["file_upload_path"]) === 0) {
$folder = $VARS['path'];
}

@@ -23,7 +23,7 @@ if (isset($VARS['type']) && $VARS['type'] != "") {
$type = explode("|", $VARS['type']);
}

$enableunsplash = ENABLE_UNSPLASH;
$enableunsplash = $SETTINGS["unsplash"]["enable"];
if (count($type) > 0 && !in_array("image", $type)) {
$enableunsplash = false;
}

+ 3
- 3
lib/filepicker_unsplash.php View File

@@ -13,9 +13,9 @@ dieifnotloggedin();
header('Content-Type: application/json');

Crew\Unsplash\HttpClient::init([
'applicationId' => UNSPLASH_ACCESSKEY,
'secret' => UNSPLASH_SECRETKEY,
'utmSource' => UNSPLASH_UTMSOURCE
'applicationId' => $SETTINGS["unsplash"]["appid"],
'secret' => $SETTINGS["unsplash"]["secretkey"],
'utmSource' => $SETTINGS["unsplash"]["utmsource"]
]);

$page = 1;

+ 3
- 3
lib/gatheranalytics.php View File

@@ -78,7 +78,7 @@ if (!$database->has("settings", ["AND" => ["siteid" => getsiteid(), "key" => "an
// Lookup IP address
//

$reader = new Reader(GEOIP_DB);
$reader = new Reader($SETTINGS["geoip_db"]);

$record = $reader->city($clientip);

@@ -108,12 +108,12 @@ if (!$database->has("settings", ["AND" => ["siteid" => getsiteid(), "key" => "an
"time" => $time
]);
} catch (GeoIp2\Exception\AddressNotFoundException $e) {
if (DEBUG) {
if ($SETTINGS["debug"]) {
echo "<!-- The client IP was not found in the GeoIP database. -->";
}
} catch (Exception $e) {
// Silently fail so the rest of the site still works
if (DEBUG) {
if ($SETTINGS["debug"]) {
echo "<!-- Analytics error: " . $e->getMessage() . " -->";
}
}

+ 8
- 8
lib/requiredpublic.php View File

@@ -11,7 +11,7 @@ ob_start(); // allow sending headers after content
// Settings file
require __DIR__ . '/../settings.php';

if (!DEBUG) {
if (!$SETTINGS["debug"]) {
error_reporting(0);
} else {
error_reporting(E_ALL);
@@ -57,7 +57,7 @@ function sendError($error) {
. "<p>" . htmlspecialchars($error) . "</p>");
}

date_default_timezone_set(TIMEZONE);
date_default_timezone_set($SETTINGS['timezone']);

// Database settings
// Also inits database and stuff
@@ -66,12 +66,12 @@ use Medoo\Medoo;
$database;
try {
$database = new Medoo([
'database_type' => DB_TYPE,
'database_name' => DB_NAME,
'server' => DB_SERVER,
'username' => DB_USER,
'password' => DB_PASS,
'charset' => DB_CHARSET
'database_type' => $SETTINGS['database']['type'],
'database_name' => $SETTINGS['database']['name'],
'server' => $SETTINGS['database']['server'],
'username' => $SETTINGS['database']['user'],
'password' => $SETTINGS['database']['password'],
'charset' => $SETTINGS['database']['charset']
]);
} catch (Exception $ex) {
//header('HTTP/1.1 500 Internal Server Error');

+ 14
- 8
lib/themefunctions.php View File

@@ -87,10 +87,11 @@ function get_page_slug($echo = true) {
* @return string
*/
function get_page_clean_url($echo = true, $slug = null) {
global $SETTINGS;
if ($slug == null) {
$slug = get_page_slug(false);
}
if (PRETTY_URLS) {
if ($SETTINGS["pretty_urls"]) {
$url = formatsiteurl(get_site_url(false)) . "$slug";
} else {
$url = formatsiteurl(get_site_url(false)) . "index.php?id=$slug";
@@ -108,6 +109,7 @@ function get_page_clean_url($echo = true, $slug = null) {
* @return string
*/
function get_page_url($echo = true, $slug = null) {
global $SETTINGS;
if ($slug == null) {
$slug = get_page_slug(false);
}
@@ -132,7 +134,7 @@ function get_page_url($echo = true, $slug = null) {
$siteid = "&siteid=" . preg_replace("/[^0-9]/", '', $_GET['siteid']);
}
$args = "$edit$theme$template$color$siteid";
if (PRETTY_URLS) {
if ($SETTINGS["pretty_urls"]) {
if ($args != "") {
$args = "?$args";
}
@@ -214,6 +216,7 @@ function is_component_empty($name, $context = null) {
* @return array
*/
function get_complex_component($name, $context = null, $include = []) {
global $SETTINGS;
$db = getdatabase();
if ($context == null) {
$context = getpageslug();
@@ -234,14 +237,14 @@ function get_complex_component($name, $context = null, $include = []) {
$filtered = [];
foreach ($include as $i) {
if (array_key_exists($i, $content)) {
if (!isset($_GET['edit']) && $i == "image" && $content[$i] == URL . "/static/img/no-image.svg") {
if (!isset($_GET['edit']) && $i == "image" && $content[$i] == $SETTINGS["url"] . "/static/img/no-image.svg") {
$filtered[$i] = "";
} else {
$filtered[$i] = $content[$i];
}
} else {
if (isset($_GET['edit']) && $i == "image") {
$filtered[$i] = URL . "/static/img/no-image.svg";
$filtered[$i] = $SETTINGS["url"] . "/static/img/no-image.svg";
} else {
$filtered[$i] = "";
}
@@ -258,12 +261,13 @@ function get_complex_component($name, $context = null, $include = []) {
* @return boolean
*/
function is_complex_empty($name, $context = null) {
global $SETTINGS;
if (isset($_GET['edit'])) {
return false;
}
$comp = get_complex_component($name, $context);
foreach ($comp as $c => $v) {
if ($c == "image" && $v == URL . "/static/img/no-image.svg") {
if ($c == "image" && $v == $SETTINGS["url"] . "/static/img/no-image.svg") {
continue;
}
if (isset($v) && !empty($v)) {
@@ -314,13 +318,14 @@ function get_url_or_slug($str, $echo = true) {
* @return string
*/
function get_file_url($file, $echo = true) {
global $SETTINGS;
$url = "file.php?file=$file";
$base = FILE_UPLOAD_PATH;
$base = $SETTINGS["file_upload_path"];
$filepath = $base . $file;
if (!file_exists($filepath) || is_dir($filepath)) {
$url = $file;
} else {
if (strpos(realpath($filepath), FILE_UPLOAD_PATH) !== 0) {
if (strpos(realpath($filepath), $SETTINGS["file_upload_path"]) !== 0) {
$url = $file;
}
}
@@ -382,10 +387,11 @@ function get_setting($key, $echo = false) {
* @return string
*/
function get_theme_url($echo = true) {
global $SETTINGS;
$db = getdatabase();
$site = $db->get('sites', ["sitename", "url", "theme"], ["siteid" => getsiteid()]);
if (isset($_GET['edit']) || isset($_GET['in_sw'])) {
$url = URL . "/public/themes/" . SITE_THEME;
$url = $SETTINGS["url"] . "/public/themes/" . SITE_THEME;
} else {
$url = formatsiteurl($site["url"]) . "themes/" . SITE_THEME;
}

+ 16
- 44
mobile/index.php View File

@@ -8,10 +8,6 @@
* Mobile app API
*/

// The name of the permission needed to log in.
// Set to null if you don't need it.
$access_permission = null;

require __DIR__ . "/../required.php";

header('Content-Type: application/json');
@@ -23,21 +19,7 @@ if ($VARS['action'] == "ping") {
}

function mobile_enabled() {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "mobileenabled"
]
]);

if ($response->getStatusCode() > 299) {
return false;
}

$resp = json_decode($response->getBody(), TRUE);
$resp = AccountHubApi::get("mobileenabled");
if ($resp['status'] == "OK" && $resp['mobile'] === TRUE) {
return true;
} else {
@@ -46,26 +28,15 @@ function mobile_enabled() {
}

function mobile_valid($username, $code) {
$client = new GuzzleHttp\Client();

$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
"code" => $code,
"username" => $username,
'action' => "mobilevalid"
]
]);
try {
$resp = AccountHubApi::get("mobilevalid", ["code" => $code, "username" => $username], true);

if ($response->getStatusCode() > 299) {
return false;
}

$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK" && $resp['valid'] === TRUE) {
return true;
} else {
if ($resp['status'] == "OK" && $resp['valid'] === TRUE) {
return true;
} else {
return false;
}
} catch (Exception $ex) {
return false;
}
}
@@ -95,13 +66,14 @@ switch ($VARS['action']) {
if ($user->exists()) {
if ($user->getStatus()->getString() == "NORMAL") {
if ($user->checkPassword($VARS['password'])) {
if (is_null($access_permission) || $user->hasPermission($access_permission)) {
Session::start($user);
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"]));
} else {
exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)]));
foreach ($SETTINGS['permissions'] as $perm) {
if (!$user->hasPermission($perm)) {
exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)]));
}
}
Session::start($user);
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"]));
}
}
}

+ 8
- 0
pages.php View File

@@ -87,5 +87,13 @@ define("PAGES", [
],
"404" => [
"title" => "404 error"
],
"form" => [
"title" => "Form",
"navbar" => true,
"icon" => "fas fa-file-alt",
"scripts" => [
"static/js/form.js"
]
]
]);

+ 2
- 2
pages/files.php View File

@@ -19,10 +19,10 @@ if (!$user->hasPermission("SITEWRITER") && !$user->hasPermission("SITEWRITER_FIL

include_once __DIR__ . "/../lib/mimetypes.php";

$base = FILE_UPLOAD_PATH;
$base = $SETTINGS["file_upload_path"];

$folder = "";
if (isset($VARS['path']) && file_exists($base . $VARS['path']) && strpos(realpath($base . $VARS['path']), FILE_UPLOAD_PATH) === 0) {
if (isset($VARS['path']) && file_exists($base . $VARS['path']) && strpos(realpath($base . $VARS['path']), $SETTINGS["file_upload_path"]) === 0) {
$folder = $VARS['path'];
}


+ 26
- 0
pages/form.php View File

@@ -0,0 +1,26 @@
<?php

/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

/*
* This file demonstrates creating a form with the FormBuilder class.
*/

$form = new FormBuilder("Sample Form", "fas fa-code", "", "GET");

$form->setID("sampleform");

$form->addHiddenInput("page", "form");

$form->addInput("name", "John", "text", true, null, null, "Your name", "fas fa-user", 6, 5, 20, "John(ny)?|Steve", "Invalid name, please enter John, Johnny, or Steve.");
$form->addInput("location", "", "select", true, null, ["1" => "Here", "2" => "There"], "Location", "fas fa-map-marker");
$form->addInput("textbox", "Hello world", "textarea", true, null, null, "Text area", "fas fa-font");
$form->addInput("box", "1", "checkbox", true, null, null, "I agree to the terms of service");

$form->addButton("Submit", "fas fa-save", null, "submit", "savebtn");

$form->generate();

+ 9
- 9
public/contact.php View File

@@ -63,18 +63,18 @@ if ($database->has('settings', ["AND" => ['siteid' => $siteid, 'key' => 'contact
// Setup mailer
$mail = new PHPMailer(true);
$mail->isSMTP();
$mail->Host = SMTP_HOST;
$mail->SMTPAuth = SMTP_AUTH;
if (SMTP_AUTH) {
$mail->Username = SMTP_USERNAME;
$mail->Password = SMTP_PASSWORD;
$mail->Host = $SETTINGS["email"]["host"];
$mail->SMTPAuth = $SETTINGS["email"]["auth"];
if ($SETTINGS["email"]["auth"]) {
$mail->Username = $SETTINGS["email"]["user"];
$mail->Password = $SETTINGS["email"]["password"];
}
if (SMTP_SECURITY != "none") {
$mail->SMTPSecure = SMTP_SECURITY;
if ($SETTINGS["email"]["secure"] != "none") {
$mail->SMTPSecure = $SETTINGS["email"]["secure"];
}
$mail->Port = SMTP_PORT;
$mail->Port = $SETTINGS["email"]["port"];
$mail->isHTML(true);
$mail->setFrom(SMTP_FROMADDRESS, SMTP_FROMNAME);
$mail->setFrom($SETTINGS["email"]["fromaddress"], $SETTINGS["email"]["fromname"]);

$mail->addAddress($emailto);
$mail->addReplyTo($_POST['email'], $_POST['name']);

+ 3
- 3
public/file.php View File

@@ -8,11 +8,11 @@

require_once __DIR__ . "/../lib/requiredpublic.php";

$base = FILE_UPLOAD_PATH;
$base = $SETTINGS["file_upload_path"];

$filepath = "";

if ($_GET['file'] === URL . "/static/img/no-image.svg") {
if ($_GET['file'] === $SETTINGS["url"] . "/static/img/no-image.svg") {
header("Content-Type: image/svg+xml");
ob_end_flush();

@@ -26,7 +26,7 @@ if (isset($_GET['file'])) {
http_response_code(404);
die("404 File Not Found");
}
if (strpos(realpath($filepath), FILE_UPLOAD_PATH) !== 0) {
if (strpos(realpath($filepath), $SETTINGS["file_upload_path"]) !== 0) {
http_response_code(404);
die("404 File Not Found");
}

+ 6
- 6
public/index.php View File

@@ -23,8 +23,8 @@ if (!getsiteid()) {
<h2 class="card-title">Welcome!</h2>
<p>You're seeing this message because no website has been created yet.
<br />
Open <?php echo SITE_TITLE; ?> to make one.</p>
<p><a href="<?php echo PORTAL_URL; ?>" class="btn btn-primary">Log In</a></p>
Open <?php echo $SETTINGS["site_title"]; ?> to make one.</p>
<p><a href="<?php echo $SETTINGS["accounthub"]["home"]; ?>" class="btn btn-primary">Log In</a></p>
</div>
</div>
</div>
@@ -57,15 +57,15 @@ if (isset($_GET['edit'])) {
}
?>
<style><?php echo file_get_contents(__DIR__ . "/../static/css/editor.css"); ?></style>
<script src="<?php echo URL; ?>/static/js/jquery-3.3.1.min.js"></script>
<script src="<?php echo URL; ?>/static/js/tinymce/tinymce.min.js"></script>
<script src="<?php echo $SETTINGS["url"]; ?>/static/js/jquery-3.3.1.min.js"></script>
<script src="<?php echo $SETTINGS["url"]; ?>/static/js/tinymce/tinymce.min.js"></script>
<script>
static_dir = "<?php echo URL; ?>/static";
static_dir = "<?php echo $SETTINGS["url"]; ?>/static";
page_slug = "<?php echo getpageslug(); ?>";
site_id = "<?php echo getsiteid(); ?>";
pages_list = <?php echo json_encode($allpages); ?>;
</script>
<script src="<?php echo URL; ?>/static/js/editor.js"></script>
<script src="<?php echo $SETTINGS["url"]; ?>/static/js/editor.js"></script>
<?php
}
?>

+ 31
- 16
required.php View File

@@ -32,7 +32,6 @@ session_start(); // stick some cookies in it
// renew session cookie
setcookie(session_name(), session_id(), time() + $session_length, "/", false, false);

$captcha_server = (CAPTCHA_ENABLED === true ? preg_replace("/http(s)?:\/\//", "", CAPTCHA_SERVER) : "");
if ($_SESSION['mobile'] === TRUE) {
header("Content-Security-Policy: "
. "default-src 'self';"
@@ -42,8 +41,8 @@ if ($_SESSION['mobile'] === TRUE) {
. "frame-src 'self'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'unsafe-inline' $captcha_server; "
. "script-src 'self' 'unsafe-inline' $captcha_server");
. "style-src 'self' 'unsafe-inline'; "
. "script-src 'self' 'unsafe-inline'");
} else {
header("Content-Security-Policy: "
. "default-src 'self';"
@@ -53,8 +52,8 @@ if ($_SESSION['mobile'] === TRUE) {
. "frame-src 'self'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'unsafe-inline' $captcha_server; "
. "script-src 'self' 'nonce-$SECURE_NONCE' $captcha_server");
. "style-src 'self' 'nonce-$SECURE_NONCE'; "
. "script-src 'self' 'nonce-$SECURE_NONCE'");
}

//
@@ -69,7 +68,7 @@ foreach ($libs as $lib) {
require_once $lib;
}

$Strings = new Strings(LANGUAGE);
$Strings = new Strings($SETTINGS['language']);

/**
* Kill off the running process and spit out an error message
@@ -93,7 +92,7 @@ function sendError($error) {
. "<p>" . htmlspecialchars($error) . "</p>");
}

date_default_timezone_set(TIMEZONE);