Bootswatch, Summernote, and Captcheck mods for Mods for HESK (mods-for-hesk.com). In use at support.netsyms.com.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

index.php 20KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503
  1. <?php
  2. /**
  3. *
  4. * This file is part of HESK - PHP Help Desk Software.
  5. *
  6. * (c) Copyright Klemen Stirn. All rights reserved.
  7. * https://www.hesk.com
  8. *
  9. * For the full copyright and license agreement information visit
  10. * https://www.hesk.com/eula.php
  11. *
  12. */
  13. define('IN_SCRIPT', 1);
  14. define('HESK_PATH', '../');
  15. define('PAGE_TITLE', 'LOGIN');
  16. /* Get all the required files and functions */
  17. require(HESK_PATH . 'hesk_settings.inc.php');
  18. require(HESK_PATH . 'inc/common.inc.php');
  19. require(HESK_PATH . 'inc/admin_functions.inc.php');
  20. hesk_load_database_functions();
  21. hesk_session_start();
  22. hesk_dbConnect();
  23. $modsForHesk_settings = mfh_getSettings();
  24. /* What should we do? */
  25. $action = hesk_REQUEST('a');
  26. switch ($action) {
  27. case 'do_login':
  28. do_login();
  29. break;
  30. case 'login':
  31. print_login();
  32. break;
  33. case 'logout':
  34. logout();
  35. break;
  36. default:
  37. hesk_autoLogin();
  38. print_login();
  39. }
  40. exit();
  41. /*** START FUNCTIONS ***/
  42. function do_login()
  43. {
  44. global $hesk_settings, $hesklang, $modsForHesk_settings;
  45. $hesk_error_buffer = array();
  46. $user = hesk_input(hesk_POST('user'));
  47. if (empty($user)) {
  48. $myerror = $hesk_settings['list_users'] ? $hesklang['select_username'] : $hesklang['enter_username'];
  49. $hesk_error_buffer['user'] = $myerror;
  50. }
  51. define('HESK_USER', $user);
  52. $pass = hesk_input(hesk_POST('pass'));
  53. if (empty($pass)) {
  54. $hesk_error_buffer['pass'] = $hesklang['enter_pass'];
  55. }
  56. if ($hesk_settings['secimg_use'] == 2 && !isset($_SESSION['img_a_verified'])) {
  57. // Using ReCaptcha?
  58. if ($hesk_settings['recaptcha_use'] == 1) {
  59. require_once(HESK_PATH . 'inc/recaptcha/recaptchalib.php');
  60. $resp = recaptcha_check_answer($hesk_settings['recaptcha_private_key'],
  61. hesk_getClientIP(),
  62. hesk_POST('recaptcha_challenge_field', ''),
  63. hesk_POST('recaptcha_response_field', '')
  64. );
  65. if ($resp->is_valid) {
  66. $_SESSION['img_a_verified'] = true;
  67. } else {
  68. $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error'];
  69. }
  70. } // Using ReCaptcha API v2?
  71. elseif ($hesk_settings['recaptcha_use'] == 2) {
  72. require(HESK_PATH . 'inc/recaptcha/recaptchalib_v2.php');
  73. $resp = null;
  74. $reCaptcha = new ReCaptcha($hesk_settings['recaptcha_private_key']);
  75. // Was there a reCAPTCHA response?
  76. if (isset($_POST["g-recaptcha-response"])) {
  77. $resp = $reCaptcha->verifyResponse(hesk_getClientIP(), hesk_POST("g-recaptcha-response"));
  78. }
  79. if ($resp != null && $resp->success) {
  80. $_SESSION['img_a_verified'] = true;
  81. } else {
  82. $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error'];
  83. }
  84. } // Using PHP generated image
  85. else {
  86. $mysecnum = intval(hesk_POST('mysecnum', 0));
  87. if (empty($mysecnum)) {
  88. $hesk_error_buffer['mysecnum'] = $hesklang['sec_miss'];
  89. } else {
  90. require(HESK_PATH . 'inc/secimg.inc.php');
  91. $sc = new PJ_SecurityImage($hesk_settings['secimg_sum']);
  92. if (isset($_SESSION['checksum']) && $sc->checkCode($mysecnum, $_SESSION['checksum'])) {
  93. $_SESSION['img_a_verified'] = true;
  94. } else {
  95. $hesk_error_buffer['mysecnum'] = $hesklang['sec_wrng'];
  96. }
  97. }
  98. }
  99. }
  100. /* Any missing fields? */
  101. if (count($hesk_error_buffer) != 0) {
  102. $_SESSION['a_iserror'] = array_keys($hesk_error_buffer);
  103. $tmp = '';
  104. foreach ($hesk_error_buffer as $error) {
  105. $tmp .= "<li>$error</li>\n";
  106. }
  107. $hesk_error_buffer = $tmp;
  108. $hesk_error_buffer = $hesklang['pcer'] . '<br /><br /><ul>' . $hesk_error_buffer . '</ul>';
  109. hesk_process_messages($hesk_error_buffer, 'NOREDIRECT');
  110. print_login();
  111. exit();
  112. } elseif (isset($_SESSION['img_a_verified'])) {
  113. unset($_SESSION['img_a_verified']);
  114. }
  115. /* User entered all required info, now lets limit brute force attempts */
  116. hesk_limitBfAttempts();
  117. $result = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `user` = '" . hesk_dbEscape($user) . "' LIMIT 1");
  118. if (hesk_dbNumRows($result) != 1) {
  119. hesk_session_stop();
  120. $_SESSION['a_iserror'] = array('user', 'pass');
  121. hesk_process_messages($hesklang['wrong_user'], 'NOREDIRECT');
  122. print_login();
  123. exit();
  124. }
  125. $res = hesk_dbFetchAssoc($result);
  126. foreach ($res as $k => $v) {
  127. $_SESSION[$k] = $v;
  128. }
  129. /* Check password */
  130. if (hesk_Pass2Hash($pass) != $_SESSION['pass']) {
  131. hesk_session_stop();
  132. $_SESSION['a_iserror'] = array('pass');
  133. hesk_process_messages($hesklang['wrong_pass'], 'NOREDIRECT');
  134. print_login();
  135. exit();
  136. }
  137. $pass_enc = hesk_Pass2Hash($_SESSION['pass'] . strtolower($user) . $_SESSION['pass']);
  138. /* Check if default password */
  139. if ($_SESSION['pass'] == '499d74967b28a841c98bb4baaabaad699ff3c079') {
  140. hesk_process_messages($hesklang['chdp'], 'NOREDIRECT', 'NOTICE');
  141. }
  142. // Set a tag that will be used to expire sessions after username or password change
  143. $_SESSION['session_verify'] = hesk_activeSessionCreateTag($user, $_SESSION['pass']);
  144. // We don't need the password hash anymore
  145. unset($_SESSION['pass']);
  146. /* Login successful, clean brute force attempts */
  147. hesk_cleanBfAttempts();
  148. /* Make sure our user is active */
  149. if (!$_SESSION['active']) {
  150. hesk_session_stop();
  151. $_SESSION['a_iserror'] = array('active');
  152. hesk_process_messages($hesklang['inactive_user'], 'NOREDIRECT');
  153. print_login();
  154. exit();
  155. }
  156. /* Regenerate session ID (security) */
  157. hesk_session_regenerate_id();
  158. /* Remember username? */
  159. if ($hesk_settings['autologin'] && hesk_POST('remember_user') == 'AUTOLOGIN') {
  160. hesk_setcookie('hesk_username', "$user", strtotime('+1 year'));
  161. hesk_setcookie('hesk_p', "$pass_enc", strtotime('+1 year'));
  162. } elseif (hesk_POST('remember_user') == 'JUSTUSER') {
  163. hesk_setcookie('hesk_username', "$user", strtotime('+1 year'));
  164. hesk_setcookie('hesk_p', '');
  165. } else {
  166. // Expire cookie if set otherwise
  167. hesk_setcookie('hesk_username', '');
  168. hesk_setcookie('hesk_p', '');
  169. }
  170. /* Close any old tickets here so Cron jobs aren't necessary */
  171. if ($hesk_settings['autoclose']) {
  172. $revision = sprintf($hesklang['thist3'], hesk_date(), $hesklang['auto']);
  173. $dt = date('Y-m-d H:i:s', time() - $hesk_settings['autoclose'] * 86400);
  174. $closedStatusRs = hesk_dbQuery('SELECT `ID`, `Closable` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `IsDefaultStaffReplyStatus` = 1');
  175. $closedStatus = hesk_dbFetchAssoc($closedStatusRs);
  176. // Are we allowed to close tickets in this status?
  177. if ($closedStatus['Closable'] == 'yes' || $closedStatus['Closable'] == 'sonly') {
  178. // Notify customer of closed ticket?
  179. if ($hesk_settings['notify_closed']) {
  180. // Get list of tickets
  181. $result = hesk_dbQuery("SELECT * FROM `" . $hesk_settings['db_pfix'] . "tickets` WHERE `status` = " . $closedStatus['ID'] . " AND `lastchange` <= '" . hesk_dbEscape($dt) . "' ");
  182. if (hesk_dbNumRows($result) > 0) {
  183. global $ticket;
  184. // Load required functions?
  185. if (!function_exists('hesk_notifyCustomer')) {
  186. require(HESK_PATH . 'inc/email_functions.inc.php');
  187. }
  188. while ($ticket = hesk_dbFetchAssoc($result)) {
  189. $ticket['dt'] = hesk_date($ticket['dt'], true);
  190. $ticket['lastchange'] = hesk_date($ticket['lastchange'], true);
  191. $ticket = hesk_ticketToPlain($ticket, 1, 0);
  192. hesk_notifyCustomer($modsForHesk_settings, 'ticket_closed');
  193. }
  194. }
  195. }
  196. // Update ticket statuses and history in database if we're allowed to do so
  197. $defaultCloseRs = hesk_dbQuery('SELECT `ID` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `IsAutocloseOption` = 1');
  198. $defaultCloseStatus = hesk_dbFetchAssoc($defaultCloseRs);
  199. hesk_dbQuery("UPDATE `" . $hesk_settings['db_pfix'] . "tickets` SET `status`=" . intval($defaultCloseStatus['ID']) . ", `closedat`=NOW(), `closedby`='-1', `history`=CONCAT(`history`,'" . hesk_dbEscape($revision) . "') WHERE `status` = '" . $closedStatus['ID'] . "' AND `lastchange` <= '" . hesk_dbEscape($dt) . "' ");
  200. }
  201. }
  202. /* Redirect to the destination page */
  203. header('Location: ' . hesk_verifyGoto());
  204. exit();
  205. } // End do_login()
  206. function print_login()
  207. {
  208. global $hesk_settings, $hesklang;
  209. // Tell header to load reCaptcha API if needed
  210. if ($hesk_settings['recaptcha_use'] == 2)
  211. {
  212. define('RECAPTCHA',1);
  213. }
  214. $hesk_settings['tmp_title'] = $hesk_settings['hesk_title'] . ' - ' .$hesklang['admin_login'];
  215. require_once(HESK_PATH . 'inc/headerAdmin.inc.php');
  216. if ( hesk_isREQUEST('notice') )
  217. {
  218. hesk_process_messages($hesklang['session_expired'],'NOREDIRECT');
  219. }
  220. if (!isset($_SESSION['a_iserror']))
  221. {
  222. $_SESSION['a_iserror'] = array();
  223. }
  224. ?>
  225. <div class="login-box">
  226. <div class="login-logo">
  227. <?php echo $hesk_settings['hesk_title']; ?>
  228. </div>
  229. <div class="login-box-body">
  230. <div class="loginError">
  231. <?php
  232. /* This will handle error, success and notice messages */
  233. hesk_handle_messages();
  234. ?>
  235. </div>
  236. <h4 class="login-box-msg">
  237. <?php echo $hesklang['staff_login_title']; ?>
  238. </h4>
  239. <form class="form-horizontal" role="form" action="index.php" method="post" name="form1">
  240. <?php
  241. $has_error = '';
  242. if (in_array('pass',$_SESSION['a_iserror'])) {
  243. $has_error = 'has-error';
  244. }
  245. ?>
  246. <div class="form-group <?php echo $has_error; ?>">
  247. <label for="user" class="col-sm-4 control-label">
  248. <?php echo $hesklang['username']; ?>
  249. </label>
  250. <div class="col-sm-8">
  251. <?php
  252. if (defined('HESK_USER')) {
  253. $savedUser = HESK_USER;
  254. } else {
  255. $savedUser = hesk_htmlspecialchars(hesk_COOKIE('hesk_username'));
  256. }
  257. $is_1 = '';
  258. $is_2 = '';
  259. $is_3 = '';
  260. $remember_user = hesk_POST('remember_user');
  261. if ($hesk_settings['autologin'] && (isset($_COOKIE['hesk_p']) || $remember_user == 'AUTOLOGIN')) {
  262. $is_1 = 'checked';
  263. } elseif (isset($_COOKIE['hesk_username']) || $remember_user == 'JUSTUSER') {
  264. $is_2 = 'checked';
  265. } else {
  266. $is_3 = 'checked';
  267. }
  268. if ($hesk_settings['list_users']) :
  269. $res = hesk_dbQuery("SELECT `user` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `active` = '1' ORDER BY `user` ASC");
  270. ?>
  271. <select class="form-control" name="user">
  272. <?php
  273. while ($row = hesk_dbFetchAssoc($res)):
  274. $sel = (strtolower($savedUser) == strtolower($row['user'])) ? 'selected' : '';
  275. ?>
  276. <option value="<?php echo $row['user']; ?>" <?php echo $sel; ?>>
  277. <?php echo $row['user']; ?>
  278. </option>
  279. <?php endwhile; ?>
  280. </select>
  281. <?php else: ?>
  282. <input class="form-control" type="text" name="user" size="35"
  283. placeholder="<?php echo htmlspecialchars($hesklang['username']); ?>"
  284. value="<?php echo $savedUser; ?>">
  285. <?php endif; ?>
  286. </div>
  287. </div>
  288. <?php
  289. $has_error = '';
  290. if (in_array('pass',$_SESSION['a_iserror'])) {
  291. $has_error = 'has-error';
  292. }
  293. ?>
  294. <div class="form-group <?php echo $has_error; ?>">
  295. <label for="pass" class="col-sm-4 control-label">
  296. <?php echo $hesklang['pass']; ?>
  297. </label>
  298. <div class="col-sm-8">
  299. <input type="password" class="form-control" id="pass" name="pass" size="35" placeholder="<?php echo htmlspecialchars($hesklang['pass']); ?>">
  300. </div>
  301. </div>
  302. <?php
  303. if ($hesk_settings['secimg_use'] == 2)
  304. {
  305. // SPAM prevention verified for this session
  306. if (isset($_SESSION['img_a_verified']))
  307. {
  308. echo '<img src="'.HESK_PATH.'img/success.png" width="16" height="16" border="0" alt="" style="vertical-align:text-bottom" /> '.$hesklang['vrfy'];
  309. }
  310. // Not verified yet, should we use Recaptcha?
  311. elseif ($hesk_settings['recaptcha_use'] == 1)
  312. {
  313. ?>
  314. <script type="text/javascript">
  315. var RecaptchaOptions = {
  316. theme : '<?php echo ( isset($_SESSION['a_iserror']) && in_array('mysecnum',$_SESSION['a_iserror']) ) ? 'red' : 'white'; ?>',
  317. custom_translations : {
  318. visual_challenge : "<?php echo hesk_slashJS($hesklang['visual_challenge']); ?>",
  319. audio_challenge : "<?php echo hesk_slashJS($hesklang['audio_challenge']); ?>",
  320. refresh_btn : "<?php echo hesk_slashJS($hesklang['refresh_btn']); ?>",
  321. instructions_visual : "<?php echo hesk_slashJS($hesklang['instructions_visual']); ?>",
  322. instructions_context : "<?php echo hesk_slashJS($hesklang['instructions_context']); ?>",
  323. instructions_audio : "<?php echo hesk_slashJS($hesklang['instructions_audio']); ?>",
  324. help_btn : "<?php echo hesk_slashJS($hesklang['help_btn']); ?>",
  325. play_again : "<?php echo hesk_slashJS($hesklang['play_again']); ?>",
  326. cant_hear_this : "<?php echo hesk_slashJS($hesklang['cant_hear_this']); ?>",
  327. incorrect_try_again : "<?php echo hesk_slashJS($hesklang['incorrect_try_again']); ?>",
  328. image_alt_text : "<?php echo hesk_slashJS($hesklang['image_alt_text']); ?>"
  329. }
  330. };
  331. </script>
  332. <?php
  333. require_once(HESK_PATH . 'inc/recaptcha/recaptchalib.php');
  334. echo '<div class="form-group"><div class="col-md-8 col-md-offset-4">';
  335. echo recaptcha_get_html($hesk_settings['recaptcha_public_key'], null, true);
  336. echo '</div></div>';
  337. }
  338. // Use reCaptcha API v2?
  339. elseif ($hesk_settings['recaptcha_use'] == 2)
  340. {
  341. ?>
  342. <div class="form-group">
  343. <div class="col-md-8 col-md-offset-4">
  344. <div class="g-recaptcha" data-sitekey="<?php echo $hesk_settings['recaptcha_public_key']; ?>"></div>
  345. </div>
  346. </div>
  347. <?php
  348. }
  349. // At least use some basic PHP generated image (better than nothing)
  350. else
  351. {
  352. echo '<div class="form-group"><div class="col-md-8 col-md-offset-4">';
  353. $cls = in_array('mysecnum',$_SESSION['a_iserror']) ? ' class="isError" ' : '';
  354. echo $hesklang['sec_enter'].'<br><br><img src="'.HESK_PATH.'print_sec_img.php?'.rand(10000,99999).'" width="150" height="40" alt="'.$hesklang['sec_img'].'" title="'.$hesklang['sec_img'].'" border="1" name="secimg" style="vertical-align:text-bottom"> '.
  355. '<a href="javascript:void(0)" onclick="javascript:document.form1.secimg.src=\''.HESK_PATH.'print_sec_img.php?\'+ ( Math.floor((90000)*Math.random()) + 10000);"><img src="'.HESK_PATH.'img/reload.png" height="24" width="24" alt="'.$hesklang['reload'].'" title="'.$hesklang['reload'].'" border="0" style="vertical-align:text-bottom"></a>'.
  356. '<br><br><input type="text" name="mysecnum" size="20" maxlength="5" '.$cls.'>';
  357. echo '</div></div>';
  358. }
  359. } // End if $hesk_settings['secimg_use'] == 2
  360. if ($hesk_settings['autologin'])
  361. {
  362. ?>
  363. <div class="form-group">
  364. <div class="col-md-offset-4 col-md-8">
  365. <div class="radio">
  366. <label><input type="radio" name="remember_user" value="AUTOLOGIN" <?php echo $is_1; ?>> <?php echo $hesklang['autologin']; ?></label>
  367. </div>
  368. <div class="radio">
  369. <label><input type="radio" name="remember_user" value="JUSTUSER" <?php echo $is_2; ?>> <?php echo $hesklang['just_user']; ?></label>
  370. </div>
  371. <div class="radio">
  372. <label><input type="radio" name="remember_user" value="NOTHANKS" <?php echo $is_3; ?>> <?php echo $hesklang['nothx']; ?></label>
  373. </div>
  374. </div>
  375. </div>
  376. <?php
  377. }
  378. else
  379. {
  380. ?>
  381. <div class="form-group">
  382. <div class="col-md-offset-4 col-md-8">
  383. <div class="checkbox">
  384. <label><input type="checkbox" name="remember_user" value="JUSTUSER" <?php echo $is_2; ?> /> <?php echo $hesklang['remember_user']; ?></label>
  385. </div>
  386. </div>
  387. </div>
  388. <?php
  389. } // End if $hesk_settings['autologin']
  390. ?>
  391. <div class="form-group">
  392. <div class="col-md-offset-4 col-md-8">
  393. <input type="submit" value="<?php echo $hesklang['click_login']; ?>" class="btn btn-default">
  394. <input type="hidden" name="a" value="do_login">
  395. <?php
  396. if ( hesk_isREQUEST('goto') && $url=hesk_REQUEST('goto') )
  397. {
  398. echo '<input type="hidden" name="goto" value="'.$url.'">';
  399. }
  400. // Do we allow staff password reset?
  401. if ($hesk_settings['reset_pass'])
  402. {
  403. echo '<br><br><a href="password.php" class="smaller">'.$hesklang['fpass'].'</a>';
  404. }
  405. ?>
  406. </div>
  407. </div>
  408. </form>
  409. </div>
  410. </div>
  411. <?php
  412. hesk_cleanSessionVars('a_iserror');
  413. exit();
  414. } // End print_login()
  415. function logout()
  416. {
  417. global $hesk_settings, $hesklang;
  418. if (!hesk_token_check('GET', 0)) {
  419. print_login();
  420. exit();
  421. }
  422. /* Delete from Who's online database */
  423. if ($hesk_settings['online']) {
  424. require(HESK_PATH . 'inc/users_online.inc.php');
  425. hesk_setOffline($_SESSION['id']);
  426. }
  427. /* Destroy session and cookies */
  428. hesk_session_stop();
  429. /* If we're using the security image for admin login start a new session */
  430. if ($hesk_settings['secimg_use'] == 2) {
  431. hesk_session_start();
  432. }
  433. /* Show success message and reset the cookie */
  434. hesk_process_messages($hesklang['logout_success'], 'NOREDIRECT', 'SUCCESS');
  435. hesk_setcookie('hesk_p', '');
  436. /* Print the login form */
  437. print_login();
  438. exit();
  439. } // End logout()
  440. ?>