When performing critical operations (such as user deletion) the system now asks you to confirm your password

This commit is contained in:
kolaente 2017-05-01 20:25:43 +02:00 committed by konrad
parent b365dc88ed
commit 4ce47c209f
9 changed files with 374 additions and 228 deletions


@ -1373,6 +1373,59 @@ header .stream{
display: block;
}
/*Confirm Window*/
.overlay {
position: fixed;
left: 0;
right: 0;
top: 0;
bottom: 0;
background: rgba(0, 0, 0, 0.4);
z-index: 99;
}
.window-confirm, .window-confirm .head {
text-align: center;
left: calc(50vw - 175px);
width: 100%;
max-width: 350px;
top: 40px;
background: #fff;
padding: 10px 10px 20px;
box-shadow: 0 2px 2px 0 rgba(0, 0, 0, .14), 0 3px 1px -2px rgba(0, 0, 0, .2), 0 1px 5px 0 rgba(0, 0, 0, .12);
z-index: 1;
border-radius: 2px;
position: fixed;
overflow: auto;
max-height: calc(100vh - 80px);
height: auto;
}
.window-confirm .head {
margin: -10px -10px 10px 0;
text-align: left;
padding: 10px 10px;
background: #eaeaea;
border-radius: 2px 2px 0 0;
-moz-user-select: -moz-none;
-webkit-user-select: none;
user-select: none;
cursor: default;
position: fixed;
}
.window-confirm .head .closeMsg {
color: #212121;
}
.window-confirm .head .closeMsg:hover {
color: #5d5d5d;
}
.window-confirm #content {
margin-top: 30px;
}
@media screen and (max-width: 450px) {
header .options span.usr_info {
display: none;


@ -87,7 +87,6 @@ tinymce();
$appUri = '../apps/';
foreach ($apps->getApps() as $app => $appconf)
{
require $appUri . $app . '/config.php';
if (isset($_CONF['general_conf']) && $_CONF['general_conf'] != '' && file_exists($appUri . $app . '/' . $_CONF['general_conf']))
{


@ -88,6 +88,14 @@ $lang['general_database'] = 'Datenbank';
$lang['general_create_backup'] = 'Datenbank Backup erstellen';
$lang['general_go_phpmyadmin'] = 'Zu phpmyadmin';
//Legitimation
$lang['legitimate_title'] = 'Legitimierung benötigt';
$lang['legitimate_text'] = 'Dieser Vorgang benötigt eine Passwortbestätigung.';
$lang['legitimate_confirm'] = 'Bestätigen';
$lang['legitimate_abort'] = 'Abbrechen';
$lang['legitimate_error'] = 'Beim Legitimieren ist ein Fehler aufgetreten.';
$lang['legitimate_fail'] = 'Falsches Passwort.';
/*
* Manage Admins
*/


@ -5,78 +5,109 @@ require_once '../inc/config.php';
require_once '../inc/libs/password.php';
require_once '../inc/libs/functions.php';
$db->setCol('system_admins');
$db->data['username'] = $_POST['username'];
$db->get();
if($db->data[0]['id'] != '')
if(isset($_POST['username']))
{
if(password_verify($_POST['pw'], $db->data[0]['pass']))
$db->setCol('system_admins');
$db->data['username'] = $_POST['username'];
$db->get();
if (isset($db->data[0]) && $db->data[0]['id'] != '')
{
session_regenerate_id();
$uid = $db->data[0]['id'];
//Token
$token = random(64);
$_SESSION['token'] = $token;
$db->clear();
$db->setCol('system_loggedin');
$db->data['user'] = $uid;
$db->data['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$db->data['ip'] = $_SERVER['REMOTE_ADDR'];
$db->data['time'] = time();
$db->data['token'] = $token;
//if($db->insert()) echo 'token'; else echo 'hm';
$db->insert();
//echo $token;
$db->clear();
$db->setCol('system_admins');
$db->data['id'] = $uid;
$db->get();
if($db->data[0]['secret'] != '')
if (password_verify($_POST['pw'], $db->data[0]['pass']))
{
if(isset($_POST['2fa']) && $_POST['2fa'] == '')
{
echo '2fa';
exit;
}
else
{
require_once '../inc/libs/2fa.php';
$authenticator = new php2FA();
session_regenerate_id();
$uid = $db->data[0]['id'];
if($authenticator->verifyCode($db->data[0]['secret'], $_POST['2fa'], 3))
//Token
$token = random(64);
$_SESSION['token'] = $token;
$db->clear();
$db->setCol('system_loggedin');
$db->data['user'] = $uid;
$db->data['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$db->data['ip'] = $_SERVER['REMOTE_ADDR'];
$db->data['time'] = time();
$db->data['token'] = $token;
//if($db->insert()) echo 'token'; else echo 'hm';
$db->insert();
//echo $token;
$db->clear();
$db->setCol('system_admins');
$db->data['id'] = $uid;
$db->get();
if ($db->data[0]['secret'] != '')
{
if (isset($_POST['2fa']) && $_POST['2fa'] == '')
{
echo 'success';
stream_message('{user} has logged in.', 4);
}
else
{
echo '2fafail';
echo '2fa';
exit;
}
}
}
else
{
echo 'success';
}
} else
{
require_once '../inc/libs/2fa.php';
$authenticator = new php2FA();
//Session
$_SESSION['user'] = $db->data[0]['username'];
$_SESSION['userid'] = $db->data[0]['id'];
$_SESSION['lvl'] = $db->data[0]['lvl'];
$_SESSION['mail'] = $db->data[0]['mail'];
$_SESSION['guestview'] = 'true';
stream_message('{user} has logged in.', 4);
}
else
if ($authenticator->verifyCode($db->data[0]['secret'], $_POST['2fa'], 3))
{
echo 'success';
stream_message('{user} has logged in.', 4);
} else
{
echo '2fafail';
exit;
}
}
} else
{
echo 'success';
}
//Session
$_SESSION['user'] = $db->data[0]['username'];
$_SESSION['userid'] = $db->data[0]['id'];
$_SESSION['lvl'] = $db->data[0]['lvl'];
$_SESSION['mail'] = $db->data[0]['mail'];
$_SESSION['guestview'] = 'true';
stream_message('{user} has logged in.', 4);
} else
{
echo 'fail';
}
} else
{
echo 'fail';
}
}
else
//Check for password - needed for user's confirmation
if(isset($_GET['checkPassword']))
{
echo 'fail';
if(is_loggedin())
{
if(isset($_POST['pw']))
{
$db->setCol('system_admins');
$db->data['id'] = $_SESSION['userid'];
$db->get();
if (isset($db->data[0]) && $db->data[0]['id'] != '')
{
if (password_verify($_POST['pw'], $db->data[0]['pass']))
{
echo 'success';
}
else
{
echo 'fail';
}
}
else
{
echo 'fail';
}
}
}
else
{
echo 'login first.';
}
}
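Review bot: The `checkPassword` branch only echoes `success`/`fail` and records nothing server-side, so the password confirmation is enforced purely by the footer JavaScript; a client that posts the form data straight to the page handler never hits this check. A defensible version records the confirmation in the session, e.g. `$_SESSION['pw_confirmed_at'] = time();` immediately before `echo 'success';`, and the handlers behind the `askPW` forms (the new_user, permissions, roles and users hunks of this commit) refuse to act unless that timestamp is recent. No attempt limiting is visible on this path, so the endpoint lets a session holder retry the admin's password without bound; whatever throttling or logging the `username` login path has (none is shown here) should apply equally. The `if(isset($_POST['pw']))` block has no else, so a request without `pw` returns an empty body that the client can only report as a generic error; an explicit `echo 'fail';` there would be clearer.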


@ -50,6 +50,7 @@ if (hasPerm('manage_admins'))
<div class="main">
<div class="form">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="POST">
<input type="hidden" name="askPW" value="askPW">
<p><span><?php echo $lang->get('admins_cn_username'); ?>:</span><input type="text" name="userN"/>
</p>
<p><span><?php echo $lang->get('admins_cn_password'); ?>:</span><input type="password" name="pw1"/>


@ -35,7 +35,7 @@ if (hasPerm('edit_permissions'))
}
} else
{
echo '<div class="main"><form action="'.$_SERVER['REQUEST_URI'].'" method="post">';
echo '<div class="main"><form action="'.$_SERVER['REQUEST_URI'].'" method="post"><input type="hidden" name="askPW" value="askPW">';
//Admin Groups
$db->get();
$role_names = [];


@ -42,6 +42,7 @@ if (hasPerm('manage_groups'))
?>
<div class="main" style="text-align: center">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<p><?php echo $lang->get('admins_roles_delete_confirm');?></p>
<input type="submit" name="del" value="<?php echo $lang->get('general_yes');?>"/>
<a href="roles.php?members=<?php echo $_GET['members']; ?>" class="button btn_del"><?php echo $lang->get('general_no');?></a>
@ -69,6 +70,7 @@ if (hasPerm('manage_groups'))
?>
<div class="main" style="text-align: center">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<p><?php echo $lang->get('admins_roles_user_delete_confirm');?></p>
<input type="submit" name="del" value="<?php echo $lang->get('general_yes');?>"/>
<a href="roles.php?members=<?php echo $_GET['members']; ?>" class="button btn_del"><?php echo $lang->get('general_no');?></a>
@ -133,6 +135,7 @@ if (hasPerm('manage_groups'))
{
?>
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<?php echo $lang->get('admins_roles_add_user');?>:
<select name="user">
<?php
@ -173,6 +176,7 @@ if (hasPerm('manage_groups'))
<div class="main">
<h2><?php echo $lang->get('admins_roles_create_group');?></h2>
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<input type="text" name="group_name" placeholder="<?php echo $lang->get('admins_roles_group_name');?>"/><br/>
<input type="submit" name="submit" value="<?php echo $lang->get('admins_roles_create_group');?>"/>
</form>


@ -275,6 +275,7 @@ if (hasPerm('manage_admins') || $uid == $_SESSION['userid'])
?>
<div class="main">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" class="form" method="post">
<input type="hidden" name="askPW" value="askPW">
<p><span><?php echo $lang->get('username'); ?>:</span><input name="username"
value="<?php echo $db->data[0]['username'] ?>"/>
</p>


@ -4,203 +4,252 @@ if (!isset($_GET['direct']))
?>
</div>
<div id="showMsg"></div>
<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/bootstrap.min.js"></script>
<script>
$(document).ready(function(){
$('[data-toggle="tooltip"]').tooltip();
});
</script>
</div>
<div id="showMsg"></div>
<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/bootstrap.min.js"></script>
<script>
$(document).ready(function () {
$('[data-toggle="tooltip"]').tooltip();
});
</script>
<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/moment.js"></script>
<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/moment.js"></script>
<!--<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/page.js"></script>
<!--<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/page.js"></script>
<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/page.bodyparser.js"></script>-->
<script>
moment.locale('de');
<script>
moment.locale('de');
//Msg
function showMsg(msg) {
$('#showMsg').html('<div class="snackbar"><a onclick="closeMsg();" class="closeMsg"><i class="fa fa-close"></i> </a><p>' + msg + '</p></div>');
}
//Msg
function showMsg(msg) {
$('#showMsg').html('<div class="snackbar"><a onclick="closeMsg();" class="closeMsg"><i class="fa fa-close"></i> </a><p>' + msg + '</p></div>');
}
function closeMsg() {
$('#showMsg').html('');
}
function closeMsg() {
$('#showMsg').html('');
}
//Show Loader
function showTopLoader() {
$('.loader-overlay').fadeIn(150);
$('.toploading').animate({height: "8px"}, 150);
}
//Show Loader
function showTopLoader() {
$('.loader-overlay').fadeIn(150);
$('.toploading').animate({height: "8px"}, 150);
}
function hideTopLoader() {
$('.loader-overlay').fadeOut(150);
$('.toploading').animate({height: "0"}, 150);
}
function hideTopLoader() {
$('.loader-overlay').fadeOut(150);
$('.toploading').animate({height: "0"}, 150);
}
//Change current Language
$('#langselectbtn').click(function () {
$('.langs').fadeToggle(100);
});
//Change current Language
$('#langselectbtn').click(function () {
$('.langs').fadeToggle(100);
});
function changeLang(lang) {
showTopLoader();
$.get('<?php echo $MCONF['home_uri'];?>admin/lang.php?set=' + lang, function (data) {
console.log(data);
if(data == 1){
location.reload();
} else {
showMsg('Error.');
}
})
}
function changeLang(lang) {
showTopLoader();
$.get('<?php echo $MCONF['home_uri'];?>admin/lang.php?set=' + lang, function (data) {
console.log(data);
if (data == 1) {
location.reload();
} else {
showMsg('Error.');
}
})
}
//showStream
function showStream()
{
$('#streamContent').fadeToggle(100,function() {
if($('#streamContent').is(":visible")) {
$.getJSON('<?php echo $MCONF['home_uri'];?>admin/stream.php?getStream&limit=10', function (streamData) {
$('#streamContent').html('');
$.each(streamData, function (key, val) {
$('#streamContent').append('<p>' + val.message + ' (' + moment(val.time * 1000).fromNow() + ')</p>');
});
$('#streamContent').append('<a href="<?php echo $MCONF['home_uri'];?>admin/stream.php" class="button">Mehr</a>');
});
}
});
}
//showStream
function showStream() {
$('#streamContent').fadeToggle(100, function () {
if ($('#streamContent').is(":visible")) {
$.getJSON('<?php echo $MCONF['home_uri'];?>admin/stream.php?getStream&limit=10', function (streamData) {
$('#streamContent').html('');
$.each(streamData, function (key, val) {
$('#streamContent').append('<p>' + val.message + ' (' + moment(val.time * 1000).fromNow() + ')</p>');
});
$('#streamContent').append('<a href="<?php echo $MCONF['home_uri'];?>admin/stream.php" class="button">Mehr</a>');
});
}
});
}
$(document).ready(function () {
function closeW() {
$('.overlay').fadeOut(200);
$('.overlay').html('');
}
//Router
$('#topnav').addClass('no-transition');
function sendPost(ctx, requestData) {
$.ajax({
url: ctx.canonicalPath,
type: 'POST',
cache: false,
data: requestData,
beforeSend: function () {
showTopLoader();
},
complete: function () {
hideTopLoader();
},
success: function (result) {
$("#loader").html(result);
},
error: function (xhr, status, error) {
console.log(status, error);
}
});
}
page('*', findPage);
page();
$(document).ready(function () {
pageBodyParser();
//Router
$('#topnav').addClass('no-transition');
function findPage(ctx, next) {
if(!ctx.init) {
if (ctx.body) { //If POST-Request, send Post via ajax
page('*', findPage);
page();
var isAjax = false;
var requestData = 'direct=true';
var editorname = '';
//console.log(typeof(tinyMCE));
if (typeof(tinyMCE) != "undefined" && tinyMCE.activeEditor != null) {editorname = $('#' + tinyMCE.activeEditor.id).attr("name");}//Get the new Content, not the old
pageBodyParser();
for (var key in ctx.body) {
if (!ctx.body.hasOwnProperty(key)) continue;
function findPage(ctx, next) {
if (!ctx.init) {
if (ctx.body) { //If POST-Request, send Post via ajax
//If we have content edited with tinymce, we want the new content to be passed with the POST-Request
if(key == editorname) {
console.log(tinyMCE);
requestData += '&' + key + '=' + encodeURIComponent(tinyMCE.activeEditor.getContent());
} else {
requestData += '&' + key + '=' + encodeURIComponent(ctx.body[key]);
}
if(key == 'ajax') isAjax = true;
}
var isAjax = false;
var requestData = 'direct=true';
var editorname = '';
var needsPwConfirm = false;
//console.log(typeof(tinyMCE));
if (typeof(tinyMCE) != "undefined" && tinyMCE.activeEditor != null) {
editorname = $('#' + tinyMCE.activeEditor.id).attr("name");
}//Get the new Content, not the old
console.log(requestData);
for (var key in ctx.body) {
if (!ctx.body.hasOwnProperty(key)) continue;
if(!isAjax) {
$.ajax({
url: ctx.canonicalPath,
type: 'POST',
cache: false,
data: requestData,
beforeSend: function () {
showTopLoader();
},
complete: function () {
hideTopLoader();
},
success: function (result) {
$("#loader").html(result);
},
error: function (xhr, status, error) {
console.log(status, error);
}
});
}
} else {//Otherwise display Contents
//Check users password
if (key == 'askPW') {
needsPwConfirm = true;
}
showTopLoader();
//Load Title
var title = '';
var query = '';
if (ctx.querystring != '') {
query += '&' + ctx.querystring;
}
$.get(ctx.pathname + '?title' + query, function (data) {
title = data;
}).fail(function (e) {
if (e.status == 404) {
showMsg('<?php echo $lang->get('404_not_found');?> (' + e.statusText + ')');
} else {
showMsg('Error.');
}
});
//If we have content edited with tinymce, we want the new content to be passed with the POST-Request
if (key == editorname) {
console.log(tinyMCE);
requestData += '&' + key + '=' + encodeURIComponent(tinyMCE.activeEditor.getContent());
} else {
requestData += '&' + key + '=' + encodeURIComponent(ctx.body[key]);
}
if (key == 'ajax') isAjax = true;
}
//Load Content
$.get(ctx.pathname + '?direct' + query, function (data) {
hideTopLoader();
if (data == 'Login First.') {
location.reload();
} else {
$("#loader").html(data);
//Confirm user password
if (needsPwConfirm) {
$('#showMsg').html('<div class="overlay" style="display:none;"><div class="window-confirm"><div class="head"><?php echo $lang->get('legitimate_title')?><a onclick="closeW();" class="closeMsg"><i class="fa fa-close"></i></a></div><div id="content"></div></div></div>');
$('#content').append('<p><?php echo $lang->get('legitimate_text')?></p><p><input type="password" placeholder="<?php echo $lang->get('password')?>" id="password_legitimate" autofocus/><input type="submit" value="<?php echo $lang->get('legitimate_confirm')?>" id="legitimateSmbt"/><a onclick="closeW();" class="button btn_del"><?php echo $lang->get('legitimate_abort')?></a></p><span id="sendMsg"></span>');
$('#password_legitimate').focus();
$(".overlay").fadeIn(250);
//Set Title
$("#title").html(title);
document.title = title + ' | <?php echo $lang->get('admin_title') . ' | ' . $MCONF['title']?>';
$('#legitimateSmbt').click(function () {
$.ajax({
url: 'login.php?checkPassword',
type: 'POST',
cache: false,
data: 'pw=' + $('#password_legitimate').val(),
success: function (result) { // On success, display a message...
if (result == 'success') {
closeW();
//Update Menu
$('li').each(function (index) {
$(this).removeClass('active');
});
//Send the request
if (!isAjax) {
sendPost(ctx, requestData);
}
} else if (result == 'fail') {
$('#sendMsg').html('<p style="color:red;"><?php echo $lang->get('legitimate_fail')?></p>');
} else {
$('#sendMsg').html('<p style="color:red;"><?php echo $lang->get('legitimate_error')?></p>');
}
},
error: function (xhr, status, error) {
console.log(status, error);
showMsg('<?php echo $lang->get('legitimate_error')?>');
}
});
});
} else {
if (!isAjax) {
sendPost(ctx, requestData);
}
}
} else {//Otherwise display Contents
//Find Class & Parent for menu
var menuitem = 'mw-menu-' + ctx.path.replace(/\//g, '-').replace('.php', '').replace('?', '').replace('&', '').replace('=', '');
//console.log(menuitem);
$('#' + menuitem).addClass('active');
showTopLoader();
//Load Title
var title = '';
var query = '';
if (ctx.querystring != '') {
query += '&' + ctx.querystring;
}
$.get(ctx.pathname + '?title' + query, function (data) {
title = data;
}).fail(function (e) {
if (e.status == 404) {
showMsg('<?php echo $lang->get('404_not_found');?> (' + e.statusText + ')');
} else {
showMsg('Error.');
}
});
//Find Top item
var topitems = menuitem.split('-');
//console.log(topitems);
$('#' + 'mw-menu-' + topitems[2] + '-' + topitems[3] + '-top').addClass('active');
if (topitems[3] == 'roles' || topitems[3] == 'users' || topitems[3] == 'permissions' || topitems[3] == 'new_user') {
$('#' + 'mw-menu-admin-users-top').addClass('active');
}
//Load Content
$.get(ctx.pathname + '?direct' + query, function (data) {
hideTopLoader();
if (data == 'Login First.') {
location.reload();
} else {
$("#loader").html(data);
//Get CSS
//Set Title
$("#title").html(title);
document.title = title + ' | <?php echo $lang->get('admin_title') . ' | ' . $MCONF['title']?>';
//Update Menu
$('li').each(function (index) {
$(this).removeClass('active');
});
//Find Class & Parent for menu
var menuitem = 'mw-menu-' + ctx.path.replace(/\//g, '-').replace('.php', '').replace('?', '').replace('&', '').replace('=', '');
//console.log(menuitem);
$('#' + menuitem).addClass('active');
//Find Top item
var topitems = menuitem.split('-');
//console.log(topitems);
$('#' + 'mw-menu-' + topitems[2] + '-' + topitems[3] + '-top').addClass('active');
if (topitems[3] == 'roles' || topitems[3] == 'users' || topitems[3] == 'permissions' || topitems[3] == 'new_user') {
$('#' + 'mw-menu-admin-users-top').addClass('active');
}
//Get CSS
$('#addedCss').remove(); // Remove old CSS
$.get(ctx.pathname + '?css' + query, function (data) {
if(data.css) {
for(var i = 0; i < data.css_files.length; i++) {
if (data.css) {
for (var i = 0; i < data.css_files.length; i++) {
var cssFile = data.css_files[i];
$('head').append('<link rel="stylesheet" href="' + data.fullUri + cssFile + '" type="text/css" id="addedCss">');
}
}
});
}
}).fail(function (e) {
if (e.status == 404) {
showMsg('<?php echo $lang->get('404_not_found');?> (' + e.statusText + ')');
} else {
showMsg('Error.');
}
});
}
}
}
});
</script>
</body>
</html>
}
}).fail(function (e) {
if (e.status == 404) {
showMsg('<?php echo $lang->get('404_not_found');?> (' + e.statusText + ')');
} else {
showMsg('Error.');
}
});
}
}
}
});
</script>
</body>
</html>
<?php
}
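Review bot: The confirm dialog builds its request body as `data: 'pw=' + $('#password_legitimate').val()`, which sends the password unencoded, so any password containing `&`, `+`, `%` or `#` is corrupted before it reaches `login.php?checkPassword` and is rejected as wrong; passing an object, `data: { pw: $('#password_legitimate').val() },`, lets jQuery encode it. `closeW()` appears to be declared inside the `$(document).ready` callback but is invoked from inline `onclick="closeW();"` attributes in the injected overlay markup, which resolve against the global scope, so the close links would throw a ReferenceError; either define it at script top level or expose it with `window.closeW = closeW;`. Because the gate lives entirely in this callback, the server must still verify the confirmation on its own (see the note on the login.php hunk). The enclosing `if (!isset($_GET['direct']))` block starts before this hunk.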