diff --git a/vexim/config/authsite.php b/vexim/config/authsite.php index ce17b04c..aa60d00f 100644 --- a/vexim/config/authsite.php +++ b/vexim/config/authsite.php @@ -16,7 +16,7 @@ die(); } - if ($_SESSION['localpart'] != "siteadmin"){ + if ($_SESSION['username'] != "siteadmin"){ header ("Location: index.php?login=failed"); die(); } diff --git a/vexim/config/header.php b/vexim/config/header.php index 772be473..1076ff7c 100644 --- a/vexim/config/header.php +++ b/vexim/config/header.php @@ -1,9 +1,9 @@ prepare($headerquery); - $headersuccess = $headerresult->execute(array(':localpart'=>$_SESSION['localpart'], ':domain_id'=>$_SESSION['domain_id'])); + $headersuccess = $headerresult->execute(array(':username'=>$_SESSION['username'], ':domain_id'=>$_SESSION['domain_id'])); if ($headersuccess && $headerrow = $headerresult->fetch()) { if ($headerrow['domain'] === "0") { invalidate_session(); @@ -100,6 +100,8 @@ printf (_("-- %s is not a valid e-mail address."), $_GET['invalidforward']); } else if (isset($_GET['nodbquery'])) { print _("-- Database query failed, terminating session"); + } else if (isset($_GET['login']) && ($_GET['login'] === "disabled")) { + print _("-- Login is disabled. Please contact your administrator."); } if (isset($_GET['login']) && ($_GET['login'] == "failed")) { print _("Login failed"); } diff --git a/vexim/config/variables.php.example b/vexim/config/variables.php.example index de61453b..5571be70 100644 --- a/vexim/config/variables.php.example +++ b/vexim/config/variables.php.example @@ -38,15 +38,10 @@ or bcrypt with complexity 2^12 -> $cryptscheme='$2a$12$' */ $cryptscheme = 'sha512'; - /* Choose the type of domain name input for the index page. It should - either be 'static', 'dropdown' or 'textbox'. Static causes the - domain name part of the URL to be used automatically, and the user - cannot change it. Dropdown uses a dropdown style menu with  @  - - query($query); - ?> - '; - } else if ($domaininput == 'textbox') { - print ' (domain name)'; - } else if ($domaininput == 'static') { - print $domain - . ''; - } - ?> + : + + @@ -48,7 +26,7 @@ - + " class="longbutton"> diff --git a/vexim/login.php b/vexim/login.php index 4b36321b..b57d9eac 100644 --- a/vexim/login.php +++ b/vexim/login.php @@ -5,35 +5,22 @@ # first check if we have sufficient post variables to achieve a successful login... if not the login fails immediately if (!isset($_POST['crypt']) || $_POST['crypt']==='' - || !isset($_POST['localpart']) || $_POST['localpart']==='' - || !isset($_POST['domain']) + || !isset($_POST['username']) || $_POST['username']==='' ){ header ('Location: index.php?login=failed'); die; } - # construct the correct sql statement based on who the user is - if ($_POST['localpart'] === 'siteadmin') { - $query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains - WHERE localpart='siteadmin' - AND domain='admin' - AND username='siteadmin' - AND users.domain_id = domains.domain_id"; - } else if ($AllowUserLogin) { - $query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled - FROM users,domains - WHERE localpart=:localpart - AND users.domain_id = domains.domain_id - AND domains.domain=:domain;"; - } else { - $query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains - WHERE localpart=:localpart - AND users.domain_id = domains.domain_id - AND domains.domain=:domain - AND admin=1;"; - } + if($domainguess === 1 && $_POST['username']!=='siteadmin') $_POST['username'].='@'.preg_replace ("/^mail\./", "", $_SERVER["SERVER_NAME"]); + + # sql statement based on username + $query = "SELECT users.crypt,users.username,users.user_id,domains.domain,domains.domain_id,users.admin,users.type, + domains.enabled AS domainenabled, users.enabled AS userenabled + FROM users,domains + WHERE username=:username + AND users.domain_id = domains.domain_id"; $sth = $dbh->prepare($query); - $success = $sth->execute(array(':localpart'=>$_POST['localpart'], ':domain'=>$_POST['domain'])); + $success = $sth->execute(array(':username'=>$_POST['username'])); if(!$success) { print_r($sth->errorInfo()); die(); @@ -47,16 +34,15 @@ $cryptedpass = crypt_password($_POST['crypt'], $row['crypt']); // Some debugging prints. They help when you don't know why auth is failing. - /* +/* print $query. "
\n";; - print $row['localpart']. "
\n"; - print $_POST['localpart'] . "
\n"; - print $_POST['domain'] . "
\n"; + print $row['username']. "
\n"; + print $_POST['username'] . "
\n"; print "Posted crypt: " .$_POST['crypt'] . "
\n"; print $row['crypt'] . "
\n"; print $cryptscheme . "
\n"; print $cryptedpass . "
\n"; - */ +*/ # if they have the wrong password bail out if ($cryptedpass !== $row['crypt']) { @@ -73,9 +59,9 @@ } # populate session variables from what was retrieved from the database (NOT what they posted) - $_SESSION['localpart'] = $row['localpart']; - $_SESSION['domain'] = $row['domain']; + $_SESSION['username'] = $row['username']; $_SESSION['domain_id'] = $row['domain_id']; + $_SESSION['domain'] = $row['domain']; $_SESSION['crypt'] = $row['crypt']; $_SESSION['user_id'] = $row['user_id']; @@ -88,13 +74,17 @@ header ('Location: site.php'); die(); } + if ($row['admin'] == '1') { header ('Location: admin.php'); die(); } - # must be a user, send them to edit their own details - header ('Location: userchange.php'); - + # must be a user, send them to edit their own details, if User-Login is permitted + if($AllowUserLogin===1) { + header ('Location: userchange.php'); + die(); + } + header ('Location: index.php?login=disabled'); ?>