Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion vexim/config/authsite.php
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
die();
}

if ($_SESSION['localpart'] != "siteadmin"){
if ($_SESSION['username'] != "siteadmin"){
header ("Location: index.php?login=failed");
die();
}
Expand Down
6 changes: 4 additions & 2 deletions vexim/config/header.php
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
<?php
if (isset($_SESSION['domain_id'])) {
$headerquery = "SELECT domains.enabled AS domain, users.enabled AS user FROM users,domains
WHERE users.localpart=:localpart AND domains.domain_id=:domain_id AND users.domain_id=domains.domain_id;";
WHERE users.username=:username AND domains.domain_id=:domain_id AND users.domain_id=domains.domain_id;";
$headerresult = $dbh->prepare($headerquery);
$headersuccess = $headerresult->execute(array(':localpart'=>$_SESSION['localpart'], ':domain_id'=>$_SESSION['domain_id']));
$headersuccess = $headerresult->execute(array(':username'=>$_SESSION['username'], ':domain_id'=>$_SESSION['domain_id']));
if ($headersuccess && $headerrow = $headerresult->fetch()) {
if ($headerrow['domain'] === "0") {
invalidate_session();
Expand Down Expand Up @@ -100,6 +100,8 @@
printf (_("-- %s is not a valid e-mail address."), $_GET['invalidforward']);
} else if (isset($_GET['nodbquery'])) {
print _("-- Database query failed, terminating session");
} else if (isset($_GET['login']) && ($_GET['login'] === "disabled")) {
print _("-- Login is disabled. Please contact your administrator.");
}
if (isset($_GET['login']) && ($_GET['login'] == "failed")) { print _("Login failed"); }

Expand Down
13 changes: 4 additions & 9 deletions vexim/config/variables.php.example
Original file line number Diff line number Diff line change
Expand Up @@ -38,15 +38,10 @@
or bcrypt with complexity 2^12 -> $cryptscheme='$2a$12$' */
$cryptscheme = 'sha512';

/* Choose the type of domain name input for the index page. It should
either be 'static', 'dropdown' or 'textbox'. Static causes the
domain name part of the URL to be used automatically, and the user
cannot change it. Dropdown uses a dropdown style menu with <select>
and <option>. Textbox presents a blank line for the user to type
their domain name one. Textbox might be prefered if you have a
large number of domains, or don't want to reveal the names of sites
which you host */
$domaininput = "dropdown";
/* Guess domain name from hostname and allow login based on
local part only. It is off by default, set this value to 1
in order to enable this function */
$domainguess = 0;

/* The UID's and GID's control the default UID and GID for new domains
and if postmasters can define their own.
Expand Down
34 changes: 6 additions & 28 deletions vexim/index.php
Original file line number Diff line number Diff line change
Expand Up @@ -14,41 +14,19 @@
<form style="margin-top:3em;" name="login" method="post" action="login.php">
<table align="center">
<tr>
<td><?php echo _('Username'); ?>:<td><input name="localpart" type="text" class="textfield">&nbsp;@&nbsp;</td>
<td>
<?php
$domain = preg_replace ("/^mail\./", "", $_SERVER["SERVER_NAME"]);
if ($domaininput == 'dropdown') {
$query = "SELECT domain FROM domains WHERE type='local' AND domain!='admin' ORDER BY domain";
$result = $dbh->query($query);
?>
<select name="domain" class="textfield">
<option value=''></option>
<?php
if ($result->rowCount()) {
while ($row = $result->fetch()) {
print "<option value='{$row['domain']}'>{$row['domain']}"
. '</option>';
}
}
print '</select>';
} else if ($domaininput == 'textbox') {
print '<input type="text" name="domain" class="textfield"> (domain name)';
} else if ($domaininput == 'static') {
print $domain
. '<input type="hidden" name="domain" value='
. $domain
. '>';
}
?>
<td><?php echo _('Username'); ?>:</td>
<td><input name="username" type="text" class="textfield">
<?php
if($domainguess===1) echo '@'.preg_replace ("/^mail\./", "", $_SERVER["SERVER_NAME"]);
?>
</td>
</tr>
<tr>
<td><?php echo _("Password"); ?>:</td>
<td><input name="crypt" type="password" class="textfield"></td>
</tr>
<tr>
<td colspan="3" style="text-align:center;padding-top:1em">
<td colspan="2" style="text-align:center;padding-top:1em">
<input name="submit" type="submit"
value="<?php echo _("Submit"); ?>" class="longbutton">
</td>
Expand Down
56 changes: 23 additions & 33 deletions vexim/login.php
Original file line number Diff line number Diff line change
Expand Up @@ -5,35 +5,22 @@

# first check if we have sufficient post variables to achieve a successful login... if not the login fails immediately
if (!isset($_POST['crypt']) || $_POST['crypt']===''
|| !isset($_POST['localpart']) || $_POST['localpart']===''
|| !isset($_POST['domain'])
|| !isset($_POST['username']) || $_POST['username']===''
){
header ('Location: index.php?login=failed');
die;
}

# construct the correct sql statement based on who the user is
if ($_POST['localpart'] === 'siteadmin') {
$query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains
WHERE localpart='siteadmin'
AND domain='admin'
AND username='siteadmin'
AND users.domain_id = domains.domain_id";
} else if ($AllowUserLogin) {
$query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled
FROM users,domains
WHERE localpart=:localpart
AND users.domain_id = domains.domain_id
AND domains.domain=:domain;";
} else {
$query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains
WHERE localpart=:localpart
AND users.domain_id = domains.domain_id
AND domains.domain=:domain
AND admin=1;";
}
if($domainguess === 1 && $_POST['username']!=='siteadmin') $_POST['username'].='@'.preg_replace ("/^mail\./", "", $_SERVER["SERVER_NAME"]);

# sql statement based on username
$query = "SELECT users.crypt,users.username,users.user_id,domains.domain,domains.domain_id,users.admin,users.type,
domains.enabled AS domainenabled, users.enabled AS userenabled
FROM users,domains
WHERE username=:username
AND users.domain_id = domains.domain_id";
$sth = $dbh->prepare($query);
$success = $sth->execute(array(':localpart'=>$_POST['localpart'], ':domain'=>$_POST['domain']));
$success = $sth->execute(array(':username'=>$_POST['username']));
if(!$success) {
print_r($sth->errorInfo());
die();
Expand All @@ -47,16 +34,15 @@
$cryptedpass = crypt_password($_POST['crypt'], $row['crypt']);

// Some debugging prints. They help when you don't know why auth is failing.
/*
/*
print $query. "<br>\n";;
print $row['localpart']. "<br>\n";
print $_POST['localpart'] . "<br>\n";
print $_POST['domain'] . "<br>\n";
print $row['username']. "<br>\n";
print $_POST['username'] . "<br>\n";
print "Posted crypt: " .$_POST['crypt'] . "<br>\n";
print $row['crypt'] . "<br>\n";
print $cryptscheme . "<br>\n";
print $cryptedpass . "<br>\n";
*/
*/

# if they have the wrong password bail out
if ($cryptedpass !== $row['crypt']) {
Expand All @@ -73,9 +59,9 @@
}

# populate session variables from what was retrieved from the database (NOT what they posted)
$_SESSION['localpart'] = $row['localpart'];
$_SESSION['domain'] = $row['domain'];
$_SESSION['username'] = $row['username'];
$_SESSION['domain_id'] = $row['domain_id'];
$_SESSION['domain'] = $row['domain'];
$_SESSION['crypt'] = $row['crypt'];
$_SESSION['user_id'] = $row['user_id'];

Expand All @@ -88,13 +74,17 @@
header ('Location: site.php');
die();
}

if ($row['admin'] == '1') {
header ('Location: admin.php');
die();
}

# must be a user, send them to edit their own details
header ('Location: userchange.php');

# must be a user, send them to edit their own details, if User-Login is permitted
if($AllowUserLogin===1) {
header ('Location: userchange.php');
die();
}
header ('Location: index.php?login=disabled');
?>
<!-- Layout and CSS tricks obtained from http://www.bluerobot.com/web/layouts/ -->