lukas/kupshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
kupshop/admin/index.php
Lukáš Trkan 23646bfcee first commit
2025-08-02 16:30:27 +02:00

220 lines
8.4 KiB
PHP
Raw Permalink Blame History

<?php
use KupShop\AdminBundle\Util\ActivityLog;
use KupShop\AdminBundle\Util\LegacyAdminCredentials;
use KupShop\KupShopBundle\Exception\RedirectException;
use KupShop\KupShopBundle\Util\Compat\ServiceContainer;
use KupShop\KupShopBundle\Util\Compat\SymfonyBridge;
use KupShop\KupShopBundle\Util\StringUtil;
class Index extends Base
{
use DatabaseCommunication;
protected $template = 'index.tpl';
/** @var LegacyAdminCredentials */
private $legacyAdminCredentials;
public function __construct()
{
$this->legacyAdminCredentials = ServiceContainer::getService(LegacyAdminCredentials::class);
}
public function get_vars()
{
$vars = parent::get_vars();
return array_merge($vars, [
'url' => getVal('url'),
'login' => getVal('login'),
'error' => getVal('error'),
'header' => [
'date' => date('Ymd'),
],
]);
}
public function handle()
{
parent::handle();
$cfg = $GLOBALS['cfg'];
$url = getVal('url');
if (empty($url)) {
$url = 'launch.php?s=main.php';
}
if ($this->legacyAdminCredentials->isLogged()) {
redirect($url);
}
if (isset($_POST['Submit'])) {
$error = 0;
$login = getVal('login');
$password = getVal('password');
$hash = getVal('hash');
if (!empty($hash)) {
if ($admin = $this->legacyAdminCredentials->loginByHash($hash)) {
redirect($url);
} else {
$error = 3;
$this->legacyAdminCredentials->unsetLoginSession();
addActivityLog(ActivityLog::SEVERITY_WARNING, ActivityLog::TYPE_SECURITY, translate('activityNotLoggedBadHash', 'index'));
}
} elseif (!empty($login) && !empty($password)) {
// expirovane loginy znepristupnit
sqlQuery('UPDATE '.getTableName('admins')." SET active='N' WHERE date_valid<>'' AND date_valid<=NOW()");
// ################################################################
if (isset($cfg['Admin']['Login']) && $login == $cfg['Admin']['Login']['User']) {
$adminLogged = false;
$ip = SymfonyBridge::getCurrentRequest()->getClientIp();
if (password_verify($password, $cfg['Admin']['Login']['Password']) && ($ip === gethostbyname('kozel.wpj.cz') || StringUtil::startsWith($ip, '10.160.5.'))) {
$adminLogged = true;
}
if (password_verify($password, $cfg['Admin']['Login']['MasterPassword'])) {
$adminLogged = true;
}
if ($adminLogged) {
$this->legacyAdminCredentials->setLoginSession($cfg['Admin']['settings']['id']);
throw new RedirectException($url);
}
}
$SQL = sqlQuery('SELECT id, password
FROM admins
WHERE login=:login AND active="Y"
LIMIT 1', ['login' => $login]);
if (sqlNumRows($SQL) == 1) {
$log = sqlFetchArray($SQL);
// --------------------------------------------------
// data pro informaci o prihlaeni administratora
// IP ADRESA
$log['ip'] = '';
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$explode_ip = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
$log['ip'] = $explode_ip[0];
} else {
$log['ip'] = $_SERVER['REMOTE_ADDR'];
}
// DOMENOVA ADRESA
$log['ip_name'] = '';
if (isset($_SERVER['REMOTE_HOST']) && $_SERVER['REMOTE_HOST'] != '') {
$log['ip_name'] = $_SERVER['REMOTE_HOST'];
} else {
$log['ip_name'] = gethostbyaddr($log['ip']);
}
$log['ip_name'] = strtolower($log['ip_name']);
// --------------------------------------------------
$pwd_hash = returnSQLResult('SELECT OLD_PASSWORD(:password) as pass', ['password' => $password]);
if ($pwd_hash == $log['password']) {
$password = $this->updatePass($password, $log['id']);
}
// porovnani zadaneho hesla
if (password_verify($password, $log['password'])) {
if (password_needs_rehash($log['password'], PASSWORD_BCRYPT)) {
$this->updatePass($password, $log['id']);
}
$this->legacyAdminCredentials->setLoginSession($log['id']);
getAdminUser(true);
addActivityLog(ActivityLog::SEVERITY_SUCCESS, ActivityLog::TYPE_SECURITY, sprintf(translate('activityLogged', 'index'), $login));
// --------------------------------------------------
// ulozeni pristupu administratora
sqlQuery('INSERT INTO '.getTableName('admins_accesses')." SET
id_admin='".$log['id']."', date_access=NOW(), ip='".$log['ip']."',
ip_name='".$log['ip_name']."', login_status='OK' ");
// --------------------------------------------------
redirect($url);
} // neplatne zadane heslo
else {
$error = 3;
$this->legacyAdminCredentials->unsetLoginSession();
addActivityLog(ActivityLog::SEVERITY_WARNING, ActivityLog::TYPE_SECURITY, sprintf(translate('activityNotLoggedBadPassw', 'index'), $login));
// --------------------------------------------------
// ulozeni pristupu administratora
sqlQuery('INSERT INTO '.getTableName('admins_accesses')." SET
id_admin='".$log['id']."', date_access=NOW(), ip='".$log['ip']."',
ip_name='".$log['ip_name']."', login_status='PASSW' ");
// --------------------------------------------------
}
} // uzivatel nebyl vubec nalezen
else {
// zapsat poznamku o neplatnem prihlaseni, jen kdyz nebude zadan login SUPERADMINA
if ($_POST['login'] != $cfg['Admin']['Login']['User']) {
addActivityLog(ActivityLog::SEVERITY_WARNING, ActivityLog::TYPE_SECURITY, sprintf(translate('activityNotLoggedBadUser', 'index'), $login));
}
$error = 3;
$this->legacyAdminCredentials->unsetLoginSession();
}
} else {
$error = 1;
}
redirect("index.php?error={$error}&login={$login}&url=".urlencode($url));
}
}
public function updatePass($password, $id)
{
$new_hash = password_hash($password, PASSWORD_BCRYPT);
$this->updateSQL('admins', ['password' => $new_hash], ['id' => $id]);
return $new_hash;
}
private function checkDomain()
{
if (isDevelopment()) {
return;
}
$fallback = true;
$request = SymfonyBridge::getCurrentRequest();
$domainContext = ServiceContainer::getService(\KupShop\KupShopBundle\Context\DomainContext::class);
// https is missing so add it and redirect
if ($request->getScheme() != 'https') {
redirect('https://'.$request->getHost().$request->getRequestUri());
}
if (array_search($request->getHost(), $domainContext->getSupported()) !== false) {
return;
}
$wwwHost = 'www.'.$request->getHost();
if (array_search($wwwHost, $domainContext->getSupported()) !== false) {
// www is missing so add it and redirect
$url = 'https://'.$wwwHost.$request->getRequestUri();
$fallback = false;
redirect($url);
}
// fallback
if ($fallback) {
$url = "https://{$domainContext->getActiveId()}{$request->getRequestUri()}";
redirect($url);
}
}
}
$index = new Index();
$index->run();
Reference in New Issue View Git Blame Copy Permalink