File: login.php

package info (click to toggle)
postfixadmin 4.0.1%2Bds-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 4,888 kB
  • sloc: php: 12,256; perl: 1,156; sh: 717; python: 142; xml: 63; sql: 3; makefile: 2
file content (119 lines) | stat: -rw-r--r-- 3,296 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
 
<?php

/**
 * Postfix Admin
 *
 * LICENSE
 * This source file is subject to the GPL license that is bundled with
 * this package in the file LICENSE.TXT.
 *
 * Further details on the project are available at https://github.com/postfixadmin/postfixadmin
 *
 * @version $Id$
 * @license GNU GPL v2 or later.
 *
 * File: login.php
 * Authenticates a user, and populates their $_SESSION as appropriate.
 * Template File: login.tpl
 *
 * Template Variables:
 *
 *  none
 *
 * Form POST \ GET Variables:
 *
 *  fUsername
 *  fPassword
 *  token
 *  lang
 */

require_once('common.php');

$CONF = Config::getInstance()->getAll();
$smarty = PFASmarty::getInstance();

if ($CONF['configured'] !== true) {
    print "Installation not yet configured; please edit config.inc.php or write your settings to config.local.php";
    exit;
}

check_db_version(); # check if the database layout is up to date (and error out if not)

if (authentication_mfa_incomplete()) {
    header("Location: login-mfa.php");
    exit;
}

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset($_SESSION['PFA_token'])) {
        die("Invalid token (session timeout; refresh the page and try again?)");
    }

    if (safepost('token') != $_SESSION['PFA_token']) {
        die('Invalid token! (CSRF check failed)');
    }

    $totppf = new TotpPf('admin', new Login('admin'));

    $lang = safepost('lang');
    $fUsername = trim(safepost('fUsername'));
    $fPassword = safepost('fPassword');

    if ($lang != check_language(false)) { # only set cookie if language selection was changed
        setcookie('lang', $lang, time() + 60 * 60 * 24 * 30); # language cookie, lifetime 30 days
        # (language preference cookie is processed even if username and/or password are invalid)
    }

    $h = new AdminHandler();

    $login = new Login('admin');
    if ($login->login($fUsername, $fPassword)) {
        init_session($fUsername, true);

        # they've logged in, so see if they are a domain admin, as well.

        if (!$h->init($fUsername)) {
            flash_error($PALANG['pLogin_failed']);
        }

        if (!$h->view()) {
            flash_error($PALANG['pLogin_failed']);
        }

        $adminproperties = $h->result();


        if ($totppf->usesTOTP($fUsername)) {
            init_session($fUsername, true, false);
            header("Location: login-mfa.php");
            exit(0);
        }

        init_session($fUsername, true, true);

        if ($adminproperties['superadmin'] == 1) {
            $_SESSION['sessid']['roles'][] = 'global-admin';
        }

        header("Location: main.php");
        exit(0);
    } else { # $h->login failed
        error_log("PostfixAdmin admin login failed (username: $fUsername, ip_address: {$_SERVER['REMOTE_ADDR']})");
        flash_error($PALANG['pLogin_failed']);
    }
} else {
    session_unset();
    session_destroy();
    session_start();
}

$_SESSION['PFA_token'] = md5(uniqid("pfa" . rand(), true));

$smarty->assign('language_selector', language_selector(), false);
$smarty->assign('smarty_template', 'login');
$smarty->assign('logintype', 'admin');
$smarty->assign('forgotten_password_reset', Config::bool('forgotten_admin_password_reset'));
$smarty->display('index.tpl');

/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */