sven/ulogger-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rewrite authorization into class

Browse Source
This commit is contained in:
Bartek Fabiszewski 2017-08-25 13:59:19 +02:00
parent ed3e18ef0c
commit 33e77d9962
16 changed files with 438 additions and 301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
auth.php
View File

@ -1,142 +0,0 @@
<?php
/* μlogger
*
* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
*
* This is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
if (defined('headless')) {
if (ob_get_level()) {
ob_end_clean();
}
ini_set('display_errors', '0');
}
define('ROOT_DIR', __DIR__);
require_once(ROOT_DIR . "/helpers/config.php");
require_once(ROOT_DIR . "/lang.php");
require_once(ROOT_DIR . "/helpers/user.php");
session_name('ulogger');
session_start();
$sid = session_id();
// check for forced login to authorize admin in case of public access
$force_login = isset($_REQUEST['force_login']) ? $_REQUEST['force_login'] : false;
if ($force_login) {
uConfig::$require_authentication = true;
}
$user = new uUser();
$user->getFromSession();
if (!$user->isValid && (uConfig::$require_authentication || defined('client'))) {
/* authentication */
$login = isset($_REQUEST['user']) ? $_REQUEST['user'] : NULL;
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
$ssl = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https";
$auth_error = isset($_REQUEST['auth_error']) ? $_REQUEST['auth_error'] : false;
if (!$login) {
// not authenticated and username not submited
// load form
if (defined('headless')) {
header('WWW-Authenticate: OAuth realm="users@ulogger"');
header('HTTP/1.1 401 Unauthorized', true, 401);
} else {
print
'<!DOCTYPE html>
<html>
<head>
<title>' . $lang["title"] . '</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="viewport" content="initial-scale=1.0, user-scalable=no">
<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="manifest.json">
<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
<link rel="shortcut icon" href="icons/favicon.ico">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
<meta name="msapplication-config" content="browserconfig.xml">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="css/main.css">
<script type="text/javascript">
function focus() {
document.forms[0].elements[0].focus();
}
</script>
</head>
<body onload="focus()">
<div id="login">
<div id="title">' . $lang["title"] . '</div>
<div id="subtitle">' . $lang["private"] . '</div>
<form action="index.php" method="post">
' . $lang["username"] . ':<br>
<input type="text" name="user"><br>
' . $lang["password"] . ':<br>
<input type="password" name="pass"><br>
<br>
<input type="submit" value="' . $lang["login"] . '">
' . (($force_login) ? '<input type="hidden" name="force_login" value="1">
<div id="cancel"><a href="index.php">' . $lang["cancel"] . '</a></div>' : '') . '
</form>
<div id="error">' . (($auth_error) ? $lang["authfail"] : "") . '</div>
</div>
</body>
</html>';
}
exit();
} else {
// username submited
$user = new uUser($login);
//correct pass
if ($user->isValid && $user->validPassword($pass)) {
// login successful
//delete old session
$_SESSION = NULL;
session_destroy();
// start new session
session_name('ulogger');
session_start();
$user->storeInSession();
if (!defined('client')) {
// redirect
$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");
header("Location: $ssl://$url");
exit();
}
} else {
// unsuccessful
$error = "?auth_error=1";
if ($force_login) { $error .= "&force_login=1"; }
// destroy session
$_SESSION = NULL;
if (isset($_COOKIE[session_name('ulogger')])) {
setcookie(session_name('ulogger'), '', time() - 42000, '/');
}
session_destroy();
if (defined('headless')) {
header('WWW-Authenticate: OAuth realm="users@ulogger"');
header('HTTP/1.1 401 Unauthorized', true, 401);
} else {
$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");
header("Location: $ssl://$url$error");
}
exit();
}
}
/* end of authentication */
}
?>

202
client/index.php
View File

@ -17,101 +17,113 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
/** /**
* Set response error status and message * Exit with error status and message
* *
* @param array $response Respons * @param string $message Message
* @param string $message Message */
*/ function exitWithError($message) {
function setError(&$response, $message) { $response = [];
$response['error'] = true; $response['error'] = true;
$response['message'] = $message; $response['message'] = $message;
} header('Content-Type: application/json');
echo json_encode($response);
define("headless", true); exit();
define("client", true); }
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
/**
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null; * Exit with success status
$response = [ 'error' => false ]; *
* @param array $params Optional params
switch ($action) { * @return void
// action: authorize */
case "auth": function exitWithSuccess($params = []) {
break; $response = [];
$response['error'] = false;
// action: adduser (currently unused) header('Content-Type: application/json');
case "adduser": echo json_encode(array_merge($response, $params));
if (!$user->isAdmin) { exit();
setError($response, "User not authorized"); }
break;
} require_once(dirname(__DIR__) . "/helpers/auth.php");
$login = isset($_REQUEST['login']) ? $_REQUEST['login'] : NULL;
$pass = isset($_REQUEST['password']) ? $_REQUEST['password'] : NULL; $auth = new uAuth();
if (!empty($login) && !empty($pass)) { if (!$auth->isAuthenticated()) {
$newId = uUser::add($login, $pass); $auth->sendUnauthorizedHeader();
if ($newId !== false) { exitWithError("Unauthorized");
// return user id }
$response['userid'] = $newId;
} else { $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
setError($response, "Server error");
} switch ($action) {
} else { // action: authorize
setError($response, "Empty login or password"); case "auth":
} exitWithSuccess();
break; break;
// action: addtrack // action: adduser (currently unused)
case "addtrack": case "adduser":
$trackName = isset($_REQUEST['track']) ? $_REQUEST['track'] : NULL; if (!$auth->user->isAdmin) {
if (empty($trackName)) { exitWithError("Not allowed");
setError($response, "Missing required parameter"); }
break; $login = isset($_REQUEST['login']) ? $_REQUEST['login'] : NULL;
} $pass = isset($_REQUEST['password']) ? $_REQUEST['password'] : NULL;
require_once(ROOT_DIR . "/helpers/track.php"); if (empty($login) || empty($pass)) {
$trackId = uTrack::add($user->id, $trackName); exitWithError("Empty login or password");
if ($trackId === false) { }
setError($response, "Server error"); $newId = uUser::add($login, $pass);
break; if ($newId === false) {
} exitWithError("Server error");
// return track id }
$response['trackid'] = $trackId; exitWithSuccess(['userid'=> $newId]);
break; break;
// action: addposition // action: addtrack
case "addpos": case "addtrack":
$lat = isset($_REQUEST["lat"]) ? $_REQUEST["lat"] : NULL; $trackName = isset($_REQUEST['track']) ? $_REQUEST['track'] : NULL;
$lon = isset($_REQUEST["lon"]) ? $_REQUEST["lon"] : NULL; if (empty($trackName)) {
$timestamp = isset($_REQUEST["time"]) ? $_REQUEST["time"] : NULL; exitWithError("Missing required parameter");
$altitude = isset($_REQUEST["altitude"]) ? $_REQUEST["altitude"] : NULL; }
$speed = isset($_REQUEST["speed"]) ? $_REQUEST["speed"] : NULL; require_once(ROOT_DIR . "/helpers/track.php");
$bearing = isset($_REQUEST["bearing"]) ? $_REQUEST["bearing"] : NULL; $trackId = uTrack::add($auth->user->id, $trackName);
$accuracy = isset($_REQUEST["accuracy"]) ? $_REQUEST["accuracy"] : NULL; if ($trackId === false) {
$provider = isset($_REQUEST["provider"]) ? $_REQUEST["provider"] : NULL; exitWithError("Server error");
$comment = isset($_REQUEST["comment"]) ? $_REQUEST["comment"] : NULL; }
$imageId = isset($_REQUEST["imageid"]) ? $_REQUEST["imageid"] : NULL; // return track id
$trackId = isset($_REQUEST["trackid"]) ? $_REQUEST["trackid"] : NULL; exitWithSuccess(['trackid' => $trackId]);
break;
if (!is_numeric($lat) || !is_numeric($lon) || !is_numeric($timestamp) || !is_numeric($trackId)) {
setError($response, "Missing required parameter"); // action: addposition
break; case "addpos":
} $lat = isset($_REQUEST["lat"]) ? $_REQUEST["lat"] : NULL;
$lon = isset($_REQUEST["lon"]) ? $_REQUEST["lon"] : NULL;
require_once(ROOT_DIR . "/helpers/position.php"); $timestamp = isset($_REQUEST["time"]) ? $_REQUEST["time"] : NULL;
$positionId = uPosition::add($user->id, $trackId, $altitude = isset($_REQUEST["altitude"]) ? $_REQUEST["altitude"] : NULL;
$timestamp, $lat, $lon, $altitude, $speed, $bearing, $accuracy, $provider, $comment, $imageId); $speed = isset($_REQUEST["speed"]) ? $_REQUEST["speed"] : NULL;
$bearing = isset($_REQUEST["bearing"]) ? $_REQUEST["bearing"] : NULL;
if ($positionId === false) { $accuracy = isset($_REQUEST["accuracy"]) ? $_REQUEST["accuracy"] : NULL;
setError($response, "Server error"); $provider = isset($_REQUEST["provider"]) ? $_REQUEST["provider"] : NULL;
} $comment = isset($_REQUEST["comment"]) ? $_REQUEST["comment"] : NULL;
break; $imageId = isset($_REQUEST["imageid"]) ? $_REQUEST["imageid"] : NULL;
$trackId = isset($_REQUEST["trackid"]) ? $_REQUEST["trackid"] : NULL;
default:
setError($response, "Unknown command"); if (!is_numeric($lat) || !is_numeric($lon) || !is_numeric($timestamp) || !is_numeric($trackId)) {
break; exitWithError("Missing required parameter");
}
require_once(ROOT_DIR . "/helpers/position.php");
$positionId = uPosition::add($auth->user->id, $trackId,
$timestamp, $lat, $lon, $altitude, $speed, $bearing, $accuracy, $provider, $comment, $imageId);
if ($positionId === false) {
exitWithError("Server error");
}
exitWithSuccess();
break;
default:
exitWithError("Unknown command");
break;
} }
header('Content-Type: application/json');
echo json_encode($response);
exit();
?> ?>

187
helpers/auth.php Normal file
View File

@ -0,0 +1,187 @@
<?php
/* μlogger
*
* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
*
* This is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define('ROOT_DIR', dirname(__DIR__));
require_once(ROOT_DIR . "/helpers/user.php");
/**
* Authentication
*/
class uAuth {
private $isAuthenticated = false;
private $isLoginAttempt = false;
public $user = null;
public function __construct() {
$this->sessionStart();
$user = (new uUser())->getFromSession();
if ($user->isValid) {
$this->setAuthenticated($user);
} else {
$this->checkLogin();
}
}
/**
* Is user authenticated
*
* @return boolean True if authenticated, false otherwise
*/
public function isAuthenticated() {
return $this->isAuthenticated;
}
/**
* Has user attempted to log in
*
* @return boolean True if attempted login, false otherwise
*/
public function isLoginAttempt() {
return $this->isLoginAttempt;
}
/**
* Is authenticated user admin
*
* @return boolean True if admin, false otherwise
*/
public function isAdmin() {
return ($this->isAuthenticated && $this->user->isAdmin);
}
/**
* Start php session
*
* @return void
*/
private function sessionStart() {
session_name("ulogger");
session_start();
}
/**
* Terminate php session
*
* @return void
*/
private function sessionEnd() {
$_SESSION = [];
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name('ulogger'), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
}
/**
* Clean session variables
*
* @return void
*/
private function sessionCleanup() {
$_SESSION = [];
}
/**
* Mark as authenticated, set user
*
* @param [type] $user
* @return void
*/
private function setAuthenticated($user) {
$this->isAuthenticated = true;
$this->user = $user;
}
/**
* Process log in request
*
* @return void
*/
private function checkLogin() {
$action = isset($_REQUEST["action"]) ? $_REQUEST["action"] : NULL;
$login = isset($_REQUEST["user"]) ? $_REQUEST["user"] : NULL;
$pass = isset($_REQUEST["pass"]) ? $_REQUEST["pass"] : NULL;
if ($action == "auth" && !is_null($login) && !is_null($pass)) {
$this->isLoginAttempt = true;
if (!empty($login) && !empty($pass)) {
$user = new uUser($login);
if ($user->isValid && $user->validPassword($pass)) {
$this->setAuthenticated($user);
$this->sessionCleanup();
$user->storeInSession();
}
}
}
}
/**
* Log out with redirect
*
* @param string $path URL path
* @return void
*/
public function logOutWithRedirect($path = NULL) {
$this->sessionEnd();
$this->exitWithRedirect($path);
}
/**
* Send 401 headers
*
* @return void
*/
public function sendUnauthorizedHeader() {
header('WWW-Authenticate: OAuth realm="users@ulogger"');
header('HTTP/1.1 401 Unauthorized', true, 401);
}
/**
* Send 401 headers and exit
*
* @return void
*/
public function exitWithUnauthorized() {
$this->sendUnauthorizedHeader();
exit();
}
/**
* Redirect browser and exit
*
* @param string $path Redirect URL path
* @return void
*/
public function exitWithRedirect($path = NULL) {
$ssl = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https";
$url = $_SERVER['HTTP_HOST'];
if (is_null($path)) {
$path = dirname($_SERVER['SCRIPT_NAME']) . "/";
}
$url = str_replace("//", "/", $url . $path);
header("Location: $ssl://$url");
exit();
}
}

5
helpers/db.php
View File

@ -50,10 +50,7 @@
public function __construct($host, $user, $pass, $name, $port = null, $socket = null) { public function __construct($host, $user, $pass, $name, $port = null, $socket = null) {
@parent::__construct($host, $user, $pass, $name, $port, $socket); @parent::__construct($host, $user, $pass, $name, $port, $socket);
if ($this->connect_error) { if ($this->connect_error) {
if (defined('headless')) { header("HTTP/1.1 503 Service Unavailable");
header("HTTP/1.1 503 Service Unavailable");
exit;
}
die("Database connection error (" . $this->connect_error . ")"); die("Database connection error (" . $this->connect_error . ")");
} }
$this->set_charset('utf8'); $this->set_charset('utf8');

2
helpers/user.php
View File

@ -173,7 +173,7 @@
/** /**
* Fill uUser object properties from session data * Fill uUser object properties from session data
* @return uPosition Self * @return uUser
*/ */
public function getFromSession() { public function getFromSession() {
if (isset($_SESSION['user'])) { if (isset($_SESSION['user'])) {

51
index.php
View File

@ -17,14 +17,26 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
require_once(__DIR__ . "/auth.php"); // sets $user require_once(__DIR__ . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/config.php");
require_once(ROOT_DIR . "/helpers/position.php"); require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/helpers/track.php"); require_once(ROOT_DIR . "/helpers/track.php");
require_once(ROOT_DIR . "/helpers/utils.php"); require_once(ROOT_DIR . "/helpers/utils.php");
require_once(ROOT_DIR . "/lang.php");
$auth = new uAuth();
if (!$auth->isAuthenticated() && $auth->isLoginAttempt()) {
$auth->exitWithRedirect("/login.php?auth_error=1");
}
if (!$auth->isAuthenticated() && uConfig::$require_authentication) {
$auth->exitWithRedirect("/login.php");
}
$displayUserId = NULL; $displayUserId = NULL;
$usersArr = []; $usersArr = [];
if ($user->isAdmin || uConfig::$public_tracks) { if ($auth->isAdmin() || uConfig::$public_tracks) {
// public access or admin user // public access or admin user
// get last position user // get last position user
$lastPosition = uPosition::getLast(); $lastPosition = uPosition::getLast();
@ -34,9 +46,9 @@
} }
// populate users array (for <select>) // populate users array (for <select>)
$usersArr = uUser::getAll(); $usersArr = uUser::getAll();
} else if ($user->isValid) { } else if ($auth->isAuthenticated()) {
// display track of authenticated user // display track of authenticated user
$displayUserId = $user->id; $displayUserId = $auth->user->id;
} }
$tracksArr = uTrack::getAll($displayUserId); $tracksArr = uTrack::getAll($displayUserId);
@ -53,18 +65,7 @@
<html> <html>
<head> <head>
<title><?= $lang["title"] ?></title> <title><?= $lang["title"] ?></title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8"> <?php include("meta.php"); ?>
<meta name="viewport" content="initial-scale=1.0, user-scalable=no">
<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="manifest.json">
<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
<link rel="shortcut icon" href="icons/favicon.ico">
<meta name="msapplication-config" content="browserconfig.xml">
<meta name="theme-color" content="#ffffff">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="css/main.css">
<script> <script>
var interval = '<?= uConfig::$interval ?>'; var interval = '<?= uConfig::$interval ?>';
var userid = '<?= ($displayUserId) ? $displayUserId : -1 ?>'; var userid = '<?= ($displayUserId) ? $displayUserId : -1 ?>';
@ -79,8 +80,8 @@
var init_latitude = '<?= uConfig::$init_latitude ?>'; var init_latitude = '<?= uConfig::$init_latitude ?>';
var init_longitude = '<?= uConfig::$init_longitude ?>'; var init_longitude = '<?= uConfig::$init_longitude ?>';
var lang = <?= json_encode($lang) ?>; var lang = <?= json_encode($lang) ?>;
var admin = <?= json_encode($user->isAdmin) ?>; var admin = <?= json_encode($auth->isAdmin()) ?>;
var auth = '<?= ($user->isValid) ? $user->login : "null" ?>'; var auth = '<?= ($auth->isAuthenticated()) ? $auth->user->login : "null" ?>';
var pass_regex = <?= uConfig::passRegex() ?>; var pass_regex = <?= uConfig::passRegex() ?>;
</script> </script>
<script type="text/javascript" src="js/main.js"></script> <script type="text/javascript" src="js/main.js"></script>
@ -92,10 +93,10 @@
<script type="text/javascript" src="//openlayers.org/api/OpenLayers.js"></script> <script type="text/javascript" src="//openlayers.org/api/OpenLayers.js"></script>
<script type="text/javascript" src="js/api_openlayers.js"></script> <script type="text/javascript" src="js/api_openlayers.js"></script>
<?php endif; ?> <?php endif; ?>
<?php if ($user->isAdmin): ?> <?php if ($auth->isAdmin()): ?>
<script type="text/javascript" src="js/admin.js"></script> <script type="text/javascript" src="js/admin.js"></script>
<?php endif; ?> <?php endif; ?>
<?php if ($user->isValid): ?> <?php if ($auth->isAuthenticated()): ?>
<script type="text/javascript" src="js/track.js"></script> <script type="text/javascript" src="js/track.js"></script>
<?php endif; ?> <?php endif; ?>
<script type="text/javascript" src="js/pass.js"></script> <script type="text/javascript" src="js/pass.js"></script>
@ -109,16 +110,16 @@
<div id="menu"> <div id="menu">
<div id="menu-content"> <div id="menu-content">
<?php if ($user->isValid): ?> <?php if ($auth->isAuthenticated()): ?>
<div id="user_menu"> <div id="user_menu">
<a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= htmlspecialchars($user->login) ?></a> <a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= htmlspecialchars($auth->user->login) ?></a>
<div id="user_dropdown" class="dropdown"> <div id="user_dropdown" class="dropdown">
<a href="javascript:void(0)" onclick="changePass()"><img class="icon" alt="<?= $lang["changepass"] ?>" src="images/lock.svg"> <?= $lang["changepass"] ?></a> <a href="javascript:void(0)" onclick="changePass()"><img class="icon" alt="<?= $lang["changepass"] ?>" src="images/lock.svg"> <?= $lang["changepass"] ?></a>
<a href="utils/logout.php"><img class="icon" alt="<?= $lang["logout"] ?>" src="images/poweroff.svg"> <?= $lang["logout"] ?></a> <a href="utils/logout.php"><img class="icon" alt="<?= $lang["logout"] ?>" src="images/poweroff.svg"> <?= $lang["logout"] ?></a>
</div> </div>
</div> </div>
<?php else: ?> <?php else: ?>
<a href="index.php?force_login=1"><img class="icon" alt="<?= $lang["login"] ?>" src="images/key.svg"> <?= $lang["login"] ?></a> <a href="login.php"><img class="icon" alt="<?= $lang["login"] ?>" src="images/key.svg"> <?= $lang["login"] ?></a>
<?php endif; ?> <?php endif; ?>
<div id="user"> <div id="user">
@ -193,7 +194,7 @@
<a class="menulink" href="javascript:void(0);" onclick="exportFile('gpx', userid, trackid);">gpx</a> <a class="menulink" href="javascript:void(0);" onclick="exportFile('gpx', userid, trackid);">gpx</a>
</div> </div>
<?php if ($user->isValid): ?> <?php if ($auth->isAuthenticated()): ?>
<div id="import"> <div id="import">
<div class="menutitle u"><?= $lang["import"] ?></div> <div class="menutitle u"><?= $lang["import"] ?></div>
<form id="importForm" enctype="multipart/form-data" method="post"> <form id="importForm" enctype="multipart/form-data" method="post">
@ -205,7 +206,7 @@
<div id="admin_menu"> <div id="admin_menu">
<div class="menutitle u"><?= $lang["adminmenu"] ?></div> <div class="menutitle u"><?= $lang["adminmenu"] ?></div>
<?php if ($user->isAdmin): ?> <?php if ($auth->isAdmin()): ?>
<a class="menulink" href="javascript:void(0);" onclick="addUser()"><?= $lang["adduser"] ?></a> <a class="menulink" href="javascript:void(0);" onclick="addUser()"><?= $lang["adduser"] ?></a>
<a class="menulink" href="javascript:void(0);" onclick="editUser()"><?= $lang["edituser"] ?></a> <a class="menulink" href="javascript:void(0);" onclick="editUser()"><?= $lang["edituser"] ?></a>
<?php endif; ?> <?php endif; ?>

57
login.php Normal file
View File

@ -0,0 +1,57 @@
<?php
/* μlogger
*
* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
*
* This is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
require_once("helpers/auth.php");
require_once(ROOT_DIR . "/lang.php");
require_once(ROOT_DIR . "/helpers/config.php");
$auth_error = isset($_REQUEST['auth_error']) ? (bool) $_REQUEST['auth_error'] : false;
?>
<!DOCTYPE html>
<html>
<head>
<title><?= $lang["title"] ?></title>
<?php include("meta.php"); ?>
<script type="text/javascript">
function focus() {
document.forms[0].elements[0].focus();
}
</script>
</head>
<body onload="focus()">
<div id="login">
<div id="title"><?= $lang["title"] ?></div>
<div id="subtitle"><?= $lang["private"] ?></div>
<form action="/" method="post">
<?= $lang["username"] ?>:<br>
<input type="text" name="user"><br>
<?= $lang["password"] ?>:<br>
<input type="password" name="pass"><br>
<br>
<input type="submit" value="<?= $lang["login"] ?>">
<input type="hidden" name="action" value="auth">
<?php if (!uConfig::$require_authentication): ?>
<div id="cancel"><a href="/"><?= $lang["cancel"] ?></a></div>
<?php endif; ?>
</form>
<div id="error"><?= (($auth_error) ? $lang["authfail"] : "") ?></div>
</div>
</body>
</html>

12
meta.php Normal file
View File

@ -0,0 +1,12 @@
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="viewport" content="initial-scale=1.0, user-scalable=no">
<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="manifest.json">
<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
<link rel="shortcut icon" href="icons/favicon.ico">
<meta name="msapplication-config" content="browserconfig.xml">
<meta name="theme-color" content="#ffffff">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="css/main.css">

13
utils/changepass.php
View File

@ -17,17 +17,22 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
define("headless", true); require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(ROOT_DIR . "/helpers/utils.php"); require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
if (!$auth->isAuthenticated()) {
$auth->sendUnauthorizedHeader();
uUtils::exitWithError("Unauthorized");
}
$login = isset($_REQUEST['login']) ? trim($_REQUEST['login']) : NULL; $login = isset($_REQUEST['login']) ? trim($_REQUEST['login']) : NULL;
$oldpass = isset($_REQUEST['oldpass']) ? $_REQUEST['oldpass'] : NULL; $oldpass = isset($_REQUEST['oldpass']) ? $_REQUEST['oldpass'] : NULL;
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL; $pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
if (empty($pass)) { if (empty($pass)) {
uUtils::exitWithError("Empty password"); uUtils::exitWithError("Empty password");
} }
if ($user->isAdmin && !empty($login)) { if ($auth->isAdmin() && !empty($login)) {
// different user, only admin // different user, only admin
$passUser = new uUser($login); $passUser = new uUser($login);
if (!$passUser->valid) { if (!$passUser->valid) {
@ -35,7 +40,7 @@
} }
} else { } else {
// current user // current user
$passUser = $user; $passUser = $auth->user;
if (!$passUser->validPassword($oldpass)) { if (!$passUser->validPassword($oldpass)) {
uUtils::exitWithError("Wrong old password"); uUtils::exitWithError("Wrong old password");
} }

11
utils/export.php
View File

@ -17,8 +17,12 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
require_once(dirname(__DIR__) . "/auth.php"); // sets $user require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/position.php"); require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/lang.php");
$auth = new uAuth();
/** /**
* Add kml marker style element * Add kml marker style element
@ -42,7 +46,7 @@ function addStyle($xml, $name, $url) {
/** /**
* Convert seconds to [day], hour, minute, second string * Convert seconds to [day], hour, minute, second string
* *
* @param [type] $s Number of seconds * @param int $s Number of seconds
* @return string [d ]hhmmss * @return string [d ]hhmmss
*/ */
function toHMS($s) { function toHMS($s) {
@ -57,7 +61,8 @@ $type = isset($_REQUEST["type"]) ? $_REQUEST["type"] : "kml";
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL; $userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL; $trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if (!uConfig::$public_tracks && !$user->isAdmin && $user->id !== $userId) { if (!uConfig::$public_tracks &&
(!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $userId))) {
// unauthorized // unauthorized
exit(); exit();
} }

8
utils/getpositions.php
View File

@ -17,18 +17,20 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
define("headless", true); require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(ROOT_DIR . "/helpers/position.php"); require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/helpers/utils.php"); require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL; $userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL; $trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if ($userId) { if ($userId) {
$positionsArr = []; $positionsArr = [];
if (uConfig::$public_tracks || $user->isAdmin || $user->id === $userId) { if (uConfig::$public_tracks ||
($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
if ($trackId) { if ($trackId) {
// get all track data // get all track data
$positionsArr = uPosition::getAll($userId, $trackId); $positionsArr = uPosition::getAll($userId, $trackId);

8
utils/gettracks.php
View File

@ -17,16 +17,18 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
define("headless", true); require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(ROOT_DIR . "/helpers/track.php"); require_once(ROOT_DIR . "/helpers/track.php");
$auth = new uAuth();
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL; $userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
if ($userId) { if ($userId) {
$tracksArr = []; $tracksArr = [];
if (uConfig::$public_tracks || $user->isAdmin || $user->id === $userId) { if (uConfig::$public_tracks ||
($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
$tracksArr = uTrack::getAll($userId); $tracksArr = uTrack::getAll($userId);
} }

8
utils/handletrack.php
View File

@ -17,11 +17,12 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
define("headless", true); require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(ROOT_DIR . "/helpers/track.php"); require_once(ROOT_DIR . "/helpers/track.php");
require_once(ROOT_DIR . "/helpers/utils.php"); require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : NULL; $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : NULL;
$trackId = isset($_REQUEST['trackid']) ? trim($_REQUEST['trackid']) : NULL; $trackId = isset($_REQUEST['trackid']) ? trim($_REQUEST['trackid']) : NULL;
$trackName = isset($_REQUEST['trackname']) ? trim($_REQUEST['trackname']) : NULL; $trackName = isset($_REQUEST['trackname']) ? trim($_REQUEST['trackname']) : NULL;
@ -29,7 +30,8 @@
uUtils::exitWithError($lang["servererror"]); uUtils::exitWithError($lang["servererror"]);
} }
$track = new uTrack($trackId); $track = new uTrack($trackId);
if (!$track->isValid || (!$user->isAdmin && $user->id != $track->userId)) { if (!$track->isValid ||
(!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id != $track->userId))) {
uUtils::exitWithError($lang["servererror"]); uUtils::exitWithError($lang["servererror"]);
} }

7
utils/handleuser.php
View File

@ -17,14 +17,15 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
define("headless", true); require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(ROOT_DIR . "/helpers/utils.php"); require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : NULL; $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : NULL;
$login = isset($_REQUEST['login']) ? trim($_REQUEST['login']) : NULL; $login = isset($_REQUEST['login']) ? trim($_REQUEST['login']) : NULL;
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL; $pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
if (!$user->isAdmin || empty($action) || empty($login) || $user->login == $login) { if (!$auth->isAuthenticated() || !$auth->isAdmin || $auth->user->login == $login || empty($action) || empty($login)) {
uUtils::exitWithError($lang["servererror"]); uUtils::exitWithError($lang["servererror"]);
} }

12
utils/import.php
View File

@ -17,11 +17,13 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
define("headless", true); require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(ROOT_DIR . "/helpers/track.php"); require_once(ROOT_DIR . "/helpers/track.php");
require_once(ROOT_DIR . "/helpers/position.php"); require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/helpers/utils.php"); require_once(ROOT_DIR . "/helpers/utils.php");
require_once(ROOT_DIR . "/lang.php");
$auth = new uAuth();
$uploadErrors[UPLOAD_ERR_INI_SIZE] = "The uploaded file exceeds the upload_max_filesize directive in php.ini"; $uploadErrors[UPLOAD_ERR_INI_SIZE] = "The uploaded file exceeds the upload_max_filesize directive in php.ini";
$uploadErrors[UPLOAD_ERR_FORM_SIZE] = "The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form"; $uploadErrors[UPLOAD_ERR_FORM_SIZE] = "The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form";
@ -31,8 +33,8 @@ $uploadErrors[UPLOAD_ERR_NO_TMP_DIR] = "Missing a temporary folder";
$uploadErrors[UPLOAD_ERR_CANT_WRITE] = "Failed to write file to disk"; $uploadErrors[UPLOAD_ERR_CANT_WRITE] = "Failed to write file to disk";
$uploadErrors[UPLOAD_ERR_EXTENSION] = "A PHP extension stopped the file upload"; $uploadErrors[UPLOAD_ERR_EXTENSION] = "A PHP extension stopped the file upload";
if (!$user->isValid) { if (!$auth->isAuthenticated()) {
uUtils::exitWithError($lang["servererror"]); uUtils::exitWithError($lang["private"]);
} }
if (!isset($_FILES["gpx"])) { if (!isset($_FILES["gpx"])) {
@ -88,7 +90,7 @@ $trackCnt = 0;
foreach ($gpx->trk as $trk) { foreach ($gpx->trk as $trk) {
$trackName = empty($trk->name) ? $gpxName : $trk->name->__toString(); $trackName = empty($trk->name) ? $gpxName : $trk->name->__toString();
$metaName = empty($gpx->metadata->name) ? NULL : $gpx->metadata->name->__toString(); $metaName = empty($gpx->metadata->name) ? NULL : $gpx->metadata->name->__toString();
$trackId = uTrack::add($user->id, $trackName, $metaName); $trackId = uTrack::add($auth->user->id, $trackName, $metaName);
if ($trackId === false) { if ($trackId === false) {
uUtils::exitWithError($lang["servererror"]); uUtils::exitWithError($lang["servererror"]);
break; break;

14
utils/logout.php
View File

@ -17,15 +17,9 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
session_name('ulogger'); include_once(dirname(__DIR__) . "/helpers/auth.php");
session_start();
$_SESSION = NULL; $auth = new uAuth();
if (isset($_COOKIE[session_name('ulogger') ])) { $auth->logOutWithRedirect(dirname(dirname($_SERVER['SCRIPT_NAME'])) . "/");
setcookie(session_name('ulogger'), '', time() - 42000, '/');
}
session_destroy();
$ssl = ((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https");
$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname(dirname($_SERVER['SCRIPT_NAME'])) . "/index.php");
header("Location: $ssl://$url");
?> ?>