Rewrite authorization into class

This commit is contained in:
Bartek Fabiszewski 2017-08-25 13:59:19 +02:00
parent ed3e18ef0c
commit 33e77d9962
16 changed files with 438 additions and 301 deletions

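--- a/auth.php
+++ /dev/null
@@ -1,142 +0,0 @@
-<?php
-/* μlogger
-*
-* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
-*
-* This is free software; you can redistribute it and/or modify it under
-* the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 3 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful, but
-* WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; if not, see <http://www.gnu.org/licenses/>.
-*/
-if (defined('headless')) {
-if (ob_get_level()) {
-ob_end_clean();
-}
-ini_set('display_errors', '0');
-}
-define('ROOT_DIR', __DIR__);
-require_once(ROOT_DIR . "/helpers/config.php");
-require_once(ROOT_DIR . "/lang.php");
-require_once(ROOT_DIR . "/helpers/user.php");
-session_name('ulogger');
-session_start();
-$sid = session_id();
-// check for forced login to authorize admin in case of public access
-$force_login = isset($_REQUEST['force_login']) ? $_REQUEST['force_login'] : false;
-if ($force_login) {
-uConfig::$require_authentication = true;
-}
-$user = new uUser();
-$user->getFromSession();
-if (!$user->isValid && (uConfig::$require_authentication || defined('client'))) {
-/* authentication */
-$login = isset($_REQUEST['user']) ? $_REQUEST['user'] : NULL;
-$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
-$ssl = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https";
-$auth_error = isset($_REQUEST['auth_error']) ? $_REQUEST['auth_error'] : false;
-if (!$login) {
-// not authenticated and username not submited
-// load form
-if (defined('headless')) {
-header('WWW-Authenticate: OAuth realm="users@ulogger"');
-header('HTTP/1.1 401 Unauthorized', true, 401);
-} else {
-print
-'<!DOCTYPE html>
-<html>
-<head>
-<title>' . $lang["title"] . '</title>
-<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
-<meta name="viewport" content="initial-scale=1.0, user-scalable=no">
-<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
-<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
-<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
-<link rel="manifest" href="manifest.json">
-<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
-<link rel="shortcut icon" href="icons/favicon.ico">
-<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
-<meta name="msapplication-config" content="browserconfig.xml">
-<meta name="theme-color" content="#ffffff">
-<link rel="stylesheet" type="text/css" href="css/main.css">
-<script type="text/javascript">
-function focus() {
-document.forms[0].elements[0].focus();
-}
-</script>
-</head>
-<body onload="focus()">
-<div id="login">
-<div id="title">' . $lang["title"] . '</div>
-<div id="subtitle">' . $lang["private"] . '</div>
-<form action="index.php" method="post">
-' . $lang["username"] . ':<br>
-<input type="text" name="user"><br>
-' . $lang["password"] . ':<br>
-<input type="password" name="pass"><br>
-<br>
-<input type="submit" value="' . $lang["login"] . '">
-' . (($force_login) ? '<input type="hidden" name="force_login" value="1">
-<div id="cancel"><a href="index.php">' . $lang["cancel"] . '</a></div>' : '') . '
-</form>
-<div id="error">' . (($auth_error) ? $lang["authfail"] : "") . '</div>
-</div>
-</body>
-</html>';
-}
-exit();
-} else {
-// username submited
-$user = new uUser($login);
-//correct pass
-if ($user->isValid && $user->validPassword($pass)) {
-// login successful
-//delete old session
-$_SESSION = NULL;
-session_destroy();
-// start new session
-session_name('ulogger');
-session_start();
-$user->storeInSession();
-if (!defined('client')) {
-// redirect
-$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");
-header("Location: $ssl://$url");
-exit();
-}
-} else {
-// unsuccessful
-$error = "?auth_error=1";
-if ($force_login) { $error .= "&force_login=1"; }
-// destroy session
-$_SESSION = NULL;
-if (isset($_COOKIE[session_name('ulogger')])) {
-setcookie(session_name('ulogger'), '', time() - 42000, '/');
-}
-session_destroy();
-if (defined('headless')) {
-header('WWW-Authenticate: OAuth realm="users@ulogger"');
-header('HTTP/1.1 401 Unauthorized', true, 401);
-} else {
-$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");
-header("Location: $ssl://$url$error");
-}
-exit();
-}
-}
-/* end of authentication */
-}
-?>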


@ -17,101 +17,113 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/**
* Set response error status and message
*
* @param array $response Respons
* @param string $message Message
*/
function setError(&$response, $message) {
$response['error'] = true;
$response['message'] = $message;
}
define("headless", true);
define("client", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
$response = [ 'error' => false ];
switch ($action) {
// action: authorize
case "auth":
break;
// action: adduser (currently unused)
case "adduser":
if (!$user->isAdmin) {
setError($response, "User not authorized");
break;
}
$login = isset($_REQUEST['login']) ? $_REQUEST['login'] : NULL;
$pass = isset($_REQUEST['password']) ? $_REQUEST['password'] : NULL;
if (!empty($login) && !empty($pass)) {
$newId = uUser::add($login, $pass);
if ($newId !== false) {
// return user id
$response['userid'] = $newId;
} else {
setError($response, "Server error");
}
} else {
setError($response, "Empty login or password");
}
break;
// action: addtrack
case "addtrack":
$trackName = isset($_REQUEST['track']) ? $_REQUEST['track'] : NULL;
if (empty($trackName)) {
setError($response, "Missing required parameter");
break;
}
require_once(ROOT_DIR . "/helpers/track.php");
$trackId = uTrack::add($user->id, $trackName);
if ($trackId === false) {
setError($response, "Server error");
break;
}
// return track id
$response['trackid'] = $trackId;
break;
// action: addposition
case "addpos":
$lat = isset($_REQUEST["lat"]) ? $_REQUEST["lat"] : NULL;
$lon = isset($_REQUEST["lon"]) ? $_REQUEST["lon"] : NULL;
$timestamp = isset($_REQUEST["time"]) ? $_REQUEST["time"] : NULL;
$altitude = isset($_REQUEST["altitude"]) ? $_REQUEST["altitude"] : NULL;
$speed = isset($_REQUEST["speed"]) ? $_REQUEST["speed"] : NULL;
$bearing = isset($_REQUEST["bearing"]) ? $_REQUEST["bearing"] : NULL;
$accuracy = isset($_REQUEST["accuracy"]) ? $_REQUEST["accuracy"] : NULL;
$provider = isset($_REQUEST["provider"]) ? $_REQUEST["provider"] : NULL;
$comment = isset($_REQUEST["comment"]) ? $_REQUEST["comment"] : NULL;
$imageId = isset($_REQUEST["imageid"]) ? $_REQUEST["imageid"] : NULL;
$trackId = isset($_REQUEST["trackid"]) ? $_REQUEST["trackid"] : NULL;
if (!is_numeric($lat) || !is_numeric($lon) || !is_numeric($timestamp) || !is_numeric($trackId)) {
setError($response, "Missing required parameter");
break;
}
require_once(ROOT_DIR . "/helpers/position.php");
$positionId = uPosition::add($user->id, $trackId,
$timestamp, $lat, $lon, $altitude, $speed, $bearing, $accuracy, $provider, $comment, $imageId);
if ($positionId === false) {
setError($response, "Server error");
}
break;
default:
setError($response, "Unknown command");
break;
/**
* Exit with error status and message
*
* @param string $message Message
*/
function exitWithError($message) {
$response = [];
$response['error'] = true;
$response['message'] = $message;
header('Content-Type: application/json');
echo json_encode($response);
exit();
}
/**
* Exit with success status
*
* @param array $params Optional params
* @return void
*/
function exitWithSuccess($params = []) {
$response = [];
$response['error'] = false;
header('Content-Type: application/json');
echo json_encode(array_merge($response, $params));
exit();
}
require_once(dirname(__DIR__) . "/helpers/auth.php");
$auth = new uAuth();
if (!$auth->isAuthenticated()) {
$auth->sendUnauthorizedHeader();
exitWithError("Unauthorized");
}
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
switch ($action) {
// action: authorize
case "auth":
exitWithSuccess();
break;
// action: adduser (currently unused)
case "adduser":
if (!$auth->user->isAdmin) {
exitWithError("Not allowed");
}
$login = isset($_REQUEST['login']) ? $_REQUEST['login'] : NULL;
$pass = isset($_REQUEST['password']) ? $_REQUEST['password'] : NULL;
if (empty($login) || empty($pass)) {
exitWithError("Empty login or password");
}
$newId = uUser::add($login, $pass);
if ($newId === false) {
exitWithError("Server error");
}
exitWithSuccess(['userid'=> $newId]);
break;
// action: addtrack
case "addtrack":
$trackName = isset($_REQUEST['track']) ? $_REQUEST['track'] : NULL;
if (empty($trackName)) {
exitWithError("Missing required parameter");
}
require_once(ROOT_DIR . "/helpers/track.php");
$trackId = uTrack::add($auth->user->id, $trackName);
if ($trackId === false) {
exitWithError("Server error");
}
// return track id
exitWithSuccess(['trackid' => $trackId]);
break;
// action: addposition
case "addpos":
$lat = isset($_REQUEST["lat"]) ? $_REQUEST["lat"] : NULL;
$lon = isset($_REQUEST["lon"]) ? $_REQUEST["lon"] : NULL;
$timestamp = isset($_REQUEST["time"]) ? $_REQUEST["time"] : NULL;
$altitude = isset($_REQUEST["altitude"]) ? $_REQUEST["altitude"] : NULL;
$speed = isset($_REQUEST["speed"]) ? $_REQUEST["speed"] : NULL;
$bearing = isset($_REQUEST["bearing"]) ? $_REQUEST["bearing"] : NULL;
$accuracy = isset($_REQUEST["accuracy"]) ? $_REQUEST["accuracy"] : NULL;
$provider = isset($_REQUEST["provider"]) ? $_REQUEST["provider"] : NULL;
$comment = isset($_REQUEST["comment"]) ? $_REQUEST["comment"] : NULL;
$imageId = isset($_REQUEST["imageid"]) ? $_REQUEST["imageid"] : NULL;
$trackId = isset($_REQUEST["trackid"]) ? $_REQUEST["trackid"] : NULL;
if (!is_numeric($lat) || !is_numeric($lon) || !is_numeric($timestamp) || !is_numeric($trackId)) {
exitWithError("Missing required parameter");
}
require_once(ROOT_DIR . "/helpers/position.php");
$positionId = uPosition::add($auth->user->id, $trackId,
$timestamp, $lat, $lon, $altitude, $speed, $bearing, $accuracy, $provider, $comment, $imageId);
if ($positionId === false) {
exitWithError("Server error");
}
exitWithSuccess();
break;
default:
exitWithError("Unknown command");
break;
}
header('Content-Type: application/json');
echo json_encode($response);
exit();
?>
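Review bot: In the `addpos` branch `$trackId` is only checked with `is_numeric()` before `uPosition::add($auth->user->id, $trackId, ...)` is called — nothing visible here verifies that the track belongs to the authenticated user, so unless `uPosition::add()` enforces that itself, any logged-in client can append positions to another user's track. handletrack.php in this same commit already shows the ownership pattern; reuse it before the `uPosition::add()` call: `require_once(ROOT_DIR . "/helpers/track.php");`, `$track = new uTrack($trackId);`, `if (!$track->isValid || $track->userId != $auth->user->id) { exitWithError("Not allowed"); }`. Whether `uPosition::add()` already scopes the insert to the owner is not visible in this diff — confirm before adding.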

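--- /dev/null
+++ b/helpers/auth.php
@@ -0,0 +1,187 @@
+<?php
+/* μlogger
+*
+* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
+*
+* This is free software; you can redistribute it and/or modify it under
+* the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+define('ROOT_DIR', dirname(__DIR__));
+require_once(ROOT_DIR . "/helpers/user.php");
+/**
+* Authentication
+*/
+class uAuth {
+private $isAuthenticated = false;
+private $isLoginAttempt = false;
+public $user = null;
+public function __construct() {
+$this->sessionStart();
+$user = (new uUser())->getFromSession();
+if ($user->isValid) {
+$this->setAuthenticated($user);
+} else {
+$this->checkLogin();
+}
+}
+/**
+* Is user authenticated
+*
+* @return boolean True if authenticated, false otherwise
+*/
+public function isAuthenticated() {
+return $this->isAuthenticated;
+}
+/**
+* Has user attempted to log in
+*
+* @return boolean True if attempted login, false otherwise
+*/
+public function isLoginAttempt() {
+return $this->isLoginAttempt;
+}
+/**
+* Is authenticated user admin
+*
+* @return boolean True if admin, false otherwise
+*/
+public function isAdmin() {
+return ($this->isAuthenticated && $this->user->isAdmin);
+}
+/**
+* Start php session
+*
+* @return void
+*/
+private function sessionStart() {
+session_name("ulogger");
+session_start();
+}
+/**
+* Terminate php session
+*
+* @return void
+*/
+private function sessionEnd() {
+$_SESSION = [];
+if (ini_get("session.use_cookies")) {
+$params = session_get_cookie_params();
+setcookie(session_name('ulogger'), '', time() - 42000,
+$params["path"], $params["domain"],
+$params["secure"], $params["httponly"]
+);
+}
+session_destroy();
+}
+/**
+* Clean session variables
+*
+* @return void
+*/
+private function sessionCleanup() {
+$_SESSION = [];
+}
+/**
+* Mark as authenticated, set user
+*
+* @param [type] $user
+* @return void
+*/
+private function setAuthenticated($user) {
+$this->isAuthenticated = true;
+$this->user = $user;
+}
+/**
+* Process log in request
+*
+* @return void
+*/
+private function checkLogin() {
+$action = isset($_REQUEST["action"]) ? $_REQUEST["action"] : NULL;
+$login = isset($_REQUEST["user"]) ? $_REQUEST["user"] : NULL;
+$pass = isset($_REQUEST["pass"]) ? $_REQUEST["pass"] : NULL;
+if ($action == "auth" && !is_null($login) && !is_null($pass)) {
+$this->isLoginAttempt = true;
+if (!empty($login) && !empty($pass)) {
+$user = new uUser($login);
+if ($user->isValid && $user->validPassword($pass)) {
+$this->setAuthenticated($user);
+$this->sessionCleanup();
+$user->storeInSession();
+}
+}
+}
+}
+/**
+* Log out with redirect
+*
+* @param string $path URL path
+* @return void
+*/
+public function logOutWithRedirect($path = NULL) {
+$this->sessionEnd();
+$this->exitWithRedirect($path);
+}
+/**
+* Send 401 headers
+*
+* @return void
+*/
+public function sendUnauthorizedHeader() {
+header('WWW-Authenticate: OAuth realm="users@ulogger"');
+header('HTTP/1.1 401 Unauthorized', true, 401);
+}
+/**
+* Send 401 headers and exit
+*
+* @return void
+*/
+public function exitWithUnauthorized() {
+$this->sendUnauthorizedHeader();
+exit();
+}
+/**
+* Redirect browser and exit
+*
+* @param string $path Redirect URL path
+* @return void
+*/
+public function exitWithRedirect($path = NULL) {
+$ssl = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https";
+$url = $_SERVER['HTTP_HOST'];
+if (is_null($path)) {
+$path = dirname($_SERVER['SCRIPT_NAME']) . "/";
+}
+$url = str_replace("//", "/", $url . $path);
+header("Location: $ssl://$url");
+exit();
+}
+}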
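Review bot: `checkLogin()` stores the freshly authenticated user into the session the request arrived with — `sessionCleanup()` only empties `$_SESSION` and nothing calls `session_regenerate_id()`, so a session id planted in the victim's cookie before login (session fixation) remains valid after it. Insert `session_regenerate_id(true);` between `$this->sessionCleanup();` and `$user->storeInSession();`. The same method reads `user` and `pass` from `$_REQUEST`, so credentials passed in a GET query string are accepted and will end up in access logs; limiting the login branch to `$_POST` would close that. `exitWithRedirect()` also builds the `Location` from `$_SERVER['HTTP_HOST']`, which is attacker-supplied unless the vhost is pinned — a root-relative `Location:` header (or a configured base URL) would remove the dependency.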


@ -50,10 +50,7 @@
public function __construct($host, $user, $pass, $name, $port = null, $socket = null) {
@parent::__construct($host, $user, $pass, $name, $port, $socket);
if ($this->connect_error) {
if (defined('headless')) {
header("HTTP/1.1 503 Service Unavailable");
exit;
}
header("HTTP/1.1 503 Service Unavailable");
die("Database connection error (" . $this->connect_error . ")");
}
$this->set_charset('utf8');
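Review bot: With the `headless` branch removed, every failed connection now reaches `die("Database connection error (" . $this->connect_error . ")")`, so the raw mysqli error — which can carry the DB host and user name — is returned to unauthenticated API clients as well as browsers. Keep the 503 but log the detail server-side and send a generic body: `error_log("Database connection error: " . $this->connect_error);` followed by `die("Database connection error");`. The constructor continues outside the hunk.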


@ -173,7 +173,7 @@
/**
* Fill uUser object properties from session data
* @return uPosition Self
* @return uUser
*/
public function getFromSession() {
if (isset($_SESSION['user'])) {


@ -17,14 +17,26 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
require_once(__DIR__ . "/auth.php"); // sets $user
require_once(__DIR__ . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/config.php");
require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/helpers/track.php");
require_once(ROOT_DIR . "/helpers/utils.php");
require_once(ROOT_DIR . "/lang.php");
$auth = new uAuth();
if (!$auth->isAuthenticated() && $auth->isLoginAttempt()) {
$auth->exitWithRedirect("/login.php?auth_error=1");
}
if (!$auth->isAuthenticated() && uConfig::$require_authentication) {
$auth->exitWithRedirect("/login.php");
}
$displayUserId = NULL;
$usersArr = [];
if ($user->isAdmin || uConfig::$public_tracks) {
if ($auth->isAdmin() || uConfig::$public_tracks) {
// public access or admin user
// get last position user
$lastPosition = uPosition::getLast();
@ -34,9 +46,9 @@
}
// populate users array (for <select>)
$usersArr = uUser::getAll();
} else if ($user->isValid) {
} else if ($auth->isAuthenticated()) {
// display track of authenticated user
$displayUserId = $user->id;
$displayUserId = $auth->user->id;
}
$tracksArr = uTrack::getAll($displayUserId);
@ -53,18 +65,7 @@
<html>
<head>
<title><?= $lang["title"] ?></title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="viewport" content="initial-scale=1.0, user-scalable=no">
<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="manifest.json">
<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
<link rel="shortcut icon" href="icons/favicon.ico">
<meta name="msapplication-config" content="browserconfig.xml">
<meta name="theme-color" content="#ffffff">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="css/main.css">
<?php include("meta.php"); ?>
<script>
var interval = '<?= uConfig::$interval ?>';
var userid = '<?= ($displayUserId) ? $displayUserId : -1 ?>';
@ -79,8 +80,8 @@
var init_latitude = '<?= uConfig::$init_latitude ?>';
var init_longitude = '<?= uConfig::$init_longitude ?>';
var lang = <?= json_encode($lang) ?>;
var admin = <?= json_encode($user->isAdmin) ?>;
var auth = '<?= ($user->isValid) ? $user->login : "null" ?>';
var admin = <?= json_encode($auth->isAdmin()) ?>;
var auth = '<?= ($auth->isAuthenticated()) ? $auth->user->login : "null" ?>';
var pass_regex = <?= uConfig::passRegex() ?>;
</script>
<script type="text/javascript" src="js/main.js"></script>
@ -92,10 +93,10 @@
<script type="text/javascript" src="//openlayers.org/api/OpenLayers.js"></script>
<script type="text/javascript" src="js/api_openlayers.js"></script>
<?php endif; ?>
<?php if ($user->isAdmin): ?>
<?php if ($auth->isAdmin()): ?>
<script type="text/javascript" src="js/admin.js"></script>
<?php endif; ?>
<?php if ($user->isValid): ?>
<?php if ($auth->isAuthenticated()): ?>
<script type="text/javascript" src="js/track.js"></script>
<?php endif; ?>
<script type="text/javascript" src="js/pass.js"></script>
@ -109,16 +110,16 @@
<div id="menu">
<div id="menu-content">
<?php if ($user->isValid): ?>
<?php if ($auth->isAuthenticated()): ?>
<div id="user_menu">
<a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= htmlspecialchars($user->login) ?></a>
<a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= htmlspecialchars($auth->user->login) ?></a>
<div id="user_dropdown" class="dropdown">
<a href="javascript:void(0)" onclick="changePass()"><img class="icon" alt="<?= $lang["changepass"] ?>" src="images/lock.svg"> <?= $lang["changepass"] ?></a>
<a href="utils/logout.php"><img class="icon" alt="<?= $lang["logout"] ?>" src="images/poweroff.svg"> <?= $lang["logout"] ?></a>
</div>
</div>
<?php else: ?>
<a href="index.php?force_login=1"><img class="icon" alt="<?= $lang["login"] ?>" src="images/key.svg"> <?= $lang["login"] ?></a>
<a href="login.php"><img class="icon" alt="<?= $lang["login"] ?>" src="images/key.svg"> <?= $lang["login"] ?></a>
<?php endif; ?>
<div id="user">
@ -193,7 +194,7 @@
<a class="menulink" href="javascript:void(0);" onclick="exportFile('gpx', userid, trackid);">gpx</a>
</div>
<?php if ($user->isValid): ?>
<?php if ($auth->isAuthenticated()): ?>
<div id="import">
<div class="menutitle u"><?= $lang["import"] ?></div>
<form id="importForm" enctype="multipart/form-data" method="post">
@ -205,7 +206,7 @@
<div id="admin_menu">
<div class="menutitle u"><?= $lang["adminmenu"] ?></div>
<?php if ($user->isAdmin): ?>
<?php if ($auth->isAdmin()): ?>
<a class="menulink" href="javascript:void(0);" onclick="addUser()"><?= $lang["adduser"] ?></a>
<a class="menulink" href="javascript:void(0);" onclick="editUser()"><?= $lang["edituser"] ?></a>
<?php endif; ?>
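Review bot: `var auth = '<?= ($auth->isAuthenticated()) ? $auth->user->login : "null" ?>';` writes the login name into a JavaScript string literal without escaping, while the menu a few lines below correctly wraps the same value in `htmlspecialchars()`; a login containing `'` or `</script>` breaks out of the literal (user names come from the admin-only `adduser` action, so exposure is limited but real). Emit it as a JSON string instead: `var auth = <?= json_encode($auth->isAuthenticated() ? $auth->user->login : "null", JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) ?>;`. Separately, the new redirects go to the root-relative `/login.php`, whereas the removed auth.php derived its paths from `dirname($_SERVER['SCRIPT_NAME'])`; an install below the document root will redirect to the wrong location.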

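--- /dev/null
+++ b/login.php
@@ -0,0 +1,57 @@
+<?php
+/* μlogger
+*
+* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
+*
+* This is free software; you can redistribute it and/or modify it under
+* the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+require_once("helpers/auth.php");
+require_once(ROOT_DIR . "/lang.php");
+require_once(ROOT_DIR . "/helpers/config.php");
+$auth_error = isset($_REQUEST['auth_error']) ? (bool) $_REQUEST['auth_error'] : false;
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<title><?= $lang["title"] ?></title>
+<?php include("meta.php"); ?>
+<script type="text/javascript">
+function focus() {
+document.forms[0].elements[0].focus();
+}
+</script>
+</head>
+<body onload="focus()">
+<div id="login">
+<div id="title"><?= $lang["title"] ?></div>
+<div id="subtitle"><?= $lang["private"] ?></div>
+<form action="/" method="post">
+<?= $lang["username"] ?>:<br>
+<input type="text" name="user"><br>
+<?= $lang["password"] ?>:<br>
+<input type="password" name="pass"><br>
+<br>
+<input type="submit" value="<?= $lang["login"] ?>">
+<input type="hidden" name="action" value="auth">
+<?php if (!uConfig::$require_authentication): ?>
+<div id="cancel"><a href="/"><?= $lang["cancel"] ?></a></div>
+<?php endif; ?>
+</form>
+<div id="error"><?= (($auth_error) ? $lang["authfail"] : "") ?></div>
+</div>
+</body>
+</html>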
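Review bot: The form posts to `action="/"` (and Cancel links to `/`), so on an installation that is not at the document root the username and password are submitted to whatever is served at `/` rather than to this application's index.php; the removed auth.php used the relative `index.php`. Use `<form action="index.php" method="post">` and `<a href="index.php">`, which resolve correctly from login.php's own directory. The form also carries no anti-CSRF token (login CSRF); that is pre-existing behaviour, but worth a follow-up once the redirect paths are settled.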

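--- /dev/null
+++ b/meta.php
@@ -0,0 +1,12 @@
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="viewport" content="initial-scale=1.0, user-scalable=no">
+<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
+<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
+<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
+<link rel="manifest" href="manifest.json">
+<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
+<link rel="shortcut icon" href="icons/favicon.ico">
+<meta name="msapplication-config" content="browserconfig.xml">
+<meta name="theme-color" content="#ffffff">
+<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
+<link rel="stylesheet" type="text/css" href="css/main.css">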


@ -17,17 +17,22 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define("headless", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
if (!$auth->isAuthenticated()) {
$auth->sendUnauthorizedHeader();
uUtils::exitWithError("Unauthorized");
}
$login = isset($_REQUEST['login']) ? trim($_REQUEST['login']) : NULL;
$oldpass = isset($_REQUEST['oldpass']) ? $_REQUEST['oldpass'] : NULL;
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
if (empty($pass)) {
uUtils::exitWithError("Empty password");
}
if ($user->isAdmin && !empty($login)) {
if ($auth->isAdmin() && !empty($login)) {
// different user, only admin
$passUser = new uUser($login);
if (!$passUser->valid) {
@ -35,7 +40,7 @@
}
} else {
// current user
$passUser = $user;
$passUser = $auth->user;
if (!$passUser->validPassword($oldpass)) {
uUtils::exitWithError("Wrong old password");
}
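Review bot: The admin branch tests `$passUser->valid`, while every other site in this commit reads `isValid` on a uUser (`$user->isValid` in helpers/auth.php, `$track->isValid` in handletrack.php); if uUser only defines `isValid`, the undefined property is null, `!$passUser->valid` is always true, and an admin can never set another user's password — fail-closed, but broken. Change it to `if (!$passUser->isValid) {`. That line is untouched context here, and the rest of the password update continues outside the hunk.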


@ -17,8 +17,12 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/lang.php");
$auth = new uAuth();
/**
* Add kml marker style element
@ -42,7 +46,7 @@ function addStyle($xml, $name, $url) {
/**
* Convert seconds to [day], hour, minute, second string
*
* @param [type] $s Number of seconds
* @param int $s Number of seconds
* @return string [d ]hhmmss
*/
function toHMS($s) {
@ -57,7 +61,8 @@ $type = isset($_REQUEST["type"]) ? $_REQUEST["type"] : "kml";
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if (!uConfig::$public_tracks && !$user->isAdmin && $user->id !== $userId) {
if (!uConfig::$public_tracks &&
(!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $userId))) {
// unauthorized
exit();
}
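Review bot: The unauthorized path ends in a bare `exit()`, which answers 200 OK with an empty body, so a client cannot distinguish a denied export from an empty one; changepass.php and the client API in this same commit send a 401 first. Replace it with `$auth->exitWithUnauthorized();`. Note also that the check constrains `$userId` but not `$trackId`; whether the export code below (outside the hunk) scopes the track to that user is not visible here.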


@ -17,18 +17,20 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define("headless", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if ($userId) {
$positionsArr = [];
if (uConfig::$public_tracks || $user->isAdmin || $user->id === $userId) {
if (uConfig::$public_tracks ||
($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
if ($trackId) {
// get all track data
$positionsArr = uPosition::getAll($userId, $trackId);
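Review bot: `$auth->user->id === $userId` compares with `===` against the `(int)`-cast request value, so if `uUser::$id` holds the string the DB driver returned, the test is always false and non-admin users lose access to their own positions (gettracks.php has the same expression, while handletrack.php uses `!=`). Either normalise the id to int inside uUser or cast at the comparison: `(int) $auth->user->id === $userId`. Whether uUser already casts is not visible in this diff — confirm before changing.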


@ -17,16 +17,18 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define("headless", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/track.php");
$auth = new uAuth();
$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
if ($userId) {
$tracksArr = [];
if (uConfig::$public_tracks || $user->isAdmin || $user->id === $userId) {
if (uConfig::$public_tracks ||
($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
$tracksArr = uTrack::getAll($userId);
}


@ -17,11 +17,12 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define("headless", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/track.php");
require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : NULL;
$trackId = isset($_REQUEST['trackid']) ? trim($_REQUEST['trackid']) : NULL;
$trackName = isset($_REQUEST['trackname']) ? trim($_REQUEST['trackname']) : NULL;
@ -29,7 +30,8 @@
uUtils::exitWithError($lang["servererror"]);
}
$track = new uTrack($trackId);
if (!$track->isValid || (!$user->isAdmin && $user->id != $track->userId)) {
if (!$track->isValid ||
(!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id != $track->userId))) {
uUtils::exitWithError($lang["servererror"]);
}
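Review bot: Track rename/delete is authorised solely by the session cookie and takes `action`/`trackid`/`trackname` from `$_REQUEST`, so it can be triggered by a cross-site GET or auto-submitted form while a user is logged in (CSRF); the same applies to handleuser.php, changepass.php and import.php. At minimum reject non-POST requests, `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { uUtils::exitWithError($lang["servererror"]); }`, and follow up with a per-session token checked on every mutating endpoint. `$lang` is used here although lang.php is not among the visible requires — presumably pulled in by utils.php; verify.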


@ -17,14 +17,15 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define("headless", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/utils.php");
$auth = new uAuth();
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : NULL;
$login = isset($_REQUEST['login']) ? trim($_REQUEST['login']) : NULL;
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
if (!$user->isAdmin || empty($action) || empty($login) || $user->login == $login) {
if (!$auth->isAuthenticated() || !$auth->isAdmin || $auth->user->login == $login || empty($action) || empty($login)) {
uUtils::exitWithError($lang["servererror"]);
}
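Review bot: The new guard reads `$auth->isAdmin` as a property, but uAuth only defines `isAdmin()` as a method (every other call site in this commit uses `$auth->isAdmin()`); the undefined property is null, so `!$auth->isAdmin` is always true and every user-management request is rejected with the server-error message. Since `isAdmin()` already includes the authenticated check, the line can become `if (!$auth->isAdmin() || $auth->user->login == $login || empty($action) || empty($login)) {`.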


@ -17,11 +17,13 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
define("headless", true);
require_once(dirname(__DIR__) . "/auth.php"); // sets $user
require_once(dirname(__DIR__) . "/helpers/auth.php");
require_once(ROOT_DIR . "/helpers/track.php");
require_once(ROOT_DIR . "/helpers/position.php");
require_once(ROOT_DIR . "/helpers/utils.php");
require_once(ROOT_DIR . "/lang.php");
$auth = new uAuth();
$uploadErrors[UPLOAD_ERR_INI_SIZE] = "The uploaded file exceeds the upload_max_filesize directive in php.ini";
$uploadErrors[UPLOAD_ERR_FORM_SIZE] = "The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form";
@ -31,8 +33,8 @@ $uploadErrors[UPLOAD_ERR_NO_TMP_DIR] = "Missing a temporary folder";
$uploadErrors[UPLOAD_ERR_CANT_WRITE] = "Failed to write file to disk";
$uploadErrors[UPLOAD_ERR_EXTENSION] = "A PHP extension stopped the file upload";
if (!$user->isValid) {
uUtils::exitWithError($lang["servererror"]);
if (!$auth->isAuthenticated()) {
uUtils::exitWithError($lang["private"]);
}
if (!isset($_FILES["gpx"])) {
@ -88,7 +90,7 @@ $trackCnt = 0;
foreach ($gpx->trk as $trk) {
$trackName = empty($trk->name) ? $gpxName : $trk->name->__toString();
$metaName = empty($gpx->metadata->name) ? NULL : $gpx->metadata->name->__toString();
$trackId = uTrack::add($user->id, $trackName, $metaName);
$trackId = uTrack::add($auth->user->id, $trackName, $metaName);
if ($trackId === false) {
uUtils::exitWithError($lang["servererror"]);
break;
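Review bot: The unauthenticated branch returns a JSON error but no status code, whereas changepass.php in this same commit calls `$auth->sendUnauthorizedHeader();` before `uUtils::exitWithError()`; add the same call here so clients see a 401 rather than a 200 with an error body. The upload validation and GPX parsing are outside the hunk.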


@ -17,15 +17,9 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
session_name('ulogger');
session_start();
$_SESSION = NULL;
if (isset($_COOKIE[session_name('ulogger') ])) {
setcookie(session_name('ulogger'), '', time() - 42000, '/');
}
session_destroy();
$ssl = ((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https");
$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname(dirname($_SERVER['SCRIPT_NAME'])) . "/index.php");
header("Location: $ssl://$url");
include_once(dirname(__DIR__) . "/helpers/auth.php");
$auth = new uAuth();
$auth->logOutWithRedirect(dirname(dirname($_SERVER['SCRIPT_NAME'])) . "/");
?>
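Review bot: `new uAuth()` in the logout script also runs `checkLogin()`, so a logout URL carrying `action=auth&user=…&pass=…` performs a full password check and a session write before the session is torn down; harmless, but the logout endpoint now processes credentials it never needs. Logout is also reached by a plain GET link from the menu with no token, so a third-party page can log a user out (logout CSRF). Consider making uAuth's login processing opt-in for this script, or giving logout a POST form with a token.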