
When performing critical operations (such as user deletion) the system now asks you to confirm your password

This commit is contained in:
kolaente 2017-05-01 20:25:43 +02:00 committed by konrad
parent b365dc88ed
commit 4ce47c209f
9 changed files with 374 additions and 228 deletions


@ -1373,6 +1373,59 @@ header .stream{
display: block;
}
/*Confirm Window*/
.overlay {
position: fixed;
left: 0;
right: 0;
top: 0;
bottom: 0;
background: rgba(0, 0, 0, 0.4);
z-index: 99;
}
.window-confirm, .window-confirm .head {
text-align: center;
left: calc(50vw - 175px);
width: 100%;
max-width: 350px;
top: 40px;
background: #fff;
padding: 10px 10px 20px;
box-shadow: 0 2px 2px 0 rgba(0, 0, 0, .14), 0 3px 1px -2px rgba(0, 0, 0, .2), 0 1px 5px 0 rgba(0, 0, 0, .12);
z-index: 1;
border-radius: 2px;
position: fixed;
overflow: auto;
max-height: calc(100vh - 80px);
height: auto;
}
.window-confirm .head {
margin: -10px -10px 10px 0;
text-align: left;
padding: 10px 10px;
background: #eaeaea;
border-radius: 2px 2px 0 0;
-moz-user-select: -moz-none;
-webkit-user-select: none;
user-select: none;
cursor: default;
position: fixed;
}
.window-confirm .head .closeMsg {
color: #212121;
}
.window-confirm .head .closeMsg:hover {
color: #5d5d5d;
}
.window-confirm #content {
margin-top: 30px;
}
@media screen and (max-width: 450px) {
header .options span.usr_info {
display: none;


@ -87,7 +87,6 @@ tinymce();
$appUri = '../apps/';
foreach ($apps->getApps() as $app => $appconf)
{
require $appUri . $app . '/config.php';
if (isset($_CONF['general_conf']) && $_CONF['general_conf'] != '' && file_exists($appUri . $app . '/' . $_CONF['general_conf']))
{


@ -88,6 +88,14 @@ $lang['general_database'] = 'Datenbank';
$lang['general_create_backup'] = 'Datenbank Backup erstellen';
$lang['general_go_phpmyadmin'] = 'Zu phpmyadmin';
//Legitimation
$lang['legitimate_title'] = 'Legitimierung benötigt';
$lang['legitimate_text'] = 'Dieser Vorgang benötigt eine Passwortbestätigung.';
$lang['legitimate_confirm'] = 'Bestätigen';
$lang['legitimate_abort'] = 'Abbrechen';
$lang['legitimate_error'] = 'Beim Legitimieren ist ein Fehler aufgetreten.';
$lang['legitimate_fail'] = 'Falsches Passwort.';
/*
* Manage Admins
*/


@ -5,12 +5,14 @@ require_once '../inc/config.php';
require_once '../inc/libs/password.php';
require_once '../inc/libs/functions.php';
$db->setCol('system_admins');
$db->data['username'] = $_POST['username'];
$db->get();
if($db->data[0]['id'] != '')
if(isset($_POST['username']))
{
if(password_verify($_POST['pw'], $db->data[0]['pass']))
$db->setCol('system_admins');
$db->data['username'] = $_POST['username'];
$db->get();
if (isset($db->data[0]) && $db->data[0]['id'] != '')
{
if (password_verify($_POST['pw'], $db->data[0]['pass']))
{
session_regenerate_id();
$uid = $db->data[0]['id'];
@ -33,31 +35,28 @@ if($db->data[0]['id'] != '')
$db->setCol('system_admins');
$db->data['id'] = $uid;
$db->get();
if($db->data[0]['secret'] != '')
if ($db->data[0]['secret'] != '')
{
if(isset($_POST['2fa']) && $_POST['2fa'] == '')
if (isset($_POST['2fa']) && $_POST['2fa'] == '')
{
echo '2fa';
exit;
}
else
} else
{
require_once '../inc/libs/2fa.php';
$authenticator = new php2FA();
if($authenticator->verifyCode($db->data[0]['secret'], $_POST['2fa'], 3))
if ($authenticator->verifyCode($db->data[0]['secret'], $_POST['2fa'], 3))
{
echo 'success';
stream_message('{user} has logged in.', 4);
}
else
} else
{
echo '2fafail';
exit;
}
}
}
else
} else
{
echo 'success';
}
@ -70,13 +69,45 @@ if($db->data[0]['id'] != '')
$_SESSION['guestview'] = 'true';
stream_message('{user} has logged in.', 4);
} else
{
echo 'fail';
}
} else
{
echo 'fail';
}
}
//Check for password - needed for user's confirmation
if(isset($_GET['checkPassword']))
{
if(is_loggedin())
{
if(isset($_POST['pw']))
{
$db->setCol('system_admins');
$db->data['id'] = $_SESSION['userid'];
$db->get();
if (isset($db->data[0]) && $db->data[0]['id'] != '')
{
if (password_verify($_POST['pw'], $db->data[0]['pass']))
{
echo 'success';
}
else
{
echo 'fail';
}
}
else
{
}
else
{
echo 'fail';
}
}
}
else
{
echo 'login first.';
}
}
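Review bot: The new `checkPassword` branch only echoes `success` after `password_verify` and records nothing server-side, so the handlers that actually perform the critical operations have no way to tell a request that went through the dialog from one that skipped it and POSTed the form directly. Store the outcome in the session on success, `$_SESSION['pw_confirmed_at'] = time();`, and have each guarded handler refuse the request unless that timestamp is recent (a few minutes) and clear it once consumed; the `is_loggedin()` guard alone only proves a session exists, not that the password was re-entered. An account that has a TOTP `secret` is re-authenticated here by password alone, unlike the login flow above which also checks the code; if that is intended for confirmations, say so in a comment such as `// Re-auth by password only; 2FA is not re-prompted for confirmations`. The branch also runs after the username login block in the same request because neither path visibly exits, so an explicit `exit;` after the echoes would avoid two replies being concatenated.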


@ -50,6 +50,7 @@ if (hasPerm('manage_admins'))
<div class="main">
<div class="form">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="POST">
<input type="hidden" name="askPW" value="askPW">
<p><span><?php echo $lang->get('admins_cn_username'); ?>:</span><input type="text" name="userN"/>
</p>
<p><span><?php echo $lang->get('admins_cn_password'); ?>:</span><input type="password" name="pw1"/>


@ -35,7 +35,7 @@ if (hasPerm('edit_permissions'))
}
} else
{
echo '<div class="main"><form action="'.$_SERVER['REQUEST_URI'].'" method="post">';
echo '<div class="main"><form action="'.$_SERVER['REQUEST_URI'].'" method="post"><input type="hidden" name="askPW" value="askPW">';
//Admin Groups
$db->get();
$role_names = [];


@ -42,6 +42,7 @@ if (hasPerm('manage_groups'))
?>
<div class="main" style="text-align: center">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<p><?php echo $lang->get('admins_roles_delete_confirm');?></p>
<input type="submit" name="del" value="<?php echo $lang->get('general_yes');?>"/>
<a href="roles.php?members=<?php echo $_GET['members']; ?>" class="button btn_del"><?php echo $lang->get('general_no');?></a>
@ -69,6 +70,7 @@ if (hasPerm('manage_groups'))
?>
<div class="main" style="text-align: center">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<p><?php echo $lang->get('admins_roles_user_delete_confirm');?></p>
<input type="submit" name="del" value="<?php echo $lang->get('general_yes');?>"/>
<a href="roles.php?members=<?php echo $_GET['members']; ?>" class="button btn_del"><?php echo $lang->get('general_no');?></a>
@ -133,6 +135,7 @@ if (hasPerm('manage_groups'))
{
?>
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<?php echo $lang->get('admins_roles_add_user');?>:
<select name="user">
<?php
@ -173,6 +176,7 @@ if (hasPerm('manage_groups'))
<div class="main">
<h2><?php echo $lang->get('admins_roles_create_group');?></h2>
<form action="<?php echo $_SERVER['REQUEST_URI']?>" method="post">
<input type="hidden" name="askPW" value="askPW">
<input type="text" name="group_name" placeholder="<?php echo $lang->get('admins_roles_group_name');?>"/><br/>
<input type="submit" name="submit" value="<?php echo $lang->get('admins_roles_create_group');?>"/>
</form>
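Review bot: The hidden `askPW` input added to the delete, add-user and create-group forms only triggers the browser-side dialog; the `del` and `submit` handlers it is meant to protect are outside this hunk, and unless they check something themselves a direct POST without the dialog is accepted exactly as before. Have those handlers require a fresh server-side confirmation, e.g. `if (empty($_SESSION['pw_confirmed_at']) || time() - $_SESSION['pw_confirmed_at'] > 300) { http_response_code(403); exit; }`, with the timestamp written by the `checkPassword` endpoint once it records successful verification. A confirmation that lives only in the session does not stop a cross-site POST made while it is fresh, so a per-form CSRF token would complement it; none is visible in the hunk, so this is inferred. The enclosing `if (hasPerm('manage_groups'))` block starts outside the hunk.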


@ -275,6 +275,7 @@ if (hasPerm('manage_admins') || $uid == $_SESSION['userid'])
?>
<div class="main">
<form action="<?php echo $_SERVER['REQUEST_URI']?>" class="form" method="post">
<input type="hidden" name="askPW" value="askPW">
<p><span><?php echo $lang->get('username'); ?>:</span><input name="username"
value="<?php echo $db->data[0]['username'] ?>"/>
</p>


@ -8,7 +8,7 @@ if (!isset($_GET['direct']))
<div id="showMsg"></div>
<script src="<?php echo $MCONF['web_uri'] ?>admin/assets/js/bootstrap.min.js"></script>
<script>
$(document).ready(function(){
$(document).ready(function () {
$('[data-toggle="tooltip"]').tooltip();
});
</script>
@ -49,7 +49,7 @@ if (!isset($_GET['direct']))
showTopLoader();
$.get('<?php echo $MCONF['home_uri'];?>admin/lang.php?set=' + lang, function (data) {
console.log(data);
if(data == 1){
if (data == 1) {
location.reload();
} else {
showMsg('Error.');
@ -58,10 +58,9 @@ if (!isset($_GET['direct']))
}
//showStream
function showStream()
{
$('#streamContent').fadeToggle(100,function() {
if($('#streamContent').is(":visible")) {
function showStream() {
$('#streamContent').fadeToggle(100, function () {
if ($('#streamContent').is(":visible")) {
$.getJSON('<?php echo $MCONF['home_uri'];?>admin/stream.php?getStream&limit=10', function (streamData) {
$('#streamContent').html('');
$.each(streamData, function (key, val) {
@ -73,42 +72,12 @@ if (!isset($_GET['direct']))
});
}
$(document).ready(function () {
//Router
$('#topnav').addClass('no-transition');
page('*', findPage);
page();
pageBodyParser();
function findPage(ctx, next) {
if(!ctx.init) {
if (ctx.body) { //If POST-Request, send Post via ajax
var isAjax = false;
var requestData = 'direct=true';
var editorname = '';
//console.log(typeof(tinyMCE));
if (typeof(tinyMCE) != "undefined" && tinyMCE.activeEditor != null) {editorname = $('#' + tinyMCE.activeEditor.id).attr("name");}//Get the new Content, not the old
for (var key in ctx.body) {
if (!ctx.body.hasOwnProperty(key)) continue;
//If we have content edited with tinymce, we want the new content to be passed with the POST-Request
if(key == editorname) {
console.log(tinyMCE);
requestData += '&' + key + '=' + encodeURIComponent(tinyMCE.activeEditor.getContent());
} else {
requestData += '&' + key + '=' + encodeURIComponent(ctx.body[key]);
}
if(key == 'ajax') isAjax = true;
function closeW() {
$('.overlay').fadeOut(200);
$('.overlay').html('');
}
console.log(requestData);
if(!isAjax) {
function sendPost(ctx, requestData) {
$.ajax({
url: ctx.canonicalPath,
type: 'POST',
@ -128,6 +97,86 @@ if (!isset($_GET['direct']))
}
});
}
$(document).ready(function () {
//Router
$('#topnav').addClass('no-transition');
page('*', findPage);
page();
pageBodyParser();
function findPage(ctx, next) {
if (!ctx.init) {
if (ctx.body) { //If POST-Request, send Post via ajax
var isAjax = false;
var requestData = 'direct=true';
var editorname = '';
var needsPwConfirm = false;
//console.log(typeof(tinyMCE));
if (typeof(tinyMCE) != "undefined" && tinyMCE.activeEditor != null) {
editorname = $('#' + tinyMCE.activeEditor.id).attr("name");
}//Get the new Content, not the old
for (var key in ctx.body) {
if (!ctx.body.hasOwnProperty(key)) continue;
//Check users password
if (key == 'askPW') {
needsPwConfirm = true;
}
//If we have content edited with tinymce, we want the new content to be passed with the POST-Request
if (key == editorname) {
console.log(tinyMCE);
requestData += '&' + key + '=' + encodeURIComponent(tinyMCE.activeEditor.getContent());
} else {
requestData += '&' + key + '=' + encodeURIComponent(ctx.body[key]);
}
if (key == 'ajax') isAjax = true;
}
//Confirm user password
if (needsPwConfirm) {
$('#showMsg').html('<div class="overlay" style="display:none;"><div class="window-confirm"><div class="head"><?php echo $lang->get('legitimate_title')?><a onclick="closeW();" class="closeMsg"><i class="fa fa-close"></i></a></div><div id="content"></div></div></div>');
$('#content').append('<p><?php echo $lang->get('legitimate_text')?></p><p><input type="password" placeholder="<?php echo $lang->get('password')?>" id="password_legitimate" autofocus/><input type="submit" value="<?php echo $lang->get('legitimate_confirm')?>" id="legitimateSmbt"/><a onclick="closeW();" class="button btn_del"><?php echo $lang->get('legitimate_abort')?></a></p><span id="sendMsg"></span>');
$('#password_legitimate').focus();
$(".overlay").fadeIn(250);
$('#legitimateSmbt').click(function () {
$.ajax({
url: 'login.php?checkPassword',
type: 'POST',
cache: false,
data: 'pw=' + $('#password_legitimate').val(),
success: function (result) { // On success, display a message...
if (result == 'success') {
closeW();
//Send the request
if (!isAjax) {
sendPost(ctx, requestData);
}
} else if (result == 'fail') {
$('#sendMsg').html('<p style="color:red;"><?php echo $lang->get('legitimate_fail')?></p>');
} else {
$('#sendMsg').html('<p style="color:red;"><?php echo $lang->get('legitimate_error')?></p>');
}
},
error: function (xhr, status, error) {
console.log(status, error);
showMsg('<?php echo $lang->get('legitimate_error')?>');
}
});
});
} else {
if (!isAjax) {
sendPost(ctx, requestData);
}
}
} else {//Otherwise display Contents
showTopLoader();
@ -180,8 +229,8 @@ if (!isset($_GET['direct']))
//Get CSS
$('#addedCss').remove(); // Remove old CSS
$.get(ctx.pathname + '?css' + query, function (data) {
if(data.css) {
for(var i = 0; i < data.css_files.length; i++) {
if (data.css) {
for (var i = 0; i < data.css_files.length; i++) {
var cssFile = data.css_files[i];
$('head').append('<link rel="stylesheet" href="' + data.fullUri + cssFile + '" type="text/css" id="addedCss">');
}
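Review bot: The confirmation request at `data: 'pw=' + $('#password_legitimate').val()` sends the password without URL-encoding, so any password containing `&`, `+`, `%` or `#` reaches `login.php?checkPassword` mangled and the user is told it is wrong; pass it as an object so jQuery encodes it, `data: { pw: $('#password_legitimate').val() }`. The `askPW` key only flips `needsPwConfirm` in this loop, and nothing here ties the `success` reply to the `sendPost` that follows, so the gate is only as strong as whatever server-side check the posted handlers perform, which is outside this view; a comment stating that, `// UI gate only; the handler must verify the confirmation server-side`, would keep the next maintainer from relying on it. The `$lang->get(...)` values are echoed straight into single-quoted JavaScript string literals, so a translation containing an apostrophe breaks the whole script; emitting them with `json_encode()` avoids that. `findPage` continues past the end of the hunk.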