fusionpbx/resources/check_auth.php

<?php
/*
	FusionPBX
	Version: MPL 1.1

	The contents of this file are subject to the Mozilla Public License Version
	1.1 (the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at
	http://www.mozilla.org/MPL/

	Software distributed under the License is distributed on an "AS IS" basis,
	WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
	for the specific language governing rights and limitations under the
	License.

	The Original Code is FusionPBX

	The Initial Developer of the Original Code is
	Mark J Crane <markjcrane@fusionpbx.com>
	Portions created by the Initial Developer are Copyright (C) 2008-2023
	the Initial Developer. All Rights Reserved.

	Contributor(s):
	Mark J Crane <markjcrane@fusionpbx.com>
*/

//includes
	require_once "resources/require.php";

//add multi-lingual support
	$language = new text;
	$text = $language->get(null, 'resources');

//for compatibility require this library if less than version 5.5
	if (version_compare(phpversion(), '5.5', '<')) {
		require_once "resources/functions/password.php";
	}

//start the session
	if (!isset($_SESSION)) { session_start(); }

//define variables
	if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }

//if the session is not authorized then verify the identity
	if (!isset($_SESSION['authorized']) && !$_SESSION['authorized']) {

		//clear the menu
			unset($_SESSION["menu"]);

		//clear the template only if the template has not been assigned by the superadmin
			if (empty($_SESSION['domain']['template']['name'])) {
				$_SESSION["template_content"] = '';
			}

		//validate the username and password
			$auth = new authentication;
			$auth->debug = true;
			$result = $auth->validate();

		//if not authorized
			if (!$_SESSION['authorized']) {

				//log the failed auth attempt to the system to the syslog server
					openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
					syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
					closelog();

				//redirect the user to the login page
					$target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];
					message::add($text['message-invalid_credentials'], 'negative');
					header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path));
					exit;
			}

		//if logged in, redirect to login destination
			if (!isset($_REQUEST["key"])) {
				if (isset($_SESSION['redirect_path'])) {
					$redirect_path = $_SESSION['redirect_path'];
					unset($_SESSION['redirect_path']);
					// prevent open redirect attacks. redirect url shouldn't contain a hostname
					$parsed_url = parse_url($redirect_path);
					if ($parsed_url['host']) {
						die("Was someone trying to hack you?");
					}
					header("Location: ".$redirect_path);
				}
				elseif (isset($_SESSION['login']['destination']['url'])) {
					header("Location: ".$_SESSION['login']['destination']['url']);
				}
				elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) {
					header("Location: ".PROJECT_PATH."/core/dashboard/");
				}
				else {
					require_once "resources/header.php";
					require_once "resources/footer.php";
				}
			}

	}

?>
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`<?php`
			`/*`
			`FusionPBX`
			`Version: MPL 1.1`

			`The contents of this file are subject to the Mozilla Public License Version`
			`1.1 (the "License"); you may not use this file except in compliance with`
			`the License. You may obtain a copy of the License at`
			`http://www.mozilla.org/MPL/`

			`Software distributed under the License is distributed on an "AS IS" basis,`
			`WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License`
			`for the specific language governing rights and limitations under the`
			`License.`

			`The Original Code is FusionPBX`

			`The Initial Developer of the Original Code is`
			`Mark J Crane <markjcrane@fusionpbx.com>`
Login: Change destination setting type. 2023-01-28 01:19:00 +01:00			`Portions created by the Initial Developer are Copyright (C) 2008-2023`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`the Initial Developer. All Rights Reserved.`

			`Contributor(s):`
			`Mark J Crane <markjcrane@fusionpbx.com>`
			`*/`
Update indentation and line spacing. 2020-07-28 23:47:36 +02:00
Update check_auth.php Updated to use the new authentication class. 2016-09-11 07:13:08 +02:00			`//includes`
			`require_once "resources/require.php";`
Add the password.php to check_auth.php 2013-09-01 08:40:28 +02:00
Enhance [master] - update check_auth to use $text (#2661) * Enhance - update check_auth to use $text convert to messages::add and utilize $text for invalid_credentials * Russian translations for check_auth 2017-06-10 06:13:51 +02:00			`//add multi-lingual support`
			`$language = new text;`
BugFix - check_auth (#2672) the update to check_auth to enable text i made a mistake and put the wrong parameter into get. this corrects that 2017-06-10 17:22:24 +02:00			`$text = $language->get(null, 'resources');`
Enhance [master] - update check_auth to use $text (#2661) * Enhance - update check_auth to use $text convert to messages::add and utilize $text for invalid_credentials * Russian translations for check_auth 2017-06-10 06:13:51 +02:00
			`//for compatibility require this library if less than version 5.5`
Add the password.php to check_auth.php 2013-09-01 08:40:28 +02:00			`if (version_compare(phpversion(), '5.5', '<')) {`
			`require_once "resources/functions/password.php";`
			`}`

			`//start the session`
Update check_auth.php 2016-12-12 06:47:51 +01:00			`if (!isset($_SESSION)) { session_start(); }`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00
Update check_auth.php 2016-12-12 07:37:59 +01:00			`//define variables`
			`if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }`

Add mutli-factor authentication. 2023-04-16 09:10:39 +02:00			`//if the session is not authorized then verify the identity`
			`if (!isset($_SESSION['authorized']) && !$_SESSION['authorized']) {`
Get rid of $auth_failed, if username session is set consider the the user authenticated. 2015-03-17 15:44:09 +01:00
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`//clear the menu`
Update check_auth.php 2018-06-06 07:36:24 +02:00			`unset($_SESSION["menu"]);`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00
			`//clear the template only if the template has not been assigned by the superadmin`
Frytimo pr patches for php8.1 (#6630) * Passing null to parameter #2 ($string) of type string is deprecated * Passing null to parameter #1 ($string) of type string is deprecated * php 8.1 fixes * php 8.1 fixes - replace strlen($var) > 0 with !empty($var) * php 8.1 fixes - replace ${var} with {$var} * php 8.1 fixes - replace ${var} with {$var} * php 8.1 fixes - replace ${var} with {$var} * php 8.1 fixes - replace ${var} with {$var} * php 8.1 fixes - strlower with null * php 8.1 fixes - strreplace with null * php 8.1 fixes - passing null to base64_decode * php 8.1 fixes - check for false and check for null on $this->dir * php 8.1 fixes - remove assignment of $db variable to modules object * php 8.1 fixes - avoid sending null to substr * php 8.1 fixes - change ${var} to {$var} * php 8.1 fixes - check for null before preg_replace * php 8.1 fixes - remove setting db variable on domains object * php 8.1 fixes - set empty string if $row['domain_setting_subcategory'] is null * php 8.1 fixes - set empty string if $_REQUEST['show'] is not available * php 8.1 fixes * php 8.1 fixes - correct $_POST checking syntax * php 8.1 fixes - correct $_POST variables * php 8.1 fixes * Use brackets consistently * Update user_setting_edit.php * Change to not empty * Update device.php * Update text.php --------- Co-authored-by: Tim Fry <tim@voipstratus.com> Co-authored-by: FusionPBX <markjcrane@gmail.com> 2023-05-05 18:46:37 +02:00			`if (empty($_SESSION['domain']['template']['name'])) {`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`$_SESSION["template_content"] = '';`
			`}`

Update check_auth.php Updated to use the new authentication class. 2016-09-11 07:13:08 +02:00			`//validate the username and password`
			`$auth = new authentication;`
Add mutli-factor authentication. 2023-04-16 09:10:39 +02:00			`$auth->debug = true;`
Update check_auth.php Updated to use the new authentication class. 2016-09-11 07:13:08 +02:00			`$result = $auth->validate();`
Add user setting CIDR support 2021-04-01 04:54:23 +02:00
Add mutli-factor authentication. 2023-04-16 09:10:39 +02:00			`//if not authorized`
			`if (!$_SESSION['authorized']) {`
Add user setting CIDR support 2021-04-01 04:54:23 +02:00
Add mutli-factor authentication. 2023-04-16 09:10:39 +02:00			`//log the failed auth attempt to the system to the syslog server`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);`
Update check_auth.php Updated to use the new authentication class. 2016-09-11 07:13:08 +02:00			`syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`closelog();`
Update check_auth.php 2018-06-06 07:36:24 +02:00
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`//redirect the user to the login page`
Fix for Issue 481 (Enhanced) - Links to protected pages (such as emailed conference recording links, etc) will now properly redirect upon a successful login attempt AFTER failed login attempts. 2014-06-18 06:53:18 +02:00			`$target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];`
Change messages class to message 2018-08-31 05:09:01 +02:00			`message::add($text['message-invalid_credentials'], 'negative');`
Add mutli-factor authentication. 2023-04-16 09:10:39 +02:00			`header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path));`
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`exit;`
			`}`

Move the login destination here so it will work at the user level. 2021-08-01 06:55:48 +02:00			`//if logged in, redirect to login destination`
Only redirect when not using the key. 2021-08-05 06:38:48 +02:00			`if (!isset($_REQUEST["key"])) {`
[login] fix url redirection (#6325) * prevent open redirection attack 2022-03-11 04:10:16 +01:00			`if (isset($_SESSION['redirect_path'])) {`
			`$redirect_path = $_SESSION['redirect_path'];`
			`unset($_SESSION['redirect_path']);`
			`// prevent open redirect attacks. redirect url shouldn't contain a hostname`
			`$parsed_url = parse_url($redirect_path);`
			`if ($parsed_url['host']) {`
			`die("Was someone trying to hack you?");`
			`}`
			`header("Location: ".$redirect_path);`
			`}`
Add mutli-factor authentication. 2023-04-16 09:10:39 +02:00			`elseif (isset($_SESSION['login']['destination']['url'])) {`
			`header("Location: ".$_SESSION['login']['destination']['url']);`
			`}`
			`elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) {`
Use the new dashboard. 2021-11-10 16:27:53 +01:00			`header("Location: ".PROJECT_PATH."/core/dashboard/");`
Only redirect when not using the key. 2021-08-05 06:38:48 +02:00			`}`
			`else {`
			`require_once "resources/header.php";`
			`require_once "resources/footer.php";`
			`}`
Move the login destination here so it will work at the user level. 2021-08-01 06:55:48 +02:00			`}`
Only redirect when not using the key. 2021-08-05 06:38:48 +02:00
Add a missing file sip_profile_copy.php to the dev branch. 2012-06-04 16:58:40 +02:00			`}`

Update check_auth.php 2019-09-24 21:51:38 +02:00			`?>`