/src/usr/local/www/system_usermanager.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/www/system_usermanager.php @ 408d0882

1	1df17ba9	Scott Ullrich	<?php
2	fab7ff44	Bill Marquette	/*
3	4c291f4c	Renato Botelho	system_usermanager.php
4	fab7ff44	Bill Marquette	*/
5	7d2e572f	Stephen Beaver	/* ====================================================================
6			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
7			* Copyright (c) 2008 Shrew Soft Inc.
8			* Copyright (c) 2005 Paul Taylor <paultaylor@winn-dixie.com>
9			*
10	cb41dd63	Renato Botelho	* Some or all of this file is based on the m0n0wall project which is
11			* Copyright (c) 2004 Manuel Kasper (BSD 2 clause)
12	191cb31d	Stephen Beaver	*
13	7d2e572f	Stephen Beaver	* Redistribution and use in source and binary forms, with or without modification,
14			* are permitted provided that the following conditions are met:
15			*
16			* 1. Redistributions of source code must retain the above copyright notice,
17			* this list of conditions and the following disclaimer.
18			*
19			* 2. Redistributions in binary form must reproduce the above copyright
20			* notice, this list of conditions and the following disclaimer in
21			* the documentation and/or other materials provided with the
22			* distribution.
23			*
24			* 3. All advertising materials mentioning features or use of this software
25			* must display the following acknowledgment:
26			* "This product includes software developed by the pfSense Project
27			* for use in the pfSense software distribution. (http://www.pfsense.org/).
28			*
29			* 4. The names "pfSense" and "pfSense Project" must not be used to
30			* endorse or promote products derived from this software without
31			* prior written permission. For written permission, please contact
32			* coreteam@pfsense.org.
33			*
34			* 5. Products derived from this software may not be called "pfSense"
35			* nor may "pfSense" appear in their names without prior written
36			* permission of the Electric Sheep Fencing, LLC.
37			*
38			* 6. Redistributions of any form whatsoever must retain the following
39			* acknowledgment:
40			*
41			* "This product includes software developed by the pfSense Project
42			* for use in the pfSense software distribution (http://www.pfsense.org/).
43			*
44			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
45			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
48			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55			* OF THE POSSIBILITY OF SUCH DAMAGE.
56			*
57			* ====================================================================
58			*
59			*/
60	1d333258	Scott Ullrich	/*
61	3ccb9689	Charlie Marshall	pfSense_BUILDER_BINARIES:
62	7411c285	Stephen Beaver	pfSense_MODULE: auth
63	1d333258	Scott Ullrich	*/
64	fab7ff44	Bill Marquette
65	6b07c15a	Matthew Grooms	##\|+PRIV
66			##\|*IDENT=page-system-usermanager
67			##\|*NAME=System: User Manager page
68			##\|*DESCR=Allow access to the 'System: User Manager' page.
69			##\|MATCH=system_usermanager.php
70			##\|-PRIV
71
72	ead24d63	sullrich	require("certs.inc");
73	fab7ff44	Bill Marquette	require("guiconfig.inc");
74
75	e33be77c	Ermal	// start admin user code
76	73fa304b	Phil Davis	$pgtitle = array(gettext("System"), gettext("User Manager"));
77	fab7ff44	Bill Marquette
78	73fa304b	Phil Davis	if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
79	1a6769a6	Renato Botelho	$id = $_POST['userid'];
80	73fa304b	Phil Davis	}
81	1df17ba9	Scott Ullrich
82	7411c285	Stephen Beaver	if (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
83			$id = $_GET['userid'];
84			}
85
86	73fa304b	Phil Davis	if (!isset($config['system']['user']) \|\| !is_array($config['system']['user'])) {
87	e33be77c	Ermal	$config['system']['user'] = array();
88	73fa304b	Phil Davis	}
89	1df17ba9	Scott Ullrich
90	e33be77c	Ermal	$a_user = &$config['system']['user'];
91	7411c285	Stephen Beaver	$act = $_GET['act'];
92	45ee90ed	Matthew Grooms
93	73fa304b	Phil Davis	if (isset($_SERVER['HTTP_REFERER'])) {
94	7c2d0050	Renato Botelho	$referer = $_SERVER['HTTP_REFERER'];
95	73fa304b	Phil Davis	} else {
96	7c2d0050	Renato Botelho	$referer = '/system_usermanager.php';
97	73fa304b	Phil Davis	}
98	7c2d0050	Renato Botelho
99	adacdf5f	jim-p	if (isset($id) && $a_user[$id]) {
100			$pconfig['usernamefld'] = $a_user[$id]['name'];
101			$pconfig['descr'] = $a_user[$id]['descr'];
102			$pconfig['expires'] = $a_user[$id]['expires'];
103			$pconfig['groups'] = local_user_get_groups($a_user[$id]);
104			$pconfig['utype'] = $a_user[$id]['scope'];
105			$pconfig['uid'] = $a_user[$id]['uid'];
106			$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
107			$pconfig['priv'] = $a_user[$id]['priv'];
108			$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
109			$pconfig['disabled'] = isset($a_user[$id]['disabled']);
110			}
111
112	43acaa2f	Stephen Beaver	if ($_GET['act'] == "deluser") {
113	45ee90ed	Matthew Grooms
114	43acaa2f	Stephen Beaver	if (!isset($_GET['username']) \|\| !isset($a_user[$id]) \|\| ($_GET['username'] != $a_user[$id]['name'])) {
115	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
116			exit;
117	6b07c15a	Matthew Grooms	}
118
119	8a0ae97f	Renato Botelho	conf_mount_rw();
120	e33be77c	Ermal	local_user_del($a_user[$id]);
121	8a0ae97f	Renato Botelho	conf_mount_ro();
122	e33be77c	Ermal	$userdeleted = $a_user[$id]['name'];
123			unset($a_user[$id]);
124			write_config();
125			$savemsg = gettext("User")." {$userdeleted} ".
126	8cd558b6	ayvis	gettext("successfully deleted")."<br />";
127	e33be77c	Ermal	}
128	7411c285	Stephen Beaver	else if ($act == "new") {
129	e33be77c	Ermal	/*
130			* set this value cause the text field is read only
131			* and the user should not be able to mess with this
132			* setting.
133			*/
134			$pconfig['utype'] = "user";
135			$pconfig['lifetime'] = 3650;
136			}
137	45ee90ed	Matthew Grooms
138	73fa304b	Phil Davis	if (isset($_POST['dellall_x'])) {
139	4e21c82e	bruno
140			$del_users = $_POST['delete_check'];
141
142	73fa304b	Phil Davis	if (!empty($del_users)) {
143			foreach ($del_users as $userid) {
144	4e21c82e	bruno	if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
145			conf_mount_rw();
146			local_user_del($a_user[$userid]);
147			conf_mount_ro();
148			unset($a_user[$userid]);
149			}
150			}
151			$savemsg = gettext("Selected users removed successfully!");
152			write_config($savemsg);
153			}
154			}
155
156	98402844	Stephen Beaver	if ($_POST['act'] == "delcert") {
157
158			if (!$a_user[$id]) {
159			pfSenseHeader("system_usermanager.php");
160			exit;
161			}
162
163			$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
164			$certdeleted = $certdeleted['descr'];
165			unset($a_user[$id]['cert'][$_POST['certid']]);
166			write_config();
167			$_POST['act'] = "edit";
168			$savemsg = gettext("Certificate") . " {$certdeleted} " . gettext("association removed.") . "<br />";
169			}
170
171	1a6769a6	Renato Botelho	if ($_POST['save']) {
172	e33be77c	Ermal	unset($input_errors);
173			$pconfig = $_POST;
174	45ee90ed	Matthew Grooms
175	e33be77c	Ermal	/* input validation */
176			if (isset($id) && ($a_user[$id])) {
177			$reqdfields = explode(" ", "usernamefld");
178			$reqdfieldsn = array(gettext("Username"));
179			} else {
180			if (empty($_POST['name'])) {
181			$reqdfields = explode(" ", "usernamefld passwordfld1");
182			$reqdfieldsn = array(
183			gettext("Username"),
184			gettext("Password"));
185	45ee90ed	Matthew Grooms	} else {
186	e33be77c	Ermal	$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
187			$reqdfieldsn = array(
188			gettext("Username"),
189			gettext("Password"),
190			gettext("Descriptive name"),
191			gettext("Certificate authority"),
192			gettext("Key length"),
193			gettext("Lifetime"));
194	45ee90ed	Matthew Grooms	}
195	e33be77c	Ermal	}
196	45ee90ed	Matthew Grooms
197	1e9b4611	Renato Botelho	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
198	45ee90ed	Matthew Grooms
199	73fa304b	Phil Davis	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
200	e33be77c	Ermal	$input_errors[] = gettext("The username contains invalid characters.");
201	73fa304b	Phil Davis	}
202	45ee90ed	Matthew Grooms
203	73fa304b	Phil Davis	if (strlen($_POST['usernamefld']) > 16) {
204	e33be77c	Ermal	$input_errors[] = gettext("The username is longer than 16 characters.");
205	73fa304b	Phil Davis	}
206	94d455da	jim-p
207	73fa304b	Phil Davis	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
208	e33be77c	Ermal	$input_errors[] = gettext("The passwords do not match.");
209	73fa304b	Phil Davis	}
210	45ee90ed	Matthew Grooms
211	73fa304b	Phil Davis	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
212	123d8700	Renato Botelho	$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
213	73fa304b	Phil Davis	}
214	123d8700	Renato Botelho
215	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
216	e33be77c	Ermal	$oldusername = $a_user[$id]['name'];
217	73fa304b	Phil Davis	} else {
218	e33be77c	Ermal	$oldusername = "";
219	73fa304b	Phil Davis	}
220	e33be77c	Ermal	/* make sure this user name is unique */
221			if (!$input_errors) {
222			foreach ($a_user as $userent) {
223			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
224			$input_errors[] = gettext("Another entry with the same username already exists.");
225			break;
226	58664cc9	Scott Ullrich	}
227	3dec33d4	Erik Fonnesbeck	}
228	e33be77c	Ermal	}
229			/* also make sure it is not reserved */
230			if (!$input_errors) {
231			$system_users = explode("\n", file_get_contents("/etc/passwd"));
232			foreach ($system_users as $s_user) {
233			$ent = explode(":", $s_user);
234			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
235			$input_errors[] = gettext("That username is reserved by the system.");
236			break;
237	8339ab6d	jim-p	}
238	7e4a4513	Scott Ullrich	}
239	e33be77c	Ermal	}
240	1df17ba9	Scott Ullrich
241	e33be77c	Ermal	/*
242	e30050b6	Phil Davis	* Check for a valid expiration date if one is set at all (valid means,
243	4d148b59	Yehuda Katz	* DateTime puts out a time stamp so any DateTime compatible time
244	e33be77c	Ermal	* format may be used. to keep it simple for the enduser, we only
245			* claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
246			* like "+1 day", which will be converted to MM/DD/YYYY based on "now".
247	e30050b6	Phil Davis	* Otherwise such an entry would lead to an invalid expiration data.
248	e33be77c	Ermal	*/
249	73fa304b	Phil Davis	if ($_POST['expires']) {
250	4d148b59	Yehuda Katz	try {
251			$expdate = new DateTime($_POST['expires']);
252			//convert from any DateTime compatible date to MM/DD/YYYY
253			$_POST['expires'] = $expdate->format("m/d/Y");
254	73fa304b	Phil Davis	} catch (Exception $ex) {
255	e33be77c	Ermal	$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
256	0092b3bd	mgrooms	}
257	e33be77c	Ermal	}
258	0092b3bd	mgrooms
259	e33be77c	Ermal	if (!empty($_POST['name'])) {
260			$ca = lookup_ca($_POST['caref']);
261	73fa304b	Phil Davis	if (!$ca) {
262	4c291f4c	Renato Botelho	$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
263	73fa304b	Phil Davis	}
264	e33be77c	Ermal	}
265	c9794c06	Ermal
266	e33be77c	Ermal	/* if this is an AJAX caller then handle via JSON */
267			if (isAjax() && is_array($input_errors)) {
268			input_errors2Ajax($input_errors);
269			exit;
270			}
271	408d0882	heper	echo "privid: ";
272			echo $_POST['privid'];
273	e33be77c	Ermal	if (!$input_errors) {
274	4ee51131	Sjon Hortensius	// This used to be a separate act=delpriv
275	408d0882	heper
276	4ee51131	Sjon Hortensius	if ($a_user[$id] && !empty($_POST['privid'])) {
277			foreach ($_POST['privid'] as $i)
278			unset($a_user[$id]['priv'][$i]);
279
280	98402844	Stephen Beaver	local_user_set($a_user[$id]);
281	4ee51131	Sjon Hortensius	write_config();
282			}
283
284	e33be77c	Ermal	conf_mount_rw();
285			$userent = array();
286	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
287	e33be77c	Ermal	$userent = $a_user[$id];
288	73fa304b	Phil Davis	}
289	e879fc81	Ermal
290	e33be77c	Ermal	isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
291
292			/* the user name was modified */
293	926e0a2f	Phil Davis	if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
294	e33be77c	Ermal	$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
295	fdcf104c	jim-p	local_user_del($userent);
296			}
297	1df17ba9	Scott Ullrich
298	e30050b6	Phil Davis	/* the user password was modified */
299	73fa304b	Phil Davis	if ($_POST['passwordfld1']) {
300	e33be77c	Ermal	local_user_set_password($userent, $_POST['passwordfld1']);
301	73fa304b	Phil Davis	}
302	1df17ba9	Scott Ullrich
303	e33be77c	Ermal	$userent['name'] = $_POST['usernamefld'];
304			$userent['descr'] = $_POST['descr'];
305			$userent['expires'] = $_POST['expires'];
306			$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
307			$userent['ipsecpsk'] = $_POST['ipsecpsk'];
308	3ccb9689	Charlie Marshall
309	73fa304b	Phil Davis	if ($_POST['disabled']) {
310	e33be77c	Ermal	$userent['disabled'] = true;
311	73fa304b	Phil Davis	} else {
312	e33be77c	Ermal	unset($userent['disabled']);
313	73fa304b	Phil Davis	}
314	e33be77c	Ermal
315	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
316	e33be77c	Ermal	$a_user[$id] = $userent;
317	73fa304b	Phil Davis	} else {
318	e33be77c	Ermal	if (!empty($_POST['name'])) {
319			$cert = array();
320			$cert['refid'] = uniqid();
321	4c291f4c	Renato Botelho	$userent['cert'] = array();
322	e33be77c	Ermal
323			$cert['descr'] = $_POST['name'];
324
325	4c291f4c	Renato Botelho	$subject = cert_get_subject_array($ca['crt']);
326	e33be77c	Ermal
327	4c291f4c	Renato Botelho	$dn = array(
328			'countryName' => $subject[0]['v'],
329			'stateOrProvinceName' => $subject[1]['v'],
330			'localityName' => $subject[2]['v'],
331			'organizationName' => $subject[3]['v'],
332			'emailAddress' => $subject[4]['v'],
333			'commonName' => $userent['name']);
334	e33be77c	Ermal
335			cert_create($cert, $_POST['caref'], $_POST['keylen'],
336			(int)$_POST['lifetime'], $dn);
337
338	73fa304b	Phil Davis	if (!is_array($config['cert'])) {
339	e33be77c	Ermal	$config['cert'] = array();
340	73fa304b	Phil Davis	}
341	e33be77c	Ermal	$config['cert'][] = $cert;
342			$userent['cert'][] = $cert['refid'];
343			}
344			$userent['uid'] = $config['system']['nextuid']++;
345			/* Add the user to All Users group. */
346			foreach ($config['system']['group'] as $gidx => $group) {
347			if ($group['name'] == "all") {
348	73fa304b	Phil Davis	if (!is_array($config['system']['group'][$gidx]['member'])) {
349	e33be77c	Ermal	$config['system']['group'][$gidx]['member'] = array();
350	73fa304b	Phil Davis	}
351	e33be77c	Ermal	$config['system']['group'][$gidx]['member'][] = $userent['uid'];
352			break;
353			}
354			}
355	970db70b	Scott Ullrich
356	e33be77c	Ermal	$a_user[] = $userent;
357	45ee90ed	Matthew Grooms	}
358	e33be77c	Ermal
359	900ce3b0	jim-p	/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
360			local_user_set_groups($userent,$_POST['groups']);
361	e33be77c	Ermal	local_user_set($userent);
362	900ce3b0	jim-p	/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
363	73fa304b	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
364	e33be77c	Ermal	write_config();
365
366	73fa304b	Phil Davis	if (is_dir("/etc/inc/privhooks")) {
367	e33be77c	Ermal	run_plugins("/etc/inc/privhooks");
368	73fa304b	Phil Davis	}
369	e33be77c	Ermal
370			conf_mount_ro();
371	3ccb9689	Charlie Marshall
372	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
373	45ee90ed	Matthew Grooms	}
374	e33be77c	Ermal	}
375	fab7ff44	Bill Marquette
376	7411c285	Stephen Beaver	function build_priv_table() {
377			global $a_user, $id;
378
379			$privhtml = '<div class="table-responsive">';
380			$privhtml .= '<table class="table table-striped table-hover table-condensed">';
381			$privhtml .= '<thead>';
382	7d2e572f	Stephen Beaver	$privhtml .= '<tr>';
383			$privhtml .= '<th>' . gettext('Inherited from') . '</th>';
384			$privhtml .= '<th>' . gettext('Name') . '</th>';
385			$privhtml .= '<th>' . gettext('Description') . '</th>';
386			$privhtml .= '</tr>';
387	7411c285	Stephen Beaver	$privhtml .= '</thead>';
388			$privhtml .= '<tbody>';
389
390			foreach (get_user_privdesc($a_user[$id]) as $i => $priv) {
391			$privhtml .= '<tr>';
392			$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
393			$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
394			$privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
395	408d0882	heper	$privhtml .= '<td><a class="fa fa-trash" title="'.gettext('Delete Privilege').'" id="delprivid' .$i. '"></a></td>';
396	7411c285	Stephen Beaver	$privhtml .= '</tr>';
397			}
398
399			$privhtml .= '</tbody>';
400			$privhtml .= '</table>';
401			$privhtml .= '</div>';
402
403			$privhtml .= '<nav class="action-buttons">';
404			$privhtml .= '<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success">' . gettext("Add") . '</a>';
405			$privhtml .= '</nav>';
406
407			return($privhtml);
408			}
409	98402844	Stephen Beaver
410	7411c285	Stephen Beaver	function build_cert_table() {
411			global $a_user, $id;
412
413			$certhtml = '<div class="table-responsive">';
414			$certhtml .= '<table class="table table-striped table-hover table-condensed">';
415			$certhtml .= '<thead>';
416	7d2e572f	Stephen Beaver	$certhtml .= '<tr>';
417			$certhtml .= '<th>' . gettext('Name') . '</th>';
418			$certhtml .= '<th>' . gettext('CA') . '</th>';
419	98402844	Stephen Beaver	$certhtml .= '<th></th>';
420	7d2e572f	Stephen Beaver	$certhtml .= '</tr>';
421	7411c285	Stephen Beaver	$certhtml .= '</thead>';
422			$certhtml .= '<tbody>';
423
424			$a_cert = $a_user[$id]['cert'];
425			if (is_array($a_cert)) {
426			$i = 0;
427			foreach ($a_cert as $certref) {
428	7d2e572f	Stephen Beaver	$cert = lookup_cert($certref);
429			$ca = lookup_ca($cert['caref']);
430			$revokedstr = is_cert_revoked($cert) ? '<b> Revoked</b>':'';
431
432	7411c285	Stephen Beaver	$certhtml .= '<tr>';
433	7d2e572f	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
434	7411c285	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($ca['descr']) . '</td>';
435	db676e5b	Stephen Beaver	$certhtml .= '<td>';
436	98402844	Stephen Beaver	$certhtml .= '<a id="delcert' . $i .'" class="btn btn-xs btn-warning" title="';
437			$certhtml .= gettext('Remove this certificate association? (Certificate will not be deleted)') . '">Delete</a>';
438	db676e5b	Stephen Beaver	$certhtml .= '</td>';
439	7411c285	Stephen Beaver	$certhtml .= '</tr>';
440	db676e5b	Stephen Beaver	$i++;
441	7411c285	Stephen Beaver	}
442	db676e5b	Stephen Beaver
443	7411c285	Stephen Beaver	}
444
445			$certhtml .= '</tbody>';
446			$certhtml .= '</table>';
447			$certhtml .= '</div>';
448
449			$certhtml .= '<nav class="action-buttons">';
450			$certhtml .= '<a href="system_certmanager.php?act=new&userid=' . $id . '" class="btn btn-success">' . gettext("Add") . '</a>';
451			$certhtml .= '</nav>';
452
453			return($certhtml);
454			}
455
456	9ef4289c	Colin Fleming	$closehead = false;
457	e33be77c	Ermal	include("head.inc");
458	fab7ff44	Bill Marquette
459	4ee51131	Sjon Hortensius	if ($input_errors)
460			print_input_errors($input_errors);
461	98402844	Stephen Beaver
462	4ee51131	Sjon Hortensius	if ($savemsg)
463	98402844	Stephen Beaver	print_info_box($savemsg, 'success');
464	4ee51131	Sjon Hortensius
465			$tab_array = array();
466			$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
467			$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
468			$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
469			$tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
470			display_top_tabs($tab_array);
471
472	7411c285	Stephen Beaver	if (!($act == "new" \|\| $act == "edit" \|\| $input_errors)) {
473	64600f94	Sjon Hortensius	?>
474	94404d94	Sander van Leeuwen
475			<div class="table-responsive">
476	7411c285	Stephen Beaver	<table class="table table-striped table-hover">
477			<thead>
478			<tr>
479			<th> </th>
480			<th><?=gettext("Username")?></th>
481			<th><?=gettext("Full name")?></th>
482			<th><?=gettext("Disabled")?></th>
483			<th><?=gettext("Groups")?></th>
484			</tr>
485			</thead>
486			<tbody>
487			</tbody>
488			<tbody>
489	a0165602	Sjon Hortensius	<?php
490			foreach($a_user as $i => $userent):
491			?>
492	7411c285	Stephen Beaver	<tr>
493			<td>
494			<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=($userent['scope'] == "system" ? 'disabled="disabled"' : '')?>/>
495			</td>
496			<td>
497	a0165602	Sjon Hortensius	<?php
498			if($userent['scope'] != "user")
499			$usrimg = 'eye-open';
500			else
501			$usrimg = 'user';
502			?>
503	7411c285	Stephen Beaver	<i class="icon icon-<?=$usrimg?>"></i>
504			<?=htmlspecialchars($userent['name'])?>
505			</td>
506			<td><?=htmlspecialchars($userent['descr'])?></td>
507			<td><?php if(isset($userent['disabled'])) echo "*"?></td>
508			<td><?=implode(",",local_user_get_groups($userent))?></td>
509			<td>
510	bb1b5c6f	heper	<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&userid=<?=$i?>"></a>
511	a0165602	Sjon Hortensius	<?php if($userent['scope'] != "system"): ?>
512	33f0b0d5	Stephen Beaver	<a class="fa fa-trash" title="<?=gettext("Delete user")?>" href="?act=deluser&userid=<?=$i?>&username=<?=$userent['name']?>"></a>
513	a0165602	Sjon Hortensius	<?php endif; ?>
514	7411c285	Stephen Beaver	</td>
515			</tr>
516	a0165602	Sjon Hortensius	<?php endforeach; ?>
517	7411c285	Stephen Beaver	</tbody>
518			</table>
519	94404d94	Sander van Leeuwen	</div>
520	c10cb196	Stephen Beaver	<nav class="action-buttons">
521	b921ab63	Stephen Beaver	<a href="?act=new" class="btn btn-success">
522	9d5a20cf	heper	<i class="fa fa-plus icon-embed-btn"></i>
523	b921ab63	Stephen Beaver	<?=gettext("Add")?>
524			</a>
525	94404d94	Sander van Leeuwen	</nav>
526	b921ab63	Stephen Beaver
527			<div id="infoblock">
528			<?=print_info_box(gettext("Additional users can be added here. User permissions for accessing " .
529	a0165602	Sjon Hortensius	"the webConfigurator can be assigned directly or inherited from group memberships. " .
530			"An icon that appears grey indicates that it is a system defined object. " .
531	b921ab63	Stephen Beaver	"Some system object properties can be modified but they cannot be deleted.") .
532			'<br /><br />' .
533			gettext("Accounts created here are also used for other parts of the system " .
534			"such as OpenVPN, IPsec, and Captive Portal."), info)?>
535			</div>
536
537	a0165602	Sjon Hortensius	<?php
538			include("foot.inc");
539			exit;
540			}
541	4ee51131	Sjon Hortensius
542	ad2879b8	PiBa-NL	require_once('classes/Form.class.php');
543	4ee51131	Sjon Hortensius	$form = new Form;
544
545	7411c285	Stephen Beaver	if ($act == "new" \|\| $act == "edit" \|\| $input_errors):
546	4ee51131	Sjon Hortensius
547	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
548			'act',
549			null,
550			'hidden',
551			''
552			));
553	4ee51131	Sjon Hortensius
554	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
555			'userid',
556			null,
557			'hidden',
558			isset($id) ? $id:''
559			));
560	4ee51131	Sjon Hortensius
561	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
562			'privid',
563			null,
564			'hidden',
565			''
566			));
567	4ee51131	Sjon Hortensius
568	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
569			'certid',
570			null,
571			'hidden',
572			''
573			));
574	4ee51131	Sjon Hortensius
575	7411c285	Stephen Beaver	$ro = "";
576			if ($pconfig['utype'] == "system") {
577			$ro = "readonly=\"readonly\"";
578			}
579	4ee51131	Sjon Hortensius
580	7411c285	Stephen Beaver	$section = new Form_Section('User Properties');
581	4ee51131	Sjon Hortensius
582	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
583			'Defined by',
584			strtoupper($pconfig['utype'])
585			));
586	4ee51131	Sjon Hortensius
587	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
588			'utype',
589			null,
590			'hidden',
591			$pconfig['utype']
592			));
593	4ee51131	Sjon Hortensius
594	7411c285	Stephen Beaver	$section->addInput(new Form_Checkbox(
595			'disabled',
596			'Disabled',
597			'This user cannot login',
598			$pconfig['disabled']
599			));
600	6b07c15a	Matthew Grooms
601	7411c285	Stephen Beaver	$section->addInput($input = new Form_Input(
602			'usernamefld',
603			'Username',
604			'text',
605			$pconfig['usernamefld']
606			));
607	61dec0b0	Renato Botelho
608	7411c285	Stephen Beaver	if ($ro)
609	1fe9cc38	Stephen Beaver	$input->setReadonly();
610	7411c285	Stephen Beaver
611			$form->addGlobal(new Form_Input(
612			'oldusername',
613	4ee51131	Sjon Hortensius	null,
614	7411c285	Stephen Beaver	'hidden',
615			$pconfig['usernamefld']
616	4ee51131	Sjon Hortensius	));
617	6b07c15a	Matthew Grooms
618	7411c285	Stephen Beaver	$group = new Form_Group('Password');
619			$group->add(new Form_Input(
620			'passwordfld1',
621			'Password',
622			'password'
623			));
624			$group->add(new Form_Input(
625			'passwordfld2',
626			'Confirm Password',
627			'password'
628			));
629
630			$section->add($group);
631
632			$section->addInput($input = new Form_Input(
633			'descr',
634			'Full name',
635			'text',
636			htmlspecialchars($pconfig['descr'])
637			))->setHelp('User\'s full name, for your own information only');
638
639			if ($ro)
640			$input->setDisabled();
641
642			$section->addInput(new Form_Input(
643			'expires',
644			'Expiration date',
645			'date',
646			$pconfig['expires']
647			))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
648			'the expiration date');
649
650			// ==== Group membership ==================================================
651			$group = new Form_Group('Group membership');
652
653	7d2e572f	Stephen Beaver	// Make a list of all the groups configured on the system, and a list of
654	7411c285	Stephen Beaver	// those which this user is a member of
655			$systemGroups = array();
656			$usersGroups = array();
657
658			$usergid = [$pconfig['usernamefld']];
659
660			foreach ($config['system']['group'] as $Ggroup) {
661	b4333696	Stephen Beaver	if($Ggroup['name'] != "all") {
662			if(($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member']))
663			$usersGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the user's list
664			else
665			$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
666			}
667	7411c285	Stephen Beaver	}
668
669			$group->add(new Form_Select(
670			'sysgroups',
671			null,
672			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
673			$systemGroups,
674			true
675			))->setHelp('Not member of');
676	6b07c15a	Matthew Grooms
677	7411c285	Stephen Beaver	$group->add(new Form_Select(
678			'groups',
679			null,
680			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
681			$usersGroups,
682			true
683			))->setHelp('Member of');
684
685			$section->add($group);
686
687			$group = new Form_Group('');
688
689			$group->add(new Form_Button(
690			'movetoenabled',
691			'Move to "Member of" list >'
692			))->removeClass('btn-primary')->addClass('btn-default btn-sm');
693
694			$group->add(new Form_Button(
695			'movetodisabled',
696			'< Move to "Not member of" list'
697			))->removeClass('btn-primary')->addClass('btn-default btn-sm');
698	4ee51131	Sjon Hortensius
699	7411c285	Stephen Beaver	$group->setHelp('Hold down CTRL (pc)/COMMAND (mac) key to select multiple items');
700			$section->add($group);
701	4ee51131	Sjon Hortensius
702	7411c285	Stephen Beaver	// ==== Button for adding user certificate ================================
703			if($act == 'new') {
704	4ee51131	Sjon Hortensius	$section->addInput(new Form_Checkbox(
705	7411c285	Stephen Beaver	'showcert',
706			'Certificate',
707			'Click to create a user certificate',
708			false
709	4ee51131	Sjon Hortensius	));
710	6b07c15a	Matthew Grooms	}
711
712	7411c285	Stephen Beaver	$form->add($section);
713	6b07c15a	Matthew Grooms
714	7411c285	Stephen Beaver	// ==== Effective privileges section ======================================
715			if (isset($pconfig['uid'])) {
716			// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
717			// is the best way to make the display we need.
718	6b07c15a	Matthew Grooms
719	7411c285	Stephen Beaver	$section = new Form_Section('Effective Privileges');
720	4ee51131	Sjon Hortensius
721	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
722			null,
723			build_priv_table()
724			));
725	4ee51131	Sjon Hortensius
726	7411c285	Stephen Beaver	$form->add($section);
727	4ee51131	Sjon Hortensius
728	7411c285	Stephen Beaver	// ==== Certificate table section =====================================
729			$section = new Form_Section('User certificates');
730
731			$section->addInput(new Form_StaticText(
732			null,
733			build_cert_table()
734			));
735	64600f94	Sjon Hortensius
736			$form->add($section);
737	c9794c06	Ermal	}
738	7411c285	Stephen Beaver	else;
739			$section = new Form_Section('User Certificates');
740
741			foreach ((array)$a_user[$id]['cert'] as $i => $certref) {
742			$cert = lookup_cert($certref);
743			$ca = lookup_ca($cert['caref']);
744
745			// We reverse name and action for readability of longer names
746			$section->addInput(new Form_Checkbox(
747			'certid[]',
748			'Delete certificate',
749			$cert['descr']. (is_cert_revoked($cert) ? ' <b>revoked</b>' : ''),
750			false,
751			$i
752			));
753			}
754
755			#FIXME; old ui supplied direct export links to each certificate
756	c9794c06	Ermal
757	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
758			null,
759			new Form_Button(null, 'add certificate', 'system_certmanager.php?act=new&userid='. $id).
760			new Form_Button(null, 'export certificates', 'system_certmanager.php')
761			));
762
763			// ==== Add user certificate for a new user
764			if (is_array($config['ca']) && count($config['ca']) > 0) {
765			$section = new Form_Section('Create certificate for user');
766			$section->addClass('cert-options');
767
768			$nonPrvCas = array();
769			foreach( $config['ca'] as $ca) {
770			if (!$ca['prv'])
771			continue;
772
773			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
774			}
775
776			if (!empty($nonPrvCas)) {
777			$section->addInput(new Form_Input(
778			'name',
779			'Descriptive name',
780			'text',
781			$pconfig['name']
782			));
783
784			$section->addInput(new Form_Select(
785			'caref',
786			'Certificate authority',
787			null,
788			$nonPrvCas
789			));
790
791			$section->addInput(new Form_Select(
792			'keylen',
793			'Key length',
794			2048,
795			array(
796			512 => '512 bits',
797			1024 => '1024 bits',
798			2048 => '2049 bits',
799			4096 => '4096 bits',
800			)
801			));
802
803			$section->addInput(new Form_Input(
804			'lifetime',
805			'Lifetime',
806			'number',
807			$pconfig['lifetime']
808			));
809			}
810
811			$form->add($section);
812			}
813
814			endif;
815			// ==== Paste a key for the new user
816	4ee51131	Sjon Hortensius	$section = new Form_Section('Keys');
817
818	35e0cd70	Stephen Beaver	$section->addInput(new Form_Checkbox(
819			'showkey',
820			'Authorized keys',
821			'Click to paste an authorized key',
822			false
823			));
824
825	4ee51131	Sjon Hortensius	$section->addInput(new Form_Textarea(
826			'authorizedkeys',
827	d1e73829	Stephen Beaver	'Authorized SSH Keys',
828	4ee51131	Sjon Hortensius	$pconfig['authorizedkeys']
829	d1e73829	Stephen Beaver	))->setHelp('Enter authorized SSH keys for this user');
830	4ee51131	Sjon Hortensius
831	35e0cd70	Stephen Beaver	$section->addInput(new Form_Input(
832	4ee51131	Sjon Hortensius	'ipsecpsk',
833			'IPsec Pre-Shared Key',
834			'text',
835			$pconfig['ipsecpsk']
836			));
837
838			$form->add($section);
839	7411c285	Stephen Beaver
840	a0165602	Sjon Hortensius	print $form;
841	7411c285	Stephen Beaver	?>
842			<script>
843			//<![CDATA[
844			events.push(function(){
845
846			// Select every option in the specified multiselect
847			function AllServers(id, selectAll) {
848			for (i = 0; i < id.length; i++) {
849			id.eq(i).prop('selected', selectAll);
850			}
851			}
852
853			// Move all selected options from one multiselect to another
854			function moveOptions(From, To) {
855			var len = From.length;
856			var option;
857
858	32b84ded	Stephen Beaver	if(len > 0) {
859	7411c285	Stephen Beaver	for(i=0; i<len; i++) {
860			if(From.eq(i).is(':selected')) {
861			option = From.eq(i).val();
862			To.append(new Option(option, option));
863			From.eq(i).remove();
864			}
865			}
866			}
867			}
868
869			// Make buttons plain buttons, not submit
870			$("#movetodisabled").prop('type','button');
871			$("#movetoenabled").prop('type','button');
872
873			// On click . .
874			$("#movetodisabled").click(function() {
875			moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
876			});
877
878			$("#movetoenabled").click(function() {
879			moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
880			});
881
882			$("#showcert").click(function() {
883			hideClass('cert-options', !this.checked);
884			});
885
886			$("#showkey").click(function() {
887	35e0cd70	Stephen Beaver	hideInput('authorizedkeys', false);
888			hideCheckbox('showkey', true);
889	7411c285	Stephen Beaver	});
890
891	98402844	Stephen Beaver	$('[id^=delcert]').click(function(event) {
892			if(confirm(event.target.title)) {
893			$('#certid').val(event.target.id.match(/\d+$/)[0]);
894			$('#userid').val('<?=$id;?>');
895			$('#act').val('delcert');
896			$('form').submit();
897			}
898			});
899	408d0882	heper	$('[id^=delprivid]').click(function(event) {
900			if(confirm(event.target.title)) {
901			$('#privid).val(event.target.id.match(/\d+$/)[0]);
902			$('#userid').val('<?=$id;?>');
903			$('#act').val('delprivid');
904			$('form').submit();
905			}
906			});
907
908	98402844	Stephen Beaver
909	eef93144	Jared Dillard	// ---------- On initial page load ------------------------------------------------------------
910
911			hideClass('cert-options', true);
912			//hideInput('authorizedkeys', true);
913	d1e73829	Stephen Beaver	hideCheckbox('showkey', true);
914	7411c285	Stephen Beaver
915			// On submit mark all the user's groups as "selected"
916			$('form').submit(function(){
917			AllServers($('[name="groups[]"] option'), true);
918			});
919			});
920			//]]>
921			</script>
922			<?php
923	4ee51131	Sjon Hortensius
924	bb1b5c6f	heper	include('foot.inc');

Project

General

Profile

pfSense