Project

General

Profile

Download (24.7 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
	system_usermanager.php
4
*/
5
/* ====================================================================
6
 *	Copyright (c)  2004-2015  Electric Sheep Fencing, LLC. All rights reserved.
7
 *	Copyright (c)  2008 Shrew Soft Inc.
8
 *	Copyright (c)  2005 Paul Taylor <paultaylor@winn-dixie.com>
9
 *
10
 *	Some or all of this file is based on the m0n0wall project which is
11
 *	Copyright (c)  2004 Manuel Kasper (BSD 2 clause)
12
 *
13
 *	Redistribution and use in source and binary forms, with or without modification,
14
 *	are permitted provided that the following conditions are met:
15
 *
16
 *	1. Redistributions of source code must retain the above copyright notice,
17
 *		this list of conditions and the following disclaimer.
18
 *
19
 *	2. Redistributions in binary form must reproduce the above copyright
20
 *		notice, this list of conditions and the following disclaimer in
21
 *		the documentation and/or other materials provided with the
22
 *		distribution.
23
 *
24
 *	3. All advertising materials mentioning features or use of this software
25
 *		must display the following acknowledgment:
26
 *		"This product includes software developed by the pfSense Project
27
 *		 for use in the pfSense software distribution. (http://www.pfsense.org/).
28
 *
29
 *	4. The names "pfSense" and "pfSense Project" must not be used to
30
 *		 endorse or promote products derived from this software without
31
 *		 prior written permission. For written permission, please contact
32
 *		 coreteam@pfsense.org.
33
 *
34
 *	5. Products derived from this software may not be called "pfSense"
35
 *		nor may "pfSense" appear in their names without prior written
36
 *		permission of the Electric Sheep Fencing, LLC.
37
 *
38
 *	6. Redistributions of any form whatsoever must retain the following
39
 *		acknowledgment:
40
 *
41
 *	"This product includes software developed by the pfSense Project
42
 *	for use in the pfSense software distribution (http://www.pfsense.org/).
43
 *
44
 *	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
45
 *	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46
 *	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47
 *	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
48
 *	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49
 *	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50
 *	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51
 *	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52
 *	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53
 *	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54
 *	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55
 *	OF THE POSSIBILITY OF SUCH DAMAGE.
56
 *
57
 *	====================================================================
58
 *
59
 */
60

    
61
##|+PRIV
62
##|*IDENT=page-system-usermanager
63
##|*NAME=System: User Manager
64
##|*DESCR=Allow access to the 'System: User Manager' page.
65
##|*MATCH=system_usermanager.php*
66
##|-PRIV
67

    
68
require("certs.inc");
69
require("guiconfig.inc");
70

    
71
// start admin user code
72
if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
73
	$id = $_POST['userid'];
74
}
75

    
76
if (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
77
	$id = $_GET['userid'];
78
}
79

    
80
if (!isset($config['system']['user']) || !is_array($config['system']['user'])) {
81
	$config['system']['user'] = array();
82
}
83

    
84
$a_user = &$config['system']['user'];
85
$act = $_GET['act'];
86

    
87
if (isset($_SERVER['HTTP_REFERER'])) {
88
	$referer = $_SERVER['HTTP_REFERER'];
89
} else {
90
	$referer = '/system_usermanager.php';
91
}
92

    
93
if (isset($id) && $a_user[$id]) {
94
	$pconfig['usernamefld'] = $a_user[$id]['name'];
95
	$pconfig['descr'] = $a_user[$id]['descr'];
96
	$pconfig['expires'] = $a_user[$id]['expires'];
97
	$pconfig['groups'] = local_user_get_groups($a_user[$id]);
98
	$pconfig['utype'] = $a_user[$id]['scope'];
99
	$pconfig['uid'] = $a_user[$id]['uid'];
100
	$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
101
	$pconfig['priv'] = $a_user[$id]['priv'];
102
	$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
103
	$pconfig['disabled'] = isset($a_user[$id]['disabled']);
104
}
105

    
106
if ($_GET['act'] == "deluser") {
107

    
108
	if (!isset($_GET['username']) || !isset($a_user[$id]) || ($_GET['username'] != $a_user[$id]['name'])) {
109
		pfSenseHeader("system_usermanager.php");
110
		exit;
111
	}
112

    
113
	conf_mount_rw();
114
	local_user_del($a_user[$id]);
115
	conf_mount_ro();
116
	$userdeleted = $a_user[$id]['name'];
117
	unset($a_user[$id]);
118
	write_config();
119
	$savemsg = sprintf(gettext("User %s successfully deleted."), $userdeleted);
120
} else if ($act == "new") {
121
	/*
122
	 * set this value cause the text field is read only
123
	 * and the user should not be able to mess with this
124
	 * setting.
125
	 */
126
	$pconfig['utype'] = "user";
127
	$pconfig['lifetime'] = 3650;
128
}
129

    
130
if (isset($_POST['dellall'])) {
131

    
132
	$del_users = $_POST['delete_check'];
133

    
134
	if (!empty($del_users)) {
135
		foreach ($del_users as $userid) {
136
			if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
137
				conf_mount_rw();
138
				local_user_del($a_user[$userid]);
139
 			    conf_mount_ro();
140
				unset($a_user[$userid]);
141
			}
142
		}
143
		$savemsg = gettext("Selected users removed successfully.");
144
		write_config($savemsg);
145
	}
146
}
147

    
148
if ($_POST['act'] == "delcert") {
149

    
150
	if (!$a_user[$id]) {
151
		pfSenseHeader("system_usermanager.php");
152
		exit;
153
	}
154

    
155
	$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
156
	$certdeleted = $certdeleted['descr'];
157
	unset($a_user[$id]['cert'][$_POST['certid']]);
158
	write_config();
159
	$_POST['act'] = "edit";
160
	$savemsg = sprintf(gettext("Certificate %s association removed."), $certdeleted);
161
}
162

    
163
if ($_POST['act'] == "delprivid") {
164
	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
165
	unset($a_user[$id]['priv'][$_POST['privid']]);
166
	local_user_set($a_user[$id]);
167
	write_config();
168
	$_POST['act'] = "edit";
169
	$savemsg = sprintf(gettext("Privilege %s removed."), $privdeleted);
170
}
171

    
172
if ($_POST['save']) {
173
	unset($input_errors);
174
	$pconfig = $_POST;
175

    
176
	/* input validation */
177
	if (isset($id) && ($a_user[$id])) {
178
		$reqdfields = explode(" ", "usernamefld");
179
		$reqdfieldsn = array(gettext("Username"));
180
	} else {
181
		if (empty($_POST['name'])) {
182
			$reqdfields = explode(" ", "usernamefld passwordfld1");
183
			$reqdfieldsn = array(
184
				gettext("Username"),
185
				gettext("Password"));
186
		} else {
187
			$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
188
			$reqdfieldsn = array(
189
				gettext("Username"),
190
				gettext("Password"),
191
				gettext("Descriptive name"),
192
				gettext("Certificate authority"),
193
				gettext("Key length"),
194
				gettext("Lifetime"));
195
		}
196
	}
197

    
198
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
199

    
200
	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
201
		$input_errors[] = gettext("The username contains invalid characters.");
202
	}
203

    
204
	if (strlen($_POST['usernamefld']) > 16) {
205
		$input_errors[] = gettext("The username is longer than 16 characters.");
206
	}
207

    
208
	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
209
		$input_errors[] = gettext("The passwords do not match.");
210
	}
211

    
212
	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
213
		$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
214
	}
215

    
216
	if (isset($id) && $a_user[$id]) {
217
		$oldusername = $a_user[$id]['name'];
218
	} else {
219
		$oldusername = "";
220
	}
221
	/* make sure this user name is unique */
222
	if (!$input_errors) {
223
		foreach ($a_user as $userent) {
224
			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
225
				$input_errors[] = gettext("Another entry with the same username already exists.");
226
				break;
227
			}
228
		}
229
	}
230
	/* also make sure it is not reserved */
231
	if (!$input_errors) {
232
		$system_users = explode("\n", file_get_contents("/etc/passwd"));
233
		foreach ($system_users as $s_user) {
234
			$ent = explode(":", $s_user);
235
			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
236
				$input_errors[] = gettext("That username is reserved by the system.");
237
				break;
238
			}
239
		}
240
	}
241

    
242
	/*
243
	 * Check for a valid expiration date if one is set at all (valid means,
244
	 * DateTime puts out a time stamp so any DateTime compatible time
245
	 * format may be used. to keep it simple for the enduser, we only
246
	 * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
247
	 * like "+1 day", which will be converted to MM/DD/YYYY based on "now".
248
	 * Otherwise such an entry would lead to an invalid expiration data.
249
	 */
250
	if ($_POST['expires']) {
251
		try {
252
			$expdate = new DateTime($_POST['expires']);
253
			//convert from any DateTime compatible date to MM/DD/YYYY
254
			$_POST['expires'] = $expdate->format("m/d/Y");
255
		} catch (Exception $ex) {
256
			$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
257
		}
258
	}
259

    
260
	if (!empty($_POST['name'])) {
261
		$ca = lookup_ca($_POST['caref']);
262
		if (!$ca) {
263
			$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
264
		}
265
	}
266

    
267
	/* if this is an AJAX caller then handle via JSON */
268
	if (isAjax() && is_array($input_errors)) {
269
		input_errors2Ajax($input_errors);
270
		exit;
271
	}
272

    
273
	if (!$input_errors) {
274

    
275
		conf_mount_rw();
276
		$userent = array();
277
		if (isset($id) && $a_user[$id]) {
278
			$userent = $a_user[$id];
279
		}
280

    
281
		isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
282

    
283
		/* the user name was modified */
284
		if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
285
			$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
286
			local_user_del($userent);
287
		}
288

    
289
		/* the user password was modified */
290
		if ($_POST['passwordfld1']) {
291
			local_user_set_password($userent, $_POST['passwordfld1']);
292
		}
293

    
294
		/* only change description if sent */
295
		if (isset($_POST['descr'])) {
296
			$userent['descr'] = $_POST['descr'];
297
		}
298

    
299
		$userent['name'] = $_POST['usernamefld'];
300
		$userent['expires'] = $_POST['expires'];
301
		$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
302
		$userent['ipsecpsk'] = $_POST['ipsecpsk'];
303

    
304
		if ($_POST['disabled']) {
305
			$userent['disabled'] = true;
306
		} else {
307
			unset($userent['disabled']);
308
		}
309

    
310
		if (isset($id) && $a_user[$id]) {
311
			$a_user[$id] = $userent;
312
		} else {
313
			if (!empty($_POST['name'])) {
314
				$cert = array();
315
				$cert['refid'] = uniqid();
316
				$userent['cert'] = array();
317

    
318
				$cert['descr'] = $_POST['name'];
319

    
320
				$subject = cert_get_subject_array($ca['crt']);
321

    
322
				$dn = array(
323
					'countryName' => $subject[0]['v'],
324
					'stateOrProvinceName' => $subject[1]['v'],
325
					'localityName' => $subject[2]['v'],
326
					'organizationName' => $subject[3]['v'],
327
					'emailAddress' => $subject[4]['v'],
328
					'commonName' => $userent['name']);
329

    
330
				cert_create($cert, $_POST['caref'], $_POST['keylen'],
331
					(int)$_POST['lifetime'], $dn);
332

    
333
				if (!is_array($config['cert'])) {
334
					$config['cert'] = array();
335
				}
336
				$config['cert'][] = $cert;
337
				$userent['cert'][] = $cert['refid'];
338
			}
339
			$userent['uid'] = $config['system']['nextuid']++;
340
			/* Add the user to All Users group. */
341
			foreach ($config['system']['group'] as $gidx => $group) {
342
				if ($group['name'] == "all") {
343
					if (!is_array($config['system']['group'][$gidx]['member'])) {
344
						$config['system']['group'][$gidx]['member'] = array();
345
					}
346
					$config['system']['group'][$gidx]['member'][] = $userent['uid'];
347
					break;
348
				}
349
			}
350

    
351
			$a_user[] = $userent;
352
		}
353

    
354
		/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
355
		local_user_set_groups($userent, $_POST['groups']);
356
		local_user_set($userent);
357
		/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
358
		local_user_set_groups($userent, $_POST['groups']);
359
		write_config();
360

    
361
		if (is_dir("/etc/inc/privhooks")) {
362
			run_plugins("/etc/inc/privhooks");
363
		}
364

    
365
		conf_mount_ro();
366

    
367
		pfSenseHeader("system_usermanager.php");
368
	}
369
}
370

    
371
function build_priv_table() {
372
	global $a_user, $id;
373

    
374
	$privhtml = '<div class="table-responsive">';
375
	$privhtml .=	'<table class="table table-striped table-hover table-condensed">';
376
	$privhtml .=		'<thead>';
377
	$privhtml .=			'<tr>';
378
	$privhtml .=				'<th>' . gettext('Inherited from') . '</th>';
379
	$privhtml .=				'<th>' . gettext('Name') . '</th>';
380
	$privhtml .=				'<th>' . gettext('Description') . '</th>';
381
	$privhtml .=				'<th>' . gettext('Action') . '</th>';
382
	$privhtml .=			'</tr>';
383
	$privhtml .=		'</thead>';
384
	$privhtml .=		'<tbody>';
385

    
386
	$i = 0;
387

    
388
	foreach (get_user_privdesc($a_user[$id]) as $priv) {
389
		$group = false;
390
		if ($priv['group']) {
391
			$group = $priv['group'];
392
		}
393

    
394
		$privhtml .=		'<tr>';
395
		$privhtml .=			'<td>' . htmlspecialchars($priv['group']) . '</td>';
396
		$privhtml .=			'<td>' . htmlspecialchars($priv['name']) . '</td>';
397
		$privhtml .=			'<td>' . htmlspecialchars($priv['descr']) . '</td>';
398
		$privhtml .=			'<td>';
399
		if (!$group) {
400
			$privhtml .=			'<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
401
		}
402

    
403
		$privhtml .=			'</td>';
404
		$privhtml .=		'</tr>';
405

    
406
		if (!$group) {
407
			$i++;
408
		}
409
	}
410

    
411
	$privhtml .=		'</tbody>';
412
	$privhtml .=	'</table>';
413
	$privhtml .= '</div>';
414

    
415
	$privhtml .= '<nav class="action-buttons">';
416
	$privhtml .=	'<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success">' . gettext("Add") . '</a>';
417
	$privhtml .= '</nav>';
418

    
419
	return($privhtml);
420
}
421

    
422
function build_cert_table() {
423
	global $a_user, $id;
424

    
425
	$certhtml = '<div class="table-responsive">';
426
	$certhtml .=	'<table class="table table-striped table-hover table-condensed">';
427
	$certhtml .=		'<thead>';
428
	$certhtml .=			'<tr>';
429
	$certhtml .=				'<th>' . gettext('Name') . '</th>';
430
	$certhtml .=				'<th>' . gettext('CA') . '</th>';
431
	$certhtml .=				'<th></th>';
432
	$certhtml .=			'</tr>';
433
	$certhtml .=		'</thead>';
434
	$certhtml .=		'<tbody>';
435

    
436
	$a_cert = $a_user[$id]['cert'];
437
	if (is_array($a_cert)) {
438
		$i = 0;
439
		foreach ($a_cert as $certref) {
440
			$cert = lookup_cert($certref);
441
			$ca = lookup_ca($cert['caref']);
442
			$revokedstr =	is_cert_revoked($cert) ? '<b> Revoked</b>':'';
443

    
444
			$certhtml .=	'<tr>';
445
			$certhtml .=		'<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
446
			$certhtml .=		'<td>' . htmlspecialchars($ca['descr']) . '</td>';
447
			$certhtml .=		'<td>';
448
			$certhtml .=			'<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
449
			$certhtml .=			gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
450
			$certhtml .=		'</td>';
451
			$certhtml .=	'</tr>';
452
			$i++;
453
		}
454

    
455
	}
456

    
457
	$certhtml .=		'</tbody>';
458
	$certhtml .=	'</table>';
459
	$certhtml .= '</div>';
460

    
461
	$certhtml .= '<nav class="action-buttons">';
462
	$certhtml .=	'<a href="system_certmanager.php?act=new&amp;userid=' . $id . '" class="btn btn-success">' . gettext("Add") . '</a>';
463
	$certhtml .= '</nav>';
464

    
465
	return($certhtml);
466
}
467

    
468
$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
469

    
470
if ($act == "new" || $act == "edit" || $input_errors) {
471
	$pgtitle[] = gettext('Edit');
472
}
473
include("head.inc");
474

    
475
if ($input_errors) {
476
	print_input_errors($input_errors);
477
}
478

    
479
if ($savemsg) {
480
	print_info_box($savemsg, 'success');
481
}
482

    
483
$tab_array = array();
484
$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
485
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
486
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
487
$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
488
display_top_tabs($tab_array);
489

    
490
if (!($act == "new" || $act == "edit" || $input_errors)) {
491
?>
492
<form method="post">
493
<div class="panel panel-default">
494
	<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
495
	<div class="panel-body">
496
		<div class="table-responsive">
497
			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap" data-sortable>
498
				<thead>
499
					<tr>
500
						<th>&nbsp;</th>
501
						<th><?=gettext("Username")?></th>
502
						<th><?=gettext("Full name")?></th>
503
						<th><?=gettext("Disabled")?></th>
504
						<th><?=gettext("Groups")?></th>
505
						<th><?=gettext("Actions")?></th>
506
					</tr>
507
				</thead>
508
				<tbody>
509
<?php
510
foreach ($a_user as $i => $userent):
511
	?>
512
					<tr>
513
						<td>
514
							<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=($userent['scope'] == "system" ? 'disabled' : '')?>/>
515
						</td>
516
						<td>
517
<?php
518
	if ($userent['scope'] != "user") {
519
		$usrimg = 'eye-open';
520
	} else {
521
		$usrimg = 'user';
522
	}
523
?>
524
							<i class="fa fa-<?=$usrimg?>"></i>
525
							<?=htmlspecialchars($userent['name'])?>
526
						</td>
527
						<td><?=htmlspecialchars($userent['descr'])?></td>
528
						<td><?php if (isset($userent['disabled'])) echo "*"?></td>
529
						<td><?=implode(",", local_user_get_groups($userent))?></td>
530
						<td>
531
							<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&amp;userid=<?=$i?>"></a>
532
<?php if ($userent['scope'] != "system"): ?>
533
							<a class="fa fa-trash"	title="<?=gettext("Delete user")?>" href="?act=deluser&amp;userid=<?=$i?>&amp;username=<?=$userent['name']?>"></a>
534
<?php endif; ?>
535
						</td>
536
					</tr>
537
<?php endforeach; ?>
538
				</tbody>
539
			</table>
540
		</div>
541
	</div>
542
</div>
543
<nav class="action-buttons">
544
	<a href="?act=new" class="btn btn-sm btn-success">
545
		<i class="fa fa-plus icon-embed-btn"></i>
546
		<?=gettext("Add")?>
547
	</a>
548

    
549
	<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
550
		<i class="fa fa-trash icon-embed-btn"></i>
551
		<?=gettext("Delete")?>
552
	</button>
553
</nav>
554
</form>
555
<div class="infoblock">
556
<?php
557
	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
558
		"the webConfigurator can be assigned directly or inherited from group memberships. " .
559
		"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
560
		'<p>' . gettext("Accounts added here are also used for other parts of the system " .
561
		"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
562
	);
563
?></div><?php
564
	include("foot.inc");
565
	exit;
566
}
567

    
568
$form = new Form;
569

    
570
if ($act == "new" || $act == "edit" || $input_errors):
571

    
572
	$form->addGlobal(new Form_Input(
573
		'act',
574
		null,
575
		'hidden',
576
		''
577
	));
578

    
579
	$form->addGlobal(new Form_Input(
580
		'userid',
581
		null,
582
		'hidden',
583
		isset($id) ? $id:''
584
	));
585

    
586
	$form->addGlobal(new Form_Input(
587
		'privid',
588
		null,
589
		'hidden',
590
		''
591
	));
592

    
593
	$form->addGlobal(new Form_Input(
594
		'certid',
595
		null,
596
		'hidden',
597
		''
598
	));
599

    
600
	$ro = "";
601
	if ($pconfig['utype'] == "system") {
602
		$ro = "readonly";
603
	}
604

    
605
	$section = new Form_Section('User Properties');
606

    
607
	$section->addInput(new Form_StaticText(
608
		'Defined by',
609
		strtoupper($pconfig['utype'])
610
	));
611

    
612
	$form->addGlobal(new Form_Input(
613
		'utype',
614
		null,
615
		'hidden',
616
		$pconfig['utype']
617
	));
618

    
619
	$section->addInput(new Form_Checkbox(
620
		'disabled',
621
		'Disabled',
622
		'This user cannot login',
623
		$pconfig['disabled']
624
	));
625

    
626
	$section->addInput($input = new Form_Input(
627
		'usernamefld',
628
		'Username',
629
		'text',
630
		$pconfig['usernamefld']
631
	));
632

    
633
	if ($ro) {
634
		$input->setReadonly();
635
	}
636

    
637
	$form->addGlobal(new Form_Input(
638
		'oldusername',
639
		null,
640
		'hidden',
641
		$pconfig['usernamefld']
642
	));
643

    
644
	$group = new Form_Group('Password');
645
	$group->add(new Form_Input(
646
		'passwordfld1',
647
		'Password',
648
		'password'
649
	));
650
	$group->add(new Form_Input(
651
		'passwordfld2',
652
		'Confirm Password',
653
		'password'
654
	));
655

    
656
	$section->add($group);
657

    
658
	$section->addInput($input = new Form_Input(
659
		'descr',
660
		'Full name',
661
		'text',
662
		htmlspecialchars($pconfig['descr'])
663
	))->setHelp('User\'s full name, for your own information only');
664

    
665
	if ($ro) {
666
		$input->setDisabled();
667
	}
668

    
669
	$section->addInput(new Form_Input(
670
		'expires',
671
		'Expiration date',
672
		'date',
673
		$pconfig['expires']
674
	))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
675
		'the expiration date');
676

    
677
	// ==== Group membership ==================================================
678
	$group = new Form_Group('Group membership');
679

    
680
	// Make a list of all the groups configured on the system, and a list of
681
	// those which this user is a member of
682
	$systemGroups = array();
683
	$usersGroups = array();
684

    
685
	$usergid = [$pconfig['usernamefld']];
686

    
687
	foreach ($config['system']['group'] as $Ggroup) {
688
		if ($Ggroup['name'] != "all") {
689
			if (($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member'])) {
690
				$usersGroups[ $Ggroup['name'] ] = $Ggroup['name'];	// Add it to the user's list
691
			} else {
692
				$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
693
			}
694
		}
695
	}
696

    
697
	$group->add(new Form_Select(
698
		'sysgroups',
699
		null,
700
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
701
		$systemGroups,
702
		true
703
	))->setHelp('Not member of');
704

    
705
	$group->add(new Form_Select(
706
		'groups',
707
		null,
708
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
709
		$usersGroups,
710
		true
711
	))->setHelp('Member of');
712

    
713
	$section->add($group);
714

    
715
	$group = new Form_Group('');
716

    
717
	$group->add(new Form_Button(
718
		'movetoenabled',
719
		'Move to "Member of" list >'
720
	))->removeClass('btn-primary')->addClass('btn-default btn-sm');
721

    
722
	$group->add(new Form_Button(
723
		'movetodisabled',
724
		'< Move to "Not member of" list'
725
	))->removeClass('btn-primary')->addClass('btn-default btn-sm');
726

    
727
	$group->setHelp('Hold down CTRL (pc)/COMMAND (mac) key to select multiple items');
728
	$section->add($group);
729

    
730
	// ==== Button for adding user certificate ================================
731
	if ($act == 'new') {
732
		$section->addInput(new Form_Checkbox(
733
			'showcert',
734
			'Certificate',
735
			'Click to create a user certificate',
736
			false
737
		));
738
	}
739

    
740
	$form->add($section);
741

    
742
	// ==== Effective privileges section ======================================
743
	if (isset($pconfig['uid'])) {
744
		// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
745
		// is the best way to make the display we need.
746

    
747
		$section = new Form_Section('Effective Privileges');
748

    
749
		$section->addInput(new Form_StaticText(
750
			null,
751
			build_priv_table()
752
		));
753

    
754
		$form->add($section);
755

    
756
		// ==== Certificate table section =====================================
757
		$section = new Form_Section('User Certificates');
758

    
759
		$section->addInput(new Form_StaticText(
760
			null,
761
			build_cert_table()
762
		));
763

    
764
		$form->add($section);
765
	}
766

    
767
	// ==== Add user certificate for a new user
768
	if (is_array($config['ca']) && count($config['ca']) > 0) {
769
		$section = new Form_Section('Create Certificate for User');
770
		$section->addClass('cert-options');
771

    
772
		$nonPrvCas = array();
773
		foreach($config['ca'] as $ca) {
774
			if (!$ca['prv']) {
775
				continue;
776
			}
777

    
778
			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
779
		}
780

    
781
		if (!empty($nonPrvCas)) {
782
			$section->addInput(new Form_Input(
783
				'name',
784
				'Descriptive name',
785
				'text',
786
				$pconfig['name']
787
			));
788

    
789
			$section->addInput(new Form_Select(
790
				'caref',
791
				'Certificate authority',
792
				null,
793
				$nonPrvCas
794
			));
795

    
796
			$section->addInput(new Form_Select(
797
				'keylen',
798
				'Key length',
799
				2048,
800
				array(
801
					512 => '512 bits',
802
					1024 => '1024 bits',
803
					2048 => '2049 bits',
804
					4096 => '4096 bits',
805
				)
806
			));
807

    
808
			$section->addInput(new Form_Input(
809
				'lifetime',
810
				'Lifetime',
811
				'number',
812
				$pconfig['lifetime']
813
			));
814
		}
815

    
816
		$form->add($section);
817
	}
818

    
819
endif;
820
// ==== Paste a key for the new user
821
$section = new Form_Section('Keys');
822

    
823
$section->addInput(new Form_Checkbox(
824
	'showkey',
825
	'Authorized keys',
826
	'Click to paste an authorized key',
827
	false
828
));
829

    
830
$section->addInput(new Form_Textarea(
831
	'authorizedkeys',
832
	'Authorized SSH Keys',
833
	$pconfig['authorizedkeys']
834
))->setHelp('Enter authorized SSH keys for this user');
835

    
836
$section->addInput(new Form_Input(
837
	'ipsecpsk',
838
	'IPsec Pre-Shared Key',
839
	'text',
840
	$pconfig['ipsecpsk']
841
));
842

    
843
$form->add($section);
844

    
845
print $form;
846
?>
847
<script type="text/javascript">
848
//<![CDATA[
849
events.push(function() {
850

    
851
	// Make buttons plain buttons, not submit
852
	$("#movetodisabled").prop('type','button');
853
	$("#movetoenabled").prop('type','button');
854

    
855
	// On click . .
856
	$("#movetodisabled").click(function() {
857
		moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
858
	});
859

    
860
	$("#movetoenabled").click(function() {
861
		moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
862
	});
863

    
864
	$("#showcert").click(function() {
865
		hideClass('cert-options', !this.checked);
866
	});
867

    
868
	$("#showkey").click(function() {
869
		hideInput('authorizedkeys', false);
870
		hideCheckbox('showkey', true);
871
	});
872

    
873
	$('[id^=delcert]').click(function(event) {
874
		if (confirm(event.target.title)) {
875
			$('#certid').val(event.target.id.match(/\d+$/)[0]);
876
			$('#userid').val('<?=$id;?>');
877
			$('#act').val('delcert');
878
			$('form').submit();
879
		}
880
	});
881

    
882
	$('[id^=delprivid]').click(function(event) {
883
		if (confirm(event.target.title)) {
884
			$('#privid').val(event.target.id.match(/\d+$/)[0]);
885
			$('#userid').val('<?=$id;?>');
886
			$('#act').val('delprivid');
887
			$('form').submit();
888
		}
889
	});
890

    
891

    
892
	// ---------- On initial page load ------------------------------------------------------------
893

    
894
	hideClass('cert-options', true);
895
	//hideInput('authorizedkeys', true);
896
	hideCheckbox('showkey', true);
897

    
898
	// On submit mark all the user's groups as "selected"
899
	$('form').submit(function() {
900
		AllServers($('[name="groups[]"] option'), true);
901
	});
902
});
903
//]]>
904
</script>
905
<?php
906
include('foot.inc');
907
?>
(206-206/227)