Project

General

Profile

Download (30.8 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
 * system_usermanager.php
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2018 Rubicon Communications, LLC (Netgate)
7
 * Copyright (c) 2008 Shrew Soft Inc.
8
 * Copyright (c) 2005 Paul Taylor <paultaylor@winn-dixie.com>
9
 * All rights reserved.
10
 *
11
 * originally based on m0n0wall (http://m0n0.ch/wall)
12
 * Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.
13
 * All rights reserved.
14
 *
15
 * Licensed under the Apache License, Version 2.0 (the "License");
16
 * you may not use this file except in compliance with the License.
17
 * You may obtain a copy of the License at
18
 *
19
 * http://www.apache.org/licenses/LICENSE-2.0
20
 *
21
 * Unless required by applicable law or agreed to in writing, software
22
 * distributed under the License is distributed on an "AS IS" BASIS,
23
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24
 * See the License for the specific language governing permissions and
25
 * limitations under the License.
26
 */
27

    
28
##|+PRIV
29
##|*IDENT=page-system-usermanager
30
##|*NAME=System: User Manager
31
##|*DESCR=Allow access to the 'System: User Manager' page.
32
##|*WARN=standard-warning-root
33
##|*MATCH=system_usermanager.php*
34
##|-PRIV
35

    
36
require_once("certs.inc");
37
require_once("guiconfig.inc");
38
require_once("pfsense-utils.inc");
39

    
40
// start admin user code
41
if (isset($_REQUEST['userid']) && is_numericint($_REQUEST['userid'])) {
42
	$id = $_REQUEST['userid'];
43
}
44

    
45
if (!isset($config['system']['user']) || !is_array($config['system']['user'])) {
46
	$config['system']['user'] = array();
47
}
48

    
49
$a_user = &$config['system']['user'];
50
$act = $_REQUEST['act'];
51

    
52
if (isset($_SERVER['HTTP_REFERER'])) {
53
	$referer = $_SERVER['HTTP_REFERER'];
54
} else {
55
	$referer = '/system_usermanager.php';
56
}
57

    
58
if (isset($id) && $a_user[$id]) {
59
	$pconfig['usernamefld'] = $a_user[$id]['name'];
60
	$pconfig['descr'] = $a_user[$id]['descr'];
61
	$pconfig['expires'] = $a_user[$id]['expires'];
62
	$pconfig['customsettings'] = isset($a_user[$id]['customsettings']);
63
	$pconfig['webguicss'] = $a_user[$id]['webguicss'];
64
	$pconfig['webguifixedmenu'] = $a_user[$id]['webguifixedmenu'];
65
	$pconfig['webguihostnamemenu'] = $a_user[$id]['webguihostnamemenu'];
66
	$pconfig['dashboardcolumns'] = $a_user[$id]['dashboardcolumns'];
67
	$pconfig['interfacessort'] = isset($a_user[$id]['interfacessort']);
68
	$pconfig['dashboardavailablewidgetspanel'] = isset($a_user[$id]['dashboardavailablewidgetspanel']);
69
	$pconfig['systemlogsfilterpanel'] = isset($a_user[$id]['systemlogsfilterpanel']);
70
	$pconfig['systemlogsmanagelogpanel'] = isset($a_user[$id]['systemlogsmanagelogpanel']);
71
	$pconfig['statusmonitoringsettingspanel'] = isset($a_user[$id]['statusmonitoringsettingspanel']);
72
	$pconfig['webguileftcolumnhyper'] = isset($a_user[$id]['webguileftcolumnhyper']);
73
	$pconfig['disablealiaspopupdetail'] = isset($a_user[$id]['disablealiaspopupdetail']);
74
	$pconfig['pagenamefirst'] = isset($a_user[$id]['pagenamefirst']);
75
	$pconfig['groups'] = local_user_get_groups($a_user[$id]);
76
	$pconfig['utype'] = $a_user[$id]['scope'];
77
	$pconfig['uid'] = $a_user[$id]['uid'];
78
	$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
79
	$pconfig['priv'] = $a_user[$id]['priv'];
80
	$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
81
	$pconfig['disabled'] = isset($a_user[$id]['disabled']);
82
}
83

    
84
if ($_POST['act'] == "deluser") {
85

    
86
	if (!isset($_POST['username']) || !isset($a_user[$id]) || ($_POST['username'] != $a_user[$id]['name'])) {
87
		pfSenseHeader("system_usermanager.php");
88
		exit;
89
	}
90

    
91
	if ($_POST['username'] == $_SESSION['Username']) {
92
		$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $_POST['username']);
93
	} else {
94
		local_user_del($a_user[$id]);
95
		$userdeleted = $a_user[$id]['name'];
96
		unset($a_user[$id]);
97
		/* Reindex the array to avoid operating on an incorrect index https://redmine.pfsense.org/issues/7733 */
98
		$a_user = array_values($a_user);
99
		write_config();
100
		$savemsg = sprintf(gettext("User %s successfully deleted."), $userdeleted);
101
	}
102

    
103
} else if ($act == "new") {
104
	/*
105
	 * set this value cause the text field is read only
106
	 * and the user should not be able to mess with this
107
	 * setting.
108
	 */
109
	$pconfig['utype'] = "user";
110
	$pconfig['lifetime'] = 3650;
111

    
112
	$nonPrvCas = array();
113
	if (is_array($config['ca']) && count($config['ca']) > 0) {
114
		foreach ($config['ca'] as $ca) {
115
			if (!$ca['prv']) {
116
				continue;
117
			}
118

    
119
			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
120
		}
121
	}
122

    
123
}
124

    
125
if (isset($_POST['dellall'])) {
126

    
127
	$del_users = $_POST['delete_check'];
128
	$deleted_users = "";
129
	$deleted_count = 0;
130
	$comma = "";
131

    
132
	if (!empty($del_users)) {
133
		foreach ($del_users as $userid) {
134
			if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
135
				if ($a_user[$userid]['name'] == $_SESSION['Username']) {
136
					$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $a_user[$userid]['name']);
137
				} else {
138
					$deleted_users = $deleted_users . $comma . $a_user[$userid]['name'];
139
					$comma = ", ";
140
					$deleted_count++;
141
					local_user_del($a_user[$userid]);
142
					unset($a_user[$userid]);
143
				}
144
			} else {
145
				$delete_errors[] = sprintf(gettext("Cannot delete user %s because it is a system user."), $a_user[$userid]['name']);
146
			}
147
		}
148

    
149
		if ($deleted_count > 0) {
150
			if ($deleted_count == 1) {
151
				$savemsg = sprintf(gettext("User %s successfully deleted."), $deleted_users);
152
			} else {
153
				$savemsg = sprintf(gettext("Users %s successfully deleted."), $deleted_users);
154
			}
155
			/* Reindex the array to avoid operating on an incorrect index https://redmine.pfsense.org/issues/7733 */
156
			$a_user = array_values($a_user);
157
			write_config($savemsg);
158
		}
159
	}
160
}
161

    
162
if ($_POST['act'] == "delcert") {
163

    
164
	if (!$a_user[$id]) {
165
		pfSenseHeader("system_usermanager.php");
166
		exit;
167
	}
168

    
169
	$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
170
	$certdeleted = $certdeleted['descr'];
171
	unset($a_user[$id]['cert'][$_POST['certid']]);
172
	write_config();
173
	$_POST['act'] = "edit";
174
	$savemsg = sprintf(gettext("Certificate %s association removed."), $certdeleted);
175
}
176

    
177
if ($_POST['act'] == "delprivid") {
178
	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
179
	unset($a_user[$id]['priv'][$_POST['privid']]);
180
	local_user_set($a_user[$id]);
181
	write_config();
182
	$_POST['act'] = "edit";
183
	$savemsg = sprintf(gettext("Privilege %s removed."), $privdeleted);
184
}
185

    
186
if ($_POST['save']) {
187
	unset($input_errors);
188
	$pconfig = $_POST;
189

    
190
	/* input validation */
191
	if (isset($id) && ($a_user[$id])) {
192
		$reqdfields = explode(" ", "usernamefld");
193
		$reqdfieldsn = array(gettext("Username"));
194
	} else {
195
		if (empty($_POST['name'])) {
196
			$reqdfields = explode(" ", "usernamefld passwordfld1");
197
			$reqdfieldsn = array(
198
				gettext("Username"),
199
				gettext("Password"));
200
		} else {
201
			$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
202
			$reqdfieldsn = array(
203
				gettext("Username"),
204
				gettext("Password"),
205
				gettext("Descriptive name"),
206
				gettext("Certificate authority"),
207
				gettext("Key length"),
208
				gettext("Lifetime"));
209
		}
210
	}
211

    
212
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
213

    
214
	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
215
		$input_errors[] = gettext("The username contains invalid characters.");
216
	}
217

    
218
	if (strlen($_POST['usernamefld']) > 32) {
219
		$input_errors[] = gettext("The username is longer than 32 characters.");
220
	}
221

    
222
	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
223
		$input_errors[] = gettext("The passwords do not match.");
224
	}
225

    
226
	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
227
		$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
228
	}
229

    
230
	/* Check the POSTed groups to ensure they are valid and exist */
231
	if (is_array($_POST['groups'])) {
232
		foreach ($_POST['groups'] as $newgroup) {
233
			if (empty(getGroupEntry($newgroup))) {
234
				$input_errors[] = gettext("One or more invalid groups was submitted.");
235
			}
236
		}
237
	}
238

    
239
	if (isset($id) && $a_user[$id]) {
240
		$oldusername = $a_user[$id]['name'];
241
	} else {
242
		$oldusername = "";
243
	}
244
	/* make sure this user name is unique */
245
	if (!$input_errors) {
246
		foreach ($a_user as $userent) {
247
			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
248
				$input_errors[] = gettext("Another entry with the same username already exists.");
249
				break;
250
			}
251
		}
252
	}
253
	/* also make sure it is not reserved */
254
	if (!$input_errors) {
255
		$system_users = explode("\n", file_get_contents("/etc/passwd"));
256
		foreach ($system_users as $s_user) {
257
			$ent = explode(":", $s_user);
258
			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
259
				$input_errors[] = gettext("That username is reserved by the system.");
260
				break;
261
			}
262
		}
263
	}
264

    
265
	/*
266
	 * Check for a valid expiration date if one is set at all (valid means,
267
	 * DateTime puts out a time stamp so any DateTime compatible time
268
	 * format may be used. to keep it simple for the enduser, we only
269
	 * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
270
	 * like "+1 day", which will be converted to MM/DD/YYYY based on "now".
271
	 * Otherwise such an entry would lead to an invalid expiration data.
272
	 */
273
	if ($_POST['expires']) {
274
		try {
275
			$expdate = new DateTime($_POST['expires']);
276
			//convert from any DateTime compatible date to MM/DD/YYYY
277
			$_POST['expires'] = $expdate->format("m/d/Y");
278
		} catch (Exception $ex) {
279
			$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
280
		}
281
	}
282

    
283
	if (!empty($_POST['name'])) {
284
		$ca = lookup_ca($_POST['caref']);
285
		if (!$ca) {
286
			$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
287
		}
288
	}
289

    
290
	if (!$input_errors) {
291

    
292
		$userent = array();
293
		if (isset($id) && $a_user[$id]) {
294
			$userent = $a_user[$id];
295
		}
296

    
297
		isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
298

    
299
		/* the user name was modified */
300
		if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
301
			$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
302
			local_user_del($userent);
303
		}
304

    
305
		/* the user password was modified */
306
		if ($_POST['passwordfld1']) {
307
			local_user_set_password($userent, $_POST['passwordfld1']);
308
		}
309

    
310
		/* only change description if sent */
311
		if (isset($_POST['descr'])) {
312
			$userent['descr'] = $_POST['descr'];
313
		}
314

    
315
		$userent['name'] = $_POST['usernamefld'];
316
		$userent['expires'] = $_POST['expires'];
317
		$userent['dashboardcolumns'] = $_POST['dashboardcolumns'];
318
		$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
319
		$userent['ipsecpsk'] = $_POST['ipsecpsk'];
320

    
321
		if ($_POST['disabled']) {
322
			$userent['disabled'] = true;
323
		} else {
324
			unset($userent['disabled']);
325
		}
326

    
327
		if ($_POST['customsettings']) {
328
			$userent['customsettings'] = true;
329
		} else {
330
			unset($userent['customsettings']);
331
		}
332

    
333
		if ($_POST['webguicss']) {
334
			$userent['webguicss'] = $_POST['webguicss'];
335
		} else {
336
			unset($userent['webguicss']);
337
		}
338

    
339
		if ($_POST['webguifixedmenu']) {
340
			$userent['webguifixedmenu'] = $_POST['webguifixedmenu'];
341
		} else {
342
			unset($userent['webguifixedmenu']);
343
		}
344

    
345
		if ($_POST['webguihostnamemenu']) {
346
			$userent['webguihostnamemenu'] = $_POST['webguihostnamemenu'];
347
		} else {
348
			unset($userent['webguihostnamemenu']);
349
		}
350

    
351
		if ($_POST['interfacessort']) {
352
			$userent['interfacessort'] = true;
353
		} else {
354
			unset($userent['interfacessort']);
355
		}
356

    
357
		if ($_POST['dashboardavailablewidgetspanel']) {
358
			$userent['dashboardavailablewidgetspanel'] = true;
359
		} else {
360
			unset($userent['dashboardavailablewidgetspanel']);
361
		}
362

    
363
		if ($_POST['systemlogsfilterpanel']) {
364
			$userent['systemlogsfilterpanel'] = true;
365
		} else {
366
			unset($userent['systemlogsfilterpanel']);
367
		}
368

    
369
		if ($_POST['systemlogsmanagelogpanel']) {
370
			$userent['systemlogsmanagelogpanel'] = true;
371
		} else {
372
			unset($userent['systemlogsmanagelogpanel']);
373
		}
374

    
375
		if ($_POST['statusmonitoringsettingspanel']) {
376
			$userent['statusmonitoringsettingspanel'] = true;
377
		} else {
378
			unset($userent['statusmonitoringsettingspanel']);
379
		}
380

    
381
		if ($_POST['webguileftcolumnhyper']) {
382
			$userent['webguileftcolumnhyper'] = true;
383
		} else {
384
			unset($userent['webguileftcolumnhyper']);
385
		}
386

    
387
		if ($_POST['disablealiaspopupdetail']) {
388
			$userent['disablealiaspopupdetail'] = true;
389
		} else {
390
			unset($userent['disablealiaspopupdetail']);
391
		}
392

    
393
		if ($_POST['pagenamefirst']) {
394
			$userent['pagenamefirst'] = true;
395
		} else {
396
			unset($userent['pagenamefirst']);
397
		}
398

    
399
		if (isset($id) && $a_user[$id]) {
400
			$a_user[$id] = $userent;
401
		} else {
402
			if (!empty($_POST['name'])) {
403
				$cert = array();
404
				$cert['refid'] = uniqid();
405
				$userent['cert'] = array();
406

    
407
				$cert['descr'] = $_POST['name'];
408

    
409
				$subject = cert_get_subject_array($ca['crt']);
410

    
411
				$dn = array(
412
					'countryName' => $subject[0]['v'],
413
					'stateOrProvinceName' => $subject[1]['v'],
414
					'localityName' => $subject[2]['v'],
415
					'organizationName' => $subject[3]['v'],
416
					'emailAddress' => $subject[4]['v'],
417
					'commonName' => $userent['name']);
418
				$cn_altname = cert_add_altname_type($userent['name']);
419
				if (!empty($cn_altname)) {
420
					$dn['subjectAltName'] = $cn_altname;
421
				}
422

    
423
				cert_create($cert, $_POST['caref'], $_POST['keylen'],
424
					(int)$_POST['lifetime'], $dn);
425

    
426
				if (!is_array($config['cert'])) {
427
					$config['cert'] = array();
428
				}
429
				$config['cert'][] = $cert;
430
				$userent['cert'][] = $cert['refid'];
431
			}
432
			$userent['uid'] = $config['system']['nextuid']++;
433
			/* Add the user to All Users group. */
434
			foreach ($config['system']['group'] as $gidx => $group) {
435
				if ($group['name'] == "all") {
436
					if (!is_array($config['system']['group'][$gidx]['member'])) {
437
						$config['system']['group'][$gidx]['member'] = array();
438
					}
439
					$config['system']['group'][$gidx]['member'][] = $userent['uid'];
440
					break;
441
				}
442
			}
443

    
444
			$a_user[] = $userent;
445
		}
446

    
447
		/* Sort it alphabetically */
448
		usort($config['system']['user'], function($a, $b) {
449
			return strcmp($a['name'], $b['name']);
450
		});
451

    
452
		/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
453
		local_user_set_groups($userent, $_POST['groups']);
454
		local_user_set($userent);
455
		/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
456
		local_user_set_groups($userent, $_POST['groups']);
457
		write_config();
458

    
459
		if (is_dir("/etc/inc/privhooks")) {
460
			run_plugins("/etc/inc/privhooks");
461
		}
462

    
463
		pfSenseHeader("system_usermanager.php");
464
	}
465
}
466

    
467
function build_priv_table() {
468
	global $a_user, $id;
469

    
470
	$privhtml = '<div class="table-responsive">';
471
	$privhtml .=	'<table class="table table-striped table-hover table-condensed">';
472
	$privhtml .=		'<thead>';
473
	$privhtml .=			'<tr>';
474
	$privhtml .=				'<th>' . gettext('Inherited from') . '</th>';
475
	$privhtml .=				'<th>' . gettext('Name') . '</th>';
476
	$privhtml .=				'<th>' . gettext('Description') . '</th>';
477
	$privhtml .=				'<th>' . gettext('Action') . '</th>';
478
	$privhtml .=			'</tr>';
479
	$privhtml .=		'</thead>';
480
	$privhtml .=		'<tbody>';
481

    
482
	$i = 0;
483
	$user_has_root_priv = false;
484

    
485
	foreach (get_user_privdesc($a_user[$id]) as $priv) {
486
		$group = false;
487
		if ($priv['group']) {
488
			$group = $priv['group'];
489
		}
490

    
491
		$privhtml .=		'<tr>';
492
		$privhtml .=			'<td>' . htmlspecialchars($priv['group']) . '</td>';
493
		$privhtml .=			'<td>' . htmlspecialchars($priv['name']) . '</td>';
494
		$privhtml .=			'<td>' . htmlspecialchars($priv['descr']);
495
		if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
496
			$privhtml .=			' ' . gettext('(admin privilege)');
497
			$user_has_root_priv = true;
498
		}
499
		$privhtml .=			'</td>';
500
		$privhtml .=			'<td>';
501
		if (!$group) {
502
			$privhtml .=			'<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
503
		}
504

    
505
		$privhtml .=			'</td>';
506
		$privhtml .=		'</tr>';
507

    
508
		if (!$group) {
509
			$i++;
510
		}
511
	}
512

    
513
	if ($user_has_root_priv) {
514
		$privhtml .=		'<tr>';
515
		$privhtml .=			'<td colspan="3">';
516
		$privhtml .=				'<b>' . gettext('Security notice: This user effectively has administrator-level access') . '</b>';
517
		$privhtml .=			'</td>';
518
		$privhtml .=			'<td>';
519
		$privhtml .=			'</td>';
520
		$privhtml .=		'</tr>';
521

    
522
	}
523

    
524
	$privhtml .=		'</tbody>';
525
	$privhtml .=	'</table>';
526
	$privhtml .= '</div>';
527

    
528
	$privhtml .= '<nav class="action-buttons">';
529
	$privhtml .=	'<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
530
	$privhtml .= '</nav>';
531

    
532
	return($privhtml);
533
}
534

    
535
function build_cert_table() {
536
	global $a_user, $id;
537

    
538
	$certhtml = '<div class="table-responsive">';
539
	$certhtml .=	'<table class="table table-striped table-hover table-condensed">';
540
	$certhtml .=		'<thead>';
541
	$certhtml .=			'<tr>';
542
	$certhtml .=				'<th>' . gettext('Name') . '</th>';
543
	$certhtml .=				'<th>' . gettext('CA') . '</th>';
544
	$certhtml .=				'<th></th>';
545
	$certhtml .=			'</tr>';
546
	$certhtml .=		'</thead>';
547
	$certhtml .=		'<tbody>';
548

    
549
	$a_cert = $a_user[$id]['cert'];
550
	if (is_array($a_cert)) {
551
		$i = 0;
552
		foreach ($a_cert as $certref) {
553
			$cert = lookup_cert($certref);
554
			$ca = lookup_ca($cert['caref']);
555
			$revokedstr =	is_cert_revoked($cert) ? '<b> Revoked</b>':'';
556

    
557
			$certhtml .=	'<tr>';
558
			$certhtml .=		'<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
559
			$certhtml .=		'<td>' . htmlspecialchars($ca['descr']) . '</td>';
560
			$certhtml .=		'<td>';
561
			$certhtml .=			'<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
562
			$certhtml .=			gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
563
			$certhtml .=		'</td>';
564
			$certhtml .=	'</tr>';
565
			$i++;
566
		}
567

    
568
	}
569

    
570
	$certhtml .=		'</tbody>';
571
	$certhtml .=	'</table>';
572
	$certhtml .= '</div>';
573

    
574
	$certhtml .= '<nav class="action-buttons">';
575
	$certhtml .=	'<a href="system_certmanager.php?act=new&amp;userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
576
	$certhtml .= '</nav>';
577

    
578
	return($certhtml);
579
}
580

    
581
$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
582
$pglinks = array("", "system_usermanager.php", "system_usermanager.php");
583

    
584
if ($act == "new" || $act == "edit" || $input_errors) {
585
	$pgtitle[] = gettext('Edit');
586
	$pglinks[] = "@self";
587
}
588

    
589
include("head.inc");
590

    
591
if ($delete_errors) {
592
	print_input_errors($delete_errors);
593
}
594

    
595
if ($input_errors) {
596
	print_input_errors($input_errors);
597
}
598

    
599
if ($savemsg) {
600
	print_info_box($savemsg, 'success');
601
}
602

    
603
$tab_array = array();
604
$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
605
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
606
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
607
$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
608
display_top_tabs($tab_array);
609

    
610
if (!($act == "new" || $act == "edit" || $input_errors)) {
611
?>
612
<form method="post">
613
<div class="panel panel-default">
614
	<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
615
	<div class="panel-body">
616
		<div class="table-responsive">
617
			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap table-rowdblclickedit" data-sortable>
618
				<thead>
619
					<tr>
620
						<th>&nbsp;</th>
621
						<th><?=gettext("Username")?></th>
622
						<th><?=gettext("Full name")?></th>
623
						<th><?=gettext("Status")?></th>
624
						<th><?=gettext("Groups")?></th>
625
						<th><?=gettext("Actions")?></th>
626
					</tr>
627
				</thead>
628
				<tbody>
629
<?php
630
foreach ($a_user as $i => $userent):
631
	?>
632
					<tr>
633
						<td>
634
							<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=((($userent['scope'] == "system") || ($userent['name'] == $_SESSION['Username'])) ? 'disabled' : '')?>/>
635
						</td>
636
						<td>
637
<?php
638
	if ($userent['scope'] != "user") {
639
		$usrimg = 'eye-open';
640
	} else {
641
		$usrimg = 'user';
642
	}
643
?>
644
							<i class="fa fa-<?=$usrimg?>"></i>
645
							<?=htmlspecialchars($userent['name'])?>
646
						</td>
647
						<td><?=htmlspecialchars($userent['descr'])?></td>
648
						<td><i class="fa fa-<?= (isset($userent['disabled'])) ? 'ban" title="' . gettext("Disabled") . '"' : 'check" title="' . gettext("Enabled") . '"' ; ?>><span style='display: none'><?= (isset($userent['disabled'])) ? gettext("Disabled") : gettext("Enabled") ; ?></span></i></td>
649
						<td><?=implode(",", local_user_get_groups($userent))?></td>
650
						<td>
651
							<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&amp;userid=<?=$i?>"></a>
652
<?php if (($userent['scope'] != "system") && ($userent['name'] != $_SESSION['Username'])): ?>
653
							<a class="fa fa-trash"	title="<?=gettext("Delete user")?>" href="?act=deluser&amp;userid=<?=$i?>&amp;username=<?=$userent['name']?>" usepost></a>
654
<?php endif; ?>
655
						</td>
656
					</tr>
657
<?php endforeach; ?>
658
				</tbody>
659
			</table>
660
		</div>
661
	</div>
662
</div>
663
<nav class="action-buttons">
664
	<a href="?act=new" class="btn btn-sm btn-success">
665
		<i class="fa fa-plus icon-embed-btn"></i>
666
		<?=gettext("Add")?>
667
	</a>
668

    
669
	<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
670
		<i class="fa fa-trash icon-embed-btn"></i>
671
		<?=gettext("Delete")?>
672
	</button>
673

    
674
</nav>
675
</form>
676
<div class="infoblock">
677
<?php
678
	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
679
		"the webConfigurator can be assigned directly or inherited from group memberships. " .
680
		"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
681
		'<p>' . gettext("Accounts added here are also used for other parts of the system " .
682
		"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
683
	);
684

    
685
?></div>
686

    
687
<?php
688
	include("foot.inc");
689
	exit;
690
}
691

    
692
$form = new Form;
693

    
694
if ($act == "new" || $act == "edit" || $input_errors):
695

    
696
	$form->addGlobal(new Form_Input(
697
		'act',
698
		null,
699
		'hidden',
700
		''
701
	));
702

    
703
	$form->addGlobal(new Form_Input(
704
		'userid',
705
		null,
706
		'hidden',
707
		isset($id) ? $id:''
708
	));
709

    
710
	$form->addGlobal(new Form_Input(
711
		'privid',
712
		null,
713
		'hidden',
714
		''
715
	));
716

    
717
	$form->addGlobal(new Form_Input(
718
		'certid',
719
		null,
720
		'hidden',
721
		''
722
	));
723

    
724
	$ro = "";
725
	if ($pconfig['utype'] == "system") {
726
		$ro = "readonly";
727
	}
728

    
729
	$section = new Form_Section('User Properties');
730

    
731
	$section->addInput(new Form_StaticText(
732
		'Defined by',
733
		strtoupper($pconfig['utype'])
734
	));
735

    
736
	$form->addGlobal(new Form_Input(
737
		'utype',
738
		null,
739
		'hidden',
740
		$pconfig['utype']
741
	));
742

    
743
	$section->addInput(new Form_Checkbox(
744
		'disabled',
745
		'Disabled',
746
		'This user cannot login',
747
		$pconfig['disabled']
748
	));
749

    
750
	$section->addInput($input = new Form_Input(
751
		'usernamefld',
752
		'*Username',
753
		'text',
754
		$pconfig['usernamefld']
755
	));
756

    
757
	if ($ro) {
758
		$input->setReadonly();
759
	}
760

    
761
	$form->addGlobal(new Form_Input(
762
		'oldusername',
763
		null,
764
		'hidden',
765
		$pconfig['usernamefld']
766
	));
767

    
768
	if ($act == "edit") {
769
		$pwd_required = "";
770
	} else {
771
		$pwd_required = "*";
772
	}
773

    
774
	$group = new Form_Group($pwd_required . 'Password');
775
	$group->add(new Form_Input(
776
		'passwordfld1',
777
		'Password',
778
		'password'
779
	));
780
	$group->add(new Form_Input(
781
		'passwordfld2',
782
		'Confirm Password',
783
		'password'
784
	));
785

    
786
	$section->add($group);
787

    
788
	$section->addInput($input = new Form_Input(
789
		'descr',
790
		'Full name',
791
		'text',
792
		htmlspecialchars($pconfig['descr'])
793
	))->setHelp('User\'s full name, for administrative information only');
794

    
795
	if ($ro) {
796
		$input->setDisabled();
797
	}
798

    
799
	$section->addInput(new Form_Input(
800
		'expires',
801
		'Expiration date',
802
		'text',
803
		$pconfig['expires']
804
	))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
805
		'the expiration date as MM/DD/YYYY');
806

    
807
	$section->addInput(new Form_Checkbox(
808
		'customsettings',
809
		'Custom Settings',
810
		'Use individual customized GUI options and dashboard layout for this user.',
811
		$pconfig['customsettings']
812
	));
813

    
814
	gen_user_settings_fields($section, $pconfig);
815

    
816
	// ==== Group membership ==================================================
817
	$group = new Form_Group('Group membership');
818

    
819
	// Make a list of all the groups configured on the system, and a list of
820
	// those which this user is a member of
821
	$systemGroups = array();
822
	$usersGroups = array();
823

    
824
	$usergid = [$pconfig['usernamefld']];
825

    
826
	foreach ($config['system']['group'] as $Ggroup) {
827
		if ($Ggroup['name'] != "all") {
828
			if (($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member'])) {
829
				$usersGroups[ $Ggroup['name'] ] = $Ggroup['name'];	// Add it to the user's list
830
			} else {
831
				$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
832
			}
833
		}
834
	}
835

    
836
	$group->add(new Form_Select(
837
		'sysgroups',
838
		null,
839
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
840
		$systemGroups,
841
		true
842
	))->setHelp('Not member of');
843

    
844
	$group->add(new Form_Select(
845
		'groups',
846
		null,
847
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
848
		$usersGroups,
849
		true
850
	))->setHelp('Member of');
851

    
852
	$section->add($group);
853

    
854
	$group = new Form_Group('');
855

    
856
	$group->add(new Form_Button(
857
		'movetoenabled',
858
		'Move to "Member of" list',
859
		null,
860
		'fa-angle-double-right'
861
	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
862

    
863
	$group->add(new Form_Button(
864
		'movetodisabled',
865
		'Move to "Not member of" list',
866
		null,
867
		'fa-angle-double-left'
868
	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
869

    
870
	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
871
	$section->add($group);
872

    
873
	// ==== Button for adding user certificate ================================
874
	if ($act == 'new') {
875
		if (count($nonPrvCas) > 0) {
876
			$section->addInput(new Form_Checkbox(
877
				'showcert',
878
				'Certificate',
879
				'Click to create a user certificate',
880
				false
881
			));
882
		} else {
883
			$section->addInput(new Form_StaticText(
884
				'Certificate',
885
				gettext('No private CAs found. A private CA is required to create a new user certificate. ' .
886
					'Save the user first to import an external certificate.')
887
			));
888
		}
889
	}
890

    
891
	$form->add($section);
892

    
893
	// ==== Effective privileges section ======================================
894
	if (isset($pconfig['uid'])) {
895
		// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
896
		// is the best way to make the display we need.
897

    
898
		$section = new Form_Section('Effective Privileges');
899

    
900
		$section->addInput(new Form_StaticText(
901
			null,
902
			build_priv_table()
903
		));
904

    
905
		$form->add($section);
906

    
907
		// ==== Certificate table section =====================================
908
		$section = new Form_Section('User Certificates');
909

    
910
		$section->addInput(new Form_StaticText(
911
			null,
912
			build_cert_table()
913
		));
914

    
915
		$form->add($section);
916
	}
917

    
918
	// ==== Add user certificate for a new user
919
	if (is_array($config['ca']) && count($config['ca']) > 0) {
920
		$section = new Form_Section('Create Certificate for User');
921
		$section->addClass('cert-options');
922

    
923
		if (!empty($nonPrvCas)) {
924
			$section->addInput(new Form_Input(
925
				'name',
926
				'Descriptive name',
927
				'text',
928
				$pconfig['name']
929
			));
930

    
931
			$section->addInput(new Form_Select(
932
				'caref',
933
				'Certificate authority',
934
				null,
935
				$nonPrvCas
936
			));
937

    
938
			$section->addInput(new Form_Select(
939
				'keylen',
940
				'Key length',
941
				2048,
942
				array(
943
					512 => '512 bits',
944
					1024 => '1024 bits',
945
					2048 => '2048 bits',
946
					3072 => '3072 bits',
947
					4096 => '4096 bits',
948
					7680 => '7680 bits',
949
					8192 => '8192 bits',
950
					15360 => '15360 bits',
951
					16384 => '16384 bits'
952
				)
953
			))->setHelp('The larger the key, the more security it offers, but larger keys take considerably more time to generate, ' .
954
				'and take slightly longer to validate leading to a slight slowdown in setting up new sessions (not always noticeable). ' .
955
				'As of 2016, 2048 bit is the minimum and most common selection and 4096 is the maximum in common use. ' .
956
				'For more information see %1$s.', '<a href="https://keylength.com">keylength.com</a>');
957

    
958
			$section->addInput(new Form_Input(
959
				'lifetime',
960
				'Lifetime',
961
				'number',
962
				$pconfig['lifetime']
963
			));
964
		}
965

    
966
		$form->add($section);
967
	}
968

    
969
endif;
970
// ==== Paste a key for the new user
971
$section = new Form_Section('Keys');
972

    
973
$section->addInput(new Form_Checkbox(
974
	'showkey',
975
	'Authorized keys',
976
	'Click to paste an authorized key',
977
	false
978
));
979

    
980
$section->addInput(new Form_Textarea(
981
	'authorizedkeys',
982
	'Authorized SSH Keys',
983
	$pconfig['authorizedkeys']
984
))->setHelp('Enter authorized SSH keys for this user');
985

    
986
$section->addInput(new Form_Input(
987
	'ipsecpsk',
988
	'IPsec Pre-Shared Key',
989
	'text',
990
	$pconfig['ipsecpsk']
991
));
992

    
993
$form->add($section);
994

    
995
print $form;
996

    
997
$csswarning = sprintf(gettext("%sUser-created themes are unsupported, use at your own risk."), "<br />");
998
?>
999
<script type="text/javascript">
1000
//<![CDATA[
1001
events.push(function() {
1002

    
1003
	function setcustomoptions() {
1004
		var adv = $('#customsettings').prop('checked');
1005

    
1006
		hideInput('webguicss', !adv);
1007
		hideInput('webguifixedmenu', !adv);
1008
		hideInput('webguihostnamemenu', !adv);
1009
		hideInput('dashboardcolumns', !adv);
1010
		hideCheckbox('interfacessort', !adv);
1011
		hideCheckbox('dashboardavailablewidgetspanel', !adv);
1012
		hideCheckbox('systemlogsfilterpanel', !adv);
1013
		hideCheckbox('systemlogsmanagelogpanel', !adv);
1014
		hideCheckbox('statusmonitoringsettingspanel', !adv);
1015
		hideCheckbox('webguileftcolumnhyper', !adv);
1016
		hideCheckbox('disablealiaspopupdetail', !adv);
1017
		hideCheckbox('pagenamefirst', !adv);
1018
	}
1019

    
1020
	// Handle displaying a warning message if a user-created theme is selected.
1021
	function setThemeWarning() {
1022
		if ($('#webguicss').val().startsWith("pfSense")) {
1023
			$('#csstxt').html("").addClass("text-default");
1024
		} else {
1025
			$('#csstxt').html("<?=$csswarning?>").addClass("text-danger");
1026
		}
1027
	}
1028

    
1029
	$('#webguicss').change(function() {
1030
		setThemeWarning();
1031
	});
1032

    
1033
	setThemeWarning();
1034

    
1035
	// On click . .
1036
	$('#customsettings').click(function () {
1037
		setcustomoptions();
1038
	});
1039

    
1040
	$("#movetodisabled").click(function() {
1041
		moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
1042
	});
1043

    
1044
	$("#movetoenabled").click(function() {
1045
		moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
1046
	});
1047

    
1048
	$("#showcert").click(function() {
1049
		hideClass('cert-options', !this.checked);
1050
	});
1051

    
1052
	$("#showkey").click(function() {
1053
		hideInput('authorizedkeys', false);
1054
		hideCheckbox('showkey', true);
1055
	});
1056

    
1057
	$('[id^=delcert]').click(function(event) {
1058
		if (confirm(event.target.title)) {
1059
			$('#certid').val(event.target.id.match(/\d+$/)[0]);
1060
			$('#userid').val('<?=$id;?>');
1061
			$('#act').val('delcert');
1062
			$('form').submit();
1063
		}
1064
	});
1065

    
1066
	$('[id^=delprivid]').click(function(event) {
1067
		if (confirm(event.target.title)) {
1068
			$('#privid').val(event.target.id.match(/\d+$/)[0]);
1069
			$('#userid').val('<?=$id;?>');
1070
			$('#act').val('delprivid');
1071
			$('form').submit();
1072
		}
1073
	});
1074

    
1075
	$('#expires').datepicker();
1076

    
1077
	// ---------- On initial page load ------------------------------------------------------------
1078

    
1079
	hideClass('cert-options', true);
1080
	//hideInput('authorizedkeys', true);
1081
	hideCheckbox('showkey', true);
1082
	setcustomoptions();
1083

    
1084
	// On submit mark all the user's groups as "selected"
1085
	$('form').submit(function() {
1086
		AllServers($('[name="groups[]"] option'), true);
1087
	});
1088

    
1089
});
1090
//]]>
1091
</script>
1092
<?php
1093
include('foot.inc');
1094
?>
(212-212/232)