Project

General

Profile

Download (26.2 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
	system_usermanager.php
4
*/
5
/* ====================================================================
6
 *	Copyright (c)  2004-2015  Electric Sheep Fencing, LLC. All rights reserved.
7
 *	Copyright (c)  2008 Shrew Soft Inc.
8
 *	Copyright (c)  2005 Paul Taylor <paultaylor@winn-dixie.com>
9
 *
10
 *	Some or all of this file is based on the m0n0wall project which is
11
 *	Copyright (c)  2004 Manuel Kasper (BSD 2 clause)
12
 *
13
 *	Redistribution and use in source and binary forms, with or without modification,
14
 *	are permitted provided that the following conditions are met:
15
 *
16
 *	1. Redistributions of source code must retain the above copyright notice,
17
 *		this list of conditions and the following disclaimer.
18
 *
19
 *	2. Redistributions in binary form must reproduce the above copyright
20
 *		notice, this list of conditions and the following disclaimer in
21
 *		the documentation and/or other materials provided with the
22
 *		distribution.
23
 *
24
 *	3. All advertising materials mentioning features or use of this software
25
 *		must display the following acknowledgment:
26
 *		"This product includes software developed by the pfSense Project
27
 *		 for use in the pfSense software distribution. (http://www.pfsense.org/).
28
 *
29
 *	4. The names "pfSense" and "pfSense Project" must not be used to
30
 *		 endorse or promote products derived from this software without
31
 *		 prior written permission. For written permission, please contact
32
 *		 coreteam@pfsense.org.
33
 *
34
 *	5. Products derived from this software may not be called "pfSense"
35
 *		nor may "pfSense" appear in their names without prior written
36
 *		permission of the Electric Sheep Fencing, LLC.
37
 *
38
 *	6. Redistributions of any form whatsoever must retain the following
39
 *		acknowledgment:
40
 *
41
 *	"This product includes software developed by the pfSense Project
42
 *	for use in the pfSense software distribution (http://www.pfsense.org/).
43
 *
44
 *	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
45
 *	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46
 *	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47
 *	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
48
 *	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49
 *	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50
 *	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51
 *	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52
 *	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53
 *	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54
 *	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55
 *	OF THE POSSIBILITY OF SUCH DAMAGE.
56
 *
57
 *	====================================================================
58
 *
59
 */
60

    
61
##|+PRIV
62
##|*IDENT=page-system-usermanager
63
##|*NAME=System: User Manager
64
##|*DESCR=Allow access to the 'System: User Manager' page.
65
##|*MATCH=system_usermanager.php*
66
##|-PRIV
67

    
68
require_once("certs.inc");
69
require_once("guiconfig.inc");
70

    
71
// start admin user code
72
if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
73
	$id = $_POST['userid'];
74
}
75

    
76
if (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
77
	$id = $_GET['userid'];
78
}
79

    
80
if (!isset($config['system']['user']) || !is_array($config['system']['user'])) {
81
	$config['system']['user'] = array();
82
}
83

    
84
$a_user = &$config['system']['user'];
85
$act = $_GET['act'];
86

    
87
if (isset($_SERVER['HTTP_REFERER'])) {
88
	$referer = $_SERVER['HTTP_REFERER'];
89
} else {
90
	$referer = '/system_usermanager.php';
91
}
92

    
93
if (isset($id) && $a_user[$id]) {
94
	$pconfig['usernamefld'] = $a_user[$id]['name'];
95
	$pconfig['descr'] = $a_user[$id]['descr'];
96
	$pconfig['expires'] = $a_user[$id]['expires'];
97
	$pconfig['groups'] = local_user_get_groups($a_user[$id]);
98
	$pconfig['utype'] = $a_user[$id]['scope'];
99
	$pconfig['uid'] = $a_user[$id]['uid'];
100
	$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
101
	$pconfig['priv'] = $a_user[$id]['priv'];
102
	$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
103
	$pconfig['disabled'] = isset($a_user[$id]['disabled']);
104
}
105

    
106
if ($_GET['act'] == "deluser") {
107

    
108
	if (!isset($_GET['username']) || !isset($a_user[$id]) || ($_GET['username'] != $a_user[$id]['name'])) {
109
		pfSenseHeader("system_usermanager.php");
110
		exit;
111
	}
112

    
113
	if ($_GET['username'] == $_SESSION['Username']) {
114
		$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $_GET['username']);
115
	} else {
116
		conf_mount_rw();
117
		local_user_del($a_user[$id]);
118
		conf_mount_ro();
119
		$userdeleted = $a_user[$id]['name'];
120
		unset($a_user[$id]);
121
		write_config();
122
		$savemsg = sprintf(gettext("User %s successfully deleted."), $userdeleted);
123
	}
124
} else if ($act == "new") {
125
	/*
126
	 * set this value cause the text field is read only
127
	 * and the user should not be able to mess with this
128
	 * setting.
129
	 */
130
	$pconfig['utype'] = "user";
131
	$pconfig['lifetime'] = 3650;
132
}
133

    
134
if (isset($_POST['dellall'])) {
135

    
136
	$del_users = $_POST['delete_check'];
137
	$deleted_users = "";
138
	$deleted_count = 0;
139
	$comma = "";
140

    
141
	if (!empty($del_users)) {
142
		foreach ($del_users as $userid) {
143
			if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
144
				if ($a_user[$userid]['name'] == $_SESSION['Username']) {
145
					$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $a_user[$userid]['name']);
146
				} else {
147
					conf_mount_rw();
148
					$deleted_users = $deleted_users . $comma . $a_user[$userid]['name'];
149
					$comma = ", ";
150
					$deleted_count++;
151
					local_user_del($a_user[$userid]);
152
					conf_mount_ro();
153
					unset($a_user[$userid]);
154
				}
155
			} else {
156
				$delete_errors[] = sprintf(gettext("Cannot delete user %s because it is a system user."), $a_user[$userid]['name']);
157
			}
158
		}
159

    
160
		if ($deleted_count > 0) {
161
			if ($deleted_count == 1) {
162
				$savemsg = sprintf(gettext("User %s successfully deleted."), $deleted_users);
163
			} else {
164
				$savemsg = sprintf(gettext("Users %s successfully deleted."), $deleted_users);
165
			}
166
			write_config($savemsg);
167
		}
168
	}
169
}
170

    
171
if ($_POST['act'] == "delcert") {
172

    
173
	if (!$a_user[$id]) {
174
		pfSenseHeader("system_usermanager.php");
175
		exit;
176
	}
177

    
178
	$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
179
	$certdeleted = $certdeleted['descr'];
180
	unset($a_user[$id]['cert'][$_POST['certid']]);
181
	write_config();
182
	$_POST['act'] = "edit";
183
	$savemsg = sprintf(gettext("Certificate %s association removed."), $certdeleted);
184
}
185

    
186
if ($_POST['act'] == "delprivid") {
187
	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
188
	unset($a_user[$id]['priv'][$_POST['privid']]);
189
	local_user_set($a_user[$id]);
190
	write_config();
191
	$_POST['act'] = "edit";
192
	$savemsg = sprintf(gettext("Privilege %s removed."), $privdeleted);
193
}
194

    
195
if ($_POST['save']) {
196
	unset($input_errors);
197
	$pconfig = $_POST;
198

    
199
	/* input validation */
200
	if (isset($id) && ($a_user[$id])) {
201
		$reqdfields = explode(" ", "usernamefld");
202
		$reqdfieldsn = array(gettext("Username"));
203
	} else {
204
		if (empty($_POST['name'])) {
205
			$reqdfields = explode(" ", "usernamefld passwordfld1");
206
			$reqdfieldsn = array(
207
				gettext("Username"),
208
				gettext("Password"));
209
		} else {
210
			$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
211
			$reqdfieldsn = array(
212
				gettext("Username"),
213
				gettext("Password"),
214
				gettext("Descriptive name"),
215
				gettext("Certificate authority"),
216
				gettext("Key length"),
217
				gettext("Lifetime"));
218
		}
219
	}
220

    
221
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
222

    
223
	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
224
		$input_errors[] = gettext("The username contains invalid characters.");
225
	}
226

    
227
	if (strlen($_POST['usernamefld']) > 16) {
228
		$input_errors[] = gettext("The username is longer than 16 characters.");
229
	}
230

    
231
	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
232
		$input_errors[] = gettext("The passwords do not match.");
233
	}
234

    
235
	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
236
		$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
237
	}
238

    
239
	/* Check the POSTed groups to ensure they are valid and exist */
240
	if(is_array($_POST['groups'])) {
241
		foreach ($_POST['groups'] as $newgroup) {
242
			if (empty(getGroupEntry($newgroup))) {
243
				$input_errors[] = gettext("One or more invalid groups was submitted.");
244
			}
245
		}
246
	}
247

    
248
	if (isset($id) && $a_user[$id]) {
249
		$oldusername = $a_user[$id]['name'];
250
	} else {
251
		$oldusername = "";
252
	}
253
	/* make sure this user name is unique */
254
	if (!$input_errors) {
255
		foreach ($a_user as $userent) {
256
			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
257
				$input_errors[] = gettext("Another entry with the same username already exists.");
258
				break;
259
			}
260
		}
261
	}
262
	/* also make sure it is not reserved */
263
	if (!$input_errors) {
264
		$system_users = explode("\n", file_get_contents("/etc/passwd"));
265
		foreach ($system_users as $s_user) {
266
			$ent = explode(":", $s_user);
267
			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
268
				$input_errors[] = gettext("That username is reserved by the system.");
269
				break;
270
			}
271
		}
272
	}
273

    
274
	/*
275
	 * Check for a valid expiration date if one is set at all (valid means,
276
	 * DateTime puts out a time stamp so any DateTime compatible time
277
	 * format may be used. to keep it simple for the enduser, we only
278
	 * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
279
	 * like "+1 day", which will be converted to MM/DD/YYYY based on "now".
280
	 * Otherwise such an entry would lead to an invalid expiration data.
281
	 */
282
	if ($_POST['expires']) {
283
		try {
284
			$expdate = new DateTime($_POST['expires']);
285
			//convert from any DateTime compatible date to MM/DD/YYYY
286
			$_POST['expires'] = $expdate->format("m/d/Y");
287
		} catch (Exception $ex) {
288
			$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
289
		}
290
	}
291

    
292
	if (!empty($_POST['name'])) {
293
		$ca = lookup_ca($_POST['caref']);
294
		if (!$ca) {
295
			$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
296
		}
297
	}
298

    
299
	/* if this is an AJAX caller then handle via JSON */
300
	if (isAjax() && is_array($input_errors)) {
301
		input_errors2Ajax($input_errors);
302
		exit;
303
	}
304

    
305
	if (!$input_errors) {
306

    
307
		conf_mount_rw();
308
		$userent = array();
309
		if (isset($id) && $a_user[$id]) {
310
			$userent = $a_user[$id];
311
		}
312

    
313
		isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
314

    
315
		/* the user name was modified */
316
		if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
317
			$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
318
			local_user_del($userent);
319
		}
320

    
321
		/* the user password was modified */
322
		if ($_POST['passwordfld1']) {
323
			local_user_set_password($userent, $_POST['passwordfld1']);
324
		}
325

    
326
		/* only change description if sent */
327
		if (isset($_POST['descr'])) {
328
			$userent['descr'] = $_POST['descr'];
329
		}
330

    
331
		$userent['name'] = $_POST['usernamefld'];
332
		$userent['expires'] = $_POST['expires'];
333
		$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
334
		$userent['ipsecpsk'] = $_POST['ipsecpsk'];
335

    
336
		if ($_POST['disabled']) {
337
			$userent['disabled'] = true;
338
		} else {
339
			unset($userent['disabled']);
340
		}
341

    
342
		if (isset($id) && $a_user[$id]) {
343
			$a_user[$id] = $userent;
344
		} else {
345
			if (!empty($_POST['name'])) {
346
				$cert = array();
347
				$cert['refid'] = uniqid();
348
				$userent['cert'] = array();
349

    
350
				$cert['descr'] = $_POST['name'];
351

    
352
				$subject = cert_get_subject_array($ca['crt']);
353

    
354
				$dn = array(
355
					'countryName' => $subject[0]['v'],
356
					'stateOrProvinceName' => $subject[1]['v'],
357
					'localityName' => $subject[2]['v'],
358
					'organizationName' => $subject[3]['v'],
359
					'emailAddress' => $subject[4]['v'],
360
					'commonName' => $userent['name']);
361

    
362
				cert_create($cert, $_POST['caref'], $_POST['keylen'],
363
					(int)$_POST['lifetime'], $dn);
364

    
365
				if (!is_array($config['cert'])) {
366
					$config['cert'] = array();
367
				}
368
				$config['cert'][] = $cert;
369
				$userent['cert'][] = $cert['refid'];
370
			}
371
			$userent['uid'] = $config['system']['nextuid']++;
372
			/* Add the user to All Users group. */
373
			foreach ($config['system']['group'] as $gidx => $group) {
374
				if ($group['name'] == "all") {
375
					if (!is_array($config['system']['group'][$gidx]['member'])) {
376
						$config['system']['group'][$gidx]['member'] = array();
377
					}
378
					$config['system']['group'][$gidx]['member'][] = $userent['uid'];
379
					break;
380
				}
381
			}
382

    
383
			$a_user[] = $userent;
384
		}
385

    
386
		/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
387
		local_user_set_groups($userent, $_POST['groups']);
388
		local_user_set($userent);
389
		/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
390
		local_user_set_groups($userent, $_POST['groups']);
391
		write_config();
392

    
393
		if (is_dir("/etc/inc/privhooks")) {
394
			run_plugins("/etc/inc/privhooks");
395
		}
396

    
397
		conf_mount_ro();
398

    
399
		pfSenseHeader("system_usermanager.php");
400
	}
401
}
402

    
403
function build_priv_table() {
404
	global $a_user, $id;
405

    
406
	$privhtml = '<div class="table-responsive">';
407
	$privhtml .=	'<table class="table table-striped table-hover table-condensed">';
408
	$privhtml .=		'<thead>';
409
	$privhtml .=			'<tr>';
410
	$privhtml .=				'<th>' . gettext('Inherited from') . '</th>';
411
	$privhtml .=				'<th>' . gettext('Name') . '</th>';
412
	$privhtml .=				'<th>' . gettext('Description') . '</th>';
413
	$privhtml .=				'<th>' . gettext('Action') . '</th>';
414
	$privhtml .=			'</tr>';
415
	$privhtml .=		'</thead>';
416
	$privhtml .=		'<tbody>';
417

    
418
	$i = 0;
419

    
420
	foreach (get_user_privdesc($a_user[$id]) as $priv) {
421
		$group = false;
422
		if ($priv['group']) {
423
			$group = $priv['group'];
424
		}
425

    
426
		$privhtml .=		'<tr>';
427
		$privhtml .=			'<td>' . htmlspecialchars($priv['group']) . '</td>';
428
		$privhtml .=			'<td>' . htmlspecialchars($priv['name']) . '</td>';
429
		$privhtml .=			'<td>' . htmlspecialchars($priv['descr']) . '</td>';
430
		$privhtml .=			'<td>';
431
		if (!$group) {
432
			$privhtml .=			'<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
433
		}
434

    
435
		$privhtml .=			'</td>';
436
		$privhtml .=		'</tr>';
437

    
438
		if (!$group) {
439
			$i++;
440
		}
441
	}
442

    
443
	$privhtml .=		'</tbody>';
444
	$privhtml .=	'</table>';
445
	$privhtml .= '</div>';
446

    
447
	$privhtml .= '<nav class="action-buttons">';
448
	$privhtml .=	'<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
449
	$privhtml .= '</nav>';
450

    
451
	return($privhtml);
452
}
453

    
454
function build_cert_table() {
455
	global $a_user, $id;
456

    
457
	$certhtml = '<div class="table-responsive">';
458
	$certhtml .=	'<table class="table table-striped table-hover table-condensed">';
459
	$certhtml .=		'<thead>';
460
	$certhtml .=			'<tr>';
461
	$certhtml .=				'<th>' . gettext('Name') . '</th>';
462
	$certhtml .=				'<th>' . gettext('CA') . '</th>';
463
	$certhtml .=				'<th></th>';
464
	$certhtml .=			'</tr>';
465
	$certhtml .=		'</thead>';
466
	$certhtml .=		'<tbody>';
467

    
468
	$a_cert = $a_user[$id]['cert'];
469
	if (is_array($a_cert)) {
470
		$i = 0;
471
		foreach ($a_cert as $certref) {
472
			$cert = lookup_cert($certref);
473
			$ca = lookup_ca($cert['caref']);
474
			$revokedstr =	is_cert_revoked($cert) ? '<b> Revoked</b>':'';
475

    
476
			$certhtml .=	'<tr>';
477
			$certhtml .=		'<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
478
			$certhtml .=		'<td>' . htmlspecialchars($ca['descr']) . '</td>';
479
			$certhtml .=		'<td>';
480
			$certhtml .=			'<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
481
			$certhtml .=			gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
482
			$certhtml .=		'</td>';
483
			$certhtml .=	'</tr>';
484
			$i++;
485
		}
486

    
487
	}
488

    
489
	$certhtml .=		'</tbody>';
490
	$certhtml .=	'</table>';
491
	$certhtml .= '</div>';
492

    
493
	$certhtml .= '<nav class="action-buttons">';
494
	$certhtml .=	'<a href="system_certmanager.php?act=new&amp;userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
495
	$certhtml .= '</nav>';
496

    
497
	return($certhtml);
498
}
499

    
500
$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
501

    
502
if ($act == "new" || $act == "edit" || $input_errors) {
503
	$pgtitle[] = gettext('Edit');
504
}
505
include("head.inc");
506

    
507
if ($delete_errors) {
508
	print_input_errors($delete_errors);
509
}
510

    
511
if ($input_errors) {
512
	print_input_errors($input_errors);
513
}
514

    
515
if ($savemsg) {
516
	print_info_box($savemsg, 'success');
517
}
518

    
519
$tab_array = array();
520
$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
521
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
522
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
523
$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
524
display_top_tabs($tab_array);
525

    
526
if (!($act == "new" || $act == "edit" || $input_errors)) {
527
?>
528
<form method="post">
529
<div class="panel panel-default">
530
	<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
531
	<div class="panel-body">
532
		<div class="table-responsive">
533
			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap" data-sortable>
534
				<thead>
535
					<tr>
536
						<th>&nbsp;</th>
537
						<th><?=gettext("Username")?></th>
538
						<th><?=gettext("Full name")?></th>
539
						<th><?=gettext("Disabled")?></th>
540
						<th><?=gettext("Groups")?></th>
541
						<th><?=gettext("Actions")?></th>
542
					</tr>
543
				</thead>
544
				<tbody>
545
<?php
546
foreach ($a_user as $i => $userent):
547
	?>
548
					<tr>
549
						<td>
550
							<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=((($userent['scope'] == "system") || ($userent['name'] == $_SESSION['Username'])) ? 'disabled' : '')?>/>
551
						</td>
552
						<td>
553
<?php
554
	if ($userent['scope'] != "user") {
555
		$usrimg = 'eye-open';
556
	} else {
557
		$usrimg = 'user';
558
	}
559
?>
560
							<i class="fa fa-<?=$usrimg?>"></i>
561
							<?=htmlspecialchars($userent['name'])?>
562
						</td>
563
						<td><?=htmlspecialchars($userent['descr'])?></td>
564
						<td><?php if (isset($userent['disabled'])) echo "*"?></td>
565
						<td><?=implode(",", local_user_get_groups($userent))?></td>
566
						<td>
567
							<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&amp;userid=<?=$i?>"></a>
568
<?php if (($userent['scope'] != "system") && ($userent['name'] != $_SESSION['Username'])): ?>
569
							<a class="fa fa-trash"	title="<?=gettext("Delete user")?>" href="?act=deluser&amp;userid=<?=$i?>&amp;username=<?=$userent['name']?>"></a>
570
<?php endif; ?>
571
						</td>
572
					</tr>
573
<?php endforeach; ?>
574
				</tbody>
575
			</table>
576
		</div>
577
	</div>
578
</div>
579
<nav class="action-buttons">
580
	<a href="?act=new" class="btn btn-sm btn-success">
581
		<i class="fa fa-plus icon-embed-btn"></i>
582
		<?=gettext("Add")?>
583
	</a>
584

    
585
	<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
586
		<i class="fa fa-trash icon-embed-btn"></i>
587
		<?=gettext("Delete")?>
588
	</button>
589
</nav>
590
</form>
591
<div class="infoblock">
592
<?php
593
	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
594
		"the webConfigurator can be assigned directly or inherited from group memberships. " .
595
		"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
596
		'<p>' . gettext("Accounts added here are also used for other parts of the system " .
597
		"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
598
	);
599
?></div><?php
600
	include("foot.inc");
601
	exit;
602
}
603

    
604
$form = new Form;
605

    
606
if ($act == "new" || $act == "edit" || $input_errors):
607

    
608
	$form->addGlobal(new Form_Input(
609
		'act',
610
		null,
611
		'hidden',
612
		''
613
	));
614

    
615
	$form->addGlobal(new Form_Input(
616
		'userid',
617
		null,
618
		'hidden',
619
		isset($id) ? $id:''
620
	));
621

    
622
	$form->addGlobal(new Form_Input(
623
		'privid',
624
		null,
625
		'hidden',
626
		''
627
	));
628

    
629
	$form->addGlobal(new Form_Input(
630
		'certid',
631
		null,
632
		'hidden',
633
		''
634
	));
635

    
636
	$ro = "";
637
	if ($pconfig['utype'] == "system") {
638
		$ro = "readonly";
639
	}
640

    
641
	$section = new Form_Section('User Properties');
642

    
643
	$section->addInput(new Form_StaticText(
644
		'Defined by',
645
		strtoupper($pconfig['utype'])
646
	));
647

    
648
	$form->addGlobal(new Form_Input(
649
		'utype',
650
		null,
651
		'hidden',
652
		$pconfig['utype']
653
	));
654

    
655
	$section->addInput(new Form_Checkbox(
656
		'disabled',
657
		'Disabled',
658
		'This user cannot login',
659
		$pconfig['disabled']
660
	));
661

    
662
	$section->addInput($input = new Form_Input(
663
		'usernamefld',
664
		'Username',
665
		'text',
666
		$pconfig['usernamefld']
667
	));
668

    
669
	if ($ro) {
670
		$input->setReadonly();
671
	}
672

    
673
	$form->addGlobal(new Form_Input(
674
		'oldusername',
675
		null,
676
		'hidden',
677
		$pconfig['usernamefld']
678
	));
679

    
680
	$group = new Form_Group('Password');
681
	$group->add(new Form_Input(
682
		'passwordfld1',
683
		'Password',
684
		'password'
685
	));
686
	$group->add(new Form_Input(
687
		'passwordfld2',
688
		'Confirm Password',
689
		'password'
690
	));
691

    
692
	$section->add($group);
693

    
694
	$section->addInput($input = new Form_Input(
695
		'descr',
696
		'Full name',
697
		'text',
698
		htmlspecialchars($pconfig['descr'])
699
	))->setHelp('User\'s full name, for administrative information only');
700

    
701
	if ($ro) {
702
		$input->setDisabled();
703
	}
704

    
705
	$section->addInput(new Form_Input(
706
		'expires',
707
		'Expiration date',
708
		'text',
709
		$pconfig['expires']
710
	))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
711
		'the expiration date');
712

    
713
	// ==== Group membership ==================================================
714
	$group = new Form_Group('Group membership');
715

    
716
	// Make a list of all the groups configured on the system, and a list of
717
	// those which this user is a member of
718
	$systemGroups = array();
719
	$usersGroups = array();
720

    
721
	$usergid = [$pconfig['usernamefld']];
722

    
723
	foreach ($config['system']['group'] as $Ggroup) {
724
		if ($Ggroup['name'] != "all") {
725
			if (($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member'])) {
726
				$usersGroups[ $Ggroup['name'] ] = $Ggroup['name'];	// Add it to the user's list
727
			} else {
728
				$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
729
			}
730
		}
731
	}
732

    
733
	$group->add(new Form_Select(
734
		'sysgroups',
735
		null,
736
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
737
		$systemGroups,
738
		true
739
	))->setHelp('Not member of');
740

    
741
	$group->add(new Form_Select(
742
		'groups',
743
		null,
744
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
745
		$usersGroups,
746
		true
747
	))->setHelp('Member of');
748

    
749
	$section->add($group);
750

    
751
	$group = new Form_Group('');
752

    
753
	$group->add(new Form_Button(
754
		'movetoenabled',
755
		'Move to "Member of" list',
756
		null,
757
		'fa-angle-double-right'
758
	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
759

    
760
	$group->add(new Form_Button(
761
		'movetodisabled',
762
		'Move to "Not member of" list',
763
		null,
764
		'fa-angle-double-left'
765
	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
766

    
767
	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
768
	$section->add($group);
769

    
770
	// ==== Button for adding user certificate ================================
771
	if ($act == 'new') {
772
		$section->addInput(new Form_Checkbox(
773
			'showcert',
774
			'Certificate',
775
			'Click to create a user certificate',
776
			false
777
		));
778
	}
779

    
780
	$form->add($section);
781

    
782
	// ==== Effective privileges section ======================================
783
	if (isset($pconfig['uid'])) {
784
		// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
785
		// is the best way to make the display we need.
786

    
787
		$section = new Form_Section('Effective Privileges');
788

    
789
		$section->addInput(new Form_StaticText(
790
			null,
791
			build_priv_table()
792
		));
793

    
794
		$form->add($section);
795

    
796
		// ==== Certificate table section =====================================
797
		$section = new Form_Section('User Certificates');
798

    
799
		$section->addInput(new Form_StaticText(
800
			null,
801
			build_cert_table()
802
		));
803

    
804
		$form->add($section);
805
	}
806

    
807
	// ==== Add user certificate for a new user
808
	if (is_array($config['ca']) && count($config['ca']) > 0) {
809
		$section = new Form_Section('Create Certificate for User');
810
		$section->addClass('cert-options');
811

    
812
		$nonPrvCas = array();
813
		foreach($config['ca'] as $ca) {
814
			if (!$ca['prv']) {
815
				continue;
816
			}
817

    
818
			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
819
		}
820

    
821
		if (!empty($nonPrvCas)) {
822
			$section->addInput(new Form_Input(
823
				'name',
824
				'Descriptive name',
825
				'text',
826
				$pconfig['name']
827
			));
828

    
829
			$section->addInput(new Form_Select(
830
				'caref',
831
				'Certificate authority',
832
				null,
833
				$nonPrvCas
834
			));
835

    
836
			$section->addInput(new Form_Select(
837
				'keylen',
838
				'Key length',
839
				2048,
840
				array(
841
					512 => '512 bits',
842
					1024 => '1024 bits',
843
					2048 => '2048 bits',
844
					4096 => '4096 bits',
845
				)
846
			));
847

    
848
			$section->addInput(new Form_Input(
849
				'lifetime',
850
				'Lifetime',
851
				'number',
852
				$pconfig['lifetime']
853
			));
854
		}
855

    
856
		$form->add($section);
857
	}
858

    
859
endif;
860
// ==== Paste a key for the new user
861
$section = new Form_Section('Keys');
862

    
863
$section->addInput(new Form_Checkbox(
864
	'showkey',
865
	'Authorized keys',
866
	'Click to paste an authorized key',
867
	false
868
));
869

    
870
$section->addInput(new Form_Textarea(
871
	'authorizedkeys',
872
	'Authorized SSH Keys',
873
	$pconfig['authorizedkeys']
874
))->setHelp('Enter authorized SSH keys for this user');
875

    
876
$section->addInput(new Form_Input(
877
	'ipsecpsk',
878
	'IPsec Pre-Shared Key',
879
	'text',
880
	$pconfig['ipsecpsk']
881
));
882

    
883
$form->add($section);
884

    
885
print $form;
886
?>
887
<script type="text/javascript">
888
//<![CDATA[
889
events.push(function() {
890

    
891
	// On click . .
892
	$("#movetodisabled").click(function() {
893
		moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
894
	});
895

    
896
	$("#movetoenabled").click(function() {
897
		moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
898
	});
899

    
900
	$("#showcert").click(function() {
901
		hideClass('cert-options', !this.checked);
902
	});
903

    
904
	$("#showkey").click(function() {
905
		hideInput('authorizedkeys', false);
906
		hideCheckbox('showkey', true);
907
	});
908

    
909
	$('[id^=delcert]').click(function(event) {
910
		if (confirm(event.target.title)) {
911
			$('#certid').val(event.target.id.match(/\d+$/)[0]);
912
			$('#userid').val('<?=$id;?>');
913
			$('#act').val('delcert');
914
			$('form').submit();
915
		}
916
	});
917

    
918
	$('[id^=delprivid]').click(function(event) {
919
		if (confirm(event.target.title)) {
920
			$('#privid').val(event.target.id.match(/\d+$/)[0]);
921
			$('#userid').val('<?=$id;?>');
922
			$('#act').val('delprivid');
923
			$('form').submit();
924
		}
925
	});
926

    
927
	$('#expires').datepicker();
928

    
929
	// ---------- On initial page load ------------------------------------------------------------
930

    
931
	hideClass('cert-options', true);
932
	//hideInput('authorizedkeys', true);
933
	hideCheckbox('showkey', true);
934

    
935
	// On submit mark all the user's groups as "selected"
936
	$('form').submit(function() {
937
		AllServers($('[name="groups[]"] option'), true);
938
	});
939
});
940
//]]>
941
</script>
942
<?php
943
include('foot.inc');
944
?>
(206-206/225)