<? /*
// File: init.inc.php
// Purpose: Authentication, Init sequence.
// Creation: 2001-10-29
// Author: Felix <hide@address.com>
*/
//
// Make sure that required PHP (php.ini) settings are on
// NOTE(review): this file is meant to be include()d by the web interface pages; every
// `return` below hands control back to the including script. `return false` is used
// after the login screen has been included, a string return carries an error message
// (presumably displayed or logged by the caller — confirm in the including script).
// Everything this file reads from the request ($HTTP_COOKIE_VARS, $HTTP_HOST,
// $REMOTE_ADDR, $failed, $skin, $lang, $cp, $url, $number, $user, $framed, $framename)
// arrives as a bare global, i.e. it relies on register_globals / the PHP 4 long arrays.
// Both checks below only echo a warning; they do not abort when the setting is off.
// magic_quotes_gpc is what protects the string-built query further down (see the
// SELECT on the cookie tag), so a missing setting leaves that query unescaped.
if ($cfg['httpd_mode'] == 'apache') {
if (!get_magic_quotes_gpc())
echo "<b>magic_quotes_gpc</b> must be set to <b>On</b>.<br>";
if (!ini_get("register_globals"))
echo "<b>register_globals</b> must be set to <b>On</b>.<br>";
}
// Set magic quotes runtime off (dont quote MySQL data)
set_magic_quotes_runtime(0);
// Ignore user abort, 60 seconds max allowed to a web interface script.
// NOTE(review): no time limit is set in this file, and ignore_user_abort() is called
// without an argument, which in PHP's documented signature only reads the current
// setting rather than enabling it — TODO confirm ignore_user_abort(1) was intended.
if ($cfg['httpd_mode'] == 'apache')
ignore_user_abort();
//
// Setup Database Connection
// NOTE(review): neither return value is checked; a failed connection is only noticed
// later when mysql_query() returns false and mysql_fetch_array() yields no row.
if ($cfg['httpd_mode'] == 'apache') {
mysql_connect($cfg['dbhost'], $cfg['dbuser'], $cfg['dbpass']);
mysql_select_db($cfg['dbname']);
}
//
// web://cp keeps track of users by setting a cookie
// The cookie value is the session token looked up in users.webcp_tag below.
$webcp_tag = $HTTP_COOKIE_VARS["webcp_tag"];
//
// Get currently used server name (name|ip) to generate cute(compatible) looking redirect header Location:
if ($cfg['ssl'])
$web_name = "https://";
else
$web_name = "http://";
// Unless $cfg['cookiesec'] is set, the host part comes from the client-supplied Host
// header ($HTTP_HOST); parse_url() only separates the host from anything appended to it.
// With cookiesec on, the configured $cfg['sysname'] is used instead.
if ($HTTP_HOST AND !$cfg['cookiesec']) {
$tmp = parse_url($web_name.$HTTP_HOST);
$web_name .= $tmp['host'];
}
else
$web_name .= $cfg['sysname'];
if ($cfg['port'])
$web_name .= ":".$cfg['port'];
//
// if web://cp cookie isn't set or it is a logout, die on login screen
// $failed is a global at this point (request variable or set by the including page);
// "logout" and "su" are the two values that force the login screen even with a valid cookie.
if (!$webcp_tag OR $failed == "logout" OR $failed == "su") {
include("login.inc.phps");
return false;
}
//
// if it exists, check its validity, check if the IP match records, check for Timeout & check for user suspension
else {
// Check for the validity of the unique ID sent by cookie against the database
unset($tmpdata);
// NOTE(review): the cookie value is concatenated straight into the SQL string; the only
// escaping it receives is magic_quotes_gpc (checked above, but not enforced). An explicit
// escape of $webcp_tag before building the query would remove that dependency.
$dbp = mysql_query("SELECT * FROM users WHERE webcp_tag='".$webcp_tag."'");
$tmpdata = mysql_fetch_array($dbp);
mysql_free_result($dbp);
// fail if the tag is not recognized
if (!$tmpdata) {
$failed = "invalidtag";
include("login.inc.phps");
return false;
}
// fail if the ID expired (Automated Unique ID timeout for security)
// Demo accounts never time out; users.timeout is compared as a unix timestamp.
if (time() > $tmpdata['timeout'] AND $tmpdata['type'] != "demo") {
$failed = "timeout";
include("login.inc.phps");
return false;
}
// fail if Remote user's IP is different than the IP recorded in DB (and not a demo user)
// This binds the session token to the address it was issued to; demo accounts are exempt.
if ($tmpdata['remote_addr'] != $REMOTE_ADDR AND $tmpdata['type'] != "demo") {
$failed = "remote_addr";
include("login.inc.phps");
return false;
}
// fail if user is suspended
if ($tmpdata['suspend'] == "true") {
$failed = "suspended";
include("login.inc.phps");
return false;
}
// fail if Remote user's IP is different than ip restriction (if on)
// NOTE(review): users.ip_restrict is used as an unescaped regex prefix, so a value such
// as "10.1" also matches "10x1..." and "10.10..."; the same construction is used for
// domains.ip_restrict below. Anchoring on a dot boundary (or comparing octets) would tighten it.
if ($tmpdata['ip_restrict'] AND !ereg("^".$tmpdata['ip_restrict'],$REMOTE_ADDR)) {
$failed = "ip_restrict";
include("login.inc.phps");
return false;
}
}
// Set Environment var: $userdata (contains info about the current user)
// fetchdata() is defined elsewhere; from its use here it returns an array row (or a
// non-array on miss) for the given table/key — confirm against its definition.
$userdata = fetchdata("*","user",$tmpdata['username']);
unset($tmpdata);
if (!is_array($userdata)) return('init.inc.phps :: ERROR! no $userdata');
// if backend is down, follow instructions
// The backend is considered down when the status tag file has not been touched for 90
// seconds. Only non-admin users ($userdata['level'] > 1) are locked out, and only when
// $cfg['preventoutagelogins'] is set; the admin is mailed each time this triggers.
// The '@' hides the warning when the status file does not exist (fileatime() then
// returns false, which compares as older than the cutoff).
if ((@fileatime($cfg['basedir'].$cfg['statustag']) < (time() - 90)) && ($cfg['preventoutagelogins']) && ($userdata['level'] > 1)) {
$failed = "backend";
$message = "A user attempted to login to web-cp at $web_name and the backend was reported as down.";
$subject = "web-cp backend down : $web_name";
mail($cfg['adminmail'],$subject,$message, "X-Priority: 1\nImportance: High\nFrom: <".$cfg['adminmail'].">\n");
include("login.inc.phps");
return false;
}
// if no $skin (layout), set user's preference:
// $skin comes from the request; the only sanitisation is removing "/" before the
// existence check. NOTE(review): ".." survives that filter — an allow-list of known
// skin directory names would be stricter than file_exists().
$skin = str_replace("/","",$skin);
if (!trim($skin) OR !file_exists("skin/".$skin)) {
if (file_exists("skin/".$userdata['skin']))
$skin = $userdata['skin'];
else
$skin = $cfg['defaultskin'];
}
// if no $lang (language), set user's preference:
// Same scheme as $skin: request value, then the user's stored preference, then the
// configured default; each must exist as lang/<name>.phps.
$lang = str_replace("/","",$lang);
if (!trim($lang) OR !file_exists("lang/".$lang.".phps")) {
$lang = $userdata['lang'];
if (!trim($lang) OR !file_exists("lang/".$lang.".phps"))
$lang = $cfg['defaultlang'];
}
// Get favorite panel page and go there if needed.
// users.favorites is stored as "cp:url:number:user"; it only applies when no $cp was
// requested. The values it supplies are validated by the same checks as request input below.
$tmp = explode(":",$userdata['favorites']);
if (!trim($cp) AND trim($userdata['favorites'])) {
$cp = $tmp[0];
$url = $tmp[1];
$number = $tmp[2];
$user = $tmp[3];
}
// Set default cp if it is not set already
// A panel name must be an existing directory (relative to the script's cwd) after "/" removal.
$cp = str_replace("/","",$cp);
if (!@is_dir($cp))
$cp = "personal";
// if no $url (current page), set default:
// The page must exist as <cp>/<url>.phps; otherwise each panel has its own landing page.
$url = str_replace("/","",$url);
if (!trim($url) OR !file_exists($cp."/".$url.".phps")) {
if ($cp == "personal")
$url = "userinfo";
elseif ($cp == "domain")
$url = "domaininfo";
elseif ($cp == "reseller")
$url = "siteadmin";
elseif ($cp == "server")
$url = "reselleradmin";
else
$url = "index";
}
// Check $number validity and reset it if it's not okay.
// $rx['num'] and $rx['user'] are regexes defined outside this file. Domain ids are
// expected to be at least 10 digits; anything else falls back to the current user's id,
// and a domain id that fetchdata() cannot find is reset the same way.
if (!ereg($rx['num'],$number) OR ($number < 1000000000 AND $cp == 'domain'))
$number = $userdata['id'];
if ($number AND $cp == 'domain') {
$tmp = fetchdata("id","domain",$number);
if (!$tmp)
$number = $userdata['id'];
}
// Check $user validity and reset it if it's not ok.
if (!ereg($rx['user'],$user))
$user = $userdata['username'];
// Verify user access level and Set $cp Environment var: $personaldata, $domaindata, $resellerdata
// (contains info about the current panel viewed)
// Level semantics as used here: a lower $userdata['level'] is more privileged
// (server needs < 2, reseller < 3, domain < 4, personal < 5).
// NOTE(review): the "else $failed = 'access'" branches have no break, so a denied
// request falls through into the next case's body (server -> reseller -> domain ->
// personal -> default) and still performs that case's fetchdata() calls and checks
// before the isset($failed) test below finally shows the login screen. The outcome is
// still a denial, but the extra lookups run with the caller's $number/$user.
switch($cp) {
case "tools":
break;
case "server":
if ($userdata['level'] < 2) {
break;
}
else
$failed = "access";
case "reseller":
if ($userdata['level'] < 3) {
$resellerdata = fetchdata("*","reseller",$number);
// A level-2 user may only view the reseller whose id matches the first five
// characters of their own id (the reseller id appears to be a prefix of user ids — confirm).
if (substr($userdata['id'], 0, 5) != $resellerdata['id'] AND $userdata['level'] == '2') {
$failed = "access";
break;
}
// NOTE(review): $userdata is guaranteed to be an array by the is_array() check above,
// so trim($userdata) is almost certainly not the intended test; the other cases check
// the fetched row with is_array() (presumably $resellerdata was meant here).
if (!trim($userdata))
return 'init.inc.phps :: ERROR! no $userdata';
break;
}
else
$failed = "access";
case "domain":
if ($userdata['level'] < 4) {
// fetch domain data and reseller name
$domaindata = fetchdata("*","domain",$number);
if ($domaindata['type'] != 'domain') {
// redirect to sub/pointer management page
// A sub-domain/pointer row is viewed through its parent: keep the requested id
// in $domid, switch $number to the parent (owner) and reload the parent's row.
$domid = $number;
$url = 'subpointer';
$number = $domaindata['owner'];
// reload parent domain's data
$domaindata = fetchdata("*","domain",$domaindata['owner']);
}
$resellerdata = fetchdata("name","reseller",$domaindata['id']);
if (!is_array($domaindata))
return 'init.inc.phps :: ERROR! no $domaindata';
if (!is_array($resellerdata))
return 'init.inc.phps :: ERROR! no $resellerdata';
if ($domaindata['type'] != 'domain')
return'init.inc.phps :: ERROR! type "domain" only';
// Verify user access validity.
// level 3: must own the domain; level 2: reseller prefix must match the domain's
// owner; levels above 3 (the final branch, since 3 and 2 are handled first) are
// subject to the domain's ip_restrict prefix regex (same caveat as the user check above).
// Level 1 is not checked here.
if ($userdata['level'] == 3) {
if ($userdata['id'] != $domaindata['id'])
$failed = "access";
}
elseif ($userdata['level'] == 2) {
if (substr($userdata['id'], 0, 5) != $domaindata['owner'])
$failed = "access";
}
elseif ($userdata['level'] > 2) {
if ($domaindata['ip_restrict'] AND !ereg("^".$domaindata['ip_restrict'],$REMOTE_ADDR))
$failed = "ip_restrict";
}
break;
}
else
$failed = "access";
case "personal":
if ($userdata['level'] < 5) {
// fetch user data and reseller name
$personaldata = fetchdata("*","user",$user);
$domaindata = fetchdata("host,domain","domain",$personaldata['id']);
$resellerdata = fetchdata("name","reseller",$personaldata['id']);
if (!is_array($personaldata))
return 'init.inc.phps :: ERROR! no $personaldata';
if (!is_array($resellerdata))
return 'init.inc.phps :: ERROR! no $resellerdata';
// Verify user access validity in cases of domain and reseller administrators.
// Nobody may view a user more privileged than themselves; level 4 may only view
// itself, level 3 only users with its own id, level 2 only users sharing its
// five-character reseller prefix. $domaindata is fetched but not checked here.
if ($userdata['level'] > $personaldata['level']) {
$failed = "access";
}
elseif ($userdata['level'] == 4) {
if($user != $userdata['username'])
$failed = "access";
}
elseif ($userdata['level'] == 3) {
if ($userdata['id'] != $personaldata['id'])
$failed = "access";
}
elseif ($userdata['level'] == 2) {
if (substr($userdata['id'], 0, 5) != substr($personaldata['id'], 0, 5))
$failed = "access";
}
$number = $personaldata['id'];
break;
}
else
$failed = "access";
default:
$failed = "access";
break;
}
// If any error happen, die displaying the login screen.
// isset() is true for any value, including one supplied by the request through
// register_globals; include() returns 1 unless login.inc.phps returns something itself.
if (isset($failed)) {
$rcode = include("login.inc.phps");
if ($rcode != 1)
return $rcode;
else
return false;
}
// Construct valid url for self contained FORMS
// $cp, $url, $number and $user have passed the checks above. $framed and $framename
// are taken from the request as-is and, like the other values, are not URL-encoded
// here — NOTE(review): escaping must happen where $current_url is emitted (attribute,
// header, or JS context).
$current_url = "./?cp=$cp&url=$url&number=$number";
if ($user) $current_url .= "&user=$user";
if ($framed) $current_url .= "&framed=$framed&framename=$framename";
?>