From 0d5609501a894f2a6206234571e3944aec5138b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois?= Date: Tue, 8 Mar 2022 18:06:41 +0100 Subject: [PATCH] add admin --- src/Jirafeau/a.php | 312 ++++++++++++++++++++++++--------------------- 1 file changed, 167 insertions(+), 145 deletions(-) diff --git a/src/Jirafeau/a.php b/src/Jirafeau/a.php index b049e04..879c6d8 100644 --- a/src/Jirafeau/a.php +++ b/src/Jirafeau/a.php @@ -27,7 +27,11 @@ define ('VAR_TOKENS', $cfg ['var_root'].'tokens/'); define ('VAR_TRACKS', $cfg ['var_root'].'tracks/'); define ('VAR_PERIOD', $cfg ['var_root'].'period/'); define ('VAR_FAKE', $cfg ['var_root'].'fake/'); -define ('VAR_PRIVATE', $cfg ['var_root'].'private/'); +define ('VAR_ADMIN', $cfg ['var_root'].'admin/'); + +$domain="kaz.local"; +if (preg_match ("%^.*//([^/]*)/?.*$%", $cfg ['web_root'], $matches)) + $domain = $matches [1]; define ('MAX_VALID_UPLOAD_TIME', 60); define ('TOKEN_USE_LIMIT', "-2 hours"); @@ -46,7 +50,7 @@ define ('M_TOO_LONG_LOGGED', "Temps de connexion dépassé."); define ('M_EMAIL_CONTENT', "Bonjour,
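Review bot: The `$domain` extraction in the `@@ -27,7 +27,11` hunk captures everything between `//` and the next `/`, so a `web_root` carrying a port or userinfo (for example `https://host:8443/`) yields `host:8443`, which then lands in the From address built in the `sendEMail` hunk (`'no-reply@'.$domain`) and in `M_EMAIL_SUBJECT`. Because `^.*//` is greedy, the pattern also latches onto the last `//` in the string, so a path containing a double slash would be captured instead of the host. `parse_url` does this without a hand-written pattern: `$host = parse_url ($cfg ['web_root'], PHP_URL_HOST); if ($host) $domain = $host;`, keeping `"kaz.local"` as the fallback.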

Ceci est un message automatique, car vous venez de cliquer sur une demande de consultation de vos pièces jointes.

!!! Si vous n'êtes pas à l'origine de cette demande, ne cliquez sur aucun lien de ce message. !!!

Le lien de connexion suivant est valable 15 minutes.
___LINK___

Vous pouvez signaler des abus auprès de Kaz en faisant suivre ce message qui contient les traces de son émetteur (___IP___, ___DATE___).

Bonne navigation.
."); define ('M_DOWNLOAD', "Télécharger"); define ('M_UPDATE', "Prolonger"); -define ('M_EMAIL_SUBJECT', "Lien de consultation des envois de pièces jointes."); +define ('M_EMAIL_SUBJECT', "Lien de consultation des envois sur ".$domain."."); define ('M_FILE', " fichier."); define ('M_FILES', " fichiers."); define ('M_FILES_NOT_FOUND', " fichiers sont expirés."); @@ -64,7 +68,7 @@ define ('M_LOGOUT', 'Deconnecter'); define ('M_REFRESH', 'Actualiser'); define ('M_LOGOUT_TOKEN', "Vous n'êtes plus connecté."); define ('M_SEND_TOKEN', "

Vous allez recevoir un lien d'accès temporaire à vos données.

"); -define ('M_WELCOME', "

Informations concernant le compte : ___SENDER___
(page actualisée à ___DATE___)

"); +define ('M_WELCOME', "

Informations concernant le compte : ___SENDER______ADMIN___
(page actualisée à ___DATE___)

"); define ('M_INCONSISTENT_DATES', " (dates incohéantes avec ___FILENAME___ : ___DIRTIME___ != ___FILETIME___)"); @@ -126,7 +130,7 @@ if (isset ($_REQUEST [A_RECORD]) && !empty ($_REQUEST [A_RECORD])) { if (!preg_match ("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/i", $_REQUEST [A_RECORD])) $content = false.NL; else - $content = getSenderTrack ($_REQUEST [A_RECORD]).NL; + $content = isSenderTrack ($_REQUEST [A_RECORD]).NL; header ('HTTP/1.0 200 OK'); header ('Content-Length: ' . strlen ($content)); header ('Content-Type: text/plain'); @@ -185,7 +189,7 @@ function rmSenderTrack ($sender) { if (file_exists (VAR_TRACKS.$sender)) unlink (VAR_TRACKS.$sender); } -function getSenderTrack ($sender) { +function isSenderTrack ($sender) { return $sender && file_exists (VAR_TRACKS.$sender); } @@ -211,7 +215,6 @@ function getSenderPeriod ($sender) { return trim (file (VAR_PERIOD.$sender)[0]); return DEFAULT_PERIOD; } - function period2seconds ($periodName) { if (!$periodName) return JIRAFEAU_MONTH; @@ -326,12 +329,13 @@ function readArchiveFromLines ($lines) { $archive [T_SIGN] = $matches [1]; break; default: - global $message; - $message .= "
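Review bot: `M_WELCOME` in the `@@ -64,7 +68,7` hunk now carries a second placeholder glued to the first (`___SENDER______ADMIN___`), and nothing on the template says what each token expands to or that callers must replace all three. A caller outside this patch that still replaces only `___SENDER___` and `___DATE___` would print the literal `___ADMIN___` on the page; I can only see the two echo sites that were updated, so this is worth a grep. A one-line comment above the define would pin the contract: `// placeholders: ___SENDER___ (validated e-mail), ___ADMIN___ (" (admin)" or ""), ___DATE___ (display time)`.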

error:".$line."

"; $error = true; break; } } + global $message, $admin; + if ($error && $admin) + $message .= "readArchiveFromLines
".print_r ($lines, true)."
"; return $error ? [] : $archive; } @@ -386,8 +390,9 @@ function sendEMail ($receiver, $receiver_name, $subject, $body_string){ $mail->charSet = "UTF-8"; $mail->ContentType = 'text/html'; + global $domain; //Recipients (change this for every project) - $mail->setFrom ('no-reply@kaz.local', ''); + $mail->setFrom ('no-reply@'.$domain, ''); $mail->addAddress ($receiver, $receiver_name); //Content @@ -419,14 +424,12 @@ function cleanToken () { unlink ($file); } } - function rmToken ($sender) { if (!$sender) return; if (file_exists (VAR_TOKENS.$sender)) unlink (VAR_TOKENS.$sender); } - function setToken ($sender) { if (!$sender) return; @@ -435,13 +438,11 @@ function setToken ($sender) { return $token; return false; } - function setLoggedToken ($sender, $token) { if (!$sender || !$token) return; file_put_contents (VAR_TOKENS.$sender, T_CREATE.": ".time ().NL.T_TOKEN.": ".$token.NL.T_LOGGED.": ok".NL); } - function getTokenVar ($sender, $varName) { if (!$sender) return; 
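Review bot: The debug dump added at the end of `readArchiveFromLines` (`$message .= "readArchiveFromLines\n".print_r ($lines, true)."\n"`) appends the raw archive lines to `$message`, and `$message` is later written into the HTML page unescaped (`echo "...Info : ".$message...` in the `@@ -896` hunk). Those lines come from a stored archive file, and `deleteAction` parses archives found while walking all of `VAR_LINKS`, not only the current account's, so an admin looking at a malformed archive gets whatever markup it contains rendered in their session. The file already has `jirafeau_escape` for this purpose (used on `file_name` in `deleteAction`); wrap the dump: `$message .= "readArchiveFromLines\n".jirafeau_escape (print_r ($lines, true))."\n";`. The removed per-line `error:".$line` message had the same exposure, so the change is a net improvement once escaped; the start of `readArchiveFromLines` is outside the hunk.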
@@ -452,25 +453,162 @@ function getTokenVar ($sender, $varName) { return $matches [1]; return false; } - function getToken ($sender) { return getTokenVar ($sender, T_TOKEN,); } - function getCreateToken ($sender) { return getTokenVar ($sender, T_CREATE); } - function getLoggedToken ($sender) { return getTokenVar ($sender, T_LOGGED); } - function getTimeToken ($sender) { if (!$sender || !file_exists (VAR_TOKENS.$sender)) return false; return filemtime (VAR_TOKENS.$sender); } +// ======================================== +function setAdmin ($sender) { + if (!$sender) + return; + if (!file_exists (VAR_ADMIN)) + mkdir (VAR_ADMIN, 0755); + touch (VAR_ADMIN.$sender); +} +function rmAdmin ($sender) { + if (!$sender) + return; + if (file_exists (VAR_ADMIN.$sender)) + unlink (VAR_ADMIN.$sender); +} +function isAdmin ($sender) { + return $sender && file_exists (VAR_ADMIN.$sender); +} + +// ======================================== +function deleteAction ($linkName) { + global $sender, $token, $message, $doLogout; + + $link = jirafeau_get_link ($linkName); + //$message .= "ln: ".$linkName." l: "."
".print_r ($link, 1)."
mt: ".getTimeFile ($link ['hash'])."
"; + if (!count ($link)) + return; + if (isKazArchive ($link)) { + $dirName = $linkName; + $dirLink = $link; + $dirTime = $dirLink ['upload_date']; + $archiveInfo = readArchiveFromLink ($dirLink); + if (! count ($archiveInfo)) + return; + if ($sender != $archiveInfo [T_SENDER]) { + setSenderFake ("rmdir: not owner", $sender, $archiveInfo [T_SENDER], $dirLink, null); + $message .= "Tentative de supprimer un envoi dont vous n'êtes pas le propriétaire"; + return; + } + $fileToDelete = false; + if ($archiveInfo [T_NEW]) + foreach ($archiveInfo [T_NEW] as [$fileName, $cryptKey]) { + $fileLink = jirafeau_get_link ($fileName); + if (! count ($fileLink)) + continue; + $fileTime = $fileLink ['upload_date']; + if (! valideTime ($dirTime, $fileTime)) { + setSenderFake ("rmdir: newfile not same time", $sender, null, $dirLink, $fileLink); + $message .= "Cet envoi a été forgée". + str_replace (["___FILENAME___", "___DIRTIME___", "___FILETIME___"], + [$fileLink ['file_name'], $dirTime , $fileTime], M_INCONSISTENT_DATES); + return; + } + $fileToDelete = true; + } + $message .= "l'envoi ".$archiveInfo [T_TIME]." est supprimé"; + if ($fileToDelete) + $message .= " avec" : "."; + return; + } + $fileName = $linkName; + $fileLink = $link; + $fileTime = $fileLink ['upload_date']; + $stack = array (VAR_LINKS); + while (($d = array_shift ($stack)) && $d != null) { + if (!file_exists ($d)) + continue; + $dir = scandir ($d); + foreach ($dir as $dirName) { + if (strcmp ($dirName, '.') == 0 || strcmp ($dirName, '..') == 0 || + preg_match ('/\.tmp/i', "$dirName")) { + continue; + } + if (is_dir ($d . $dirName)) { + $stack [] = $d . $dirName . '/'; + continue; + } + $dirLink = jirafeau_get_link ($dirName); + //$dirTime = getTimeFile ($dirLink ['hash']); + $dirTime = $dirLink ['upload_date']; + if (!count ($dirLink)) + continue; + if (!isKazArchive ($dirLink)) + continue; + $archiveInfo = readArchiveFromLink ($dirLink); + if (! 
count ($archiveInfo)) + return; + if ($archiveInfo [T_NEW]) + foreach ($archiveInfo [T_NEW] as [$newName, $cryptKey]) { + if ($fileName != $newName) + continue; + if ($sender == $archiveInfo [T_SENDER]) { + if (valideTime ($dirTime, $fileTime)) { + jirafeau_delete_link ($fileName); + $message .= jirafeau_escape ($fileLink ['file_name'])." est supprimé"; + // check empty dir + $empty = true; + foreach ([T_OLD, T_NEW] as $cat) + if ($empty && isset ($archiveInfo [$cat])) + foreach ($archiveInfo [$cat] as [$l, $c]) + if (count (jirafeau_get_link ($l))) { + $empty = false; + break; + } + if ($empty) { + $message .= " ainsi que l'envoie ".$archiveInfo [T_TIME]." qui est vide."; + jirafeau_delete_link ($dirName); + } else + $message .= "."; + break; + } + setSenderFake ("rm: dir not same time", $sender, null, $dirLink, $fileLink); + $message .= "Cet envoi a été forgée. ". + str_replace (["___FILENAME___", "___DIRTIME___", "___FILETIME___"], + [$fileLink ['file_name'], $dirTime , $fileTime], M_INCONSISTENT_DATES); + break; + } + if (valideTime ($dirTime, $fileTime)) { + setSenderFake ("rm: not owner", $sender, $archiveInfo [T_SENDER], $dirLink, $fileLink); + $message .= "Tentative de supprimer un envoi dont vous n'êtes pas le propriétaire.". + str_replace (["___FILENAME___", "___DIRTIME___", "___FILETIME___"], + [$fileLink ['file_name'], $dirTime , $fileTime], M_INCONSISTENT_DATES); + break; + } + setSenderFake ("rm: find not owner", $archiveInfo [T_SENDER], $sender, $dirLink, $fileLink); + $message .= "Quelqu'un avétait revandiqué cet envoi. (".$sender." != ".$archiveInfo [T_SENDER].")"; + break; + } + } + } +} + // ======================================== if ($doUpload) { $maxtime = time ()+period2seconds ($_REQUEST ['time']); 
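Review bot: `setAdmin`, `rmAdmin` and `isAdmin` build a filesystem path from `$sender` without any check of their own, so the admin flag is only as safe as the e-mail regex applied to `$_REQUEST [A_SENDER]` elsewhere in the file, and nothing in this patch calls `setAdmin` or `rmAdmin`, so as far as I can see admin rights are granted by creating a file under `VAR_ADMIN` out of band. That contract deserves a comment above the block, e.g. `// Admin flag = a file named after the sender's validated e-mail under VAR_ADMIN; callers must pass an already validated $sender.` Unrelated to the move itself, the relocated `deleteAction` still contains `$message .= " avec" : ".";` in the archive branch, which is not valid PHP as rendered and, with no `jirafeau_delete_link` call in that branch, looks unfinished — presumably `$message .= ($fileToDelete ? " avec ..." : ".");` was intended.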
@@ -532,7 +670,7 @@ if (isset ($_REQUEST [A_SENDER]) && !empty ($_REQUEST [A_SENDER])) { // XXX //if (!preg_match ("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/i", $_REQUEST [A_SENDER])) if (!preg_match ("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/i", $_REQUEST [A_SENDER])) - $senderError=true; + $senderError = true; else { cleanToken (); $sender = $_REQUEST [A_SENDER]; @@ -700,8 +838,8 @@ if (isset ($_REQUEST [A_ACTION]) && $_REQUEST [A_ACTION] == T_LOGIN && $sender) // XXX test token $url = $urlBase.$_SERVER ['SCRIPT_NAME']."?".A_SENDER."=".$sender."&".A_TOKEN."=".$token; $result = sendEMail ($sender, "", M_EMAIL_SUBJECT, - str_replace (["___LINK___", "___IP___", "___DATE___"], - [$url, $_SERVER ['HTTP_X_REAL_IP'] , date ("Y-m-d H:i:s")], M_EMAIL_CONTENT)); + str_replace (["___LINK___", "___IP___", "___DATE___"], + [$url, $_SERVER ['HTTP_X_REAL_IP'] , date ("Y-m-d H:i:s")], M_EMAIL_CONTENT)); if ($result) echo M_SEND_TOKEN; else @@ -759,132 +897,12 @@ if (!getLoggedToken ($sender)) else touch (VAR_TOKENS.$sender); -function deleteAction ($linkName) { - global $sender, $token, $message, $doLogout; - - $link = jirafeau_get_link ($linkName); - //$message .= "ln: ".$linkName." l: "."
".print_r ($link, 1)."
mt: ".getTimeFile ($link ['hash'])."
"; - if (!count ($link)) - return; - if (isKazArchive ($link)) { - $dirName = $linkName; - $dirLink = $link; - $dirTime = $dirLink ['upload_date']; - $archiveInfo = readArchiveFromLink ($dirLink); - if (! count ($archiveInfo)) - return; - if ($sender != $archiveInfo [T_SENDER]) { - setSenderFake ("rmdir: not owner", $sender, $archiveInfo [T_SENDER], $dirLink, null); - $message .= "Tentative de supprimer un envoi dont vous n'êtes pas le propriétaire"; - return; - } - $fileToDelete = false; - if ($archiveInfo [T_NEW]) - foreach ($archiveInfo [T_NEW] as [$fileName, $cryptKey]) { - $fileLink = jirafeau_get_link ($fileName); - if (! count ($fileLink)) - continue; - $fileTime = $fileLink ['upload_date']; - if (! valideTime ($dirTime, $fileTime)) { - setSenderFake ("rmdir: newfile not same time", $sender, null, $dirLink, $fileLink); - $message .= "Cet envoi a été forgée". - str_replace (["___FILENAME___", "___DIRTIME___", "___FILETIME___"], - [$fileLink ['file_name'], $dirTime , $fileTime], M_INCONSISTENT_DATES); - return; - } - $fileToDelete = true; - } - $message .= "l'envoi ".$archiveInfo [T_TIME]." est supprimé"; - if ($fileToDelete) - $message .= " avec" : "."; - return; - } - $fileName = $linkName; - $fileLink = $link; - $fileTime = $fileLink ['upload_date']; - $stack = array (VAR_LINKS); - while (($d = array_shift ($stack)) && $d != null) { - if (!file_exists ($d)) - continue; - $dir = scandir ($d); - foreach ($dir as $dirName) { - if (strcmp ($dirName, '.') == 0 || strcmp ($dirName, '..') == 0 || - preg_match ('/\.tmp/i', "$dirName")) { - continue; - } - if (is_dir ($d . $dirName)) { - $stack [] = $d . $dirName . '/'; - continue; - } - $dirLink = jirafeau_get_link ($dirName); - //$dirTime = getTimeFile ($dirLink ['hash']); - $dirTime = $dirLink ['upload_date']; - if (!count ($dirLink)) - continue; - if (!isKazArchive ($dirLink)) - continue; - $archiveInfo = readArchiveFromLink ($dirLink); - if (! 
count ($archiveInfo)) - return; - if ($archiveInfo [T_NEW]) - foreach ($archiveInfo [T_NEW] as [$newName, $cryptKey]) { - if ($fileName != $newName) - continue; - if ($sender == $archiveInfo [T_SENDER]) { - if (valideTime ($dirTime, $fileTime)) { - jirafeau_delete_link ($fileName); - $message .= jirafeau_escape ($fileLink ['file_name'])." est supprimé"; - // check empty dir - $empty = true; - foreach ([T_OLD, T_NEW] as $cat) - if ($empty && isset ($archiveInfo [$cat])) - foreach ($archiveInfo [$cat] as [$l, $c]) - if (count (jirafeau_get_link ($l))) { - $empty = false; - break; - } - if ($empty) { - $message .= " ainsi que l'envoie ".$archiveInfo [T_TIME]." qui est vide."; - jirafeau_delete_link ($dirName); - } else - $message .= "."; - break; - } - setSenderFake ("rm: dir not same time", $sender, null, $dirLink, $fileLink); - $message .= "Cet envoi a été forgée. ". - str_replace (["___FILENAME___", "___DIRTIME___", "___FILETIME___"], - [$fileLink ['file_name'], $dirTime , $fileTime], M_INCONSISTENT_DATES); - break; - } - if (valideTime ($dirTime, $fileTime)) { - setSenderFake ("rm: not owner", $sender, $archiveInfo [T_SENDER], $dirLink, $fileLink); - $message .= "Tentative de supprimer un envoi dont vous n'êtes pas le propriétaire.". - str_replace (["___FILENAME___", "___DIRTIME___", "___FILETIME___"], - [$fileLink ['file_name'], $dirTime , $fileTime], M_INCONSISTENT_DATES); - break; - } - setSenderFake ("rm: find not owner", $archiveInfo [T_SENDER], $sender, $dirLink, $fileLink); - $message .= "Quelqu'un avétait revandiqué cet envoi. (".$sender." != ".$archiveInfo [T_SENDER].")"; - break; - } - } - } -} - // ======================================== // sender OK, token OK // ======================================== +$admin = isAdmin ($sender); + // delete if (isset ($_REQUEST [A_DELETE])) { if (!preg_match ('/[0-9a-zA-Z_-]+$/', $_REQUEST [A_DELETE])) 
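Review bot: `$admin = isAdmin ($sender);` is the only assignment of the flag that `readArchiveFromLines` reads through `global $admin`, and it happens after the token checks, so any archive parsed on an earlier code path silently sees `$admin` as null; that is the safe direction, but it is implicit. A short comment here would make the dependency visible: `// read via global in readArchiveFromLines(); null (non-admin) for anything that runs before this line`. I also cannot see anything in the patch that grants an extra capability based on `$admin` beyond the debug dump and the " (admin)" label, which is worth stating in the same comment if that is intentional.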
@@ -896,7 +914,9 @@ if (isset ($_REQUEST [A_DELETE])) { if ($doLogout || (isset ($_REQUEST [A_ACTION]) && $_REQUEST [A_ACTION] == T_LOGOUT)) { rmToken ($sender); require (JIRAFEAU_ROOT . 'lib/template/header.php'); - echo str_replace (["___SENDER___", "___DATE___"], [$sender, jirafeau_get_datetimefield (time ())], M_WELCOME); + echo str_replace (["___SENDER___", "___ADMIN___", "___DATE___"], + [$sender, ($admin ? " (admin)" : ""), jirafeau_get_datetimefield (time ())], + M_WELCOME); if ($message) echo "

Info : ".$message."

"; echo M_LOGOUT; @@ -953,7 +973,9 @@ while ( ($d = array_shift ($stack)) && $d != null) { } } require (JIRAFEAU_ROOT . 'lib/template/header.php'); -echo str_replace (["___SENDER___", "___DATE___"], [$sender, jirafeau_get_datetimefield (time ())], M_WELCOME); +echo str_replace (["___SENDER___", "___ADMIN___", "___DATE___"], + [$sender, ($admin ? " (admin)" : ""), jirafeau_get_datetimefield (time ())], + M_WELCOME); if ($message) echo "
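Review bot: The three-line `str_replace` that builds the welcome banner is now written out twice, here and in the `@@ -953,7 +973,9` hunk, with the placeholder list, the `$admin ? " (admin)" : ""` expression and the date call duplicated, so the next placeholder added to `M_WELCOME` has to be threaded through both sites. A small helper keeps the two echo sites in step and gives the `___ADMIN___` token a single definition. Both call sites then become `echo welcomeBanner ($sender, $admin);`.
```php
function welcomeBanner ($sender, $admin) {
    return str_replace (["___SENDER___", "___ADMIN___", "___DATE___"],
                        [$sender, ($admin ? " (admin)" : ""), jirafeau_get_datetimefield (time ())],
                        M_WELCOME);
}
```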

Info : ".$message."

"; echo '