Admin kann Passwörter ändern. Kleinere Fixes

2019-11-22 14:30:22 +01:00 · 2019-11-22 14:30:22 +01:00 · 24e4cb92be
parent c37c9a0525
commit 24e4cb92be
6 changed files with 74 additions and 7 deletions
--- a/public/admin.php
+++ b/public/admin.php
@ -72,6 +72,18 @@ echo '</select> (benutze nicht ' .  "'" . ')</label>
 <label>Neues Passwort wiederholen<input type="password" name="newmailpwrep"/></label>
 <input type="submit" name="submit" value="Hinzufügen"/>
 </form>
+<h3>Passwort einer Email-Adresse ändern:</h3>
+<form name="changemailpwadm" method=POST action="bin/changemailpwadm.php">
+<label>Zu ändernde Mail:<select name="changemailid">';
+    $abfrage = "SELECT `id`, `username`, `domain` FROM `accounts`";
+    $result = $dbh->query($abfrage);
+    while ($emails = $result->fetch()) {
+        echo '<option value="' . htmlentities($emails['id']) . '">' . htmlentities($emails['username']) . '@' . $emails['domain'] . '</option>';
+    }
+    echo '</select></label>';
+    echo '<label>Neues Passwort: <input type="password" name="newmailpw" /></label><label>Neues Passwort wiederholen: <input type="password" name="newmailpwrep" /></label>
+<input type="submit" name="submit" value="ÄNDERN"/>
+</form>
 <h3>Emailadresse entfernen:</h3>
 <form name="deletemail" method=POST action="bin/deletemail.php">
 <label>Delete Mail:<select name="mailuserID">';
--- a/public/bin/changemailpw.php
+++ b/public/bin/changemailpw.php
@ -27,7 +27,7 @@ if ($_SESSION['log'] == 1) {
        $newmailpw = $_POST['newmailpw'];
        $oldmailpw = $_POST['oldmailpw'];
        if (strpos($newmailpw, "'") !== false) {
-            header("Location: settings.php?wrongsymbols=1");
+            header("Location: ../settings.php?wrongsymbols=1");
            exit;
        }
        $mailusername = $_SESSION['username'];
--- a/public/bin/changemailpwadm.php
+++ b/public/bin/changemailpwadm.php
@ -0,0 +1,50 @@
+<?php
+/*  Mailadminscript
+    Copyright (C) 2019  Paul Schürholz contact AT roteserver . de
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>. */
+$config = parse_ini_file('../../private/config.ini');
+try {
+    $dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
+} catch (PDOException $e) {
+    //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen
+    echo 'Connection failed';
+}
+session_start();
+if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) {
+    if (strpos($_POST['newmailpw'] , "'") !== false) {
+        header("Location: ../admin.php?wrongsymbols=1");
+        exit;
+    }
+    if ($_POST['newmailpw'] == $_POST['newmailpwrep']) {
+        if (strlen($_POST['newmailpw'] ) >= 8) {
+            $newmailpwhashed = password_hash($_POST['newmailpw'] , PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]);
+            $eintrag = "UPDATE `accounts` SET `password` = :newmailpwhashed WHERE `id` LIKE :id";
+            $sth = $dbh->prepare($eintrag);
+            $sth->execute(array(':newmailpwhashed' => $newmailpwhashed, ':id' => $_POST['changemailid']));
+            header("Location: ../settings.php?success=1");
+            exit;
+        }
+        else {
+            header("Location: ../admin.php?pwtoshort=1");
+            exit;
+        }
+    }
+    else {
+        header("Location: ../admin.php?pwnotequal=1");
+        exit;
+    }
+}
+header("Location: index.php");
+?>
--- a/public/bin/createmailuser.php
+++ b/public/bin/createmailuser.php
@ -69,7 +69,7 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail
            $sth = $dbh->prepare($abfrage);
            $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain));
            $result = $sth->fetchAll();
-            print_r($result);
+            //print_r($result);
            if ($result[0][1] !== 1) {
                $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]);
                //$createdtimestamp = date("Y-m-d H:i:s");
@ -84,7 +84,7 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail
                //     $eintrag = "UPDATE `mailserver`.`virtual_users` SET `active`='0' WHERE `email` LIKE :newmailusernamefull";
                // }
                //else {
-                    $eintrag = "INSERT INTO `accounts` (`username`, `domain`, `password`, `quota`, `enabled`, `sendonly`, `admin`) VALUES (:newmailusername, :newmaildomain, :newmailpwhashed, '2048', '1', '0', '0')"; // Maildaten in MailServer DB eintragen
+                    $eintrag = "INSERT INTO `accounts` (`username`, `domain`, `password`, `quota`, `enabled`, `forcepwreset`, `sendonly`, `admin`) VALUES (:newmailusername, :newmaildomain, :newmailpwhashed, '2048', '1', '0', '0', '0')"; // Maildaten in MailServer DB eintragen
                    $sth = $dbh->prepare($eintrag);
                    $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain, ':newmailpwhashed' => $newmailpwhashed));
                    //$maildirpath = $config['mailfolderpath'] . $newmailusername;
@ -138,8 +138,9 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail
 }
 session_start();
 if ($_SESSION['log'] == 1 AND $_SESSION['admin'] == 1) {
-    print_r($_POST);
+    //print_r($_POST);
    createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], 1);
+    header("Location: ../admin.php");
    exit;
 }
 if ($config['allowregistration']) {
--- a/public/bin/deletemail.php
+++ b/public/bin/deletemail.php
@ -52,7 +52,12 @@ if ($_SESSION['log'] == 1) {
    $sth->execute(array(':mailuserID' => $mailuserID));
    //$maildirpath = $config['mailfolderpath'] . $result[0]['username'];
    //delete_directory($maildirpath);
-    header("Location: ../admin.php?success=1");
+    if ($_SESSION['admin'] == 1) {
+        header("Location: ../admin.php?success=1");
+    }
+    else {
+        header("Location: ../logout.php");
+    }
    exit;
 }
 header("Location: ../index.php");
--- a/public/settings.php
+++ b/public/settings.php
@ -60,12 +60,11 @@ if ($_SESSION['log'] == 1) {
    if ($config['maildirencryption']) {
        echo '<label><p style="font-size: x-small">Schlüssel-Neuerstellung erzwingen</p><p style="font-size: small">ACHTUNG! Alle alten Mails werden dann wahrscheinlich nicht mehr lesbar sein!<input type="checkbox" name="forcekeyregen"/></p></label>';
    }
-    echo '<input type="submit" value="Abschicken"/>
+    echo '<input type="submit" value="Abschicken"/></form>
    <h3>Diese Mailadresse löschen:</h3>
    <form name="deletemail" method=POST action="bin/deletemail.php">
    <input type="submit" value="LÖSCHEN"/>
    </form>';
-
    echo '</body>
    </html>';
    exit;