1 <?php
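require_once("$admLibrary/ck_aticket.i");

// ** DEFINE GLOBAL VALUES
// Not referenced in this file; presumably read as a global by the included SMS/mail helpers -- confirm.
$HCUSMSFROM = "noreply@homecu.net";
// Minutes a stored out-of-band access code stays acceptable to the "confirm_remote" step.
$HCUSTALETIME = 40;

// Allow-list of request variables this page consumes. HCU_ImportVars() applies the filters and
// leaves the imported values under $SYSENV["LOGOUT"].
// NOTE(review): FILTER_SANITIZE_STRING is deprecated since PHP 8.1; replace it once the filter
// set that HCU_ImportVars() accepts has been confirmed.
$dms_ok = [
    'action'      => ['filter' => FILTER_SANITIZE_STRING],
    'use_to_send' => ['filter' => FILTER_SANITIZE_STRING],
    'code'        => ['filter' => FILTER_SANITIZE_STRING],
];

HCU_ImportVars($SYSENV, "LOGOUT", $dms_ok);

// Read the allow-listed values explicitly instead of extract()ing the whole array, so a request
// parameter can never overwrite $Cu, $Cn, $dbh or $menu_link in this scope.
$action      = $SYSENV["LOGOUT"]['action'] ?? null;
$use_to_send = $SYSENV["LOGOUT"]['use_to_send'] ?? '';
$code        = $SYSENV["LOGOUT"]['code'] ?? '';

$main_url = $menu_link;
$self     = "$menu_link?ft=$ft";
$contents = "";
$msg      = "";
// Where the user is sent after a successful confirmation; the Tx_aURI cookie may override it,
// but only with a site-local path.
$returnAddress = "/admbin/main.prg?ft=";

// $Cu / $Cn identify the logged-in admin (set up by ck_aticket.i). prep_save() is the project's
// SQL-literal escaper; every value interpolated into a query below goes through it.
$cuSql = prep_save($Cu ?? '');
$cnSql = prep_save($Cn ?? '');

if ($action === "send_out_of_band") {
    // Code generation / delivery helpers shared with home banking.
    require_once(dirname(__FILE__) . '/../../shared/library/cu_sms.i');
    require_once(dirname(__FILE__) . '/../../banking/library/cu_credentials.i');

    $sql    = null;
    $sendTo = null;
    if ($use_to_send === "sms") {
        $sql = "SELECT usersms FROM cuadminusers WHERE cu = '$cuSql' AND user_name = '$cnSql'";
    } elseif ($use_to_send === "email") {
        $sql = "SELECT email FROM cuadminusers WHERE cu = '$cuSql' AND user_name = '$cnSql'";
    } elseif ($use_to_send === "have_code") {
        // The user already holds a code: go straight to the entry form without issuing a new one.
        $action = "wait_for_code";
    } else {
        $msg .= "Invalid selection of how to send the access code.";
    }

    if ($sql !== null) {
        $sth = db_query($sql, $dbh);
        if ($row = db_fetch_array($sth, 0)) {
            db_free_result($sth);
            $sendTo = trim((string) $row[0]);
            if ($sendTo === '') {
                $msg .= "No address of record for the selected delivery method.";
            }
        } else {
            $msg .= "Unable to read user record";
        }
    }

    // Generate, store and send a code only when one was actually requested. The "have_code"
    // choice must not reach this block: a fresh code would overwrite the one the user is about
    // to type, and the send helper would be handed no address.
    if ($msg === '' && $action !== "wait_for_code") {
        $authResp = generateAuthcode();
        if (empty($authResp['authcode']) || empty($authResp['authexpires'])) {
            throw new Exception('Generate Access Code Failed');
        }
        if (!setAdminAuthcode($dbh, $Cu, $Cn, $authResp['authcode'])) {
            throw new Exception('Save Access Code Failed');
        }
        if (!sendAdminAuthcode($dbh, $Cu, $authResp, $sendTo, $use_to_send)) {
            throw new Exception('Send Access Code Failed');
        }
        $action = "wait_for_code";
    }
} elseif ($action === "confirm_remote") {
    $sql = "SELECT cau.userconfirm, ca.retrylimit
            FROM cuadminusers cau
            INNER JOIN cuadmin ca ON ca.cu = cau.cu
            WHERE cau.cu = '$cuSql'
            AND cau.user_name = '$cnSql'";
    $sth = db_query($sql, $dbh);

    if ($row = db_fetch_array($sth, 0)) {
        db_free_result($sth);
        [$savedConfirm, $retryLimit] = $row;

        // userconfirm holds "code|issuing-ip|unix-time|retries"; presumably written by
        // setAdminAuthcode() -- confirm against that helper before changing the layout.
        $confirmParts = explode("|", (string) $savedConfirm);
        $now = time();

        if (count($confirmParts) < 4 || $confirmParts[0] === '') {
            // Nothing pending (e.g. already confirmed or never issued): do not compare anything.
            $msg .= "No access code is pending. Please start over.";
        } elseif (($now - (int) $confirmParts[2]) > 60 * $HCUSTALETIME) {
            $msg .= "Too much time has passed. Code expired.";
        } elseif (($_SERVER["REMOTE_ADDR"] ?? '') !== $confirmParts[1]) {
            $msg .= "Access is from a different location. Please try again.";
        } elseif ((int) $confirmParts[3] >= (int) $retryLimit) {
            $contents  = "<div class='row'>Retry limit exceeded. Please start over.</div>";
            $contents .= "<div class='hcu-edit-buttons k-state-default row'><a id='logoutBtn' class='k-button k-primary' href='\\\\#'>Logout</a></div>";
            printKendoWindow($menu_link, $contents);
            exit;
        } elseif (!hash_equals($confirmParts[0], trim((string) $code))) {
            // Wrong code (compared in constant time, never loosely): bump the retry counter
            // and show the entry form again.
            $msg .= "Invalid access code. Please retry.";
            $confirmParts[3] = (int) $confirmParts[3] + 1;
            $confirmToUpdate = prep_save(implode("|", $confirmParts));
            $sql = "UPDATE cuadminusers
                    SET userconfirm = '$confirmToUpdate'
                    WHERE user_name = '$cnSql' AND
                    cu = '$cuSql'";
            db_query($sql, $dbh);
            $action = "wait_for_code";
        } else {
            // Correct code: remember the IP the code was issued to and clear the pending code.
            $remoteIp = prep_save($confirmParts[1]);
            $sql = "UPDATE cuadminusers
                    SET userconfirm = '',
                    remoteip = '$remoteIp'
                    WHERE user_name = '$cnSql' AND
                    cu = '$cuSql'";
            db_query($sql, $dbh);

            // Tell the address of record that remote access was changed.
            $sql = "SELECT cau.email, ca.orgname FROM cuadminusers cau INNER JOIN cuadmin ca ON ca.cu = cau.cu WHERE cau.cu = '$cuSql' AND cau.user_name = '$cnSql'";
            $sth = db_query($sql, $dbh);
            if ($row = db_fetch_array($sth, 0)) {
                db_free_result($sth);
                [$sendTo, $orgName] = $row;

                $notify = new ErrorMail;
                $notify->mailto = "$sendTo";
                $notify->mailfromname = "$orgName";
                $notify->subject = 'Updated remote access';
                $notify->msgbody = "The remote access for your HomeCU Admin account was changed. If you did not make this change please let your system administrator know immediately.\n";
                $notify->callingfunction = __FUNCTION__;
                $notify->file = __FILE__;
                $notify->cu = $Cu;
                $notify->SendMail();
            }

            // Continue to the page originally requested, but only when the cookie holds a
            // site-local path: an absolute or protocol-relative value would be an open redirect.
            $returnAddress = admAuthLocalReturnPath(urldecode($_COOKIE['Tx_aURI'] ?? ''), $returnAddress);
            header("Location: " . $returnAddress);
            exit; // nothing after a Location header may keep running
        }
    } else {
        $msg .= "Unable to read confirmation information.";
    }
}

$isAllowedRemoteAccess = false;
$email = '';
$sms   = '';

if (isset($Cn, $Cu)) {
    // Remote-access flag plus the addresses offered as delivery options.
    $sql = "SELECT email, userflags, usersms
            FROM cuadminusers
            WHERE user_name = '$cnSql'
            AND cu = '$cuSql'";
    $sth = db_query($sql, $dbh);
    if ($row = db_fetch_array($sth, 0)) {
        [$email, $userflags, $sms] = $row;
        $isAllowedRemoteAccess = ((int) $userflags & GetAdminUserFlagsValue("ADM_REMOTE_ACCESS_ALLOWED")) > 0;
    }
}

// Every href below uses "\\#": the dialog markup is emitted inside a JavaScript string literal
// (see printKendoWindow), which turns it into "\#" -- the escape Kendo templates need for a
// literal "#".
if (!$isAllowedRemoteAccess) {
    $contents  = "You do not have permissions for remote access.";
    $contents .= "<div class='hcu-edit-buttons k-state-default row'><a id='logoutBtn' class='k-button k-primary' href='\\\\#'>Logout</a></div>";
} elseif ($action === "wait_for_code") {
    $formAction = admAuthHtmlEscape($self);
    $contents  = "<form action='$formAction' method='POST' name='continue'><input type='hidden' name='action' value='confirm_remote' />";
    $contents .= "<div class='row'><label class='col-xs-5'>Enter Code:</label><div class='col-xs-7'><input type='text' name='code' class='k-input k-textbox hcu-all-100'></div></div></form>";
    $contents .= "<div class='hcu-edit-buttons k-state-default row'><a id='logoutBtn' href='\\\\#'>Logout</a>&nbsp;&nbsp;&nbsp;";
    $contents .= "<a id='submitBtn' class='k-button k-primary' href='\\\\#'><i class='fa fa-check'></i>Submit</a></div>";
} else {
    $maskedEmail = admAuthHtmlEscape(admAuthMaskEmail(trim((string) $email)));
    $maskedSMS   = admAuthHtmlEscape(admAuthMaskSms(trim((string) $sms)));
    $formAction  = admAuthHtmlEscape($self);
    // SMS is pre-selected when the user has one; otherwise email is.
    $emailChecked = $maskedSMS === '' ? "checked" : "";

    $contents  = "<form action='$formAction' method='POST' name='continue'><input type='hidden' name='action' value='send_out_of_band' />";
    $contents .= "<div class='row'>You are attempting to access this system from an unknown location. <br>";
    $contents .= "In order to obtain an access code, please select how you would like the access code to be sent. <br>";
    // NOTE(review): this 15-minute figure and the $HCUSTALETIME (40 min) bound applied by
    // confirm_remote do not obviously agree; generateAuthcode()'s authexpires may be the
    // effective limit -- confirm and keep the text in step with it.
    $contents .= "The access code will expire after 15 minutes.</div>";
    $contents .= $maskedSMS !== '' ? "<div class='radio'><input type='radio' name='use_to_send' value='sms' checked />Text to $maskedSMS</div>" : "";
    $contents .= "<div class='radio'><input type='radio' name='use_to_send' value='email' $emailChecked />Email to $maskedEmail</div>";
    $contents .= "<div class='radio'><input type='radio' name='use_to_send' value='have_code' />Already have access code</div></form>";
    $contents .= "<div class='hcu-edit-buttons k-state-default row'><a id='logoutBtn' href='\\\\#'>Logout</a>&nbsp;&nbsp;&nbsp;";
    $contents .= "<a id='submitBtn' class='k-button k-primary' href='\\\\#'><i class='fa fa-check'></i>Submit</a></div>";
}

if (strlen($contents) > 0) {
    printKendoWindow($menu_link, $contents, $msg);
}

// Helpers for this page. Declared unconditionally at file scope so PHP hoists them and the
// calls above resolve regardless of order.

/**
 * Escape text for the HTML the dialog renders.
 *
 * ENT_HTML5 is deliberate: the markup ends up inside a Kendo template, where a bare "#" is
 * template syntax, and the HTML 4.01 table would encode an apostrophe as "&#039;".
 *
 * @param mixed $text value to escape (cast to string)
 * @return string escaped text
 */
function admAuthHtmlEscape($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Mask an email address for display: keeps the first three characters of the local part and
 * the last seven of the domain, replacing the rest with "x" (the "@" itself becomes an "x").
 *
 * @param mixed $email address to mask (cast to string; a value without "@" is treated as local part only)
 * @return string masked address
 */
function admAuthMaskEmail($email)
{
    $parts  = explode("@", (string) $email, 2);
    $local  = $parts[0];
    $domain = $parts[1] ?? '';

    $masked = strlen($local) > 3
        ? substr($local, 0, 3) . str_repeat("x", strlen($local) - 3)
        : $local;
    $masked .= "x";
    $masked .= strlen($domain) > 7
        ? str_repeat("x", strlen($domain) - 7) . substr($domain, -7)
        : $domain;

    return $masked;
}

/**
 * Mask an SMS destination for display: the number (the part before "@" when the stored value is
 * a carrier gateway address) is reduced to its first four and last two characters.
 *
 * @param mixed $sms stored SMS destination (cast to string)
 * @return string masked number, or "" when nothing is stored
 */
function admAuthMaskSms($sms)
{
    $sms = (string) $sms;
    if ($sms === '') {
        return '';
    }
    $at     = strpos($sms, "@");
    $number = ($at !== false && $at > 0) ? substr($sms, 0, $at) : $sms;
    return substr($number, 0, 4) . "xxxx" . substr($number, -2);
}

/**
 * Return $candidate when it is a site-local path safe for a Location header, else $fallback.
 *
 * Rejects empty values, anything not starting with "/", protocol-relative forms ("//host",
 * "/\host") and values containing CR/LF.
 *
 * @param mixed  $candidate user-supplied return path (cast to string)
 * @param string $fallback  path to use when $candidate is not acceptable
 * @return string
 */
function admAuthLocalReturnPath($candidate, $fallback)
{
    $candidate = trim((string) $candidate);
    if ($candidate === '' || $candidate[0] !== '/') {
        return $fallback;
    }
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $fallback;
    }
    if (strpbrk($candidate, "\r\n") !== false) {
        return $fallback;
    }
    return $candidate;
}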
240 
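/**
 * Render the remote-access dialog: a hidden logout form plus the script that opens a Kendo
 * window containing $contents (and $msg as an error banner when non-empty).
 *
 * @param string $menu_link base URL of the admin menu; the logout form posts to "$menu_link?ft=70"
 * @param string $contents  HTML placed inside the window (callers build it; it is not escaped here)
 * @param string $msg       HTML-safe status text shown above $contents; "" shows no banner
 * @return void output is echoed
 */
function printKendoWindow($menu_link, $contents, $msg = "")
{
    // Hidden logout form that the dialog's Logout link submits.
    echo "<form name='logout' action='$menu_link?ft=70' method='post'>";

    $fullContents  = "<div id='permissionFormStatusField'></div><div class='container-fluid hcu-template'>";
    $fullContents .= strlen($msg) > 0 ? "<div class='row k-block k-error-colored hcuSpacer'>$msg</div>" : "";
    $fullContents .= $contents;
    $fullContents .= "</div>";

    // The markup is emitted inside a double-quoted JavaScript string literal, so escape what
    // would end it (double quotes, line breaks) or the enclosing <script> element ("</").
    // Backslashes are left alone on purpose: callers write "\\#" so the Kendo template
    // receives "\#", its escape for a literal "#".
    $jsTemplate = str_replace(
        ['"', "\r\n", "\r", "\n", '</'],
        ['\\"', '\\n', '\\n', '\\n', '<\\/'],
        $fullContents
    );

    echo <<<HTML
<script type="text/javascript">
    $(document).ready(function() {
        var permissionsDialog = $("<div id='permissionsDialog'></div>").appendTo("body").kendoWindow({
            visible: false,
            modal: true,
            resizable: false,
            draggable: true,
            title: "HomeCU Remote Admin Permissions",
            minWidth: 330, // wide enough to show the whole title
            content: {
                template: "{$jsTemplate}"
            }
        }).data("kendoWindow");

        permissionsDialog.open().center();

        $("#logoutBtn").click(function() {
            $("[name='logout']").submit();
        });
        $("#submitBtn").click(function() {
            $("[name='continue']").submit();
        });
    });
</script>
HTML;
}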