3 # Modify or create a webmin user
5 require './acl-lib.pl';
6 &foreign_require("webmin", "webmin-lib.pl");
9 # Check for special button clicks, and redirect
10 if ($in{'but_clone'}) {
11 &redirect("edit_user.cgi?clone=".&urlize($in{'old'}));
14 elsif ($in{'but_log'}) {
15 &redirect("../webminlog/search.cgi?uall=0&mall=1&tall=1&user=".
19 elsif ($in{'but_switch'}) {
20 &redirect("switch.cgi?user=".&urlize($in{'old'}));
23 elsif ($in{'but_delete'}) {
24 &redirect("delete_user.cgi?user=".&urlize($in{'old'}));
31 $in{'name'} = $in{'old'} if (!$access{'rename'});
32 &can_edit_user($in{'old'}) || &error($text{'save_euser'});
33 $old = &get_user($in{'old'});
34 $old || &error($text{'edit_egone'});
35 $user{'proto'} = $old->{'proto'};
36 $user{'id'} = $old->{'id'};
39 $access{'create'} || &error($text{'save_ecreate'});
41 &error_setup($text{'save_err'});
43 # Validate username, and check for a clash
44 $in{'name'} =~ /^[A-z0-9\-\_\.\@]+$/ && $in{'name'} !~ /^\@/ ||
45 &error(&text('save_ename', $in{'name'}));
46 $in{'name'} eq 'webmin' && &error($text{'save_enamewebmin'});
47 if (!$in{'old'} || $in{'old'} ne $in{'name'}) {
48 $clash = &get_user($in{'name'});
49 $clash && &error(&text('save_edup', $in{'name'}));
51 !$access{'logouttime'} || $in{'logouttime_def'} ||
52 $in{'logouttime'} =~ /^\d+$/ || &error($text{'save_elogouttime'});
53 !$access{'minsize'} || $in{'minsize_def'} ||
54 $in{'minsize'} =~ /^\d+$/ || &error($text{'save_eminsize'});
57 if ($in{'pass_def'} == 0) {
58 $in{'pass'} =~ /:/ && &error($text{'save_ecolon'});
60 # Check password quality, unless this is a temp password
61 $perr = &check_password_restrictions($in{'name'}, $in{'pass'});
62 $perr && &error(&text('save_epass', $perr));
66 # Validate force change
68 &get_miniserv_config(\%miniserv);
69 $miniserv{'passwd_mode'} == 2 ||
70 &error(&text('save_etemp', '../webmin/edit_session.cgi'));
74 # Find logged-in webmin user
76 if ($u->{'name'} eq $base_remote_user) {
81 # Find the current group
83 foreach $g (&list_groups()) {
84 if (&indexof($in{'old'}, @{$g->{'members'}}) >= 0) {
90 if (&supports_rbac()) {
92 $user{'rbacdeny'} = $in{'rbacdeny'};
96 # Just store the skill and risk levels
97 $user{'skill'} = $in{'skill'};
98 $user{'risk'} = $in{'risk'};
99 delete($user{'modules'});
102 if (defined($in{'group'})) {
103 # Check if group is allowed
104 if ($access{'gassign'} ne '*') {
105 local @gcan = split(/\s+/, $access{'gassign'});
106 $in{'group'} && &indexof($in{'group'}, @gcan) >= 0 ||
107 !$in{'group'} && &indexof('_none', @gcan) >= 0 ||
108 $oldgroup && $oldgroup->{'name'} eq $in{'group'} ||
109 &error($text{'save_egroup'});
112 # Store group membership
113 $newgroup = &get_group($in{'group'});
114 if ($in{'group'} ne ($oldgroup ? $oldgroup->{'name'} : '')) {
115 # Group has changed - update the member lists
118 $oldgroup->{'members'} =
119 [ grep { $_ ne $in{'old'} }
120 @{$oldgroup->{'members'}} ];
121 &modify_group($oldgroup->{'name'}, $oldgroup);
125 push(@{$newgroup->{'members'}}, $in{'name'});
126 &modify_group($in{'group'}, $newgroup);
129 elsif ($in{'old'} ne $in{'name'} && $oldgroup && $newgroup) {
130 # Name has changed - rename in group
131 local $idx = &indexof(
132 $in{'old'}, @{$oldgroup->{'members'}});
133 $oldgroup->{'members'}->[$idx] = $in{'name'};
134 &modify_group($oldgroup->{'name'}, $oldgroup);
138 # Store manually selected modules
139 @mcan = $access{'mode'} == 1 ? @{$me->{'modules'}} :
140 $access{'mode'} == 2 ? split(/\s+/, $access{'mods'}) :
142 map { $mcan{$_}++ } @mcan;
144 @mods = split(/\0/, $in{'mod'});
146 $mcan{$m} || &error(&text('save_emod', $m));
149 # Add modules that this user already has, but were not
150 # allowed to be changed or are not available for this OS
151 foreach $m (@{$old->{'modules'}}) {
152 push(@mods, $m) if (!$mcan{$m});
155 if ($base_remote_user eq $in{'old'} &&
156 &indexof("acl", @mods) == -1 &&
157 (!$newgroup || &indexof("acl", @{$newgroup->{'modules'}}) == -1)) {
158 &error($text{'save_edeny'});
162 # Remove modules from the old group
163 @mods = grep { &indexof($_, @{$oldgroup->{'modules'}}) < 0 }
167 if (!$in{'old'} && $access{'perms'}) {
168 # Copy .acl files from creator to new user
169 ©_acl_files($me->{'name'}, $in{'name'}, $me->{'modules'});
173 # Add modules from group to list
177 if (&indexof($m, @{$newgroup->{'modules'}}) < 0);
179 @mods = &unique(@mods, @{$newgroup->{'modules'}});
180 $user{'ownmods'} = \@ownmods;
182 # Copy ACL files for group
183 local $name = $in{'old'} ? $in{'old'} : $in{'name'};
184 ©_group_user_acl_files($in{'group'}, $name,
185 [ @{$newgroup->{'modules'}}, "" ]);
187 $user{'modules'} = \@mods;
188 delete($user{'skill'});
189 delete($user{'risk'});
193 $salt = chr(int(rand(26))+65).chr(int(rand(26))+65);
194 $user{'name'} = $in{'name'};
195 $user{'lang'} = !$access{'lang'} ? $old->{'lang'} :
196 $in{'lang_def'} ? undef : $in{'lang'};
197 if (!$access{'theme'}) {
198 $user{'theme'} = $old->{'theme'};
199 $user{'overlay'} = $old->{'overlay'};
202 $user{'theme'} = $in{'theme_def'} ? undef : $in{'theme'};
203 $user{'overlay'} = $in{'overlay_def'} ? undef : $in{'overlay'};
204 if ($user{'overlay'} && !$user{'theme'}) {
205 &error($text{'save_eoverlay'});
208 $user{'cert'} = !$access{'chcert'} ? $old->{'cert'} :
209 $in{'cert_def'} ? undef : $in{'cert'};
210 $user{'notabs'} = !$access{'cats'} ? $old->{'notabs'} : $in{'notabs'};
211 $user{'logouttime'} = !$access{'logouttime'} ? $old->{'logouttime'} :
212 $in{'logouttime_def'} ? undef : $in{'logouttime'};
213 $user{'minsize'} = !$access{'minsize'} ? $old->{'minsize'} :
214 $in{'minsize_def'} ? undef : $in{'minsize'};
215 $user{'nochange'} = !$access{'nochange'} || !defined($in{'nochange'}) ?
216 $old->{'nochange'} : $in{'nochange'};
217 $user{'lastchange'} = $old->{'lastchange'};
218 $user{'olds'} = $old->{'olds'};
219 $user{'real'} = $in{'real'} =~ /\S/ ? $in{'real'} : undef;
220 $raddr = $ENV{'REMOTE_ADDR'};
221 if ($access{'ips'}) {
223 @hosts = split(/\s+/, $in{"ips"});
224 if (!@hosts) { &error($text{'save_enone'}); }
225 foreach $h (@hosts) {
226 $err = &webmin::valid_allow($h);
227 &error($err) if ($err);
231 if ($in{'ipmode'} == 1) {
232 $user{'allow'} = join(" ", @ips);
233 if ($old->{'name'} eq $base_remote_user &&
234 !&webmin::ip_match($raddr, @ips)) {
235 &error(&text('save_eself', $raddr));
238 elsif ($in{'ipmode'} == 2) {
239 $user{'deny'} = join(" ", @ips);
240 if ($old->{'name'} eq $base_remote_user &&
241 &webmin::ip_match($raddr, @ips)) {
242 &error(&text('save_eself', $raddr));
247 $user{'allow'} = $old->{'allow'};
248 $user{'deny'} = $old->{'deny'};
250 if ($in{'pass_def'} == 0) {
252 $user{'pass'} = &encrypt_password($in{'pass'});
255 elsif ($in{'pass_def'} == 1) {
256 # No change in password
257 $user{'pass'} = $in{'oldpass'};
260 elsif ($in{'pass_def'} == 3) {
261 # Unix authentication
265 elsif ($in{'pass_def'} == 4) {
267 $user{'pass'} = '*LK*';
270 elsif ($in{'pass_def'} == 5) {
271 # External authentcation
276 # Password synchronization (deprecated)
277 &foreign_check("useradmin") || &error($text{'save_eos'});
278 &foreign_require("useradmin", "user-lib.pl");
279 foreach $uu (&useradmin::list_users()) {
280 $user{'pass'} = $uu->{'pass'}
281 if ($uu->{'user'} eq $in{'name'});
283 defined($user{'pass'}) ||
284 &error(&text('save_eunix', $in{'name'}));
288 # Update allowed days and hours
289 if ($access{'times'}) {
290 # Save the allowed days
291 if (!$in{'days_def'}) {
292 @days = split(/\0/, $in{'days'});
293 @days || &error($text{'save_edays'});
294 $user{'days'} = join(",", @days);
296 if (!$in{'hours_def'}) {
297 foreach $t ('from', 'to') {
298 $h = $in{'hours_h'.$t};
299 $m = $in{'hours_m'.$t};
300 $h =~ /^\d+$/ && $h >= 0 &&
301 $h < 24 || &error($text{'save_ehours'});
302 $m =~ /^\d+$/ && $m >= 0 &&
303 $m < 60 || &error($text{'save_ehours'});
304 $user{'hours'.$t} = "$h.$m";
305 $mins{$t} = $h*60+$m;
307 $mins{'from'} < $mins{'to'} || &error($text{'save_ehours2'});
311 $user{'days'} = $old->{'days'};
312 $user{'hoursfrom'} = $old->{'hoursfrom'};
313 $user{'hoursto'} = $old->{'hoursto'};
316 # Check for temporary password lock
317 if (!$in{'lock'} && $user{'pass'} =~ /^\!(.*)$/) {
320 elsif ($in{'lock'} && $user{'pass'} !~ /^\!/ && $in{'pass_def'} <= 1) {
321 $user{'pass'} = "!".$user{'pass'};
324 # Check for force change
325 $user{'temppass'} = $in{'temp'};
328 # update user and all ACLs
329 &modify_user($in{'old'}, \%user);
330 if ($in{'old'} ne $user{'name'}) {
331 # Change username in other user's ACLs
332 foreach $u (&list_users()) {
333 %uaccess = &get_module_acl($u->{'name'});
334 local @au = split(/\s+/, $uaccess{'users'});
335 local $idx = &indexof($in{'old'}, @au);
337 $au[$idx] = $in{'name'};
338 $uaccess{'users'} = join(" ", @au);
339 &save_module_acl(\%uaccess, $u->{'name'});
345 # create and add to access list
346 &create_user(\%user, $in{'clone'});
347 if ($access{'users'} ne '*') {
348 $access{'users'} .= " ".$in{'name'};
349 &save_module_acl(\%access);
353 if ($in{'old'} && $in{'acl_security_form'} && !$newgroup) {
354 # Update user's global ACL
355 &foreign_require("", "acl_security.pl");
356 &foreign_call("", "acl_security_save", \%uaccess, \%in);
357 $aclfile = "$config_directory/$in{'name'}.acl";
358 &lock_file($aclfile);
359 &save_module_acl(\%uaccess, $in{'name'}, "", 1);
360 chmod(0640, $aclfile) if (-r $aclfile);
361 &unlock_file($aclfile);
366 delete($in{'oldpass'});
368 &webmin_log("modify", "user", $in{'old'}, \%in);
371 &webmin_log("create", "user", $user{'name'}, \%in);