virtual bool OnWebRequest(CWebSock& WebSock, const CString& sPageName, CTemplate& Tmpl) { CSmartPtr<CWebSession> spSession = WebSock.GetSession(); if (sPageName == "settings") { // Admin Check if (!spSession->IsAdmin()) { return false; } return SettingsPage(WebSock, Tmpl); } else if (sPageName == "adduser") { // Admin Check if (!spSession->IsAdmin()) { return false; } return UserPage(WebSock, Tmpl); } else if (sPageName == "editchan") { CUser* pUser = SafeGetUserFromParam(WebSock); // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } if (!pUser) { WebSock.PrintErrorPage("No such username"); return true; } CString sChan = WebSock.GetParam("name"); if(sChan.empty() && !WebSock.IsPost()) { sChan = WebSock.GetParam("name", false); } CChan* pChan = pUser->FindChan(sChan); if (!pChan) { WebSock.PrintErrorPage("No such channel"); return true; } return ChanPage(WebSock, Tmpl, pUser, pChan); } else if (sPageName == "addchan") { CUser* pUser = SafeGetUserFromParam(WebSock); // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } if (pUser) { return ChanPage(WebSock, Tmpl, pUser); } WebSock.PrintErrorPage("No such username"); return true; } else if (sPageName == "delchan") { CUser* pUser = CZNC::Get().FindUser(WebSock.GetParam("user", false)); // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } if (pUser) { return DelChan(WebSock, pUser); } WebSock.PrintErrorPage("No such username"); return true; } else if (sPageName == "deluser") { if (!spSession->IsAdmin()) { return false; } if (!WebSock.IsPost()) { // Show the "Are you sure?" page: CString sUser = WebSock.GetParam("user", false); CUser* pUser = CZNC::Get().FindUser(sUser); if (!pUser) { WebSock.PrintErrorPage("No such username"); return true; } Tmpl.SetFile("del_user.tmpl"); Tmpl["Username"] = sUser; return true; } // The "Are you sure?" page has been submitted with "Yes", // so we actually delete the user now: CString sUser = WebSock.GetParam("user"); CUser* pUser = CZNC::Get().FindUser(sUser); if (pUser && pUser == spSession->GetUser()) { WebSock.PrintErrorPage("Please don't delete yourself, suicide is not the answer!"); return true; } else if (CZNC::Get().DeleteUser(sUser)) { WebSock.Redirect("listusers"); return true; } WebSock.PrintErrorPage("No such username"); return true; } else if (sPageName == "edituser") { CString sUserName = SafeGetUserNameParam(WebSock); CUser* pUser = CZNC::Get().FindUser(sUserName); if(!pUser) { if(sUserName.empty()) { pUser = spSession->GetUser(); } // else: the "no such user" message will be printed. } // Admin||Self Check if (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) { return false; } if (pUser) { return UserPage(WebSock, Tmpl, pUser); } WebSock.PrintErrorPage("No such username"); return true; } else if (sPageName == "listusers" && spSession->IsAdmin()) { return ListUsersPage(WebSock, Tmpl); } else if (sPageName == "traffic" && spSession->IsAdmin()) { return TrafficPage(WebSock, Tmpl); } else if (sPageName.empty() || sPageName == "index") { return true; } return false; }
CUser* GetNewUser(CWebSock& WebSock, CUser* pUser) { CSmartPtr<CWebSession> spSession = WebSock.GetSession(); CString sUsername = WebSock.GetParam("newuser"); if (sUsername.empty()) { sUsername = WebSock.GetParam("user"); } if (sUsername.empty()) { WebSock.PrintErrorPage("Invalid Submission [Username is required]"); return NULL; } if (pUser) { /* If we are editing a user we must not change the user name */ sUsername = pUser->GetUserName(); } CString sArg = WebSock.GetParam("password"); if (sArg != WebSock.GetParam("password2")) { WebSock.PrintErrorPage("Invalid Submission [Passwords do not match]"); return NULL; } CUser* pNewUser = new CUser(sUsername); if (!sArg.empty()) { CString sSalt = CUtils::GetSalt(); CString sHash = CUser::SaltedHash(sArg, sSalt); pNewUser->SetPass(sHash, CUser::HASH_DEFAULT, sSalt); } VCString vsArgs; WebSock.GetRawParam("servers").Split("\n", vsArgs); unsigned int a = 0; for (a = 0; a < vsArgs.size(); a++) { pNewUser->AddServer(vsArgs[a].Trim_n()); } WebSock.GetRawParam("allowedips").Split("\n", vsArgs); if (vsArgs.size()) { for (a = 0; a < vsArgs.size(); a++) { pNewUser->AddAllowedHost(vsArgs[a].Trim_n()); } } else { pNewUser->AddAllowedHost("*"); } WebSock.GetRawParam("ctcpreplies").Split("\n", vsArgs); for (a = 0; a < vsArgs.size(); a++) { CString sReply = vsArgs[a].TrimRight_n("\r"); pNewUser->AddCTCPReply(sReply.Token(0).Trim_n(), sReply.Token(1, true).Trim_n()); } sArg = WebSock.GetParam("nick"); if (!sArg.empty()) { pNewUser->SetNick(sArg); } sArg = WebSock.GetParam("altnick"); if (!sArg.empty()) { pNewUser->SetAltNick(sArg); } sArg = WebSock.GetParam("statusprefix"); if (!sArg.empty()) { pNewUser->SetStatusPrefix(sArg); } sArg = WebSock.GetParam("ident"); if (!sArg.empty()) { pNewUser->SetIdent(sArg); } sArg = WebSock.GetParam("skin"); if (!sArg.empty()) { pNewUser->SetSkinName(sArg); } sArg = WebSock.GetParam("realname"); if (!sArg.empty()) { pNewUser->SetRealName(sArg); } sArg = WebSock.GetParam("quitmsg"); if (!sArg.empty()) { pNewUser->SetQuitMsg(sArg); } sArg = WebSock.GetParam("chanmodes"); if (!sArg.empty()) { pNewUser->SetDefaultChanModes(sArg); } sArg = WebSock.GetParam("timestampformat"); if (!sArg.empty()) { pNewUser->SetTimestampFormat(sArg); } sArg = WebSock.GetParam("bindhost"); // To change BindHosts be admin or don't have DenySetBindHost if (spSession->IsAdmin() || !spSession->GetUser()->DenySetBindHost()) { if (!sArg.empty()) { pNewUser->SetBindHost(sArg); } } else if (pUser){ pNewUser->SetBindHost(pUser->GetBindHost()); } // First apply the old limit in case the new one is too high if (pUser) pNewUser->SetBufferCount(pUser->GetBufferCount(), true); pNewUser->SetBufferCount(WebSock.GetParam("bufsize").ToUInt()); pNewUser->SetSkinName(WebSock.GetParam("skin")); pNewUser->SetKeepBuffer(WebSock.GetParam("keepbuffer").ToBool()); pNewUser->SetMultiClients(WebSock.GetParam("multiclients").ToBool()); pNewUser->SetBounceDCCs(WebSock.GetParam("bouncedccs").ToBool()); pNewUser->SetUseClientIP(WebSock.GetParam("useclientip").ToBool()); pNewUser->SetTimestampAppend(WebSock.GetParam("appendtimestamp").ToBool()); pNewUser->SetTimestampPrepend(WebSock.GetParam("prependtimestamp").ToBool()); pNewUser->SetTimezoneOffset(WebSock.GetParam("timezoneoffset").ToDouble()); pNewUser->SetJoinTries(WebSock.GetParam("jointries").ToUInt()); pNewUser->SetMaxJoins(WebSock.GetParam("maxjoins").ToUInt()); pNewUser->SetIRCConnectEnabled(WebSock.GetParam("doconnect").ToBool()); if (spSession->IsAdmin()) { pNewUser->SetDenyLoadMod(WebSock.GetParam("denyloadmod").ToBool()); pNewUser->SetDenySetBindHost(WebSock.GetParam("denysetbindhost").ToBool()); } else if (pUser) { pNewUser->SetDenyLoadMod(pUser->DenyLoadMod()); pNewUser->SetDenySetBindHost(pUser->DenySetBindHost()); } // If pUser is not NULL, we are editing an existing user. // Users must not be able to change their own admin flag. if (pUser != CZNC::Get().FindUser(WebSock.GetUser())) { pNewUser->SetAdmin(WebSock.GetParam("isadmin").ToBool()); } else if (pUser) { pNewUser->SetAdmin(pUser->IsAdmin()); } WebSock.GetParamValues("channel", vsArgs); for (a = 0; a < vsArgs.size(); a++) { const CString& sChan = vsArgs[a]; pNewUser->AddChan(sChan.TrimRight_n("\r"), WebSock.GetParam("save_" + sChan).ToBool()); } if (spSession->IsAdmin() || (pUser && !pUser->DenyLoadMod())) { WebSock.GetParamValues("loadmod", vsArgs); for (a = 0; a < vsArgs.size(); a++) { CString sModRet; CString sModName = vsArgs[a].TrimRight_n("\r"); CString sModLoadError; if (!sModName.empty()) { CString sArgs = WebSock.GetParam("modargs_" + sModName); try { if (!pNewUser->GetModules().LoadModule(sModName, sArgs, pNewUser, sModRet)) { sModLoadError = "Unable to load module [" + sModName + "] [" + sModRet + "]"; } } catch (...) { sModLoadError = "Unable to load module [" + sModName + "] [" + sArgs + "]"; } if (!sModLoadError.empty()) { DEBUG(sModLoadError); spSession->AddError(sModLoadError); } } } } else if (pUser) { CModules& Modules = pUser->GetModules(); for (a = 0; a < Modules.size(); a++) { CString sModName = Modules[a]->GetModName(); CString sArgs = Modules[a]->GetArgs(); CString sModRet; CString sModLoadError; try { if (!pNewUser->GetModules().LoadModule(sModName, sArgs, pNewUser, sModRet)) { sModLoadError = "Unable to load module [" + sModName + "] [" + sModRet + "]"; } } catch (...) { sModLoadError = "Unable to load module [" + sModName + "]"; } if (!sModLoadError.empty()) { DEBUG(sModLoadError); spSession->AddError(sModLoadError); } } } return pNewUser; }