2.1.27

Fix for #2452, #2438, #2401, #2416
nilsteampassnet · Oct 28, 2018 · 84f3da5 · 84f3da5
1 parent 505f03f
commit 84f3da5
Show file tree

Hide file tree

Showing 10 changed files with 81 additions and 50 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,6 +22,13 @@ RUN echo && \
   echo "max_execution_time = 120" >> /usr/local/etc/php/conf.d/docker-vars.ini && \
 echo
 
+# Fix API URL, BUG: API not working in container. #2100
+# Search last } and insert configuration rows before
+RUN sed -i '/^}/i \
+  location /api/ {\
+          try_files $uri $uri/ /api/index.php?$args;\
+  }' /etc/nginx/sites-enabled/default.conf
+
 COPY teampass-docker-start.sh /teampass-docker-start.sh
 
 # Configure nginx-php-fpm image to pull our code.

diff --git a/changelog.txt b/changelog.txt
@@ -1,9 +1,12 @@
 2.1.27
 24/
+ #2452 Fix API URL
+ #2438 Add new user fails due to missing default for not null fields
  #2436 Undefined variable: user_id in api/functions.php
  #2432 Empty item URL automatically fills with 'https://'
  #2426 New option to force admin user to get connect using 2 factor code
  #2416 Backslash in user's password
+ #2401 New LDAP account has full access when they log in for the first time
 
 23/
  #2419 Cannot show password by using item menu bars entry

diff --git a/includes/language/english.php b/includes/language/english.php
@@ -14,6 +14,7 @@
  */
 global $LANG;
 $LANG = array (
+    '2fa_authentication_selector' => '',
     'user_ga_code' => 'Email Google Authentication to user',
     'send_ga_code' => 'Set and email Google Authentication code',
     'error_no_email' => 'This user has no email address set!',

diff --git a/install/install.queries.php b/install/install.queries.php
@@ -648,8 +648,8 @@ function encryptFollowingDefuse($message, $ascii_key)
                             `psk` varchar(400) NULL,
                             `ga` varchar(50) NULL,
                             `ga_temporary_code` VARCHAR(20) NOT NULL DEFAULT 'none',
-                            `avatar` varchar(1000) NULL,
-                            `avatar_thumb` varchar(1000) NULL,
+                            `avatar` varchar(1000) NULL DEFAULT NULL,
+                            `avatar_thumb` varchar(1000) NULL DEFAULT NULL,
                             `upgrade_needed` BOOLEAN NOT NULL DEFAULT FALSE,
                             `treeloadstrategy` varchar(30) NOT null DEFAULT 'full',
                             `can_manage_all_users` tinyint(1) NOT NULL DEFAULT '0',

diff --git a/install/upgrade_run_2.1.27.php b/install/upgrade_run_2.1.27.php
@@ -1045,6 +1045,20 @@ function replace_a_line($data)
 );
 
 
+// alter table USERS
+mysqli_query(
+    $db_link,
+    "ALTER TABLE `".$pre."users` CHANGE `avatar` `avatar` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL, CHANGE `avatar_thumb` `avatar_thumb` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;"
+);
+
+
+// alter table NESTED_TREE
+mysqli_query(
+    $db_link,
+    "ALTER TABLE `".$pre."nested_tree` CHANGE `nleft` `nleft` INT(11) NULL DEFAULT NULL, CHANGE `nright` `nright` INT(11) NULL DEFAULT NULL, CHANGE `nlevel` `nlevel` INT(11) NULL DEFAULT NULL;"
+);"
+
+
 
 // add new field for items_change
 mysqli_query(

diff --git a/items.php b/items.php
@@ -41,15 +41,14 @@
 require_once $SETTINGS['cpassman_dir'].'/sources/main.functions.php';
 require_once $SETTINGS['cpassman_dir'].'/includes/libraries/protect/SuperGlobal/SuperGlobal.php';
 $superGlobal = new protect\SuperGlobal\SuperGlobal();
-
+            
 // Prepare GET variables
 $get_group = $superGlobal->get("group", "GET");
 $get_id = $superGlobal->get("id", "GET");
 
 // Prepare SESSION variables
 $session_user_admin = $superGlobal->get("user_admin", "SESSION");
 
-
 if ($session_user_admin === '1'
     && (isset($SETTINGS_EXT['admin_full_right']) === true && $SETTINGS_EXT['admin_full_right'] === true)
     || isset($SETTINGS_EXT['admin_full_right']) === false
@@ -84,6 +83,7 @@
     }
 }
 
+
 // Hidden things
 echo '
 <input type="hidden" name="hid_cat" id="hid_cat" value="', $get_group !== null ? $get_group : "", '" />

diff --git a/sources/core.php b/sources/core.php
@@ -419,6 +419,7 @@ function delTree($dir)
             $SETTINGS
         );
 
+
         // user type
         if (isset($LANG) === true) {
             if ($_SESSION['user_admin'] === '1') {

diff --git a/sources/identify.php b/sources/identify.php
@@ -175,6 +175,12 @@
                                 'personal_folder' => '1'
                             )
                         );
+
+                        // Rebuild tree
+                        $tree = new SplClassLoader('Tree\NestedTree', $SETTINGS['cpassman_dir'].'/includes/libraries');
+                        $tree->register();
+                        $tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
+                        $tree->rebuild();
                     }
                 }
             }
@@ -413,7 +419,7 @@ function identifyUser(
         $dbgDuo = fopen($SETTINGS['path_to_files_folder']."/duo.debug.txt", "a");
 
         fputs(
-            $dbgDuo,
+            /** @scrutinizer ignore-type */ $dbgDuo,
             "Content of data sent '".filter_var($sentData, FILTER_SANITIZE_STRING)."'\n"
         );
     }
@@ -798,7 +804,9 @@ function identifyUser(
                 if ($debugLdap == 1) {
                     fputs($dbgLdap, "expiry check of user $auth_username returned: $_UserExpiry\n\n");
                 }
-                if (is_array($_UserExpiry) === false && strstr($_UserExpiry, "not expire") === false) {
+                if (is_array($_UserExpiry) === false
+                    && strstr($_UserExpiry, "not expire") === false
+                ) {
                     echo '[{"value" : "user_not_exists '.$auth_username.'", "text":""}]';
                     exit();
                 }
@@ -940,6 +948,12 @@ function identifyUser(
                     'personal_folder' => '1'
                 )
             );
+
+            // Rebuild tree
+            $tree = new SplClassLoader('Tree\NestedTree', $SETTINGS['cpassman_dir'].'/includes/libraries');
+            $tree->register();
+            $tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
+            $tree->rebuild();
         }
         $proceedIdentification = true;
         $user_initial_creation_through_ldap = true;
@@ -994,7 +1008,7 @@ function identifyUser(
                         $data['id']
                     );
 
-                    echo '[{"value" : "<img src=\"'.$new_2fa_qr.'\">", "user_admin":"', /** @scrutinizer ignore-type */ isset($_SESSION['user_admin']) ? $antiXss->xss_clean($_SESSION['user_admin']) : "", '", "initial_url" : "'.@$_SESSION['initial_url'].'", "error" : "'.$logError.'"}]';
+                    echo '[{"value" : "<img src=\"'.$new_2fa_qr.'\">", "user_admin":"', isset($_SESSION['user_admin']) ? $antiXss->xss_clean($_SESSION['user_admin']) : "", '", "initial_url" : "'.@$_SESSION['initial_url'].'", "error" : "'.$logError.'"}]';
 
                     exit();
                 }
@@ -1265,15 +1279,16 @@ function identifyUser(
             $_SESSION['fin_session'] = (integer) (time() + $_SESSION['user_settings']['session_duration']);
 
             /* If this option is set user password MD5 is used as personal SALTKey */
-            if (isset($SETTINGS['use_md5_password_as_salt']) &&
-                $SETTINGS['use_md5_password_as_salt'] == 1
+            if (isset($SETTINGS['use_md5_password_as_salt'])
+                && $SETTINGS['use_md5_password_as_salt'] == 1
             ) {
                 $_SESSION['user_settings']['clear_psk'] = md5($passwordClear);
-                $tmp = encrypt($_SESSION['user_settings']['clear_psk'], "");
-                if ($tmp !== false) {
+                //$tmp = encrypt($_SESSION['user_settings']['clear_psk'], "");
+                $encryptedPSK = cryption($passwordClear, '', 'encrypt');
+                if (empty($encryptedPSK['string']) === false) {
                     setcookie(
                         "TeamPass_PFSK_".md5($_SESSION['user_id']),
-                        $tmp,
+                        $encryptedPSK['string'],
                         time() + 60 * 60 * 24 * $SETTINGS['personal_saltkey_cookie_duration'],
                         '/'
                     );
@@ -1360,39 +1375,20 @@ function identifyUser(
             }
 
             // Get user's rights
-            if ($user_initial_creation_through_ldap === false) {
-                identifyUserRights(
-                    $data['groupes_visibles'],
-                    $_SESSION['groupes_interdits'],
-                    $data['admin'],
-                    $data['fonction_id'],
-                    $server,
-                    $user,
-                    $pass,
-                    $database,
-                    $port,
-                    $encoding,
-                    $SETTINGS
-                );
-            } else {
-                // is new LDAP user. Show only his personal folder
-                if ($SETTINGS['enable_pf_feature'] === '1') {
-                    $_SESSION['personal_visible_groups'] = array($data['id']);
-                    $_SESSION['personal_folders'] = array($data['id']);
-                } else {
-                    $_SESSION['personal_visible_groups'] = array();
-                    $_SESSION['personal_folders'] = array();
-                }
-                $_SESSION['all_non_personal_folders'] = array();
-                $_SESSION['groupes_visibles'] = array();
-                $_SESSION['groupes_visibles_list'] = "";
-                $_SESSION['read_only_folders'] = array();
-                $_SESSION['list_folders_limited'] = "";
-                $_SESSION['list_folders_editable_by_role'] = array();
-                $_SESSION['list_restricted_folders_for_items'] = array();
-                $_SESSION['nb_folders'] = 1;
-                $_SESSION['nb_roles'] = 0;
-            }
+            identifyUserRights(
+                $data['groupes_visibles'],
+                $_SESSION['groupes_interdits'],
+                $data['admin'],
+                $data['fonction_id'],
+                $server,
+                $user,
+                $pass,
+                $database,
+                $port,
+                $encoding,
+                $SETTINGS
+            );
+
             // Get some more elements
             $_SESSION['screenHeight'] = $dataReceived['screenHeight'];
             // Get last seen items

diff --git a/sources/main.functions.php b/sources/main.functions.php
@@ -732,7 +732,6 @@ function identifyUserRights(
                 }
             }
         }
-
         // Clean arrays
         $listAllowedFolders = array_unique($listAllowedFolders);
         $groupesVisiblesUser = explode(';', trimElement($groupesVisiblesUser, ";"));
@@ -801,20 +800,25 @@ function identifyUserRights(
                 $_SESSION['user_id'],
                 1
             );
+
             if (empty($persoFld['id']) === false) {
                 if (in_array($persoFld['id'], $listAllowedFolders) === false) {
                     array_push($_SESSION['personal_folders'], $persoFld['id']);
                     array_push($listAllowedFolders, $persoFld['id']);
                     array_push($_SESSION['personal_visible_groups'], $persoFld['id']);
+
                     // get all descendants
-                    $ids = $tree->getDescendants($persoFld['id'], true, false);
+                    $ids = $tree->getDescendants($persoFld['id'], false, false);
                     foreach ($ids as $ident) {
-                        array_push($listAllowedFolders, $ident->id);
-                        array_push($_SESSION['personal_visible_groups'], $ident->id);
-                        array_push($_SESSION['personal_folders'], $ident->id);
+                        if ($ident->personal_folder === 1) {
+                            array_push($listAllowedFolders, $ident->id);
+                            array_push($_SESSION['personal_visible_groups'], $ident->id);
+                            array_push($_SESSION['personal_folders'], $ident->id);
+                        }
                     }
                 }
             }
+
             // get list of readonly folders when pf is disabled.
             $_SESSION['personal_folders'] = array_unique($_SESSION['personal_folders']);
             // rule - if one folder is set as W or N in one of the Role, then User has access as W

diff --git a/sources/tree.php b/sources/tree.php
@@ -314,6 +314,8 @@ function recursiveTree($nodeId)
     $session_list_folders_limited = $superGlobal->get("list_folders_limited", "SESSION");
     $session_read_only_folders = $superGlobal->get("read_only_folders", "SESSION");
 
+
+
     // Be sure that user can only see folders he/she is allowed to
     if (in_array($completTree[$nodeId]->id, $session_forbiden_pfs) === false
         || in_array($completTree[$nodeId]->id, $session_groupes_visibles) === true
@@ -368,6 +370,9 @@ function recursiveTree($nodeId)
             }
         }
 
+        //echo " >> ".$nodeId." ; ".$displayThisNode." ;; ";
+        //print_r($session_groupes_visibles);
+
         if ($displayThisNode === true) {
             // get info about current folder
             DB::query(