From 6854cb3f4d8219cf1829e32122eb2502a916eae9 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Sat, 1 Feb 2020 09:05:48 +0100 Subject: initial checkin --- scripts/admin.php | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 scripts/admin.php (limited to 'scripts/admin.php') diff --git a/scripts/admin.php b/scripts/admin.php new file mode 100644 index 0000000..08c0caa --- /dev/null +++ b/scripts/admin.php @@ -0,0 +1,185 @@ +perms('is_admin')) { + Flyspray::show_error(4); +} + +$proj = new Project(0); +#I $proj->setCookie(); + +$page->pushTpl('admin.menu.tpl'); + +switch ($area = Req::val('area', 'prefs')) { + case 'users': + $id = Flyspray::usernameToId(Req::val('user_name')); + if (!$id) { + $id = is_numeric(Req::val('user_id')) ? Req::val('user_id') : 0; + } + $theuser = new User($id, $proj); + if ($theuser->isAnon()) { + Flyspray::show_error(5, true, null, $_SESSION['prev_page']); + } + $page->assign('theuser', $theuser); + case 'cat': + case 'editgroup': + // yeah, utterly stupid, is changed in 1.0 already + if (Req::val('area') == 'editgroup') { + $group_details = Flyspray::getGroupDetails(Req::num('id')); + if (!$group_details || $group_details['project_id'] != $proj->id) { + Flyspray::show_error(L('groupnotexist')); + Flyspray::redirect(createURL('pm', 'groups', $proj->id)); + } + $page->uses('group_details'); + } + case 'groups': + case 'newuser': + case 'newuserbulk': + case 'editallusers': + $page->assign('groups', Flyspray::listGroups()); + case 'userrequest': + $sql = $db->query("SELECT * + FROM {admin_requests} + WHERE request_type = 3 AND project_id = 0 AND resolved_by = 0 + ORDER BY time_submitted ASC"); + + $page->assign('pendings', $db->fetchAllArray($sql)); + case 'newproject': + case 'os': + case 'prefs': + case 'resolution': + case 'tasktype': + case 'tag': + case 'status': + case 'version': + case 'newgroup': + $page->setTitle($fs->prefs['page_title'] . L('admintoolboxlong')); + $page->pushTpl('admin.'.$area.'.tpl'); + break; + + case 'translations': + require_once(BASEDIR.'/scripts/langdiff.php'); + break; + + case 'checks': + $hashtypes=$db->query(' + SELECT COUNT(*) c, LENGTH(user_pass) l, + CASE WHEN SUBSTRING(user_pass FROM 1 FOR 1)=\'$\' THEN 1 ELSE 0 END AS s, + SUM(CASE WHEN (SUBSTRING(user_pass FROM 1 FOR 2)=\'$2\' AND SUBSTRING(user_pass FROM 3 FOR 1)=\'$\' ) THEN 1 ELSE 0 END) cr, + SUM(CASE WHEN (SUBSTRING(user_pass FROM 1 FOR 2)=\'$2\' AND SUBSTRING(user_pass FROM 3 FOR 1) IN( \'a\', \'x\', \'y\' ) ) THEN 1 ELSE 0 END) bcr, + SUM(CASE WHEN SUBSTRING(user_pass FROM 1 FOR 3)=\'$1$\' THEN 1 ELSE 0 END) md5crypt, + SUM(CASE WHEN SUBSTRING(user_pass FROM 1 FOR 8)=\'$argon2i\' THEN 1 ELSE 0 END) argon2i + FROM {users} + GROUP BY LENGTH(user_pass), CASE WHEN SUBSTRING(user_pass FROM 1 FOR 1)=\'$\' THEN 1 ELSE 0 END + ORDER BY l ASC, s ASC'); + $hashlengths=''; + $warnhash=0; + $warnhash2=0; + while ($r = $db->fetchRow($hashtypes)){ + $alert=''; + if( $r['l']==32 && $r['s']==0){ $maybe='md5'; $warnhash+=$r['c']; $alert=' style="background-color:#f99"';} + elseif($r['l']==13 && $r['s']==0){ $maybe='CRYPT_STD_DES'; $r['s']=2; $warnhash2+=$r['c']; $alert=' style="background-color:#fc9"';} + elseif($r['l']==40 && $r['s']==0){ $maybe='sha1'; $warnhash+=$r['c']; $alert=' style="background-color:#f99"';} + elseif($r['l']==128 && $r['s']==0){ $maybe='sha512'; $warnhash+=$r['c']; $alert=' style="background-color:#f99"';} + elseif($r['l']==34 && $r['s']==1){ $maybe='CRYPT_MD5';$warnhash2+=$r['c'];$alert=' style="background-color:#fc9"';} + elseif($r['l']==60){$maybe='CRYPT_BLOWFISH';} + elseif($r['s']==1){ + $maybe='other pw hashes'; + if($r['argon2i']>0){$maybe.=': '.$r['argon2i'].' argon2i'; } + }else{$maybe='not detected';} + $hashlengths.=''; + } + $hashlengths.='
strlencountsalted?optionshash algo
'.$r['l'].' '.$r['c'].''.$r['s'].''.$r['bcr'].' '.$r['cr'].' '.$r['md5crypt'].' '.$r['argon2i'].''.$maybe.'
'; + if($warnhash>0){ + $hashlengths.='
'.$warnhash." users with unsalted password hashes.
"; + } + if($warnhash2>0){ + $hashlengths.='
'.$warnhash2." users with salted password hashes, but considered bad algorithms for password hashing.
"; + } + $page->assign('passwdcrypt', $conf['general']['passwdcrypt']); + $page->assign('hashlengths', $hashlengths); + + # info of old temporary unfinished user registration entries, for insights into register bot pattern or for cleanup old entries to free unused usernames as available again. + $statregistrations=$db->query('SELECT COUNT(*) FROM {registrations}'); + $regcount=$db->fetchOne($statregistrations); + $page->assign('regcount', $regcount); + + # show oldest unfinished user registrations + $registrations=$db->query('SELECT reg_time, user_name, email_address FROM {registrations} + ORDER BY reg_time ASC + LIMIT 50'); + $page->assign('registrations', $db->fetchAllArray($registrations)); + + $sinfo=$db->dblink->serverInfo(); + if( ($db->dbtype=='mysqli' || $db->dbtype=='mysql') && isset($sinfo['version'])){ + $fsdb=$db->query("SELECT default_character_set_name, default_collation_name + FROM INFORMATION_SCHEMA.SCHEMATA + WHERE SCHEMA_NAME=?", array($db->dblink->database) + ); + $page->assign('fsdb', $db->fetchRow($fsdb)); + + # TODO Test if Flyspray tables really have default charset utf8mb4 and default collation utf8mb4_unicode_ci. + # TODO Test if the TEXT/CHAR/VARCHAR fields that should have utf8mb_unicode_ci really have it. + # TODO Test if the TEXT/CHAR/VARCHAR fields that should have other collations really have that other collation. + # utf8mb4_unicode_ci may be not optimal for every TEXT/CHAR/VARCHAR field of Flyspray. + # Must be defined explicit for fields that differs from the default in the xmlschemas in the setup/upgrade/* files. + # At the moment (in 2019) the current ADODB 5.20.14 release does not handle that stuff yet. + + if(version_compare($sinfo['version'], '5.5.3')>=0 ){ + $page->assign('utf8mb4upgradable', "Your MySQL supports full utf-8 since 5.5.3. You are using ".$sinfo['version']." and Flyspray tables could be upgraded."); + } else{ + $page->assign('oldmysqlversion', "Your MySQL version ".$sinfo['version']." does not support full utf-8, only up to 3 Byte chars. No emojis for instance. Consider upgrading your MySQL server version."); + } + + $fstables=$db->query("SELECT table_name, table_collation, engine as table_type, create_options, table_comment + FROM INFORMATION_SCHEMA.tables + WHERE table_schema=? AND table_name LIKE '".$db->dbprefix."%' + ORDER BY table_name ASC", array($db->dblink->database) + ); + $page->assign('fstables', $db->fetchAllArray($fstables)); + + $fsfields=$db->query(" + SELECT table_name, column_name, column_default, data_type, character_set_name, collation_name, column_type, column_comment + FROM INFORMATION_SCHEMA.columns + WHERE table_schema=? AND table_name LIKE '".$db->dbprefix."%' + ORDER BY table_name ASC, ordinal_position ASC", array($db->dblink->database) + ); + $page->assign('fsfields', $db->fetchAllArray($fsfields)); + + } elseif($db->dbtype=='pgsql'){ + $fstables=$db->query("SELECT table_name, '' AS table_collation, table_type, '' AS create_options, '-' AS table_comment + FROM INFORMATION_SCHEMA.tables + WHERE table_catalog=? AND table_name LIKE '".$db->dbprefix."%' + ORDER BY table_name ASC", array($db->dblink->database) + ); + $page->assign('fstables', $db->fetchAllArray($fstables)); + + $fsfields=$db->query(" + SELECT table_name, column_name, column_default, data_type as column_type, character_set_name, collation_name, '-' AS column_comment + FROM INFORMATION_SCHEMA.columns + WHERE table_catalog=? AND table_name LIKE '".$db->dbprefix."%' + ORDER BY table_name ASC, ordinal_position ASC", array($db->dblink->database) + ); + $page->assign('fsfields', $db->fetchAllArray($fsfields)); + } + $page->assign('adodbversion', $db->dblink->version()); + $page->assign('htmlpurifierversion', HTMLPurifier::VERSION); + $page->pushTpl('admin.'.$area.'.tpl'); + break; + default: + Flyspray::show_error(6); +} + +?> -- cgit v1.2.3-70-g09d2