From ad1adc9cdd234ce4904a31f244469993a0f2cb7e Mon Sep 17 00:00:00 2001
From: "Matteo Nastasi (mop)" <nastasi@alternativeoutput.it>
Date: Wed, 26 Mar 2014 07:46:31 +0100
Subject: [PATCH] add cmd unix socket with 'userauth' command implemented,
 incomplete usermgmt page added.

---
 TODO.txt                      |   3 +
 sql/sql.d/100-anagr.sql.devel |   3 +-
 web/Obj/sac-a-push.phh        |  19 ++++-
 web/Obj/user.phh              |   2 +-
 web/usermgmt.php              | 155 ++++++++++++++++++++++++++++++++++
 5 files changed, 177 insertions(+), 5 deletions(-)
 create mode 100644 web/usermgmt.php

diff --git a/TODO.txt b/TODO.txt
index 3d779e3..96c8c24 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -32,6 +32,9 @@
        DONE . manage disagreeding users investigation
        DONE . self guaranteed
 
+     DONE . userauth command works
+     DONE . use it by the usermgmt page
+     . finish to implement the user management system
      . email validation
      . account expiration
 
diff --git a/sql/sql.d/100-anagr.sql.devel b/sql/sql.d/100-anagr.sql.devel
index 6b3796a..d65f920 100644
--- a/sql/sql.d/100-anagr.sql.devel
+++ b/sql/sql.d/100-anagr.sql.devel
@@ -11,7 +11,8 @@
 -- define(USER_FLAG_TY_DISABLE, 0x00800000); // done
 
 DELETE FROM #PFX#users WHERE code = 10101;
-INSERT INTO #PFX#users (code, login, pass, email, type, guar_code) VALUES (10101, 'uno', md5('one'), 'uno@pluto.com', CAST (X'00020000' as integer), 10101);
+DELETE FROM #PFX#users WHERE guar_code = 10101 AND code != 10101;
+INSERT INTO #PFX#users (code, login, pass, email, type, guar_code) VALUES (10101, 'uno', md5('one'), 'uno@pluto.com', CAST (X'00410000' as integer), 10101);
 DELETE FROM #PFX#users WHERE code = 10102;
 INSERT INTO #PFX#users (code, login, pass, email, type, guar_code) VALUES (10102, 'due', md5('two'), 'due@pluto.com', CAST (X'00010000' as integer), 10101);
 DELETE FROM #PFX#users WHERE code = 10103;
diff --git a/web/Obj/sac-a-push.phh b/web/Obj/sac-a-push.phh
index 433ec45..b184fb4 100644
--- a/web/Obj/sac-a-push.phh
+++ b/web/Obj/sac-a-push.phh
@@ -937,17 +937,30 @@ class Sac_a_push {
 
     function direct_command($cmdstr)
     {
+        GLOBAL $G_alarm_passwd;
+
         $cmd = cmd_deserialize($cmdstr);
 
         if (!isset($cmd['cmd'])) {
             return cmd_return(500, 'no cmd found');
         }
-        // "cmd" => "userauth", "login" => 'mop', 'private' => 'it_must_be_correct',
+        // "cmd" => "userauth", "sess" => 'xxxxxxxxxxx', 'private' => 'it_must_be_correct',
         //           'the_end' => 'true' );
+        // cmd=userauth&sess=52d796ac08c47&private=yourpasswd192.168.122.152d796ac08c47&the_end=true
         if ($cmd['cmd'] == 'userauth') {
-            if (!isset($cmd['login']) || !isset($cmd['private'])) {
-                return cmd_return(503, 'malformed cmd');
+            if (!isset($cmd['sess']) || !isset($cmd['private'])) {
+                return cmd_return(401, 'malformed cmd');
             }
+            $idx = -1;
+            if (($user = $this->app->get_user($cmd['sess'], &$idx)) == FALSE)
+                return cmd_return(402, 'user not found');
+
+            if (($user->flags & USER_FLAG_TY_ADMIN) == 0x00)
+                return cmd_return(403, 'permission denied');
+
+            if (md5($G_alarm_passwd.$user->ip.$user->sess) != $cmd['private'])
+                return cmd_return(404, 'authentication failed ['.$cmd['private'].']['.$G_alarm_passwd.$user->ip.$user->sess.']');
+
             return cmd_return(200, 'success');
         }
 
diff --git a/web/Obj/user.phh b/web/Obj/user.phh
index 4754969..3e6c4a1 100644
--- a/web/Obj/user.phh
+++ b/web/Obj/user.phh
@@ -60,7 +60,7 @@ define('USER_FLAG_TY_SUPER',   0x020000); // done
 define('USER_FLAG_TY_CERT',    0x040000); // done
 //  ... other usefull status ...
 define('USER_FLAG_TY_FIRONLY', 0x200000); // done
-// define('USER_FLAG_TY_free-to-use', 0x400000); // done
+define('USER_FLAG_TY_ADMIN',   0x400000); // done
 define('USER_FLAG_TY_DISABLE', 0x800000); // done
 
 // ... reasons for disabling account ...
diff --git a/web/usermgmt.php b/web/usermgmt.php
new file mode 100644
index 0000000..79ba9b1
--- /dev/null
+++ b/web/usermgmt.php
@@ -0,0 +1,155 @@
+<?php
+/*
+ *  brisk - usermgmt.php
+ *
+ *  Copyright (C) 2014      Matteo Nastasi
+ *                          mailto: nastasi@alternativeoutput.it
+ *                                  matteo.nastasi@milug.org
+ *                          web: http://www.alternativeoutput.it
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABLILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details. You should have received a
+ * copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc, 59 Temple Place -
+ * Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+$G_base = "";
+
+$mlang_stat_day = array( 'normal match'=> array( 'it' => 'Partite normali',
+                                                 'en' => 'Normal matches' ),
+                         'special match' => array( 'it' => 'Partite speciali',
+                                                   'en' => 'Special matches'),
+
+                         'info_total'=> array( 'it' => 'totali',
+                                               'en' => 'En totali')
+                         );
+
+ini_set("max_execution_time",  "240");
+
+require_once($G_base."Obj/brisk.phh");
+require_once($G_base."Obj/user.phh");
+require_once($G_base."Obj/auth.phh");
+require_once($G_base."Obj/dbase_${G_dbasetype}.phh");
+require_once($G_base."briskin5/Obj/briskin5.phh");
+require_once($G_base."briskin5/Obj/placing.phh");
+require_once($G_base."spush/brisk-spush.phh");
+
+function check_auth()
+{
+    GLOBAL $G_alarm_passwd, $sess, $_POST, $_SERVER;
+
+    $socket = FALSE;
+    $ret = FALSE;
+    $ip = $_SERVER["REMOTE_ADDR"];
+
+    $private = md5($G_alarm_passwd.$ip.$sess);
+    $cmd = array ("cmd" => "userauth", "sess" => $sess, "private" => $private, "the_end" => "true");
+    $cmd_ser = cmd_serialize($cmd);
+    $cmd_len = mb_strlen($cmd_ser, "ASCII");
+    
+    do {
+        if (($socket = stream_socket_client("unix://".USOCK_PATH."2")) == FALSE)
+            break;
+        if (($rwr = fwrite($socket, $cmd_ser, $cmd_len)) == FALSE
+            || $rwr != $cmd_len)
+            break;
+        fflush($socket);
+        if (($buf = fread($socket, 4096)) == FALSE)
+            break;
+        $res = cmd_deserialize($buf);
+        if (!isset($res['val']) || $res['val'] != 200)
+            break;
+        $ret = TRUE;
+    } while (0);
+    if ($socket != FALSE)
+        fclose($socket);
+        
+    return ($ret);
+}
+
+function main($action) {
+    GLOBAL $G_dbpfx, $G_alarm_passwd, $f_mailusers, $sess, $_POST, $_SERVER;
+
+    if (check_auth() == FALSE) {
+        echo "Authentication failed";
+        exit;
+    }
+
+    if (isset($f_mailusers)) {
+        $action = "listnew";
+    }
+
+    if ($action == "listnew") {
+        echo "pippo";
+    }
+    else {
+        do {
+            
+            if (($bdb = BriskDB::create()) == FALSE) {
+                log_crit("stat-day: database connection failed");
+                break;
+            }
+            
+            // retrieve list of active tournaments
+            $usr_sql = sprintf("
+SELECT usr.*, guar.login AS guar_login 
+     FROM %susers AS usr 
+     JOIN %susers AS guar ON guar.code = usr.guar_code 
+     WHERE ( (usr.type & (CAST (X'%x' as integer))) = (CAST (X'%x' as integer)) )
+         AND usr.disa_reas = %d;", 
+                               $G_dbpfx, $G_dbpfx,
+                               USER_FLAG_TY_ALL, USER_FLAG_TY_DISABLE,
+                               USER_DIS_REA_NU_TOBECHK);
+            if (($usr_pg = pg_query($bdb->dbconn->db(), $usr_sql)) == FALSE) {
+                log_crit("stat-day: select from tournaments failed");
+                break;
+            }
+            
+            $usr_n = pg_numrows($usr_pg);
+            printf("Number of tournaments: %d\n", $usr_n);
+
+            $tab_lines = "";
+            // loop on tournaments
+            for ($i = 0 ; $i < $usr_n ; $i++) {
+                // log_crit("stat-day: LOOP i");
+                $usr_obj = pg_fetch_object($usr_pg, $i);
+                
+                $tab_lines .= sprintf("<tr><td><input name=\"f_newuser%d\" type=\"checkbox\" CHECKED></td><td>%s</td><td></td></tr>\n",
+                                      $usr_obj->code, eschtml($usr_obj->login), eschtml($usr_obj->guar_login));
+            }
+            ?>
+<html>
+<body>
+<form action="<?php echo "$PHP_SELF"; ?>" method="POST">
+<table>
+<?php
+     echo $tab_lines;
+?>
+</table>
+<input type="submit" name="f_mailusers" value="Done">
+</form>
+</body>
+</html>
+<?php
+      
+        } while(FALSE);
+    }
+}
+
+if (!isset($f_action)) {
+    $action = FALSE;
+}
+
+main($action);
+
+
+?>
\ No newline at end of file
-- 
2.17.1