Merge pull request #24 from LDAPAccountManager/2factor_auth

2factor auth

lam/lib/2factor.inc

@@ -1,6 +1,7 @@
 <?php
 namespace LAM\LIB\TWO_FACTOR;
 use \selfServiceProfile;
+use \LAMConfig;
 
 /*
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
@@ -58,15 +59,15 @@ interface TwoFactorProvider {
  */
 class PrivacyIDEAProvider implements TwoFactorProvider {
 
-	private $profile;
+	private $config;
 
 	/**
 	 * Constructor.
 	 *
-	 * @param selfServiceProfile $profile profile
+	 * @param TwoFactorConfiguration $config configuration
 	 */
-	public function __construct(&$profile) {
-		$this->profile = $profile;
+	public function __construct(&$config) {
+		$this->config = $config;
 	}
 
 	/**
@@ -99,7 +100,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function authenticate($user, $password) {
 		$curl = $this->getCurl();
-		$url = $this->profile->twoFactorAuthenticationURL . "/auth";
+		$url = $this->config->twoFactorAuthenticationURL . "/auth";
 		curl_setopt($curl, CURLOPT_URL, $url);
 		$header = array('Accept: application/json');
 		curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
@@ -137,7 +138,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function getCurl() {
 		$curl = curl_init();
-		if ($this->profile->twoFactorAuthenticationInsecure) {
+		if ($this->config->twoFactorAuthenticationInsecure) {
 			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
 			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
 		}
@@ -154,7 +155,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function getSerialsForUser($user, $token) {
 		$curl = $this->getCurl();
-		$url = $this->profile->twoFactorAuthenticationURL . "/token/?user=" . $user;
+		$url = $this->config->twoFactorAuthenticationURL . "/token/?user=" . $user;
 		curl_setopt($curl, CURLOPT_URL, $url);
 		$header = array('Authorization: ' . $token, 'Accept: application/json');
 		curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
@@ -192,7 +193,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function verify($token, $serial, $twoFactorInput) {
 		$curl = $this->getCurl();
-		$url = $this->profile->twoFactorAuthenticationURL . "/validate/check";
+		$url = $this->config->twoFactorAuthenticationURL . "/validate/check";
 		curl_setopt($curl, CURLOPT_URL, $url);
 		$options = array(
 			'pass' => $twoFactorInput,
@@ -225,15 +226,25 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
  */
 class TwoFactorProviderService {
 
-	private $profile;
+	/** 2factor authentication disabled */
+	const TWO_FACTOR_NONE = 'none';
+	/** 2factor authentication via privacyIDEA */
+	const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
+
+	private $config;
 
 	/**
 	 * Constructor.
 	 *
-	 * @param selfServiceProfile $profile profile
+	 * @param selfServiceProfile|LAMConfig $configObj profile
 	 */
-	public function __construct(&$profile) {
-		$this->profile = $profile;
+	public function __construct(&$configObj) {
+		if ($configObj instanceof selfServiceProfile) {
+			$this->config = $this->getConfigSelfService($configObj);
+		}
+		else {
+			$this->config = $this->getConfigAdmin($configObj);
+		}
 	}
 
 	/**
@@ -244,10 +255,49 @@ class TwoFactorProviderService {
 	 * @throws \Exception unable to get provider
 	 */
 	public function getProvider() {
-		if ($this->profile->twoFactorAuthentication == selfServiceProfile::TWO_FACTOR_PRIVACYIDEA) {
-			return new PrivacyIDEAProvider($this->profile);
+		if ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) {
+			return new PrivacyIDEAProvider($this->config);
 		}
-		throw new \Exception('Invalid provider: ' . $this->profile->twoFactorAuthentication);
+		throw new \Exception('Invalid provider: ' . $this->config->twoFactorAuthentication);
+	}
+
+	/**
+	 * Returns the configuration from self service.
+	 *
+	 * @param selfServiceProfile $profile profile
+	 * @return TwoFactorConfiguration configuration
+	 */
+	private function getConfigSelfService(&$profile) {
+		$config = new TwoFactorConfiguration();
+		$config->twoFactorAuthentication = $profile->twoFactorAuthentication;
+		$config->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure;
+		$config->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL;
+		return $config;
+	}
+
+	/**
+	 * Returns the configuration for admin interface.
+	 *
+	 * @param LAMConfig $conf configuration
+	 * @return TwoFactorConfiguration configuration
+	 */
+	private function getConfigAdmin($conf) {
+		$config = new TwoFactorConfiguration();
+		$config->twoFactorAuthentication = $conf->getTwoFactorAuthentication();
+		$config->twoFactorAuthenticationInsecure = $conf->getTwoFactorAuthenticationInsecure();
+		$config->twoFactorAuthenticationURL = $conf->getTwoFactorAuthenticationURL();
+		return $config;
 	}
 
 }
+
+/**
+ * Configuration settings for 2-factor authentication.
+ *
+ * @author Roland Gruber
+ */
+class TwoFactorConfiguration {
+	public $twoFactorAuthentication = null;
+	public $twoFactorAuthenticationURL = null;
+	public $twoFactorAuthenticationInsecure = false;
+}

lam/lib/account.inc

@@ -1467,6 +1467,22 @@ function validateReCAPTCHA($secretKey) {
 	return $responseJSON->{'success'} === true;
 }
 
+/**
+ * Checks if the user is logged in. Stops script execution if not.
+ *
+ * @param boolean $check2ndFactor check if the 2nd factor was provided if required
+ */
+function enforceUserIsLoggedIn($check2ndFactor = true) {
+	if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
+		logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login: ' . $_SERVER["SCRIPT_FILENAME"]);
+		die();
+	}
+	if ($check2ndFactor && isset($_SESSION['2factorRequired'])) {
+		die();
+		logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login (2nd factor not provided): ' . $_SERVER["SCRIPT_FILENAME"]);
+	}
+}
+
 class LAMException extends Exception {
 
 	private $title;

lam/lib/config.inc

@@ -1,9 +1,10 @@
 <?php
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -31,11 +32,13 @@ $Id$
 */
 
 /** Used to print messages. */
-include_once("status.inc");
+include_once "status.inc";
 /** Used to get module information. */
-include_once("modules.inc");
+include_once "modules.inc";
 /** Used to get type information. */
-include_once("types.inc");
+include_once "types.inc";
+/** 2-factor */
+include_once '2factor.inc';
 
 /**
  * Sets the environment variables for custom SSL CA certificates.
@@ -567,6 +570,13 @@ class LAMConfig {
 	/** job configuration */
 	private $jobSettings = array();
 
+	private $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
+	private $twoFactorAuthenticationURL = 'https://localhost';
+	private $twoFactorAuthenticationInsecure = false;
+	private $twoFactorAuthenticationLabel = null;
+	private $twoFactorAuthenticationOptional = false;
+	private $twoFactorAuthenticationCaption = '';
+
 	/** List of all settings in config file */
 	private $settings = array("ServerURL", "useTLS", "followReferrals", 'pagedResults', "Passwd", "Admins", "treesuffix",
 		"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", 'serverDisplayName',
@@ -576,7 +586,9 @@ class LAMConfig {
 		'loginSearchPassword', 'timeZone', 'jobsBindUser', 'jobsBindPassword', 'jobsDatabase', 'jobToken', 'jobs',
 		'jobsDBHost', 'jobsDBPort', 'jobsDBUser', 'jobsDBPassword', 'jobsDBName', 'pwdResetAllowSpecificPassword',
 		'pwdResetAllowScreenPassword', 'pwdResetForcePasswordChange', 'pwdResetDefaultPasswordOutput',
-		'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword'
+		'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword', 'twoFactorAuthentication', 'twoFactorAuthenticationURL',
+		'twoFactorAuthenticationInsecure', 'twoFactorAuthenticationLabel', 'twoFactorAuthenticationOptional',
+		'twoFactorAuthenticationCaption'
 	);
 
 
@@ -816,6 +828,12 @@ class LAMConfig {
 			if (!in_array("pwdResetAllowScreenPassword", $saved)) array_push($file_array, "\n" . "pwdResetAllowScreenPassword: " . $this->pwdResetAllowScreenPassword . "\n");
 			if (!in_array("pwdResetForcePasswordChange", $saved)) array_push($file_array, "\n" . "pwdResetForcePasswordChange: " . $this->pwdResetForcePasswordChange . "\n");
 			if (!in_array("pwdResetDefaultPasswordOutput", $saved)) array_push($file_array, "\n" . "pwdResetDefaultPasswordOutput: " . $this->pwdResetDefaultPasswordOutput . "\n");
+			if (!in_array("twoFactorAuthentication", $saved)) array_push($file_array, "\n" . "twoFactorAuthentication: " . $this->twoFactorAuthentication . "\n");
+			if (!in_array("twoFactorAuthenticationURL", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationURL: " . $this->twoFactorAuthenticationURL . "\n");
+			if (!in_array("twoFactorAuthenticationInsecure", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationInsecure: " . $this->twoFactorAuthenticationInsecure . "\n");
+			if (!in_array("twoFactorAuthenticationLabel", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationLabel: " . $this->twoFactorAuthenticationLabel . "\n");
+			if (!in_array("twoFactorAuthenticationOptional", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationOptional: " . $this->twoFactorAuthenticationOptional . "\n");
+			if (!in_array("twoFactorAuthenticationCaption", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationCaption: " . $this->twoFactorAuthenticationCaption . "\n");
 			// check if all module settings were added
 			$m_settings = array_keys($this->moduleSettings);
 			for ($i = 0; $i < sizeof($m_settings); $i++) {
@@ -2044,6 +2062,116 @@ class LAMConfig {
 	public function setPwdResetDefaultPasswordOutput($pwdResetDefaultPasswordOutput) {
 		$this->pwdResetDefaultPasswordOutput = $pwdResetDefaultPasswordOutput;
 	}
+	/**
+	 * Returns the authentication type.
+	 *
+	 * @return string $twoFactorAuthentication authentication type
+	 */
+	public function getTwoFactorAuthentication() {
+		if (empty($this->twoFactorAuthentication)) {
+			return TwoFactorProviderService::TWO_FACTOR_NONE;
+		}
+		return $this->twoFactorAuthentication;
+	}
+
+	/**
+	 * Sets the authentication type.
+	 *
+	 * @param string $twoFactorAuthentication authentication type
+	 */
+	public function setTwoFactorAuthentication($twoFactorAuthentication) {
+		$this->twoFactorAuthentication = $twoFactorAuthentication;
+	}
+
+	/**
+	 * Returns the authentication URL.
+	 *
+	 * @return string $twoFactorAuthenticationURL authentication URL
+	 */
+	public function getTwoFactorAuthenticationURL() {
+		return $this->twoFactorAuthenticationURL;
+	}
+
+	/**
+	 * Sets the authentication URL.
+	 *
+	 * @param string $twoFactorAuthenticationURL authentication URL
+	 */
+	public function setTwoFactorAuthenticationURL($twoFactorAuthenticationURL) {
+		$this->twoFactorAuthenticationURL = $twoFactorAuthenticationURL;
+	}
+
+	/**
+	 * Returns if SSL certificate verification is turned off.
+	 *
+	 * @return bool $twoFactorAuthenticationInsecure SSL certificate verification is turned off
+	 */
+	public function getTwoFactorAuthenticationInsecure() {
+		return $this->twoFactorAuthenticationInsecure;
+	}
+
+	/**
+	 * Sets if SSL certificate verification is turned off.
+	 *
+	 * @param boolean $twoFactorAuthenticationInsecure SSL certificate verification is turned off
+	 */
+	public function setTwoFactorAuthenticationInsecure($twoFactorAuthenticationInsecure) {
+		$this->twoFactorAuthenticationInsecure = $twoFactorAuthenticationInsecure;
+	}
+
+	/**
+	 * Returns the authentication label.
+	 *
+	 * @return string $twoFactorAuthenticationLabel authentication label
+	 */
+	public function getTwoFactorAuthenticationLabel() {
+		return $this->twoFactorAuthenticationLabel;
+	}
+
+	/**
+	 * Sets the authentication label.
+	 *
+	 * @param string $twoFactorAuthenticationLabel authentication label
+	 */
+	public function setTwoFactorAuthenticationLabel($twoFactorAuthenticationLabel) {
+		$this->twoFactorAuthenticationLabel = $twoFactorAuthenticationLabel;
+	}
+
+	/**
+	 * Returns if 2nd factor is optional.
+	 *
+	 * @return bool $twoFactorAuthenticationOptional 2nd factor is optional
+	 */
+	public function getTwoFactorAuthenticationOptional() {
+		return $this->twoFactorAuthenticationOptional;
+	}
+
+	/**
+	 * Sets if 2nd factor is optional.
+	 *
+	 * @param boolean $twoFactorAuthenticationOptional 2nd factor is optional
+	 */
+	public function setTwoFactorAuthenticationOptional($twoFactorAuthenticationOptional) {
+		$this->twoFactorAuthenticationOptional = $twoFactorAuthenticationOptional;
+	}
+
+	/**
+	 * Returns the caption HTML.
+	 *
+	 * @return string $twoFactorAuthenticationCaption caption HTML
+	 */
+	public function getTwoFactorAuthenticationCaption() {
+		return $this->twoFactorAuthenticationCaption;
+	}
+
+	/**
+	 * Sets the caption HTML.
+	 *
+	 * @param string $twoFactorAuthenticationCaption caption HTML
+	 */
+	public function setTwoFactorAuthenticationCaption($twoFactorAuthenticationCaption) {
+		$this->twoFactorAuthenticationCaption = $twoFactorAuthenticationCaption;
+	}
 
 }
 

lam/lib/selfService.inc

@@ -1,4 +1,5 @@
-<?PHP
+<?php
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 $Id$
 
@@ -31,9 +32,11 @@ $Id$
 */
 
 /** modules */
-include_once("modules.inc");
+include_once "modules.inc";
 /** account types */
-include_once("types.inc");
+include_once "types.inc";
+/** 2-factor */
+include_once '2factor.inc';
 
 /**
  * Returns if this is a LAM Pro installation.
@@ -302,11 +305,6 @@ function isSelfService() {
  */
 class selfServiceProfile {
 
-	/** 2factor authentication disabled */
-	const TWO_FACTOR_NONE = 'none';
-	/** 2factor authentication via privacyIDEA */
-	const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
-
 	/** server address */
 	public $serverURL;
 
@@ -381,7 +379,7 @@ class selfServiceProfile {
 
 	public $timeZone = 'Europe/London';
 
-	public $twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE;
+	public $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
 	public $twoFactorAuthenticationURL = 'https://localhost';
 	public $twoFactorAuthenticationInsecure = false;
 	public $twoFactorAuthenticationLabel = null;
@@ -425,7 +423,7 @@ class selfServiceProfile {
 		$this->enforceLanguage = true;
 		$this->followReferrals = 0;
 		$this->timeZone = 'Europe/London';
-		$this->twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE;
+		$this->twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
 		$this->twoFactorAuthenticationURL = 'https://localhost';
 		$this->twoFactorAuthenticationInsecure = false;
 		$this->twoFactorAuthenticationLabel = null;

lam/templates/3rdParty/pla/lib/session_functions.php

@@ -21,6 +21,7 @@ function app_session_start() {
 	include_once '../../../../lib/config.inc';
 	include_once '../../../../lib/ldap.inc';
 	startSecureSession();
+	enforceUserIsLoggedIn();
 	$config_file = CONFDIR.'config.php';
 	$config = check_config($config_file);
 	# If we came via index.php, then set our $config.

lam/templates/account/edit.php

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Tilo Lutz
-                2005 - 2016  Roland Gruber
+                2005 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -47,6 +47,7 @@ include_once('../../lib/modules.inc');
 
 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // Redirect to startpage if user is not loged in
 if (!isLoggedIn()) {

lam/templates/config/confmain.php

@@ -1,9 +1,10 @@
 <?php
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -37,6 +38,8 @@ include_once("../../lib/config.inc");
 include_once("../../lib/modules.inc");
 /** access to tools */
 include_once("../../lib/tools.inc");
+/** 2-factor */
+include_once '../../lib/2facto.inc';
 
 // start session
 if (strtolower(session_module_name()) == 'files') {
@@ -523,8 +526,40 @@ $searchPasswordInput->setIsPassword(true);
 $securitySettingsContent->addElement($searchPasswordInput, true);
 // HTTP authentication
 $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
-$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
+$securitySettingsContent->addElement(new htmlSpacer(null, '30px'), true);
+
+// 2factor authentication
+if (extension_loaded('curl')) {
+	$securitySettingsContent->addElement(new htmlSubTitle(_("2-factor authentication")), true);
+	$twoFactorOptions = array(
+			_('None') => TwoFactorProviderService::TWO_FACTOR_NONE,
+			_('privacyIDEA') => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA,
+	);
+	$twoFactorSelect = new htmlTableExtendedSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514');
+	$twoFactorSelect->setHasDescriptiveElements(true);
+	$twoFactorSelect->setTableRowsToHide(array(
+			TwoFactorProviderService::TWO_FACTOR_NONE => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
+	));
+	$twoFactorSelect->setTableRowsToShow(array(
+			TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
+	));
+	$securitySettingsContent->addElement($twoFactorSelect, true);
+	$twoFactorUrl = new htmlTableExtendedInputField(_("Base URL"), 'twoFactorURL', $conf->getTwoFactorAuthenticationURL(), '515');
+	$twoFactorUrl->setRequired(true);
+	$securitySettingsContent->addElement($twoFactorUrl, true);
+	$twoFactorLabel = new htmlTableExtendedInputField(_("Label"), 'twoFactorLabel', $conf->getTwoFactorAuthenticationLabel(), '517');
+	$securitySettingsContent->addElement($twoFactorLabel, true);
+	$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorOptional', $conf->getTwoFactorAuthenticationOptional(), _('Optional'), '519'), true);
+	$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorInsecure', $conf->getTwoFactorAuthenticationInsecure(), _('Disable certificate check'), '516'), true);
+	$securitySettingsContent->addElement(new htmlSpacer(null, '5px'), true);
+	$twoFactorCaption = new htmlTableExtendedInputTextarea('twoFactorCaption', $conf->getTwoFactorAuthenticationCaption(), '80', '4', _("Caption"), '518');
+	$twoFactorCaption->setIsRichEdit(true);
+	$twoFactorCaption->alignment = htmlElement::ALIGN_TOP;
+	$securitySettingsContent->addElement($twoFactorCaption, true);
+}
+
 // new password
+$securitySettingsContent->addElement(new htmlSubTitle(_("Profile password")), true);
 $password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
 $password1->setIsPassword(true);
 $password2 = new htmlTableExtendedInputField(_("Reenter password"), 'passwd2');
@@ -551,10 +586,12 @@ $buttonContainer->addElement($cancelButton, true);
 $buttonContainer->addElement(new htmlSpacer(null, '10px'), true);
 parseHtml(null, $buttonContainer, array(), false, $tabindex, 'user');
 
-echo "</form>\n";
-echo "</body>\n";
-echo "</html>\n";
-
+?>
+</form>
+<script type="text/javascript" src="../lib/extra/ckeditor/ckeditor.js"></script>
+</body>
+</html>
+<?php
 
 /**
  * Checks user input and saves the entered settings.
@@ -711,6 +748,15 @@ function checkInput() {
 		}
 	}
 	$conf->setToolSettings($toolSettings);
+	// 2-factor
+	if (extension_loaded('curl')) {
+		$conf->setTwoFactorAuthentication($_POST['twoFactor']);
+		$conf->setTwoFactorAuthenticationURL($_POST['twoFactorURL']);
+		$conf->setTwoFactorAuthenticationInsecure(isset($_POST['twoFactorInsecure']) && ($_POST['twoFactorInsecure'] == 'on'));
+		$conf->setTwoFactorAuthenticationLabel($_POST['twoFactorLabel']);
+		$conf->setTwoFactorAuthenticationOptional(isset($_POST['twoFactorOptional']) && ($_POST['twoFactorOptional'] == 'on'));
+		$conf->setTwoFactorAuthenticationCaption(str_replace(array("\r", "\n"), array('', ''), $_POST['twoFactorCaption']));
+	}
 	// check if password was changed
 	if (isset($_POST['passwd1']) && ($_POST['passwd1'] != '')) {
 		if ($_POST['passwd1'] != $_POST['passwd2']) {

lam/templates/delete.php

@@ -49,6 +49,7 @@ include_once('../lib/modules.inc');
 
 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 if (!checkIfWriteAccessIsAllowed()) {
 	die();

lam/templates/initsuff.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2015  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../lib/status.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 if (!checkIfWriteAccessIsAllowed()) {
 	die();
@@ -196,10 +197,10 @@ include 'main_header.php';
 	$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
 	$container->addElement($buttonContainer);
 	addSecurityTokenToMetaHTML($container);
-	
+
 	$tabindex = 1;
 	parseHtml(null, $container, array(), false, $tabindex, 'user');
-	
+
 	echo "</form><br>\n";
 	echo "</div>\n";
 include 'main_footer.php';

lam/templates/lists/deletelink.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2007 - 2013  Roland Gruber
+  Copyright (C) 2007 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../../lib/status.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 setlanguage();
 

lam/templates/lists/list.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -38,6 +38,7 @@ include_once("../../lib/config.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 setlanguage();
 

lam/templates/lists/userlink.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2010  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../../lib/status.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 setlanguage();
 

lam/templates/login.php

@@ -1,4 +1,6 @@
 <?php
+use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
+
 /*
 $Id$
 
@@ -324,6 +326,14 @@ function display_LoginPage($config_object, $cfgMain) {
 			StatusMessage("INFO", _("Your settings were successfully saved."), htmlspecialchars($_GET['selfserviceSaveOk']));
 			echo "<br>";
 		}
+		if (isset($_GET['2factor']) && ($_GET['2factor'] == 'error')) {
+			StatusMessage('ERROR', _("Unable to start 2-factor authentication."));
+			echo "<br>";
+		}
+		elseif (isset($_GET['2factor']) && ($_GET['2factor'] == 'noToken')) {
+			StatusMessage('ERROR', _("Unable to start 2-factor authentication because no tokens were found."));
+			echo "<br>";
+		}
 		if (!empty($config_object)) {
 		?>
 		<br><br>
@@ -636,8 +646,20 @@ if(!empty($_POST['checklogin'])) {
 		addSecurityTokenToSession();
 		// logging
 		logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
-		// Load main frame
-		metaRefresh("./main.php");
+		// Load main frame or 2 factor page
+		if ($_SESSION['config']->getTwoFactorAuthentication() == TwoFactorProviderService::TWO_FACTOR_NONE) {
+			metaRefresh("./main.php");
+		}
+		else {
+			$_SESSION['2factorRequired'] = true;
+			if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
+				$_SESSION['user2factor'] = $_SERVER['PHP_AUTH_USER'];
+			}
+			else {
+				$_SESSION['user2factor'] = $_POST['username'];
+			}
+			metaRefresh("./login2Factor.php");
+		}
 		die();
 	}
 	else {

lam/templates/login2Factor.php

@@ -0,0 +1,241 @@
+<?php
+namespace LAM\LOGIN;
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
+use \htmlResponsiveRow;
+use \htmlGroup;
+use \htmlOutputText;
+use \htmlSpacer;
+use \htmlSelect;
+use \htmlInputField;
+use \htmlButton;
+/*
+$Id$
+
+  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
+  Copyright (C) 2017  Roland Gruber
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+*/
+
+/**
+* This page redirects to the correct start page after checking 2nd factor.
+*
+* @package main
+* @author Roland Gruber
+*/
+
+/** config object */
+include_once '../lib/config.inc';
+
+// start session
+startSecureSession();
+
+setlanguage();
+
+$config = $_SESSION['config'];
+$ldap = $_SESSION['ldap'];
+$credentials = $ldap->decrypt_login();
+$password = $credentials[1];
+$user = $_SESSION['user2factor'];
+if (get_preg($user, 'dn')) {
+	$user = extractRDNValue($user);
+}
+
+// get serials
+try {
+	$service = new TwoFactorProviderService($config);
+	$provider = $service->getProvider();
+	$serials = $provider->getSerials($user, $password);
+}
+catch (\Exception $e) {
+	logNewMessage(LOG_ERR, 'Unable to get 2-factor serials for ' . $user . ' ' . $e->getMessage());
+	metaRefresh("login.php?2factor=error");
+	die();
+}
+
+$twoFactorLabel = empty($config->getTwoFactorAuthenticationLabel()) ? _('PIN+Token') : $config->getTwoFactorAuthenticationLabel();
+
+if (sizeof($serials) == 0) {
+	if ($config->getTwoFactorAuthenticationOptional()) {
+		unset($_SESSION['2factorRequired']);
+		unset($_SESSION['user2factor']);
+		metaRefresh("main.php");
+		die();
+	}
+	else {
+		metaRefresh("login.php?2factor=noToken");
+		die();
+	}
+}
+
+if (isset($_POST['logout'])) {
+	// destroy session
+	session_destroy();
+	unset($_SESSION);
+	// redirect to login page
+	metaRefresh("login.php");
+	exit();
+}
+
+if (isset($_POST['submit'])) {
+	$twoFactorInput = $_POST['2factor'];
+	$serial = $_POST['serial'];
+	if (empty($twoFactorInput) || !in_array($serial, $serials)) {
+		$errorMessage = _(sprintf('Please enter "%s".', $twoFactorLabel));
+	}
+	else {
+		$twoFactorValid = false;
+		try {
+			$twoFactorValid = $provider->verify2ndFactor($user, $password, $serial, $twoFactorInput);
+		}
+		catch (\Exception $e) {
+			logNewMessage(LOG_WARNING, '2-factor verification failed: ' . $e->getMessage());
+		}
+		if ($twoFactorValid) {
+			unset($_SESSION['2factorRequired']);
+			unset($_SESSION['user2factor']);
+			metaRefresh("main.php");
+			die();
+		}
+		else {
+			$errorMessage = _(sprintf('Verification failed.', $twoFactorLabel));
+		}
+	}
+}
+
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html class="no-js">
+<head>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="pragma" content="no-cache">
+		<meta http-equiv="cache-control" content="no-cache">
+	<title><?php echo _("Login"); ?></title>
+	<link rel="stylesheet" type="text/css" href="../style/responsive/105_normalize.css">
+	<link rel="stylesheet" type="text/css" href="../style/responsive/110_foundation.css">
+	<?php
+		// include all CSS files
+		$cssDirName = dirname(__FILE__) . '/../style';
+		$cssDir = dir($cssDirName);
+		$cssFiles = array();
+		$cssEntry = $cssDir->read();
+		while ($cssEntry !== false) {
+			if (substr($cssEntry, strlen($cssEntry) - 4, 4) == '.css') {
+				$cssFiles[] = $cssEntry;
+			}
+			$cssEntry = $cssDir->read();
+		}
+		sort($cssFiles);
+		foreach ($cssFiles as $cssEntry) {
+			echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../style/" . $cssEntry . "\">\n";
+		}
+		if (isset($profile->additionalCSS) && ($profile->additionalCSS != '')) {
+			$CSSlinks = explode("\n", $profile->additionalCSS);
+			for ($i = 0; $i < sizeof($CSSlinks); $i++) {
+				$CSSlinks[$i] = trim($CSSlinks[$i]);
+				if ($CSSlinks[$i] == '') {
+					continue;
+				}
+				echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"" . $CSSlinks[$i] . "\">\n";
+			}
+		}
+	?>
+</head>
+<body class="admin">
+<?php
+
+// include all JavaScript files
+$jsDirName = dirname(__FILE__) . '/lib';
+$jsDir = dir($jsDirName);
+$jsFiles = array();
+while ($jsEntry = $jsDir->read()) {
+	if (substr($jsEntry, strlen($jsEntry) - 3, 3) != '.js') continue;
+	$jsFiles[] = $jsEntry;
+}
+sort($jsFiles);
+foreach ($jsFiles as $jsEntry) {
+	echo "<script type=\"text/javascript\" src=\"lib/" . $jsEntry . "\"></script>\n";
+}
+?>
+
+	<script type="text/javascript" src="lib/extra/responsive/200_modernizr.js"></script>
+	<script type="text/javascript" src="lib/extra/responsive/250_foundation.js"></script>
+	<table border=0 width="100%" class="lamHeader ui-corner-all">
+		<tr>
+			<td align="left" height="30">
+				<a class="lamLogo" href="http://www.ldap-account-manager.org/" target="new_window">LDAP Account Manager</a>
+			</td>
+		<td align="right" height=20>
+		</td>
+		</tr>
+	</table>
+
+	<br><br>
+
+	<form enctype="multipart/form-data" action="login2Factor.php" method="post" autocomplete="off">
+<?php
+echo $config->getTwoFactorAuthenticationCaption();
+
+?>
+	<div class="centeredTable">
+	<div class="roundedShadowBox limitWidth">
+<?php
+
+	$group = new htmlGroup();
+	$row = new htmlResponsiveRow();
+	// error
+	if (!empty($errorMessage)) {
+		$row->add(new \htmlStatusMessage('ERROR', $errorMessage), 12);
+		$row->add(new htmlSpacer('1em', '1em'), 12);
+	}
+	// serial
+	$row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
+	$serialSelect = new htmlSelect('serial', $serials);
+	$row->add($serialSelect, 12);
+	// token
+	$row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
+	$twoFactorInput = new htmlInputField('2factor', '');
+	$twoFactorInput->setFieldSize(null);
+	$twoFactorInput->setIsPassword(true);
+	$row->add($twoFactorInput, 12);
+	$row->add(new htmlSpacer('1em', '1em'), 12);
+	$submit = new htmlButton('submit', _("Submit"));
+	$submit->setCSSClasses(array('fullwidth'));
+	$row->add($submit, 12, 12, 12, 'fullwidth');
+	$row->add(new htmlSpacer('0.5em', '0.5em'), 12);
+	$logout = new htmlButton('logout', _("Cancel"));
+	$logout->setCSSClasses(array('fullwidth'));
+	$row->add($logout, 12);
+	$group->addElement($row);
+
+	$tabindex = 1;
+	addSecurityTokenToMetaHTML($group);
+	parseHtml(null, $group, array(), false, $tabindex, 'user');
+
+?>
+	</div>
+	</div>
+	</form>
+	<br><br>
+
+	<script type="text/javascript">
+		$(document).foundation();
+		myElement = document.getElementsByName('2factor')[0];
+		myElement.focus();
+	</script>
+</body>
+</html>

lam/templates/logout.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2006  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -44,6 +44,7 @@ include_once("../lib/ldap.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // log message
 $ldapUser = $_SESSION['ldap']->decrypt_login();

lam/templates/main.php

@@ -4,7 +4,7 @@ namespace LAM\INIT;
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -36,6 +36,7 @@ include_once '../lib/profiles.inc';
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 setlanguage();
 

lam/templates/misc/ajax.php

@@ -63,6 +63,7 @@ class lamAjax {
 		validateSecurityToken(false);
 
 		if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
+			enforceUserIsLoggedIn();
 			if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
 				if (!isset($_SESSION['account'])) die();
 				$module = $_SESSION['account']->getAccountModule($_GET['module']);
@@ -82,12 +83,13 @@ class lamAjax {
 		}
 
 		$jsonInput = $_POST['jsonInput'];
+		if ($function == 'passwordStrengthCheck') {
+			lamAjax::checkPasswordStrength($jsonInput);
+		}
+		enforceUserIsLoggedIn();
 		if ($function == 'passwordChange') {
 			lamAjax::managePasswordChange($jsonInput);
 		}
-		elseif ($function == 'passwordStrengthCheck') {
-			lamAjax::checkPasswordStrength($jsonInput);
-		}
 		elseif ($function == 'upload') {
 			include_once('../../lib/upload.inc');
 			$typeManager = new \LAM\TYPES\TypeManager();

lam/templates/multiEdit.php

@@ -21,7 +21,7 @@ use \htmlInputTextarea;
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2013 - 2016  Roland Gruber
+  Copyright (C) 2013 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -57,6 +57,7 @@ include_once("../lib/status.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/ou_edit.php

@@ -50,6 +50,7 @@ include_once("../lib/status.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/pdfedit/pdfmain.php

@@ -15,13 +15,12 @@ use \htmlInputFileUpload;
 use \htmlHelpLink;
 use \htmlInputField;
 use \htmlHiddenInput;
-use \htmlDiv;
 /*
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2005 - 2016  Roland Gruber
+                2005 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -60,6 +59,7 @@ include_once("../../lib/modules.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/pdfedit/pdfpage.php

@@ -19,7 +19,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2007 - 2016  Roland Gruber
+                2007 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -62,6 +62,7 @@ include_once('../../lib/xml_parser.inc');
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/profedit/profilemain.php

@@ -18,7 +18,7 @@ use \htmlInputField;
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -54,6 +54,7 @@ include_once("../../lib/config.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/profedit/profilepage.php

@@ -12,7 +12,7 @@ use \htmlHiddenInput;
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -52,6 +52,7 @@ include_once("../../lib/status.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/schema/schema.php

@@ -3,7 +3,7 @@
 $Id$
 
   Copyright (C) 2004 David Smith
-  modified to fit for LDAP Account Manager 2005 - 2012 Roland Gruber
+  modified to fit for LDAP Account Manager 2005 - 2017 Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -29,8 +29,8 @@ $Id$
  * @author David Smith
  * @author Roland Gruber
  */
- 
- 
+
+
 /** security functions */
 include_once("../../lib/security.inc");
 /** access to LDAP server */
@@ -42,6 +42,7 @@ require_once("../../lib/schema.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 checkIfToolIsActive('toolSchemaBrowser');
 
@@ -51,7 +52,7 @@ include '../main_header.php';
 
 
 $view = isset( $_GET['view'] ) ? $_GET['view'] : 'objectClasses';
-$viewvalue = isset( $_GET['viewvalue'] ) ? $_GET['viewvalue'] : null; 
+$viewvalue = isset( $_GET['viewvalue'] ) ? $_GET['viewvalue'] : null;
 if( trim( $viewvalue ) == "" )
     $viewvalue = null;
 if( ! is_null( $viewvalue ) )
@@ -89,7 +90,7 @@ if( $view == 'syntaxes' ) {
 	echo "<tr><th>" . _('Syntax OID') . "</th><th>" . _('Description') . "</th></tr>\n";
 	flush();
 	$counter=1;
-	$schema_syntaxes = get_schema_syntaxes(null); 
+	$schema_syntaxes = get_schema_syntaxes(null);
 	if( ! $schema_syntaxes ) StatusMessage("ERROR", _("Unable to retrieve schema!"), "");
 	foreach( $schema_syntaxes as $syntax ) {
 		$counter++;
@@ -107,7 +108,7 @@ if( $view == 'syntaxes' ) {
 	flush();
 	$schema_attrs = get_schema_attributes(null);
 	$schema_object_classes = get_schema_objectclasses(null);
-	if( ! $schema_attrs || ! $schema_object_classes ) 
+	if( ! $schema_attrs || ! $schema_object_classes )
 		StatusMessage("ERROR", _("Unable to retrieve schema!"), "");
 
 	?>
@@ -116,7 +117,7 @@ if( $view == 'syntaxes' ) {
         <select name="viewvalue" onChange="submit()">
 	<option value=""> - all -</option>
 
-	<?php foreach( $schema_attrs as $attr ) { 		
+	<?php foreach( $schema_attrs as $attr ) {
                     echo( '<option value="'
                          .$attr->getName()
                          .'" '
@@ -130,7 +131,7 @@ if( $view == 'syntaxes' ) {
 	<br />
 	<table class="schema_attr" width="100%">
 
-	<?php 
+	<?php
     foreach( $schema_attrs  as $attr ) {
 	  if ( is_null( $viewvalue ) || 0 == strcasecmp( $viewvalue, $attr->getName() ) ) {
         if( ! is_null( $viewvalue ) )
@@ -218,13 +219,13 @@ if( $view == 'syntaxes' ) {
 		  echo number_format( $attr->getMaxLength() ) ." ";
 		  if (  $attr->getMaxLength()>1) {echo _('characters');}
 		  else { echo _('character')  ;}
-	                        } 
+	                        }
 		echo "</td>\n";
 		echo "</tr>\n\n";
 
 		echo "<tr class=\"" . (++$counter%2==0?'even':'odd') . "\">\n";
 		echo "<td>"._('Aliases')."</td>\n";
-		echo "<td>"; 
+		echo "<td>";
 		if( count( $attr->getAliases() ) == 0 )
 			echo '('._('none').')';
 		else
@@ -251,7 +252,7 @@ if( $view == 'syntaxes' ) {
 	echo "</table>\n";
 
 } elseif( $view == 'matching_rules' ) {
-        $schema_matching_rules = get_schema_matching_rules(null); 
+        $schema_matching_rules = get_schema_matching_rules(null);
 	echo '<small>' . _('Jump to a matching rule').'</small><br />';
 	echo '<form  action="schema.php" method="get">';
         echo '<input type="hidden" name="view" value="matching_rules" />';
@@ -260,7 +261,7 @@ if( $view == 'syntaxes' ) {
 		foreach( $schema_matching_rules as $rule ) {
 		  echo '<option value="'.$rule->getName().'"'.($rule->getName()==$viewvalue? ' selected ': '').'>'.$rule->getName().'</option>';
 		}
-        
+
         echo '</select>';
        	echo '<input type="submit" value="'._('Go').'" />';
 	echo '</form>';
@@ -268,7 +269,7 @@ if( $view == 'syntaxes' ) {
 	echo "<tr><th>" . _('Matching rule OID') . "</th><th>" . _('Name') . "</th><th>"._('Used by attributes')."</th></tr>\n";
 	flush();
 	$counter=1;
-	$schema_matching_rules = get_schema_matching_rules(null); 
+	$schema_matching_rules = get_schema_matching_rules(null);
 	if( ! $schema_matching_rules ) StatusMessage("ERROR", _("Unable to retrieve schema!"), "");
 	foreach( $schema_matching_rules as $rule ) {
 		$counter++;
@@ -300,7 +301,7 @@ if( $view == 'syntaxes' ) {
 	}
 	echo "</table>\n";
 
-} elseif( $view == 'objectClasses' ) { 
+} elseif( $view == 'objectClasses' ) {
 	flush();
 	$schema_oclasses = get_schema_objectclasses(null);
 	if( ! $schema_oclasses ) StatusMessage("ERROR", _("Unable to retrieve schema!"), "");
@@ -310,7 +311,7 @@ if( $view == 'syntaxes' ) {
 	<select name="viewvalue"
 	onChange="submit()">
         <option value=""> - all - </option>
-	<?php foreach( $schema_oclasses as $name => $oclass ) { 
+	<?php foreach( $schema_oclasses as $name => $oclass ) {
 		echo '<option value="'
 		     .$oclass->getName()
                      .'"'
@@ -323,8 +324,8 @@ if( $view == 'syntaxes' ) {
 
         <?php flush(); ?>
 
-    <?php foreach( $schema_oclasses as $name => $oclass ) { 
-        foreach( $oclass->getSupClasses() as $parent_name ) { 
+    <?php foreach( $schema_oclasses as $name => $oclass ) {
+        foreach( $oclass->getSupClasses() as $parent_name ) {
             $parent_name = $parent_name;
             if( isset( $schema_oclasses[ $parent_name ] ) ) {
                 $schema_oclasses[ $parent_name ]->addChildObjectClass( $oclass->getName() );
@@ -337,9 +338,9 @@ if( $view == 'syntaxes' ) {
 	<?php foreach( $schema_oclasses as $name => $oclass ) {
 	  if ( $viewvalue==null || 0 == strcasecmp( $viewvalue, $oclass->getName() ) ){
         if( ! is_null( $viewvalue ) )
-            $viewed = true; 
+            $viewed = true;
         ?>
-        
+
 		<h4 class="schema_oclass"><?php echo $oclass->getName(); ?></h4>
 		<h4 class="schema_oclass_sub"><?php echo _('OID'); ?>: <b><?php echo $oclass->getOID(); ?></b></h4>
 		<?php if( $oclass->getDescription() ) { ?>
@@ -350,12 +351,12 @@ if( $view == 'syntaxes' ) {
 			<h4 class="schema_oclass_sub"><?php echo _('This object class is obsolete.'); ?></h4>
 		<?php } ?>
 
-		<h4 class="schema_oclass_sub"><?php echo _('Inherits from'); ?>: <b><?php 
+		<h4 class="schema_oclass_sub"><?php echo _('Inherits from'); ?>: <b><?php
 		if( count( $oclass->getSupClasses() ) == 0 )
 			echo "(" . _('none') . ")";
 		else
 			foreach( $oclass->getSupClasses() as $i => $object_class ) {
-				echo '<a title="' . _('Jump to an object class') . ' " 
+				echo '<a title="' . _('Jump to an object class') . ' "
 					href="?view='.$view.'&amp;viewvalue='.htmlspecialchars( $object_class ) ;
 				echo '">' . htmlspecialchars( $object_class ) . '</a>';
 				if( $i < count( $oclass->getSupClasses() ) - 1 )
@@ -363,14 +364,14 @@ if( $view == 'syntaxes' ) {
 		}
 		?></b></h4>
 
-		<h4 class="schema_oclass_sub"><?php echo _('Parent to'); ?>: <b><?php 
+		<h4 class="schema_oclass_sub"><?php echo _('Parent to'); ?>: <b><?php
         if( 0 == strcasecmp( $oclass->getName(), 'top' ) )
             echo "(<a href=\"schema.php?view=objectClasses\">all</a>)";
 		elseif( count( $oclass->getChildObjectClasses() ) == 0 )
 			echo "(" . _('none') . ")";
 		else
 			foreach( $oclass->getChildObjectClasses() as $i => $object_class ) {
-				echo '<a title="' . _('Jump to an object class') . ' " 
+				echo '<a title="' . _('Jump to an object class') . ' "
 					href="?view='.$view.'&amp;viewvalue='.htmlspecialchars( $object_class ) ;
 				echo '">' . htmlspecialchars( $object_class ) . '</a>';
 				if( $i < count( $oclass->getChildObjectClasses() ) - 1 )
@@ -400,12 +401,12 @@ if( $view == 'syntaxes' ) {
 					echo "</li>\n";
 				}
 				echo "</ul>";
-			} else				
+			} else
 				echo "<center>(" . _('none') . ")</center>\n";
 			?>
 		</td>
 		<td width="50%">
-		<?php 
+		<?php
 		if( count( $oclass->getMayAttrs($schema_oclasses) ) > 0 ) {
 			echo '<ul class="schema">';
 			foreach( $oclass->getMayAttrs($schema_oclasses) as $attr ) {
@@ -422,7 +423,7 @@ if( $view == 'syntaxes' ) {
 			}
 			echo "</ul>";
 		}
-		else				
+		else
 			echo "<center>(" . _('none') . ")</center>\n";
 	?>
 

lam/templates/serverInfo.php

@@ -3,18 +3,18 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2009 - 2012  Roland Gruber
+  Copyright (C) 2009 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
-  
+
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
-  
+
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
@@ -35,6 +35,7 @@ include_once("../lib/config.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 checkIfToolIsActive('toolServerInformation');
 

lam/templates/tests/index.php

@@ -3,18 +3,18 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2012  Roland Gruber
+  Copyright (C) 2006 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
-  
+
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
-  
+
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
@@ -35,6 +35,7 @@ include_once("../../lib/config.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/tests/lamdaemonTest.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2016  Roland Gruber
+  Copyright (C) 2006 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -36,6 +36,7 @@ include_once("../../lib/config.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/tests/schemaTest.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2007 - 2016  Roland Gruber
+  Copyright (C) 2007 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../../lib/schema.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();

lam/templates/tools.php

@@ -3,18 +3,18 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2011  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
-  
+
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
-  
+
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
@@ -37,6 +37,7 @@ include_once("../lib/tools.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 setlanguage();
 

lam/templates/tree/treeViewContainer.php

@@ -3,18 +3,18 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2010 - 2011  Roland Gruber
+  Copyright (C) 2010 - 2017  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
-  
+
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
-  
+
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
@@ -36,6 +36,7 @@ include_once("../../lib/config.inc");
 
 // start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 setlanguage();
 

lam/templates/upload/massBuildAccounts.php

@@ -48,6 +48,7 @@ include_once('../../lib/modules.inc');
 
 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // check if this tool may be run
 checkIfToolIsActive('toolFileUpload');

lam/templates/upload/massDoUpload.php

@@ -45,6 +45,7 @@ include_once('../../lib/pdf.inc');
 
 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // check if this tool may be run
 checkIfToolIsActive('toolFileUpload');

lam/templates/upload/masscreate.php

@@ -62,6 +62,7 @@ include_once('../../lib/upload.inc');
 
 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();
 
 // check if this tool may be run
 checkIfToolIsActive('toolFileUpload');

lam/tmp/.gitignore

@@ -1 +0,0 @@
-/*.jpg