Merge pull request #24 from LDAPAccountManager/2factor_auth

2factor auth
2017-02-11 22:37:24 +01:00 · 2017-02-11 22:37:24 +01:00 · 968b6ebd22
parent 5274f7d048 c0ea7ecf34
commit 968b6ebd22
41 changed files with 2010 additions and 13580 deletions
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
--- a/lam/docs/manual-sources/images/configProfiles11.png
+++ b/lam/docs/manual-sources/images/configProfiles11.png
--- a/lam/docs/manual-sources/images/configProfiles12.png
+++ b/lam/docs/manual-sources/images/configProfiles12.png
--- a/lam/docs/manual-sources/images/configProfiles13.png
+++ b/lam/docs/manual-sources/images/configProfiles13.png
--- a/lam/docs/manual-sources/images/configProfiles7.png
+++ b/lam/docs/manual-sources/images/configProfiles7.png
--- a/lam/docs/manual-sources/images/configProfiles8.png
+++ b/lam/docs/manual-sources/images/configProfiles8.png
--- a/lam/lib/2factor.inc
+++ b/lam/lib/2factor.inc
@ -1,6 +1,7 @@
 <?php
 namespace LAM\LIB\TWO_FACTOR;
 use \selfServiceProfile;
+use \LAMConfig;

 /*
  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
@ -58,15 +59,15 @@ interface TwoFactorProvider {
 */
 class PrivacyIDEAProvider implements TwoFactorProvider {

-	private $profile;
+	private $config;

 	/**
 	 * Constructor.
 	 *
-	 * @param selfServiceProfile $profile profile
+	 * @param TwoFactorConfiguration $config configuration
 	 */
-	public function __construct(&$profile) {
-		$this->profile = $profile;
+	public function __construct(&$config) {
+		$this->config = $config;
 	}

 	/**
@ -99,7 +100,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function authenticate($user, $password) {
 		$curl = $this->getCurl();
-		$url = $this->profile->twoFactorAuthenticationURL . "/auth";
+		$url = $this->config->twoFactorAuthenticationURL . "/auth";
 		curl_setopt($curl, CURLOPT_URL, $url);
 		$header = array('Accept: application/json');
 		curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
@ -137,7 +138,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function getCurl() {
 		$curl = curl_init();
-		if ($this->profile->twoFactorAuthenticationInsecure) {
+		if ($this->config->twoFactorAuthenticationInsecure) {
 			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
 			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
 		}
@ -154,7 +155,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function getSerialsForUser($user, $token) {
 		$curl = $this->getCurl();
-		$url = $this->profile->twoFactorAuthenticationURL . "/token/?user=" . $user;
+		$url = $this->config->twoFactorAuthenticationURL . "/token/?user=" . $user;
 		curl_setopt($curl, CURLOPT_URL, $url);
 		$header = array('Authorization: ' . $token, 'Accept: application/json');
 		curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
@ -192,7 +193,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 	 */
 	private function verify($token, $serial, $twoFactorInput) {
 		$curl = $this->getCurl();
-		$url = $this->profile->twoFactorAuthenticationURL . "/validate/check";
+		$url = $this->config->twoFactorAuthenticationURL . "/validate/check";
 		curl_setopt($curl, CURLOPT_URL, $url);
 		$options = array(
 			'pass' => $twoFactorInput,
@ -225,15 +226,25 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
 */
 class TwoFactorProviderService {

-	private $profile;
+	/** 2factor authentication disabled */
+	const TWO_FACTOR_NONE = 'none';
+	/** 2factor authentication via privacyIDEA */
+	const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
+
+	private $config;

 	/**
 	 * Constructor.
 	 *
-	 * @param selfServiceProfile $profile profile
+	 * @param selfServiceProfile|LAMConfig $configObj profile
 	 */
-	public function __construct(&$profile) {
-		$this->profile = $profile;
+	public function __construct(&$configObj) {
+		if ($configObj instanceof selfServiceProfile) {
+			$this->config = $this->getConfigSelfService($configObj);
+		}
+		else {
+			$this->config = $this->getConfigAdmin($configObj);
+		}
 	}

 	/**
@ -244,10 +255,49 @@ class TwoFactorProviderService {
 	 * @throws \Exception unable to get provider
 	 */
 	public function getProvider() {
-		if ($this->profile->twoFactorAuthentication == selfServiceProfile::TWO_FACTOR_PRIVACYIDEA) {
-			return new PrivacyIDEAProvider($this->profile);
+		if ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) {
+			return new PrivacyIDEAProvider($this->config);
 		}
-		throw new \Exception('Invalid provider: ' . $this->profile->twoFactorAuthentication);
+		throw new \Exception('Invalid provider: ' . $this->config->twoFactorAuthentication);
+	}
+
+	/**
+	 * Returns the configuration from self service.
+	 *
+	 * @param selfServiceProfile $profile profile
+	 * @return TwoFactorConfiguration configuration
+	 */
+	private function getConfigSelfService(&$profile) {
+		$config = new TwoFactorConfiguration();
+		$config->twoFactorAuthentication = $profile->twoFactorAuthentication;
+		$config->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure;
+		$config->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL;
+		return $config;
+	}
+
+	/**
+	 * Returns the configuration for admin interface.
+	 *
+	 * @param LAMConfig $conf configuration
+	 * @return TwoFactorConfiguration configuration
+	 */
+	private function getConfigAdmin($conf) {
+		$config = new TwoFactorConfiguration();
+		$config->twoFactorAuthentication = $conf->getTwoFactorAuthentication();
+		$config->twoFactorAuthenticationInsecure = $conf->getTwoFactorAuthenticationInsecure();
+		$config->twoFactorAuthenticationURL = $conf->getTwoFactorAuthenticationURL();
+		return $config;
 	}

 }
+
+/**
+ * Configuration settings for 2-factor authentication.
+ *
+ * @author Roland Gruber
+ */
+class TwoFactorConfiguration {
+	public $twoFactorAuthentication = null;
+	public $twoFactorAuthenticationURL = null;
+	public $twoFactorAuthenticationInsecure = false;
+}
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@ -1467,6 +1467,22 @@ function validateReCAPTCHA($secretKey) {
 	return $responseJSON->{'success'} === true;
 }

+/**
+ * Checks if the user is logged in. Stops script execution if not.
+ *
+ * @param boolean $check2ndFactor check if the 2nd factor was provided if required
+ */
+function enforceUserIsLoggedIn($check2ndFactor = true) {
+	if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
+		logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login: ' . $_SERVER["SCRIPT_FILENAME"]);
+		die();
+	}
+	if ($check2ndFactor && isset($_SESSION['2factorRequired'])) {
+		die();
+		logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login (2nd factor not provided): ' . $_SERVER["SCRIPT_FILENAME"]);
+	}
+}
+
 class LAMException extends Exception {

 	private $title;
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@ -1,9 +1,10 @@
 <?php
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -31,11 +32,13 @@ $Id$
 */

 /** Used to print messages. */
-include_once("status.inc");
+include_once "status.inc";
 /** Used to get module information. */
-include_once("modules.inc");
+include_once "modules.inc";
 /** Used to get type information. */
-include_once("types.inc");
+include_once "types.inc";
+/** 2-factor */
+include_once '2factor.inc';

 /**
 * Sets the environment variables for custom SSL CA certificates.
@ -567,6 +570,13 @@ class LAMConfig {
 	/** job configuration */
 	private $jobSettings = array();

+	private $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
+	private $twoFactorAuthenticationURL = 'https://localhost';
+	private $twoFactorAuthenticationInsecure = false;
+	private $twoFactorAuthenticationLabel = null;
+	private $twoFactorAuthenticationOptional = false;
+	private $twoFactorAuthenticationCaption = '';
+
 	/** List of all settings in config file */
 	private $settings = array("ServerURL", "useTLS", "followReferrals", 'pagedResults', "Passwd", "Admins", "treesuffix",
 		"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", 'serverDisplayName',
@ -576,7 +586,9 @@ class LAMConfig {
 		'loginSearchPassword', 'timeZone', 'jobsBindUser', 'jobsBindPassword', 'jobsDatabase', 'jobToken', 'jobs',
 		'jobsDBHost', 'jobsDBPort', 'jobsDBUser', 'jobsDBPassword', 'jobsDBName', 'pwdResetAllowSpecificPassword',
 		'pwdResetAllowScreenPassword', 'pwdResetForcePasswordChange', 'pwdResetDefaultPasswordOutput',
-		'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword'
+		'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword', 'twoFactorAuthentication', 'twoFactorAuthenticationURL',
+		'twoFactorAuthenticationInsecure', 'twoFactorAuthenticationLabel', 'twoFactorAuthenticationOptional',
+		'twoFactorAuthenticationCaption'
 	);


@ -816,6 +828,12 @@ class LAMConfig {
 			if (!in_array("pwdResetAllowScreenPassword", $saved)) array_push($file_array, "\n" . "pwdResetAllowScreenPassword: " . $this->pwdResetAllowScreenPassword . "\n");
 			if (!in_array("pwdResetForcePasswordChange", $saved)) array_push($file_array, "\n" . "pwdResetForcePasswordChange: " . $this->pwdResetForcePasswordChange . "\n");
 			if (!in_array("pwdResetDefaultPasswordOutput", $saved)) array_push($file_array, "\n" . "pwdResetDefaultPasswordOutput: " . $this->pwdResetDefaultPasswordOutput . "\n");
+			if (!in_array("twoFactorAuthentication", $saved)) array_push($file_array, "\n" . "twoFactorAuthentication: " . $this->twoFactorAuthentication . "\n");
+			if (!in_array("twoFactorAuthenticationURL", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationURL: " . $this->twoFactorAuthenticationURL . "\n");
+			if (!in_array("twoFactorAuthenticationInsecure", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationInsecure: " . $this->twoFactorAuthenticationInsecure . "\n");
+			if (!in_array("twoFactorAuthenticationLabel", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationLabel: " . $this->twoFactorAuthenticationLabel . "\n");
+			if (!in_array("twoFactorAuthenticationOptional", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationOptional: " . $this->twoFactorAuthenticationOptional . "\n");
+			if (!in_array("twoFactorAuthenticationCaption", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationCaption: " . $this->twoFactorAuthenticationCaption . "\n");
 			// check if all module settings were added
 			$m_settings = array_keys($this->moduleSettings);
 			for ($i = 0; $i < sizeof($m_settings); $i++) {
@ -2044,6 +2062,116 @@ class LAMConfig {
 	public function setPwdResetDefaultPasswordOutput($pwdResetDefaultPasswordOutput) {
 		$this->pwdResetDefaultPasswordOutput = $pwdResetDefaultPasswordOutput;
 	}
+	/**
+	 * Returns the authentication type.
+	 *
+	 * @return string $twoFactorAuthentication authentication type
+	 */
+	public function getTwoFactorAuthentication() {
+		if (empty($this->twoFactorAuthentication)) {
+			return TwoFactorProviderService::TWO_FACTOR_NONE;
+		}
+		return $this->twoFactorAuthentication;
+	}
+
+	/**
+	 * Sets the authentication type.
+	 *
+	 * @param string $twoFactorAuthentication authentication type
+	 */
+	public function setTwoFactorAuthentication($twoFactorAuthentication) {
+		$this->twoFactorAuthentication = $twoFactorAuthentication;
+	}
+
+	/**
+	 * Returns the authentication URL.
+	 *
+	 * @return string $twoFactorAuthenticationURL authentication URL
+	 */
+	public function getTwoFactorAuthenticationURL() {
+		return $this->twoFactorAuthenticationURL;
+	}
+
+	/**
+	 * Sets the authentication URL.
+	 *
+	 * @param string $twoFactorAuthenticationURL authentication URL
+	 */
+	public function setTwoFactorAuthenticationURL($twoFactorAuthenticationURL) {
+		$this->twoFactorAuthenticationURL = $twoFactorAuthenticationURL;
+	}
+
+	/**
+	 * Returns if SSL certificate verification is turned off.
+	 *
+	 * @return bool $twoFactorAuthenticationInsecure SSL certificate verification is turned off
+	 */
+	public function getTwoFactorAuthenticationInsecure() {
+		return $this->twoFactorAuthenticationInsecure;
+	}
+
+	/**
+	 * Sets if SSL certificate verification is turned off.
+	 *
+	 * @param boolean $twoFactorAuthenticationInsecure SSL certificate verification is turned off
+	 */
+	public function setTwoFactorAuthenticationInsecure($twoFactorAuthenticationInsecure) {
+		$this->twoFactorAuthenticationInsecure = $twoFactorAuthenticationInsecure;
+	}
+
+	/**
+	 * Returns the authentication label.
+	 *
+	 * @return string $twoFactorAuthenticationLabel authentication label
+	 */
+	public function getTwoFactorAuthenticationLabel() {
+		return $this->twoFactorAuthenticationLabel;
+	}
+
+	/**
+	 * Sets the authentication label.
+	 *
+	 * @param string $twoFactorAuthenticationLabel authentication label
+	 */
+	public function setTwoFactorAuthenticationLabel($twoFactorAuthenticationLabel) {
+		$this->twoFactorAuthenticationLabel = $twoFactorAuthenticationLabel;
+	}
+
+	/**
+	 * Returns if 2nd factor is optional.
+	 *
+	 * @return bool $twoFactorAuthenticationOptional 2nd factor is optional
+	 */
+	public function getTwoFactorAuthenticationOptional() {
+		return $this->twoFactorAuthenticationOptional;
+	}
+
+	/**
+	 * Sets if 2nd factor is optional.
+	 *
+	 * @param boolean $twoFactorAuthenticationOptional 2nd factor is optional
+	 */
+	public function setTwoFactorAuthenticationOptional($twoFactorAuthenticationOptional) {
+		$this->twoFactorAuthenticationOptional = $twoFactorAuthenticationOptional;
+	}
+
+	/**
+	 * Returns the caption HTML.
+	 *
+	 * @return string $twoFactorAuthenticationCaption caption HTML
+	 */
+	public function getTwoFactorAuthenticationCaption() {
+		return $this->twoFactorAuthenticationCaption;
+	}
+
+	/**
+	 * Sets the caption HTML.
+	 *
+	 * @param string $twoFactorAuthenticationCaption caption HTML
+	 */
+	public function setTwoFactorAuthenticationCaption($twoFactorAuthenticationCaption) {
+		$this->twoFactorAuthenticationCaption = $twoFactorAuthenticationCaption;
+	}

 }

--- a/lam/lib/selfService.inc
+++ b/lam/lib/selfService.inc
@ -1,4 +1,5 @@
-<?PHP
+<?php
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 $Id$

@ -31,9 +32,11 @@ $Id$
 */

 /** modules */
-include_once("modules.inc");
+include_once "modules.inc";
 /** account types */
-include_once("types.inc");
+include_once "types.inc";
+/** 2-factor */
+include_once '2factor.inc';

 /**
 * Returns if this is a LAM Pro installation.
@ -302,11 +305,6 @@ function isSelfService() {
 */
 class selfServiceProfile {

-	/** 2factor authentication disabled */
-	const TWO_FACTOR_NONE = 'none';
-	/** 2factor authentication via privacyIDEA */
-	const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
-
 	/** server address */
 	public $serverURL;

@ -381,7 +379,7 @@ class selfServiceProfile {

 	public $timeZone = 'Europe/London';

-	public $twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE;
+	public $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
 	public $twoFactorAuthenticationURL = 'https://localhost';
 	public $twoFactorAuthenticationInsecure = false;
 	public $twoFactorAuthenticationLabel = null;
@ -425,7 +423,7 @@ class selfServiceProfile {
 		$this->enforceLanguage = true;
 		$this->followReferrals = 0;
 		$this->timeZone = 'Europe/London';
-		$this->twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE;
+		$this->twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
 		$this->twoFactorAuthenticationURL = 'https://localhost';
 		$this->twoFactorAuthenticationInsecure = false;
 		$this->twoFactorAuthenticationLabel = null;
--- a/lam/templates/3rdParty/pla/lib/session_functions.php
+++ b/lam/templates/3rdParty/pla/lib/session_functions.php
@ -21,6 +21,7 @@ function app_session_start() {
 	include_once '../../../../lib/config.inc';
 	include_once '../../../../lib/ldap.inc';
 	startSecureSession();
+	enforceUserIsLoggedIn();
 	$config_file = CONFDIR.'config.php';
 	$config = check_config($config_file);
 	# If we came via index.php, then set our $config.
--- a/lam/templates/account/edit.php
+++ b/lam/templates/account/edit.php
@ -4,7 +4,7 @@ $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2003 - 2006  Tilo Lutz
-                2005 - 2016  Roland Gruber
+                2005 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -47,6 +47,7 @@ include_once('../../lib/modules.inc');

 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // Redirect to startpage if user is not loged in
 if (!isLoggedIn()) {
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@ -1,9 +1,10 @@
 <?php
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -37,6 +38,8 @@ include_once("../../lib/config.inc");
 include_once("../../lib/modules.inc");
 /** access to tools */
 include_once("../../lib/tools.inc");
+/** 2-factor */
+include_once '../../lib/2facto.inc';

 // start session
 if (strtolower(session_module_name()) == 'files') {
@ -523,8 +526,40 @@ $searchPasswordInput->setIsPassword(true);
 $securitySettingsContent->addElement($searchPasswordInput, true);
 // HTTP authentication
 $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
-$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
+$securitySettingsContent->addElement(new htmlSpacer(null, '30px'), true);
+
+// 2factor authentication
+if (extension_loaded('curl')) {
+	$securitySettingsContent->addElement(new htmlSubTitle(_("2-factor authentication")), true);
+	$twoFactorOptions = array(
+			_('None') => TwoFactorProviderService::TWO_FACTOR_NONE,
+			_('privacyIDEA') => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA,
+	);
+	$twoFactorSelect = new htmlTableExtendedSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514');
+	$twoFactorSelect->setHasDescriptiveElements(true);
+	$twoFactorSelect->setTableRowsToHide(array(
+			TwoFactorProviderService::TWO_FACTOR_NONE => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
+	));
+	$twoFactorSelect->setTableRowsToShow(array(
+			TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
+	));
+	$securitySettingsContent->addElement($twoFactorSelect, true);
+	$twoFactorUrl = new htmlTableExtendedInputField(_("Base URL"), 'twoFactorURL', $conf->getTwoFactorAuthenticationURL(), '515');
+	$twoFactorUrl->setRequired(true);
+	$securitySettingsContent->addElement($twoFactorUrl, true);
+	$twoFactorLabel = new htmlTableExtendedInputField(_("Label"), 'twoFactorLabel', $conf->getTwoFactorAuthenticationLabel(), '517');
+	$securitySettingsContent->addElement($twoFactorLabel, true);
+	$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorOptional', $conf->getTwoFactorAuthenticationOptional(), _('Optional'), '519'), true);
+	$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorInsecure', $conf->getTwoFactorAuthenticationInsecure(), _('Disable certificate check'), '516'), true);
+	$securitySettingsContent->addElement(new htmlSpacer(null, '5px'), true);
+	$twoFactorCaption = new htmlTableExtendedInputTextarea('twoFactorCaption', $conf->getTwoFactorAuthenticationCaption(), '80', '4', _("Caption"), '518');
+	$twoFactorCaption->setIsRichEdit(true);
+	$twoFactorCaption->alignment = htmlElement::ALIGN_TOP;
+	$securitySettingsContent->addElement($twoFactorCaption, true);
+}
+
 // new password
+$securitySettingsContent->addElement(new htmlSubTitle(_("Profile password")), true);
 $password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
 $password1->setIsPassword(true);
 $password2 = new htmlTableExtendedInputField(_("Reenter password"), 'passwd2');
@ -551,10 +586,12 @@ $buttonContainer->addElement($cancelButton, true);
 $buttonContainer->addElement(new htmlSpacer(null, '10px'), true);
 parseHtml(null, $buttonContainer, array(), false, $tabindex, 'user');

-echo "</form>\n";
-echo "</body>\n";
-echo "</html>\n";
-
+?>
+</form>
+<script type="text/javascript" src="../lib/extra/ckeditor/ckeditor.js"></script>
+</body>
+</html>
+<?php

 /**
 * Checks user input and saves the entered settings.
@ -711,6 +748,15 @@ function checkInput() {
 		}
 	}
 	$conf->setToolSettings($toolSettings);
+	// 2-factor
+	if (extension_loaded('curl')) {
+		$conf->setTwoFactorAuthentication($_POST['twoFactor']);
+		$conf->setTwoFactorAuthenticationURL($_POST['twoFactorURL']);
+		$conf->setTwoFactorAuthenticationInsecure(isset($_POST['twoFactorInsecure']) && ($_POST['twoFactorInsecure'] == 'on'));
+		$conf->setTwoFactorAuthenticationLabel($_POST['twoFactorLabel']);
+		$conf->setTwoFactorAuthenticationOptional(isset($_POST['twoFactorOptional']) && ($_POST['twoFactorOptional'] == 'on'));
+		$conf->setTwoFactorAuthenticationCaption(str_replace(array("\r", "\n"), array('', ''), $_POST['twoFactorCaption']));
+	}
 	// check if password was changed
 	if (isset($_POST['passwd1']) && ($_POST['passwd1'] != '')) {
 		if ($_POST['passwd1'] != $_POST['passwd2']) {
--- a/lam/templates/delete.php
+++ b/lam/templates/delete.php
@ -49,6 +49,7 @@ include_once('../lib/modules.inc');

 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();

 if (!checkIfWriteAccessIsAllowed()) {
 	die();
--- a/lam/templates/initsuff.php
+++ b/lam/templates/initsuff.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2015  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -39,6 +39,7 @@ include_once("../lib/status.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 if (!checkIfWriteAccessIsAllowed()) {
 	die();
--- a/lam/templates/lists/deletelink.php
+++ b/lam/templates/lists/deletelink.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2007 - 2013  Roland Gruber
+  Copyright (C) 2007 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -39,6 +39,7 @@ include_once("../../lib/status.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 setlanguage();

--- a/lam/templates/lists/list.php
+++ b/lam/templates/lists/list.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -38,6 +38,7 @@ include_once("../../lib/config.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 setlanguage();

--- a/lam/templates/lists/userlink.php
+++ b/lam/templates/lists/userlink.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2010  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -39,6 +39,7 @@ include_once("../../lib/status.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 setlanguage();

--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@ -1,4 +1,6 @@
 <?php
+use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
+
 /*
 $Id$

@ -324,6 +326,14 @@ function display_LoginPage($config_object, $cfgMain) {
 			StatusMessage("INFO", _("Your settings were successfully saved."), htmlspecialchars($_GET['selfserviceSaveOk']));
 			echo "<br>";
 		}
+		if (isset($_GET['2factor']) && ($_GET['2factor'] == 'error')) {
+			StatusMessage('ERROR', _("Unable to start 2-factor authentication."));
+			echo "<br>";
+		}
+		elseif (isset($_GET['2factor']) && ($_GET['2factor'] == 'noToken')) {
+			StatusMessage('ERROR', _("Unable to start 2-factor authentication because no tokens were found."));
+			echo "<br>";
+		}
 		if (!empty($config_object)) {
 		?>
 		<br><br>
@ -636,8 +646,20 @@ if(!empty($_POST['checklogin'])) {
 		addSecurityTokenToSession();
 		// logging
 		logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
-		// Load main frame
-		metaRefresh("./main.php");
+		// Load main frame or 2 factor page
+		if ($_SESSION['config']->getTwoFactorAuthentication() == TwoFactorProviderService::TWO_FACTOR_NONE) {
+			metaRefresh("./main.php");
+		}
+		else {
+			$_SESSION['2factorRequired'] = true;
+			if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
+				$_SESSION['user2factor'] = $_SERVER['PHP_AUTH_USER'];
+			}
+			else {
+				$_SESSION['user2factor'] = $_POST['username'];
+			}
+			metaRefresh("./login2Factor.php");
+		}
 		die();
 	}
 	else {
--- a/lam/templates/login2Factor.php
+++ b/lam/templates/login2Factor.php
@ -0,0 +1,241 @@
+<?php
+namespace LAM\LOGIN;
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
+use \htmlResponsiveRow;
+use \htmlGroup;
+use \htmlOutputText;
+use \htmlSpacer;
+use \htmlSelect;
+use \htmlInputField;
+use \htmlButton;
+/*
+$Id$
+
+  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
+  Copyright (C) 2017  Roland Gruber
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+*/
+
+/**
+* This page redirects to the correct start page after checking 2nd factor.
+*
+* @package main
+* @author Roland Gruber
+*/
+
+/** config object */
+include_once '../lib/config.inc';
+
+// start session
+startSecureSession();
+
+setlanguage();
+
+$config = $_SESSION['config'];
+$ldap = $_SESSION['ldap'];
+$credentials = $ldap->decrypt_login();
+$password = $credentials[1];
+$user = $_SESSION['user2factor'];
+if (get_preg($user, 'dn')) {
+	$user = extractRDNValue($user);
+}
+
+// get serials
+try {
+	$service = new TwoFactorProviderService($config);
+	$provider = $service->getProvider();
+	$serials = $provider->getSerials($user, $password);
+}
+catch (\Exception $e) {
+	logNewMessage(LOG_ERR, 'Unable to get 2-factor serials for ' . $user . ' ' . $e->getMessage());
+	metaRefresh("login.php?2factor=error");
+	die();
+}
+
+$twoFactorLabel = empty($config->getTwoFactorAuthenticationLabel()) ? _('PIN+Token') : $config->getTwoFactorAuthenticationLabel();
+
+if (sizeof($serials) == 0) {
+	if ($config->getTwoFactorAuthenticationOptional()) {
+		unset($_SESSION['2factorRequired']);
+		unset($_SESSION['user2factor']);
+		metaRefresh("main.php");
+		die();
+	}
+	else {
+		metaRefresh("login.php?2factor=noToken");
+		die();
+	}
+}
+
+if (isset($_POST['logout'])) {
+	// destroy session
+	session_destroy();
+	unset($_SESSION);
+	// redirect to login page
+	metaRefresh("login.php");
+	exit();
+}
+
+if (isset($_POST['submit'])) {
+	$twoFactorInput = $_POST['2factor'];
+	$serial = $_POST['serial'];
+	if (empty($twoFactorInput) || !in_array($serial, $serials)) {
+		$errorMessage = _(sprintf('Please enter "%s".', $twoFactorLabel));
+	}
+	else {
+		$twoFactorValid = false;
+		try {
+			$twoFactorValid = $provider->verify2ndFactor($user, $password, $serial, $twoFactorInput);
+		}
+		catch (\Exception $e) {
+			logNewMessage(LOG_WARNING, '2-factor verification failed: ' . $e->getMessage());
+		}
+		if ($twoFactorValid) {
+			unset($_SESSION['2factorRequired']);
+			unset($_SESSION['user2factor']);
+			metaRefresh("main.php");
+			die();
+		}
+		else {
+			$errorMessage = _(sprintf('Verification failed.', $twoFactorLabel));
+		}
+	}
+}
+
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html class="no-js">
+<head>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="pragma" content="no-cache">
+		<meta http-equiv="cache-control" content="no-cache">
+	<title><?php echo _("Login"); ?></title>
+	<link rel="stylesheet" type="text/css" href="../style/responsive/105_normalize.css">
+	<link rel="stylesheet" type="text/css" href="../style/responsive/110_foundation.css">
+	<?php
+		// include all CSS files
+		$cssDirName = dirname(__FILE__) . '/../style';
+		$cssDir = dir($cssDirName);
+		$cssFiles = array();
+		$cssEntry = $cssDir->read();
+		while ($cssEntry !== false) {
+			if (substr($cssEntry, strlen($cssEntry) - 4, 4) == '.css') {
+				$cssFiles[] = $cssEntry;
+			}
+			$cssEntry = $cssDir->read();
+		}
+		sort($cssFiles);
+		foreach ($cssFiles as $cssEntry) {
+			echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../style/" . $cssEntry . "\">\n";
+		}
+		if (isset($profile->additionalCSS) && ($profile->additionalCSS != '')) {
+			$CSSlinks = explode("\n", $profile->additionalCSS);
+			for ($i = 0; $i < sizeof($CSSlinks); $i++) {
+				$CSSlinks[$i] = trim($CSSlinks[$i]);
+				if ($CSSlinks[$i] == '') {
+					continue;
+				}
+				echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"" . $CSSlinks[$i] . "\">\n";
+			}
+		}
+	?>
+</head>
+<body class="admin">
+<?php
+
+// include all JavaScript files
+$jsDirName = dirname(__FILE__) . '/lib';
+$jsDir = dir($jsDirName);
+$jsFiles = array();
+while ($jsEntry = $jsDir->read()) {
+	if (substr($jsEntry, strlen($jsEntry) - 3, 3) != '.js') continue;
+	$jsFiles[] = $jsEntry;
+}
+sort($jsFiles);
+foreach ($jsFiles as $jsEntry) {
+	echo "<script type=\"text/javascript\" src=\"lib/" . $jsEntry . "\"></script>\n";
+}
+?>
+
+	<script type="text/javascript" src="lib/extra/responsive/200_modernizr.js"></script>
+	<script type="text/javascript" src="lib/extra/responsive/250_foundation.js"></script>
+	<table border=0 width="100%" class="lamHeader ui-corner-all">
+		<tr>
+			<td align="left" height="30">
+				<a class="lamLogo" href="http://www.ldap-account-manager.org/" target="new_window">LDAP Account Manager</a>
+			</td>
+		<td align="right" height=20>
+		</td>
+		</tr>
+	</table>
+
+	<br><br>
+
+	<form enctype="multipart/form-data" action="login2Factor.php" method="post" autocomplete="off">
+<?php
+echo $config->getTwoFactorAuthenticationCaption();
+
+?>
+	<div class="centeredTable">
+	<div class="roundedShadowBox limitWidth">
+<?php
+
+	$group = new htmlGroup();
+	$row = new htmlResponsiveRow();
+	// error
+	if (!empty($errorMessage)) {
+		$row->add(new \htmlStatusMessage('ERROR', $errorMessage), 12);
+		$row->add(new htmlSpacer('1em', '1em'), 12);
+	}
+	// serial
+	$row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
+	$serialSelect = new htmlSelect('serial', $serials);
+	$row->add($serialSelect, 12);
+	// token
+	$row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
+	$twoFactorInput = new htmlInputField('2factor', '');
+	$twoFactorInput->setFieldSize(null);
+	$twoFactorInput->setIsPassword(true);
+	$row->add($twoFactorInput, 12);
+	$row->add(new htmlSpacer('1em', '1em'), 12);
+	$submit = new htmlButton('submit', _("Submit"));
+	$submit->setCSSClasses(array('fullwidth'));
+	$row->add($submit, 12, 12, 12, 'fullwidth');
+	$row->add(new htmlSpacer('0.5em', '0.5em'), 12);
+	$logout = new htmlButton('logout', _("Cancel"));
+	$logout->setCSSClasses(array('fullwidth'));
+	$row->add($logout, 12);
+	$group->addElement($row);
+
+	$tabindex = 1;
+	addSecurityTokenToMetaHTML($group);
+	parseHtml(null, $group, array(), false, $tabindex, 'user');
+
+?>
+	</div>
+	</div>
+	</form>
+	<br><br>
+
+	<script type="text/javascript">
+		$(document).foundation();
+		myElement = document.getElementsByName('2factor')[0];
+		myElement.focus();
+	</script>
+</body>
+</html>
--- a/lam/templates/logout.php
+++ b/lam/templates/logout.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2006  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -44,6 +44,7 @@ include_once("../lib/ldap.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // log message
 $ldapUser = $_SESSION['ldap']->decrypt_login();
--- a/lam/templates/main.php
+++ b/lam/templates/main.php
@ -4,7 +4,7 @@ namespace LAM\INIT;
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -36,6 +36,7 @@ include_once '../lib/profiles.inc';

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 setlanguage();

--- a/lam/templates/misc/ajax.php
+++ b/lam/templates/misc/ajax.php
@ -63,6 +63,7 @@ class lamAjax {
 		validateSecurityToken(false);

 		if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
+			enforceUserIsLoggedIn();
 			if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
 				if (!isset($_SESSION['account'])) die();
 				$module = $_SESSION['account']->getAccountModule($_GET['module']);
@ -82,12 +83,13 @@ class lamAjax {
 		}

 		$jsonInput = $_POST['jsonInput'];
+		if ($function == 'passwordStrengthCheck') {
+			lamAjax::checkPasswordStrength($jsonInput);
+		}
+		enforceUserIsLoggedIn();
 		if ($function == 'passwordChange') {
 			lamAjax::managePasswordChange($jsonInput);
 		}
-		elseif ($function == 'passwordStrengthCheck') {
-			lamAjax::checkPasswordStrength($jsonInput);
-		}
 		elseif ($function == 'upload') {
 			include_once('../../lib/upload.inc');
 			$typeManager = new \LAM\TYPES\TypeManager();
--- a/lam/templates/multiEdit.php
+++ b/lam/templates/multiEdit.php
@ -21,7 +21,7 @@ use \htmlInputTextarea;
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2013 - 2016  Roland Gruber
+  Copyright (C) 2013 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -57,6 +57,7 @@ include_once("../lib/status.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/ou_edit.php
+++ b/lam/templates/ou_edit.php
@ -50,6 +50,7 @@ include_once("../lib/status.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/pdfedit/pdfmain.php
+++ b/lam/templates/pdfedit/pdfmain.php
@ -15,13 +15,12 @@ use \htmlInputFileUpload;
 use \htmlHelpLink;
 use \htmlInputField;
 use \htmlHiddenInput;
-use \htmlDiv;
 /*
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2003 - 2006  Michael Duergner
-                2005 - 2016  Roland Gruber
+                2005 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -60,6 +59,7 @@ include_once("../../lib/modules.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/pdfedit/pdfpage.php
+++ b/lam/templates/pdfedit/pdfpage.php
@ -19,7 +19,7 @@ $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2003 - 2006  Michael Duergner
-                2007 - 2016  Roland Gruber
+                2007 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -62,6 +62,7 @@ include_once('../../lib/xml_parser.inc');

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/profedit/profilemain.php
+++ b/lam/templates/profedit/profilemain.php
@ -18,7 +18,7 @@ use \htmlInputField;
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -54,6 +54,7 @@ include_once("../../lib/config.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/profedit/profilepage.php
+++ b/lam/templates/profedit/profilepage.php
@ -12,7 +12,7 @@ use \htmlHiddenInput;
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2016  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -52,6 +52,7 @@ include_once("../../lib/status.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/schema/schema.php
+++ b/lam/templates/schema/schema.php
@ -3,7 +3,7 @@
 $Id$

  Copyright (C) 2004 David Smith
-  modified to fit for LDAP Account Manager 2005 - 2012 Roland Gruber
+  modified to fit for LDAP Account Manager 2005 - 2017 Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -42,6 +42,7 @@ require_once("../../lib/schema.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 checkIfToolIsActive('toolSchemaBrowser');

--- a/lam/templates/serverInfo.php
+++ b/lam/templates/serverInfo.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2009 - 2012  Roland Gruber
+  Copyright (C) 2009 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -35,6 +35,7 @@ include_once("../lib/config.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 checkIfToolIsActive('toolServerInformation');

--- a/lam/templates/tests/index.php
+++ b/lam/templates/tests/index.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2012  Roland Gruber
+  Copyright (C) 2006 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -35,6 +35,7 @@ include_once("../../lib/config.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/tests/lamdaemonTest.php
+++ b/lam/templates/tests/lamdaemonTest.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2016  Roland Gruber
+  Copyright (C) 2006 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -36,6 +36,7 @@ include_once("../../lib/config.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/tests/schemaTest.php
+++ b/lam/templates/tests/schemaTest.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2007 - 2016  Roland Gruber
+  Copyright (C) 2007 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -39,6 +39,7 @@ include_once("../../lib/schema.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
--- a/lam/templates/tools.php
+++ b/lam/templates/tools.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2011  Roland Gruber
+  Copyright (C) 2003 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -37,6 +37,7 @@ include_once("../lib/tools.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 setlanguage();

--- a/lam/templates/tree/treeViewContainer.php
+++ b/lam/templates/tree/treeViewContainer.php
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2010 - 2011  Roland Gruber
+  Copyright (C) 2010 - 2017  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -36,6 +36,7 @@ include_once("../../lib/config.inc");

 // start session
 startSecureSession();
+enforceUserIsLoggedIn();

 setlanguage();

--- a/lam/templates/upload/massBuildAccounts.php
+++ b/lam/templates/upload/massBuildAccounts.php
@ -48,6 +48,7 @@ include_once('../../lib/modules.inc');

 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // check if this tool may be run
 checkIfToolIsActive('toolFileUpload');
--- a/lam/templates/upload/massDoUpload.php
+++ b/lam/templates/upload/massDoUpload.php
@ -45,6 +45,7 @@ include_once('../../lib/pdf.inc');

 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // check if this tool may be run
 checkIfToolIsActive('toolFileUpload');
--- a/lam/templates/upload/masscreate.php
+++ b/lam/templates/upload/masscreate.php
@ -62,6 +62,7 @@ include_once('../../lib/upload.inc');

 // Start session
 startSecureSession();
+enforceUserIsLoggedIn();

 // check if this tool may be run
 checkIfToolIsActive('toolFileUpload');
--- a/lam/tmp/.gitignore
+++ b/lam/tmp/.gitignore
@ -1 +0,0 @@
-/*.jpg