diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index e725e90f..0801a46b 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -1467,6 +1467,22 @@ function validateReCAPTCHA($secretKey) {
return $responseJSON->{'success'} === true;
}
+/**
+ * Checks if the user is logged in. Stops script execution if not.
+ *
+ * @param boolean $check2ndFactor check if the 2nd factor was provided if required
+ */
+function enforceUserIsLoggedIn($check2ndFactor = true) {
+ if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
+ logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login: ' . $_SERVER["SCRIPT_FILENAME"]);
+ die();
+ }
+ if ($check2ndFactor && isset($_SESSION['2factorRequired'])) {
+ die();
+ logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login (2nd factor not provided): ' . $_SERVER["SCRIPT_FILENAME"]);
+ }
+}
+
class LAMException extends Exception {
private $title;
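Review bot: In the second-factor branch of enforceUserIsLoggedIn() the `die();` comes before `logNewMessage(...)`, so the "2nd factor not provided" warning is never written and that audit trail is lost. Swap the two statements so the branch matches the first one: `logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login (2nd factor not provided): ' . $_SERVER["SCRIPT_FILENAME"]);` followed by `die();`. Both branches also terminate with an empty 200 response; setting `http_response_code(403);` before each `die()` would let clients and monitoring tell a denied request from a blank page, without changing what is disclosed. The docblock should state that the function stops with an empty body rather than redirecting, since several callers below previously redirected to the start page.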
diff --git a/lam/templates/3rdParty/pla/lib/session_functions.php b/lam/templates/3rdParty/pla/lib/session_functions.php
index 809d8893..ed35ce63 100644
--- a/lam/templates/3rdParty/pla/lib/session_functions.php
+++ b/lam/templates/3rdParty/pla/lib/session_functions.php
@@ -21,6 +21,7 @@ function app_session_start() {
include_once '../../../../lib/config.inc';
include_once '../../../../lib/ldap.inc';
startSecureSession();
+ enforceUserIsLoggedIn();
$config_file = CONFDIR.'config.php';
$config = check_config($config_file);
# If we came via index.php, then set our $config.
diff --git a/lam/templates/account/edit.php b/lam/templates/account/edit.php
index a01b3368..cc530a7e 100644
--- a/lam/templates/account/edit.php
+++ b/lam/templates/account/edit.php
@@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz
- 2005 - 2016 Roland Gruber
+ 2005 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -47,6 +47,7 @@ include_once('../../lib/modules.inc');
// Start session
startSecureSession();
+enforceUserIsLoggedIn();
// Redirect to startpage if user is not loged in
if (!isLoggedIn()) {
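Review bot: The `if (!isLoggedIn())` redirect on the line after the new call is probably unreachable now, because `enforceUserIsLoggedIn()` already terminates the script when the session lacks `loggedIn === true`; if `isLoggedIn()` reads the same flag (its definition is not visible here), unauthenticated users now get an empty response instead of being sent to the start page. Either keep the redirect and place it before the enforcing call, so the user-facing behaviour is preserved and the hard stop remains a backstop, or remove the redirect block and its comment so the code does not suggest a path that cannot run. The body of the `if` continues outside the hunk.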
diff --git a/lam/templates/delete.php b/lam/templates/delete.php
index 4b299ebd..437754ef 100644
--- a/lam/templates/delete.php
+++ b/lam/templates/delete.php
@@ -49,6 +49,7 @@ include_once('../lib/modules.inc');
// Start session
startSecureSession();
+enforceUserIsLoggedIn();
if (!checkIfWriteAccessIsAllowed()) {
die();
diff --git a/lam/templates/initsuff.php b/lam/templates/initsuff.php
index 6d3325cb..19603b1c 100644
--- a/lam/templates/initsuff.php
+++ b/lam/templates/initsuff.php
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2015 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../lib/status.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
if (!checkIfWriteAccessIsAllowed()) {
die();
@@ -196,10 +197,10 @@ include 'main_header.php';
$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
$container->addElement($buttonContainer);
addSecurityTokenToMetaHTML($container);
-
+
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, 'user');
-
+
echo "
\n";
echo "\n";
include 'main_footer.php';
diff --git a/lam/templates/lists/deletelink.php b/lam/templates/lists/deletelink.php
index 1d3974f7..547224d9 100644
--- a/lam/templates/lists/deletelink.php
+++ b/lam/templates/lists/deletelink.php
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2007 - 2013 Roland Gruber
+ Copyright (C) 2007 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../../lib/status.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
setlanguage();
diff --git a/lam/templates/lists/list.php b/lam/templates/lists/list.php
index 65e0fc0f..c9c7ab38 100644
--- a/lam/templates/lists/list.php
+++ b/lam/templates/lists/list.php
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2016 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -38,6 +38,7 @@ include_once("../../lib/config.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
setlanguage();
diff --git a/lam/templates/lists/userlink.php b/lam/templates/lists/userlink.php
index 043053fc..71a10657 100644
--- a/lam/templates/lists/userlink.php
+++ b/lam/templates/lists/userlink.php
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2010 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -39,6 +39,7 @@ include_once("../../lib/status.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
setlanguage();
diff --git a/lam/templates/logout.php b/lam/templates/logout.php
index a664f6f4..70d3a993 100644
--- a/lam/templates/logout.php
+++ b/lam/templates/logout.php
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2006 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -44,6 +44,7 @@ include_once("../lib/ldap.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// log message
$ldapUser = $_SESSION['ldap']->decrypt_login();
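Review bot: With the default argument, `enforceUserIsLoggedIn()` dies whenever `$_SESSION['2factorRequired']` is set, so a user who passed the password step but is stuck at the second factor can no longer reach this page to end the session and start over. Logout should be permitted as soon as the first factor succeeded; use `enforceUserIsLoggedIn(false);` here. The following line presumably only needs `$_SESSION['ldap']`, which would be available after the password step — worth confirming against startSecureSession().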
diff --git a/lam/templates/main.php b/lam/templates/main.php
index b6f49c1c..8fa2b4a8 100644
--- a/lam/templates/main.php
+++ b/lam/templates/main.php
@@ -4,7 +4,7 @@ namespace LAM\INIT;
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2016 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -36,6 +36,7 @@ include_once '../lib/profiles.inc';
// start session
startSecureSession();
+enforceUserIsLoggedIn();
setlanguage();
diff --git a/lam/templates/misc/ajax.php b/lam/templates/misc/ajax.php
index c8936e2d..dd4925f1 100644
--- a/lam/templates/misc/ajax.php
+++ b/lam/templates/misc/ajax.php
@@ -63,6 +63,7 @@ class lamAjax {
validateSecurityToken(false);
if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
+ enforceUserIsLoggedIn();
if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
if (!isset($_SESSION['account'])) die();
$module = $_SESSION['account']->getAccountModule($_GET['module']);
@@ -82,12 +83,13 @@ class lamAjax {
}
$jsonInput = $_POST['jsonInput'];
+ if ($function == 'passwordStrengthCheck') {
+ lamAjax::checkPasswordStrength($jsonInput);
+ }
+ enforceUserIsLoggedIn();
if ($function == 'passwordChange') {
lamAjax::managePasswordChange($jsonInput);
}
- elseif ($function == 'passwordStrengthCheck') {
- lamAjax::checkPasswordStrength($jsonInput);
- }
elseif ($function == 'upload') {
include_once('../../lib/upload.inc');
$typeManager = new \LAM\TYPES\TypeManager();
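Review bot: After `lamAjax::checkPasswordStrength($jsonInput);` returns, execution falls through to `enforceUserIsLoggedIn()`, so every unauthenticated strength check will additionally log a "Detected unauthorized access" warning and die, unless checkPasswordStrength() terminates the script itself (not visible here); the log noise would drown out real unauthorized-access events. Add an explicit `die();` after the call inside the new `if` block so the intent — only this function is reachable before login — is enforced in this code rather than relying on the callee. The enclosing method starts before this hunk, so whether `validateSecurityToken()` has run before `$_POST['jsonInput']` is read cannot be confirmed from the hunk.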
diff --git a/lam/templates/multiEdit.php b/lam/templates/multiEdit.php
index 274d0ce9..587f6bd5 100644
--- a/lam/templates/multiEdit.php
+++ b/lam/templates/multiEdit.php
@@ -21,7 +21,7 @@ use \htmlInputTextarea;
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2013 - 2016 Roland Gruber
+ Copyright (C) 2013 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -57,6 +57,7 @@ include_once("../lib/status.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// die if no write access
if (!checkIfWriteAccessIsAllowed()) die();
diff --git a/lam/templates/ou_edit.php b/lam/templates/ou_edit.php
index e5156c50..03fa0b93 100644
--- a/lam/templates/ou_edit.php
+++ b/lam/templates/ou_edit.php
@@ -50,6 +50,7 @@ include_once("../lib/status.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// die if no write access
if (!checkIfWriteAccessIsAllowed()) die();
diff --git a/lam/templates/pdfedit/pdfmain.php b/lam/templates/pdfedit/pdfmain.php
index acec5114..711d12fa 100644
--- a/lam/templates/pdfedit/pdfmain.php
+++ b/lam/templates/pdfedit/pdfmain.php
@@ -15,13 +15,12 @@ use \htmlInputFileUpload;
use \htmlHelpLink;
use \htmlInputField;
use \htmlHiddenInput;
-use \htmlDiv;
/*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner
- 2005 - 2016 Roland Gruber
+ 2005 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -60,6 +59,7 @@ include_once("../../lib/modules.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// die if no write access
if (!checkIfWriteAccessIsAllowed()) die();
diff --git a/lam/templates/pdfedit/pdfpage.php b/lam/templates/pdfedit/pdfpage.php
index e1c0f225..aa295ac2 100644
--- a/lam/templates/pdfedit/pdfpage.php
+++ b/lam/templates/pdfedit/pdfpage.php
@@ -19,7 +19,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner
- 2007 - 2016 Roland Gruber
+ 2007 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -62,6 +62,7 @@ include_once('../../lib/xml_parser.inc');
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// die if no write access
if (!checkIfWriteAccessIsAllowed()) die();
diff --git a/lam/templates/profedit/profilemain.php b/lam/templates/profedit/profilemain.php
index 74b434c7..c425e5a4 100644
--- a/lam/templates/profedit/profilemain.php
+++ b/lam/templates/profedit/profilemain.php
@@ -18,7 +18,7 @@ use \htmlInputField;
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2016 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -54,6 +54,7 @@ include_once("../../lib/config.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// die if no write access
if (!checkIfWriteAccessIsAllowed()) die();
diff --git a/lam/templates/profedit/profilepage.php b/lam/templates/profedit/profilepage.php
index 690083a9..57757a22 100644
--- a/lam/templates/profedit/profilepage.php
+++ b/lam/templates/profedit/profilepage.php
@@ -12,7 +12,7 @@ use \htmlHiddenInput;
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2016 Roland Gruber
+ Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -52,6 +52,7 @@ include_once("../../lib/status.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
// die if no write access
if (!checkIfWriteAccessIsAllowed()) die();
diff --git a/lam/templates/schema/schema.php b/lam/templates/schema/schema.php
index 44880e82..6083823c 100644
--- a/lam/templates/schema/schema.php
+++ b/lam/templates/schema/schema.php
@@ -3,7 +3,7 @@
$Id$
Copyright (C) 2004 David Smith
- modified to fit for LDAP Account Manager 2005 - 2012 Roland Gruber
+ modified to fit for LDAP Account Manager 2005 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -29,8 +29,8 @@ $Id$
* @author David Smith
* @author Roland Gruber
*/
-
-
+
+
/** security functions */
include_once("../../lib/security.inc");
/** access to LDAP server */
@@ -42,6 +42,7 @@ require_once("../../lib/schema.inc");
// start session
startSecureSession();
+enforceUserIsLoggedIn();
checkIfToolIsActive('toolSchemaBrowser');
@@ -51,7 +52,7 @@ include '../main_header.php';
$view = isset( $_GET['view'] ) ? $_GET['view'] : 'objectClasses';
-$viewvalue = isset( $_GET['viewvalue'] ) ? $_GET['viewvalue'] : null;
+$viewvalue = isset( $_GET['viewvalue'] ) ? $_GET['viewvalue'] : null;
if( trim( $viewvalue ) == "" )
$viewvalue = null;
if( ! is_null( $viewvalue ) )
@@ -89,7 +90,7 @@ if( $view == 'syntaxes' ) {
echo "