<?php

/***************************************************************************
 *
 * vMail.Admin2:  $Id: login.php,v 1.0 15/02/2006 juan Exp $
 *
 ***************************************************************************/

/***************************************************************************
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 ***************************************************************************/

/***************************************************************************
 *
 * @CRITICAL ERROR ID Class: 2800 series
 *
 ***************************************************************************/

define('IN_VMA',TRUE);
define('VMA_LOGIN',TRUE);
define('LOGIN_EMPTY',1);
define('LOGIN_INVALID',2);
define('CODE_EMPTY',3);
define('CODE_INVALID',4);
define('SQ_REDIRECT',5);
define('DOMAIN_DISABLED',6);
define('USER_DISABLED',7);

$root	= '.';
$ext	= substr(strrchr(__FILE__,'.'),1);
require (sprintf('%s/includes/common.%s',$root,$ext));
require (sprintf('%s/includes/functions/password_tools.%s',$root,$ext));

unset($enable_autologin);
if ( ($config['cookie_expire'] > 0) && !($config['cookie_expire'] == 0) && !($config['cookie_expire'] == '0:') && !($config['cookie_expire'] == '0:0') )
{
	$enable_autologin = TRUE;
}

/**
*
* Anti-bot verification image
*
* Verify gd extension is loaded
* Verify "convert" exists (part of ImageMagick)
* Verify TTF for image exists
*
* disable image if any condition is met
*
**/
$graphic_ary = array(1,3);
if ( in_array($config['security_graphic'],$graphic_ary) )
{
	/**
	*
	* Start session, setup user env
	*
	**/
	if ( empty($user->data) )
	{
		$user->session_begin();
		$user->setup();
	}
	
	if ( isset($config['enable_convert']) && $user->style['sc_graphic']['font'] && @file_exists($user->style['sc_graphic']['font']) && extension_loaded('gd') )
	{
		$display_graphic = TRUE;
		
		if ( isset($_GET['confirm_id']) && !empty($_GET['confirm_id']) )
		{
			security_graphic(htmlspecialchars($_GET['confirm_id']));
			exit;
		}
	}
}

/**
*
* Check and set text parameters
*
*/
$params = array(
	'login'			=> 'login',
	'password'		=> 'password',
	'code'			=> 'code',
	'confirm_id'	=> 'confirm_id',
	'autologin'		=> 'autologin',
	'sqr'				=> 'sqr'
);

while( list($var,$param) = @each($params) )
{
	if ( !empty($_POST[$param]) )
	{
		$$var = is_integer($_POST[$param]) ? (int)$_POST[$param]: htmlspecialchars($_POST[$param]);
	}
	else
	{
		unset($$var);
	}
}

/**
*
* Log user in, make checks, blah blah blah
* Please let me know if you make any code changes which
* happens to improve security, etc..
*
**/
if ( isset($_POST) && isset($_POST['submit']) )
{
	list(,$domain) = preg_split('/@/',$login);
	unset($login_failed);
	
	if ( (empty($login) || empty($password)) )
	{
		$login_failed = LOGIN_EMPTY;
	}
	
	else if ( !empty($login) && !empty($password) )
	{
		if ( isset($display_graphic) )
		{
			if ( !isset($code) )
			{
				$login_failed = CODE_EMPTY;		
			}
			else if ( !isset($confirm_id) )
			{
				$login_failed = CODE_INVALID;
			}
			else
			{
				$sql = sprintf("SELECT code
									FROM %s
									WHERE confirm_id = '%s'
									AND token = '%s'",
									CONFIRM_TABLE,$confirm_id,$user->data['token']);
				
				if ( !($result = $db->sql_query($sql)) )
				{
					report_error(GENERAL_ERROR,'Error 27601: '.sprintf(_('Unable to query: %s'),CONFIRM_TABLE),$sql, __FILE__,__LINE__);
				}
				if ( $row = $db->sql_fetchrow($result) )
				{
					$db->sql_freeresult($result);
					if ( !($row['code'] == $code) )
					{
						$login_failed = CODE_INVALID;
					}
				}
			}
		}
		
		if ( !isset($login_failed) )
		{
			if ( isset($domain) && !empty($domain) )
			{
				$sql = sprintf("SELECT user_id, domain_id, password, active
									FROM %s
									WHERE %s = '%s'",
									USERS_TABLE,USERS_USER,$login);
			}
			else
			{
				$sql = sprintf("SELECT %s FROM %s WHERE destination = '%s'",TRANSPORT_DOMAIN,TRANSPORT_TABLE,LOCAL);
				$result = $db->sql_query($sql);
				$row = $db->sql_fetchrow($result);
				$user_extends_domain = sprintf('%s@%s',$login,$row['domain']);
				$db->sql_freeresult();
				unset($sql,$result,$row);
				
				$sql = sprintf("SELECT user_id, domain_id, password, active
									FROM %1\$s
									WHERE (%2\$s = '%3\$s' AND user_level = '%4\$d')
									OR (%2\$s = '%5\$s')",
									USERS_TABLE,USERS_USER,$login,ROOT,$user_extends_domain);
			}

			if ( !($result = $db->sql_query($sql)) )
			{
				report_error(GENERAL_ERROR,'Error 2820: '.sprintf(_('Unable to query: %s'),USERS_TABLE),$sql,__FILE__,__LINE__);
			}
			
			if ( !($row = $db->sql_fetchrow($result)) )
			{
				$login_failed = LOGIN_INVALID;
			}
			
			$user_count = get_count(USERS_TABLE,'user_id','WHERE domain_id <> 0');
			$domaindata = get_domain_data($row['domain_id']);
			$password	= $password;
			$db_salt		= $db_password = $row['password'];
			
//			if ( !($row['domain_id'] == DISABLE) )
			{
				if (!($row['domain_id'] == DISABLE) and (($user_count > 0) && !($domaindata['active'] == ENABLE)) )
				{
					$login_failed = DOMAIN_DISABLED;
				}
				else if ( !($row['active'] == ENABLE) )
				{
					$login_failed = USER_DISABLED;
				}
				else if ( !(crypt_password($password,$db_salt) === $db_password) )
				{
					$login_failed = LOGIN_INVALID;
				}
			}
			
			if ( !isset($login_failed) )
			{
				/**
				*
				* Clean up confirm table
				*
				**/
				$sql = sprintf("DELETE FROM %s
									WHERE token = '%s'",
									CONFIRM_TABLE,$user->data['token']);
				
				if ( !$db->sql_query($sql) )
				{
					report_error(GENERAL_ERROR,'Error 2821: '.sprintf(_('Unable to query: %s'),CONFIRM_TABLE),$sql,__LINE__,__FILE__);
				}
				clean_confirm_table();
				
				$user->session_create($row['user_id'],$user_ip,$autologin);
				redirect(append_sid(sprintf('index.%s',$ext)));
				exit;
			}
		}
	}
}

/**
*
* Start session, setup user env
*
**/
if ( empty($user->data) )
{
	$user->session_begin();
	$user->setup();
}

/**
*
* Log user out
*
**/
if ( isset($_GET['logout']) && $_GET['logout'] == TRUE )
{
	$user->session_kill($user->data['session_id'],$user->data['user_id']);
	end_transaction(GENERAL_MESSAGE,_('Your session has been terminated'),append_sid(sprintf('index.%s',$ext)),'logout');
	exit;
}

/**
*
* Redirect to index if user is already logged in
*
**/
if ( $user->data['logged_in'] )
{
	$this_redirect	= sprintf('index.%s',$ext);
	redirect(append_sid($this_redirect));
}

/**
*
* Begin page setup
*
**/
page_header();
$template->set_filenames(array(
	'login' => 'login.html')
);

if ( isset($enable_autologin) )
{
	$template->assign_block_vars('autologin_checkbox',array(
		'L_AUTOLOGIN'			=> _('Remember Me'),
		'L_AUTOLOGINEXPLAIN' => sprintf(_('Select this option only if you %sDO NOT%s share this computer (cookies must be enabled).'),'<strong>','</strong>'))
	);	
}

if ( isset($sqr) )
{
	$login_failed = SQ_REDIRECT;
}
if ( isset($login_failed) )
{
	switch ( $login_failed )
	{
		case SQ_REDIRECT:
			$error = _('To administer your account,<br />you must re-authenticate yourself.');
		break;
		
		case LOGIN_EMPTY:
			$error = _('Account login or password empty');
		break;
		
		case LOGIN_INVALID:
			$error = _('Invalid account login or password');
		break;
		
		case CODE_EMPTY:
			$error = _('Security code cannot be left blank');
		break;
		
		case CODE_INVALID:
			$error = _('Security codes did not match');
		break;
		
		case DOMAIN_DISABLED:
			$error = _('Domain is currenly disabled');
		break;
		
		case USER_DISABLED:
			$error = _('Account is currently disabled');
		break;
		
		default:
		break;
	}
	
	$template->assign_block_vars('login_error',array(
		'L_LOGINERROR'	=> sprintf('* %s *',$error))
	);
}

if ( isset($display_graphic) )
{
	$confirm_id	= md5(uniqid($user_ip));
	$sql = sprintf("INSERT INTO %s
						(confirm_id, token, code, time)
						VALUES ('%s', '%s', '%s', '%d')",
						CONFIRM_TABLE,$confirm_id,$user->data['token'],generate_code(),$config['current_time']);
	
	if ( !$db->sql_query($sql) )
	{
		report_error(GENERAL_ERROR,'Error 28201: '.sprintf(_('Unable to query: %s'),CONFIRM_TABLE),$sql, __FILE__,__LINE__);
	}
	
	$template->assign_block_vars('display_security_graphic',array(
		'CONFIRMID'		=> $confirm_id,
		
		'L_GFX'			=> _('Security Code'),
		'L_GFXEXPLAIN'	=> _('Enter the characters exactly as you see them. <a class="small" href="javascript:location.reload()">Click here</a> for a new code.'))
	);
}

$template->assign_vars(array(
	'BACKGROUNDTOP'	=> $user->style['login_logo_top'],
	'BACKGROUNDLEFT'	=> $user->style['login_logo_left'],
	'VERSION'			=> defined('CANIDATE_VERSION') ? sprintf("%s_%s",$config['version'],CANIDATE_VERSION) : $config['version'],
	
	'L_ACCOUNTLOGIN'	=> _('Account Login'),
	'L_PASSWORD'		=> _('Password'),
	'L_LOGIN'			=> _('Login'),
		
	'U_FORM'				=> append_sid(sprintf('login.%s',$ext)))
);

$template->display('login');
$template->destroy();
page_footer();

?>