|
1 | 1 | <?php |
2 | | -// Parts of this file are based on index.php (Roundcube version 1.4.8). |
3 | | -// TODO Reduce amount of duplicate code from index.php. We may be able to do that by: |
4 | | -// * removing authenticate hook logic using $_POST. |
5 | | -// * moving login logic to a function provided by base Roundcube |
| 2 | +// Assuming we are inside RC's plugins/jmap dir |
| 3 | +// TODO first change - we no loner use iniset.php |
| 4 | +// TODO finish |
| 5 | +define('RCUBE_ROOT', realpath('../../')); |
| 6 | +#TODO remove define('INSTALL_PATH', RCUBE_ROOT . '/'); |
| 7 | +define('RCUBE_INSTALL_PATH', RCUBE_ROOT . '/'); |
6 | 8 |
|
7 | | -// include environment |
8 | | -require_once __DIR__ . '/../../program/include/iniset.php'; |
| 9 | +// load the Roundcube framework with its autoloader |
| 10 | +require_once RCUBE_ROOT . '/lib/Roundcube/bootstrap.php'; |
| 11 | +// TODO second change - use only rcube instead of RCMAIL |
| 12 | +$RCMAIL = \rcmail::get_instance(\rcube::INIT_WITH_DB | \rcube::INIT_WITH_PLUGINS); |
9 | 13 |
|
10 | | -// init application, start session, init output class, etc. |
11 | | -$RCMAIL = rcmail::get_instance(0, $GLOBALS['env']); |
12 | | - |
13 | | -/// Auth hack BEGIN |
14 | | -// TODO authenticate hook may actually be removed. Unclear if this is required for cPanel auth. |
15 | | -// Set some global POST vars that would be usually set via HTML <input> tags are: |
16 | | -// _task, _action, _timezone, _user, _pass, _token . We set all except for token. |
17 | | -// Token should only be required for an existing session. Also disregarding Timezone for now |
18 | | -$_POST['_user'] = $_SERVER['PHP_AUTH_USER']; |
19 | | -$_POST['_pass'] = $_SERVER['PHP_AUTH_PW']; |
20 | | -$_POST['_action'] = 'login'; |
21 | | -$_POST['_task'] = 'login'; |
| 14 | +$user = $_SERVER['PHP_AUTH_USER']; |
| 15 | +$pass = $_SERVER['PHP_AUTH_PW']; |
22 | 16 |
|
23 | 17 | /// Impersonation / admin auth BEGIN |
24 | 18 | // An array to store the admin user, as well the user-to-impersonate |
|
28 | 22 | // Check if we're dealing with admin auth credentials |
29 | 23 | // and if yes, then take the first part as the admin username |
30 | 24 | // to use for login |
31 | | -if (mb_strpos($_POST['_user'], "*")) { |
32 | | - $users = explode("*", $_POST['_user']); |
33 | | - $_POST['_user'] = $users[0]; |
| 25 | +if (mb_strpos($user, "*")) { |
| 26 | + $users = explode("*", $user); |
| 27 | + $user = $users[0]; |
34 | 28 | } |
35 | | -/// Impersonation / admin auth END |
36 | 29 |
|
| 30 | +/// Authenticate hook |
| 31 | +// TODO authenticate hook may actually be removed. Unclear if this is required for cPanel auth. |
37 | 32 | $pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8'); |
38 | 33 |
|
39 | 34 | $auth = $RCMAIL->plugins->exec_hook('authenticate', array( |
40 | 35 | 'host' => $RCMAIL->autoselect_host(), |
41 | | - 'user' => trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)), |
42 | | - 'pass' => rcube_utils::get_input_value('_pass', rcube_utils::INPUT_POST, true, $pass_charset), |
| 36 | + 'user' => trim(rcube_utils::parse_input_value($_SERVER['PHP_AUTH_USER'])), |
| 37 | + 'pass' => rcube_utils::parse_input_value($_SERVER['PHP_AUTH_PW'], true, $pass_charset), |
43 | 38 | 'valid' => true, // It is always valid in Karlsruhe! |
44 | 39 | 'cookiecheck' => false, // No cookies for you in Karlsruhe! |
45 | 40 | )); |
46 | | -/// Auth hack END |
47 | | - |
48 | | -// Login |
49 | | -// TODO The following contains quite a lot of duplicate code from RC's index.php. |
50 | | -// It may be moved to an own function (except for returning errors via API)? |
51 | | -if ( |
52 | | - $auth['valid'] && !$auth['abort'] |
53 | | - && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck']) |
54 | | -) { |
55 | | - $logger->info("Successfully logged in as " . $auth['user']); |
56 | | - |
57 | | - // log successful login |
58 | | - $RCMAIL->log_login(); |
59 | | -} else { |
| 41 | + |
| 42 | +// IMAP Login |
| 43 | +$login_success = false; |
| 44 | +if ($auth['valid'] && !$auth['abort']){ |
| 45 | + if($RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], false, true)) { |
| 46 | + $logger->info("Successfully logged in as " . $auth['user']); |
| 47 | + // initialize user object to rcube framework. TODO might not work? |
| 48 | + $RCMAIL->set_user($user); |
| 49 | + $login_success = true; |
| 50 | + } |
| 51 | +} |
| 52 | +if (!$auth['valid'] || $auth['abort'] || !$login_success){ |
60 | 53 | if (!$auth['valid']) { |
61 | 54 | $error_code = rcmail::ERROR_INVALID_REQUEST; |
62 | 55 | } else { |
63 | 56 | $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error(); |
64 | 57 | } |
65 | | - |
66 | 58 | $error_labels = array( |
67 | 59 | rcmail::ERROR_STORAGE => 'storageerror', |
68 | 60 | rcmail::ERROR_COOKIES_DISABLED => 'cookiesdisabled', |
|
83 | 75 | $loginError = null; |
84 | 76 |
|
85 | 77 | switch ($error_code) { |
86 | | - case rcmail::ERROR_RATE_LIMIT: |
87 | | - $loginError = 'urn:ietf:params:jmap:error:limit'; |
88 | | - header('HTTP/1.0 429 Too Many Requests'); |
89 | | - break; |
90 | | - case rcmail::ERROR_INVALID_REQUEST: |
91 | | - $loginError = 'urn:ietf:params:jmap:error:notRequest'; |
92 | | - header('HTTP/1.0 400 Bad Request'); |
93 | | - break; |
94 | | - default: |
95 | | - $loginError = '401 Unauthorized'; |
96 | | - header('HTTP/1.0 401 Unauthorized'); |
| 78 | + case rcmail::ERROR_RATE_LIMIT: |
| 79 | + $loginError = 'urn:ietf:params:jmap:error:limit'; |
| 80 | + header('HTTP/1.0 429 Too Many Requests'); |
| 81 | + break; |
| 82 | + case rcmail:ERROR_INVALID_REQUEST: |
| 83 | + $loginError = 'urn:ietf:params:jmap:error:notRequest'; |
| 84 | + header('HTTP/1.0 400 Bad Request'); |
| 85 | + break; |
| 86 | + default: |
| 87 | + $loginError = '401 Unauthorized'; |
| 88 | + header('HTTP/1.0 401 Unauthorized'); |
97 | 89 | } |
98 | 90 |
|
99 | 91 | die($loginError); |
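Review bot: The new `case rcmail:ERROR_INVALID_REQUEST:` at new line 82 uses a single colon, so PHP parses it as `case rcmail:` followed by a bare `ERROR_INVALID_REQUEST;` statement — the branch never matches `rcmail::ERROR_INVALID_REQUEST` and the undefined constant is likely to raise an Error at runtime on PHP 8; it should read `case rcmail::ERROR_INVALID_REQUEST:`. The authenticate hook at new lines 36–37 also reads `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` directly instead of the `$user`/`$pass` locals, so the admin-impersonation split on `*` at new lines 25–27 no longer reaches `$auth['user']` or the IMAP login, whereas the removed code fed the split value through `$_POST['_user']`; use `'user' => trim(rcube_utils::parse_input_value($user)),` and `'pass' => rcube_utils::parse_input_value($pass, true, $pass_charset),`. Both `$_SERVER` keys are absent when the request carries no Basic Authorization header, so reading them at new lines 14–15 with `?? ''` would avoid an undefined-index notice before the hook decides validity. `$logger` and the lines between old 24 and 28 are outside the visible hunks.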
|