  1. <?php
  2. require_once 'config/config.php';
  3. require_once 'program/include/iniset.php';
  4.  
  5. session_name("Asteroid2Id");
  6. session_start(['use_strict_mode' => true]);
  7.  
  8. $pdo = null; $odb = null;
  9. $AUTH_MODE = $config['auth_mode'] ?? 'hybrid';
  10. function db_open_lazy() {
  11.     global $pdo, $odb;
  12.     if ($pdo) return $pdo;
  13.     $odb = new ods_db();
  14.     if (!$odb->open()) { return null; }
  15.     $pdo = $odb->db;
  16.     return $pdo;
  17. }
  18.  
  19. function login_via_db(string $login, string $pass): bool {
  20.     global $pdo, $config;
  21.     $pdo = db_open_lazy();
  22.     if (!$pdo) return false;
  23.  
  24.     $stmt = $pdo->prepare('SELECT id, login, password_hash, role FROM user WHERE login = ?');
  25.     $stmt->execute([$login]);
  26.     $u = $stmt->fetch(PDO::FETCH_ASSOC);
  27.     if (!$u || !password_verify($pass, $u['password_hash'])) return false;
  28.  
  29.     $_SESSION['uid']    = (int)$u['id'];
  30.     $_SESSION['role']   = $u['role'];
  31.     $_SESSION['userid'] = $u['login'];
  32.     $_SESSION['admin']  = ($u['role'] === 'admin');
  33.     $_SESSION['db_user']= true;
  34.  
  35.     guardIp($pdo, (int)$u['id'], $u['role'], $u['login']);
  36.     return true;
  37. }
  38.  
  39. function hybrid_autocreate_if_needed(string $login, string $pass): void {
  40.     global $config, $pdo;
  41.     if (empty($config['hybrid_autocreate'])) return;
  42.  
  43.     $pdo = db_open_lazy();
  44.     if (!$pdo) return;
  45.  
  46.     $role = in_array($login, $config['admin'] ?? [], true) ? 'admin' : 'user';
  47.     $chk = $pdo->prepare('SELECT id FROM user WHERE login=?');
  48.     $chk->execute([$login]);
  49.     if ($chk->fetch()) return;
  50.  
  51.     $hash = password_hash($pass, PASSWORD_DEFAULT);
  52.     $ins  = $pdo->prepare('INSERT INTO user(login,password_hash,role,legit_ips,dev_token) VALUES (?,?,?,?,NULL)');
  53.     $ins->execute([$login, $hash, $role, '[]']);
  54. }
  55.  
  56. if (!empty($_SESSION['uid']) && !empty($_SESSION['db_user'])) {
  57.     $pdo = db_open_lazy();
  58.     if ($pdo) {
  59.         guardIp($pdo, (int)$_SESSION['uid'], $_SESSION['role'] ?? 'user', $_SESSION['userid'] ?? '');
  60.     }
  61. }
  62.  
  63. $route = $_GET['do'] ?? 'home';
  64.  
  65. $loginfail = "hide";
  66. if (isset($_POST['inputLogin']) && isset($_POST['inputPassword'])) {
  67.  
  68.     $login = trim($_POST['inputLogin']);
  69.     $pass  = $_POST['inputPassword'];
  70.  
  71.     if ($AUTH_MODE === 'db') {
  72.         if (login_via_db($login, $pass)) {
  73.             $loc = !empty($_POST['back']) ? $_POST['back'] : '?do=form';
  74.             header("Location: $loc"); exit;
  75.         }
  76.         $loginfail = "show";
  77.     }
  78.     elseif ($AUTH_MODE === 'hybrid') {
  79.         if (login_via_db($login, $pass)) {
  80.             $loc = !empty($_POST['back']) ? $_POST['back'] : '?do=form';
  81.             header("Location: $loc"); exit;
  82.         }
  83.  
  84.         $legacy_ok = (
  85.             (in_array($login, $config['admin'] ?? []) && $pass === ($config['admin_pass'][array_search($login, $config['admin'])] ?? '')) ||
  86.             (in_array($login, $config['user']  ?? []) && $pass === ($config['user_pass'][array_search($login, $config['user'])] ?? '')) ||
  87.             (in_array($login, $config['demo']  ?? []) && $pass === ($config['demo_pass'][array_search($login, $config['demo'])] ?? ''))
  88.         );
  89.  
  90.         if ($legacy_ok) {
  91.             $_SESSION['userid'] = $login;
  92.             $_SESSION['admin']  = in_array($login, $config['admin'] ?? [], true);
  93.             $_SESSION['demo']   = in_array($login, $config['demo']  ?? [], true);
  94.  
  95.             hybrid_autocreate_if_needed($login, $pass);
  96.  
  97.             $loc = !empty($_POST['back']) ? $_POST['back'] : '?do=form';
  98.             header("Location: $loc"); exit;
  99.         }
  100.  
  101.         $loginfail = "show";
  102.     }
  103.     else {
  104.         if(
  105.             ($login == ($config['admin'][0] ?? null) && $pass == ($config['admin_pass'][0] ?? null)) ||
  106.             ($login == ($config['admin'][1] ?? null) && $pass == ($config['admin_pass'][1] ?? null)) ||
  107.             ($login == ($config['admin'][2] ?? null) && $pass == ($config['admin_pass'][2] ?? null)) ||
  108.             ($login == ($config['admin'][3] ?? null) && $pass == ($config['admin_pass'][3] ?? null)) ||
  109.             ($login == ($config['admin'][4] ?? null) && $pass == ($config['admin_pass'][4] ?? null)) ||
  110.             ($login == ($config['admin'][5] ?? null) && $pass == ($config['admin_pass'][5] ?? null)) ||
  111.             ($login == ($config['user'][0]  ?? null) && $pass == ($config['user_pass'][0]  ?? null)) ||
  112.             ($login == ($config['user'][1]  ?? null) && $pass == ($config['user_pass'][1]  ?? null)) ||
  113.             ($login == ($config['user'][2]  ?? null) && $pass == ($config['user_pass'][2]  ?? null)) ||
  114.             ($login == ($config['demo'][0]  ?? null) && $pass == ($config['demo_pass'][0]  ?? null)) ||
  115.             ($login == ($config['demo'][1]  ?? null) && $pass == ($config['demo_pass'][1]  ?? null))
  116.         ) {
  117.             $_SESSION['userid'] = $login;
  118.             $_SESSION['admin']  = in_array($login, $config['admin'] ?? [], true);
  119.             $_SESSION['demo']   = in_array($login, $config['demo']  ?? [], true);
  120.  
  121.             $loc = !empty($_POST['back']) ? $_POST['back'] : '?do=form';
  122.             header("Location: $loc"); exit;
  123.         }
  124.         else $loginfail = "show";
  125.     }
  126. }
  127.  
  128. $base_uri = dirname($_SERVER["PHP_SELF"]);
  129. if ($base_uri == '/')
  130.     $base_uri = '';
  131.  
  132.  
  133. if (isset($_GET['n'])) {
  134.     $ds = new ods_device();
  135.     $ds->run();
  136.     exit;
  137. }
  138.  
  139. if (isset($_GET['asterisk'])) {
  140.     if (in_array($_SERVER['REMOTE_ADDR'], $config['aster_whitelist'])) {
  141.         $aster = new ods_aster();
  142.  
  143.         if (isset($_GET['fn']) && $_GET['fn'] == 'callconfirm') {
  144.             if (isset($_GET['id']) && isset($_GET['dialstatus']) && isset($_GET['hangupcause'])) {
  145.                 $ok = $aster->callconfirm($_GET['id'], $_GET['hangupcause'], $_GET['dialstatus']);
  146.                 echo $ok ? 'OK' : 'ERROR';
  147.             }
  148.         }
  149.  
  150.         if (isset($_GET['fn']) && $_GET['fn'] == 'incall') {
  151.             if (isset($_GET['cid']) && isset($_GET['did'])) {
  152.                 $ok = $aster->incall($_GET['did'], $_GET['cid']);
  153.                 echo $ok ? 'OK' : 'ERROR';
  154.             }
  155.         }
  156.     } else {
  157.         header("HTTP/1.1 403 Forbidden");
  158.         echo 'Access denied';
  159.     }
  160.     exit;
  161. }
  162.  
  163. if (strpos($_SERVER['REQUEST_URI'], 'images/tiles/') !== false) {
  164.     session_write_close();
  165.     if (isset($_SESSION['userid'])) {
  166.         $tiles = new ods_tiles();
  167.         $tiles->run($base_uri);
  168.     } else
  169.         header("HTTP/1.1 401 Unauthorized");
  170.  
  171.     exit;
  172. }
  173.  
  174.  
  175. if (strpos($_SERVER['REQUEST_URI'], 'images/') !== false) {
  176.     session_write_close();
  177.     if (isset($_SESSION['userid'])) {
  178.         $svg = new ods_svg();
  179.         $svg->run();
  180.     } else
  181.         header("HTTP/1.1 401 Unauthorized");
  182.     exit;
  183. }
  184.  
  185. $mui = new ods_mui();
  186. $language = $mui->langDetect();
  187. $mui->changeLang($language);
  188.  
  189. if (strpos($_SERVER['REQUEST_URI'], 'js/') !== false) {
  190.     session_write_close();
  191.     if (isset($_SESSION['userid'])) {
  192.         $js = new ods_js();
  193.         $js->run();
  194.     } else
  195.         header("HTTP/1.1 401 Unauthorized");
  196.     exit;
  197. }
  198.  
  199. if ('api' == @$_GET['do']) {
  200.     session_write_close();
  201.     if (isset($_SESSION['userid'])) {
  202.         $api = new ods_api();
  203.         $api->run();
  204.     } else
  205.         header("HTTP/1.1 401 Unauthorized");
  206.     exit;
  207. }
  208.  
  209. $loader = new Twig_Loader_Filesystem('templates');
  210. $options = array();
  211. if ($config['debug'])
  212.     $options['cache'] = false;
  213. else
  214.     $options['cache'] = 'cache/twig_c_cache';
  215. $twig = new Twig_Environment($loader, $options);
  216. $twig->addExtension(new Twig_Extensions_Extension_I18n());
  217.  
  218. $template = 'map.html';
  219. if ('login' == @$_GET['do']) {
  220.     $template = 'login.html';
  221.     if (isset($_SESSION['userid']))
  222.         unset($_SESSION['userid']);
  223. } else {
  224.     if (!isset($_SESSION['userid'])) {
  225.         $loc = $base_uri . '/' . '?do=login';
  226.         $uri = $_SERVER['REQUEST_URI'];
  227.         if (!empty($uri) && !stristr($uri, "login"))
  228.             $loc .= '&b=' . urlencode($uri);
  229.         if (empty($_SERVER['HTTPS'])) {
  230.             sleep(2);
  231.             $loc = $base_uri . '/' . '?do=login';
  232.         }
  233.         header("Location: $loc");
  234.     }
  235. }
  236. if ($template != 'login.html') {
  237.     $do = 'form';
  238.     if (isset($_GET['do']))
  239.         $do = $_GET['do'];
  240.  
  241.     $clearuri = strtok($_SERVER['REQUEST_URI'], '?');
  242.  
  243.     if (in_array($clearuri, [$base_uri, $base_uri . '/'])) {
  244.         //$fn='map';
  245.         $loc = $base_uri . '/' . 'map';
  246.         header("Location: $loc");
  247.         exit();
  248.     } else
  249.         $fn = basename($clearuri);
  250.  
  251.     if (isset($_GET['fn']))
  252.         $fn = $_GET['fn'];
  253.  
  254.     if ('form' == $do)
  255.         $template = $fn . '.html';
  256. }
  257.  
  258. try {
  259.     $template = $twig->loadTemplate($template);
  260. } catch (Exception $e) {
  261.     $debug['error'] = $e->getMessage();
  262.     $template = $twig->loadTemplate('404.html');
  263. }
  264.  
  265. $head['title'] = _("Asteroid");
  266.  
  267. $params = array(
  268.     'version' => $config['version'],
  269.     'configtime' => $config['time'],
  270.     'languages' => $config['languages'],
  271.     'language' => $language,
  272.     'language_ts' => $mui->poTime(),
  273.     'head' => $head,
  274.     'user' => @ $_SESSION['userid'],
  275.     'admin' => @ $_SESSION['admin'],
  276.     'demo' => @ $_SESSION['demo'],
  277.     '_GET' => @$_GET,
  278.     'base_uri' => $base_uri,
  279.     'debugmode' => $config['debug'],
  280.     'dim_width' => $config['dim_width'],
  281.     'dim_maxvalue' => $config['dim_maxvalue'],
  282.     'dim_percent' => $config['dim_percent'],
  283.     'wide_tiles' => $config['wide_tiles'],
  284.     'phone_letters' => $config['phone_letters'],
  285.     'phone_format' => $config['phone_format'],
  286.     'domain' => $_SERVER['SERVER_NAME'],
  287.     'appdata' => $appdata,
  288.     'template' => $template
  289. );
  290.  
  291. if ($params['debugmode'])
  292.     $params['debug'] = $debug;
  293. header("Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src * 'self' data: https:;");
  294. //  header("Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src 'self' data:;");
  295. if ($template == 'login.html') {
  296.     $params['loginfail'] = $loginfail;
  297.     header('Cache-Control:  no-cache, must-revalidate');
  298. } elseif ($template == '404.html') {
  299.     header('Cache-Control:  no-store, no-cache, must-revalidate, max-age=0');
  300.     header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");
  301. } elseif (isset($_SESSION['userid'])) {
  302.     $kstr = filemtime('templates/' . $template);
  303.     $kstr .= filemtime('config/config.php');
  304.     $kstr .= filemtime('index.php');
  305.     $kstr .= @$_SESSION['userid'];
  306.     $etag = md5($kstr) . '.' . $language;
  307.  
  308.     if (substr_count($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip')) {
  309.         header('Content-Encoding: gzip');
  310.         ob_start('ob_gzhandler');
  311.     }
  312.     header('Cache-Control: private, must-revalidate');
  313.     header("Etag: $etag");
  314.     header('Vary: Accept-Encoding, Cookie');
  315.     header_remove("Pragma");
  316.     header_remove("Expires");
  317.  
  318.     if (isset($_SERVER['HTTP_IF_NONE_MATCH']) && trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {
  319.         header($_SERVER['SERVER_PROTOCOL'] . " 304 Not Modified");
  320.         exit;
  321.     }
  322. }
  323. if (strpos($_SERVER['REQUEST_URI'], '/users') !== false) {
  324.     if ($_SESSION['userid'] !== 'odmin') {
  325.         header('HTTP/1.1 403 Forbidden');
  326.         exit('Access denied');
  327.     }
  328.     $pdo = db_open_lazy();
  329.     if (!$pdo) {
  330.         header('HTTP/1.1 500 Internal Server Error'); exit('DB error');
  331.     }
  332.  
  333.     require_once 'program/include/ods_admin.php';
  334.     $adm = new ods_admin($pdo);
  335.  
  336.     if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  337.         $uid = (int)($_POST['uid'] ?? 0);
  338.         $act = $_POST['action'] ?? '';
  339.  
  340.         try {
  341.             switch ($act) {
  342.  
  343.                 case 'reset_ip':
  344.                     $adm->resetIp($uid);
  345.                     header('Location: users?resetok=1'); exit;
  346.  
  347.                 case 'reset_device':
  348.                     $adm->resetDevice($uid);
  349.                     header('Location: users?devok=1'); exit;
  350.  
  351.                 case 'lock_ips':
  352.                     $adm->lockIps($uid);
  353.                     header('Location: users?lockok=1'); exit;
  354.  
  355.                 case 'delete_user':
  356.                     if ($uid === (int)$_SESSION['uid']) {
  357.                         header('Location: users?error=own'); exit;
  358.                     }
  359.                     $adm->deleteUser($uid);
  360.                     header('Location: users?delok=1'); exit;
  361.  
  362.                 default:
  363.                     $adm->createUser($_POST);
  364.                     header('Location: users?ok='.urlencode($_POST['login'])); exit;
  365.             }
  366.  
  367.         } catch (Exception $e) {
  368.             header('Location: users?error='.urlencode($e->getMessage())); exit;
  369.         }
  370.     }
  371.  
  372.     $users = $adm->listUsers();
  373.     $template = $twig->loadTemplate('users.html');
  374.     $page = [
  375.         'ok'      => $_GET['ok']      ?? null,
  376.         'resetok' => $_GET['resetok'] ?? null,
  377.         'devok'   => $_GET['devok']   ?? null,
  378.         'lockok'  => $_GET['lockok']  ?? null,
  379.         'delok'   => $_GET['delok']   ?? null,
  380.         'sessionUid' => $_SESSION['uid'],
  381.         'error'   => ($_GET['error'] ?? null) === 'own'
  382.             ? 'Cannot delete your own account'
  383.             : ($_GET['error'] ?? null),
  384.         'users'   => $users,
  385.     ];
  386.  
  387.     echo $twig->render('users.html', array_merge($params, $page));
  388.     $odb->close();
  389.     exit;
  390. }
  391. echo $template->render($params);
  392. if ($odb) { $odb->close(); }