* @package admin * @copyright (c) 2014-19 by Ralf Becker * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License */ use EGroupware\Api; use EGroupware\Api\Framework; use EGroupware\Api\Acl; use EGroupware\Api\Etemplate; /** * UI for admin: edit/add account */ class admin_account { /** * Functions callable via menuaction * * @var array */ public $public_functions = array( 'delete' => true, ); /** * Hook to edit account data via "Account" tab in addressbook edit dialog * * @param array $content * @return array * @throws Api\Exception\NotFound */ public function addressbook_edit(array $content) { if ((string)$content['owner'] === '0' && $GLOBALS['egw_info']['user']['apps']['admin']) { $deny_edit = $content['account_id'] ? $GLOBALS['egw']->acl->check('account_access', 16, 'admin') : $GLOBALS['egw']->acl->check('account_access', 4, 'admin'); //error_log(__METHOD__."() contact_id=$content[contact_id], account_id=$content[account_id], deny_edit=".array2string($deny_edit)); if (!$content['account_id'] && $deny_edit) return; // no right to add new accounts, should not happen by AB ACL // load our translations Api\Translation::add_app('admin'); if ($content['id']) // existing account { // invalidate account, before reading it, to code with changed to DB or LDAP outside EGw Api\Accounts::cache_invalidate((int)$content['account_id']); if (!($account = $GLOBALS['egw']->accounts->read($content['account_id']))) { throw new Api\Exception\NotFound('Account data NOT found!'); } if ($account['account_expires'] == -1) $account['account_expires'] = ''; unset($account['account_pwd']); // do NOT send to client $account['account_groups'] = array_keys($account['memberships']); $acl = new Acl($content['account_id']); $acl->read_repository(); $account['anonymous'] = $acl->check('anonymous', 1, 'phpgwapi'); $account['changepassword'] = !$acl->check('nopasswordchange', 1, 'preferences'); $auth = new Api\Auth(); if (($account['account_lastpwd_change'] = $auth->getLastPwdChange($account['account_lid'])) === false) { $account['account_lastpwd_change'] = null; } $account['mustchangepassword'] = isset($account['account_lastpwd_change']) && (string)$account['account_lastpwd_change'] === '0'; } else // new account { $account = array( 'account_status' => 'A', 'account_groups' => array(), 'anonymous' => false, 'changepassword' => true, //old default: (bool)$GLOBALS['egw_info']['server']['change_pwd_every_x_days'], 'mustchangepassword' => false, 'account_primary_group' => $GLOBALS['egw']->accounts->name2id('Default'), 'homedirectory' => $GLOBALS['egw_info']['server']['ldap_account_home'], 'loginshell' => $GLOBALS['egw_info']['server']['ldap_account_shell'], ); } // should we show extra ldap attributes home-directory and login-shell $account['ldap_extra_attributes'] = $GLOBALS['egw_info']['server']['ldap_extra_attributes'] && get_class($GLOBALS['egw']->accounts->backend) === 'EGroupware\\Api\\Accounts\\Ldap'; $readonlys = array(); // at least ADS does not allow to unset it and SQL backend does not implement it either if ($account['mustchangepassword']) { $readonlys['mustchangepassword'] = true; } if ($deny_edit) { foreach(array_keys($account) as $key) { $readonlys[$key] = true; } $readonlys['account_passwd'] = $readonlys['account_passwd2'] = true; } return array( 'name' => 'admin.account', 'prepend' => true, 'label' => 'Account', 'data' => $account, // save old values to only trigger save, if one of the following values change (contact data get saved anyway) 'preserve' => empty($content['id']) ? array() : array('old_account' => array_intersect_key($account, array_flip(array( 'account_lid', 'account_status', 'account_groups', 'anonymous', 'changepassword', 'mustchangepassword', 'account_primary_group', 'homedirectory', 'loginshell', 'account_expires', 'account_firstname', 'account_lastname', 'account_email'))), 'deny_edit' => $deny_edit), 'readonlys' => $readonlys, 'pre_save_callback' => $deny_edit ? null : 'admin_account::addressbook_pre_save', ); } } /** * Hook called by addressbook prior to saving addressbook data * * @param array &$content * @throws Exception for errors * @return string Success message */ public static function addressbook_pre_save(&$content) { if (!isset($content['mustchangepassword'])) { $content['mustchangepassword'] = true; // was readonly because already set } $content['account_firstname'] = $content['n_given']; $content['account_lastname'] = $content['n_family']; $content['account_email'] = $content['email']; if($content['account_passwd'] && $content['account_passwd'] !== $content['account_passwd_2']) { throw new Api\Exception\WrongUserinput('Passwords are not the same'); } if (!empty($content['old_account'])) { $old = array_diff_assoc($content['old_account'], $content); // array_diff_assoc compares everything as string (cast to string) if ($content['old_account']['account_groups'] != $content['account_groups']) { $old['account_groups'] = $content['old_account']['account_groups']; } if($content['account_passwd']) { // Don't put password into history $old['account_passwd'] = ''; } } if ($content['deny_edit'] || $old === array()) { return ''; // no need to save account data, if nothing changed } //error_log(__METHOD__."(".array2string($content).")"); $account = array(); foreach(array( // need to copy/rename some fields named different in account and contact 'n_given' => 'account_firstname', 'n_family' => 'account_lastname', 'email' => 'account_email', 'account_groups', // copy following fields to account 'account_lid', 'changepassword', 'anonymous', 'mustchangepassword', 'account_passwd', 'account_passwd_2', 'account_primary_group', 'account_expires', 'account_status', 'homedirectory', 'loginshell', 'requested', 'requested_email', 'comment', // admin_cmd documentation (EPL) ) as $c_name => $a_name) { if (is_int($c_name)) $c_name = $a_name; // only record real changes if (isset($content['old_account']) && // currently LDAP (and probably also AD and UCS) can not skip unchanged fields! get_class($GLOBALS['egw']->accounts->backend) === 'EGroupware\\Api\\Accounts\\Sql' && (!isset($content[$c_name]) && $c_name !== 'account_expires' || // account_expires is not set when empty! $content['old_account'][$a_name] == $content[$c_name])) { continue; // no change --> no need to log setting it to identical value } switch($a_name) { case 'account_expires': case 'account_status': $account['account_expires'] = $content['account_expires'] ? $content['account_expires'] : ($content['account_status'] ? 'never' : 'already'); break; case 'changepassword': // boolean values: admin_cmd_edit_user understands '' as NOT set case 'anonymous': case 'mustchangepassword': $account[$a_name] = (boolean)$content[$c_name]; break; default: $account[$a_name] = $content[$c_name]; break; } } // Make sure primary group is in account groups if (isset($account['account_groups']) && $account['account_primary_group'] && !in_array($account['account_primary_group'], (array)$account['account_groups'])) { $account['account_groups'][] = $account['account_primary_group']; } $cmd = new admin_cmd_edit_user(array( 'account' => (int)$content['account_id'], 'set' => $account, 'old' => $old, )+(array)$content['admin_cmd']); $cmd->run(); Api\Json\Response::get()->call('egw.refresh', '', 'admin', $cmd->account, $content['account_id'] ? 'edit' : 'add'); $addressbook_bo = new Api\Contacts(); if (!($content['id'] = Api\Accounts::id2name($cmd->account, 'person_id')) || !($contact = $addressbook_bo->read($content['id']))) { throw new Api\Exception\AssertionFailed("Can't find contact of just created account!"); } // for a new account a new contact was created, need to merge that data with $content if (!$content['account_id']) { $content['account_id'] = $cmd->account; $content = array_merge($contact, $content); } else // for updated account, we need to refresh etag { $content['etag'] = $contact['etag']; } } /** * Delete an account * * @param array $content =null */ public static function delete(array $content=null) { if (!is_array($content)) { if (isset($_GET['contact_id']) && ($account_id = $GLOBALS['egw']->accounts->name2id((int)$_GET['contact_id'], 'person_id'))) { $content = array( 'account_id' => $account_id, 'contact_id' => (int)$_GET['contact_id'], ); } else { $content = array('account_id' => (int)$_GET['account_id']); } //error_log(__METHOD__."() \$_GET[account_id]=$_GET[account_id], \$_GET[contact_id]=$_GET[contact_id] content=".array2string($content)); } if ($GLOBALS['egw']->acl->check('account_access',32,'admin') || $GLOBALS['egw_info']['user']['account_id'] == $content['account_id']) { Framework::window_close(lang('Permission denied!!!')); } if ($content['delete']) { $cmd = new admin_cmd_delete_account(array( 'account' => $content['account_id'], 'new_user' => $content['new_owner'], 'is_user' => $content['account_id'] > 0, 'change_apps' => $content['delete_apps'] ) + (array)$content['admin_cmd']); $msg = $cmd->run(); if ($content['contact_id']) { Framework::refresh_opener($msg, 'addressbook', $content['contact_id'], 'delete'); } else { Framework::refresh_opener($msg, 'admin', $content['account_id'], 'delete'); } Framework::window_close(); } $sel_options = array(); $preserve = $content; // Get a count of entries owned by the user $counts = $GLOBALS['egw']->accounts->get_account_entry_counts($content['account_id']); foreach($counts as $app => $counts) { $entry = Api\Link::get_registry($app, 'entries'); if(!$entry) { $entry = lang('Entries'); } if($counts['total'] && Api\Hooks::exists('deleteaccount', $app)) { $content['delete_apps'][] = $app; $sel_options['delete_apps'][] = array( 'value' => $app, 'label' => lang($app) . ': ' . $counts['total'] . ' '.$entry ); } else if ($counts['total']) { // These ones don't support the needed hook $content['counts'][] = array( 'app' => $app, 'count' => $counts['total'] . ' '.$entry ); } } // Add filemanager home directory in as special case, hook is in the API if(Api\Vfs::file_exists('/home/'.$GLOBALS['egw']->accounts->id2name($content['account_id']))) { $app = 'filemanager'; $sel_options['delete_apps'][] = array( 'value' => $app, 'label' => lang($app) . ': /home' ); $content['delete_apps'][] = $app; } $tpl = new Etemplate('admin.account.delete'); $tpl->exec('admin_account::delete', $content, $sel_options, array(), $preserve, 2); } /** * Delete a group via ajax * * @param int $account_id * @param String[] $data Optional data * @param string $etemplate_exec_id to check against CSRF */ public static function ajax_delete_group($account_id, $data, $etemplate_exec_id) { Api\Etemplate\Request::csrfCheck($etemplate_exec_id, __METHOD__, func_get_args()); $cmd = new admin_cmd_delete_account(Api\Accounts::id2name(Api\Accounts::id2name($account_id)), null, false, (array)$data['admin_cmd']); $msg = $cmd->run(); Api\Json\Response::get()->call('egw.refresh', $msg, 'admin', $account_id, 'delete'); } /** * Check entered data and return error-msg via json data or null * * @param array $data values for account_id and account_lid * @param string $changed name of addressbook widget triggering change eg. "email", "n_given" or "n_family" */ public static function ajax_check(array $data, $changed) { // warn if anonymous user is renamed, as it breaks eg. sharing and Collabora if ($changed == 'account_lid' && Api\Accounts::id2name($data['account_id']) === 'anonymous' && $data['account_lid'] !== 'anonymous') { Api\Json\Response::get()->data(lang("Renaming user 'anonymous' will break file sharing and Collabora Online Office!")); return; } // for 1. password field just check password complexity if ($changed == 'account_passwd') { $data['account_fullname'] = $data['account_firstname'].' '.$data['account_lastname']; if (($error = Api\Auth::crackcheck($data['account_passwd'], null, null, null, $data))) { $error .= "\n\n".lang('If you ignore that error as admin, you should check "%1"!', lang('Must change password upon next login')); } Api\Json\Response::get()->data($error); return; } // generate default email address, but only for new Api\Accounts if (!$data['account_id'] && in_array($changed, array('n_given', 'n_family', 'account_lid'))) { $email = Api\Accounts::email($data['account_firstname'], $data['account_lastname'], $data['account_lid']); if ($email && $email[0] != '@' && strpos($email, '@')) // only add valid email addresses { Api\Json\Response::get()->assign('addressbook-edit_email', 'value', $email); } } if (!$data['account_lid'] && !$data['account_id']) return; // makes no sense to check before // set home-directory when account_lid is entered, but only for new Api\Accounts if ($changed == 'account_lid' && !$data['account_id'] && $GLOBALS['egw_info']['server']['ldap_extra_attributes'] && $GLOBALS['egw_info']['server']['ldap_account_home']) { Api\Json\Response::get()->assign('addressbook-edit_homedirectory', 'value', $GLOBALS['egw_info']['server']['ldap_account_home'].'/'.preg_replace('/[^a-z0-9_.-]/i', '', Api\Translation::to_ascii($data['account_lid']))); } // set dummy membership to get no error about no members yet $data['account_memberships'] = array($data['account_primary_user'] = $GLOBALS['egw_info']['user']['account_primary_group']); try { $cmd = new admin_cmd_edit_user($data['account_id'], $data); $cmd->run(null, false, false, true); } catch(Exception $e) { Api\Json\Response::get()->data($e->getMessage()); } } }