Added basic warning message when users mistype their email or password, see #6

1package BearMail::Web::Login;
2
3# Copyright (C) 2009 Bearstech - http://bearstech.com/
4#
5# This program is free software: you can redistribute it and/or modify
6# it under the terms of the GNU General Public License as published by
7# the Free Software Foundation, either version 3 of the License, or
8# (at your option) any later version.
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program.  If not, see <http://www.gnu.org/licenses/>.
17
18# Login webui page - part of bearmail
19
20use strict;
21use base 'BearMail::Web';
22use Digest::MD5 qw(md5_hex);
23
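sub login : StartRunMode {
    my $self = shift;

    my $q     = $self->query;
    my $email = $q->param('email')    || '';
    my $pass  = $q->param('password') || '';

    # We can't proceed with login if we don't have both params
    return $self->login_page() if $email eq '' or $pass eq '';

    # FIXME: need to handle simple user login too

    # Reserved logins that are allowed to use the master password. Anchored
    # with \A/\z so a trailing newline in the submitted value cannot slip past
    # the check; the optional suffix is "istrator" (the earlier pattern
    # accepted "admininistrator" but rejected "administrator").
    my $is_admin_login = $email =~ /\A(?:admin(?:istrator)?|root)\z/i;

    # Stored credentials (postmaster table and master_password) are unsalted
    # MD5 hex digests, so the submitted password is digested the same way.
    # NOTE(review): unsalted MD5 is a weak password store; replacing it would
    # change the stored format and is out of scope for this run mode.
    my $pass_digest = md5_hex($pass);

    # First check simple domain login
    my $domain_pass = $self->{b}->get_postmasters()->{$email};
    return $self->login_ok($email, 'postmaster')
        if defined $domain_pass and $domain_pass eq $pass_digest;

    # Then try master password, but only on admin|root logins to prevent
    # users discovering domain/master password collisions by accident
    my $master_pass = $self->cfg('master_password');
    return $self->login_ok($email, 'admin')
        if $is_admin_login and defined $master_pass and $master_pass eq $pass_digest;

    # Tell the user whether the login or the password was wrong.
    # NOTE(review): this also lets an unauthenticated caller learn which
    # postmaster logins exist; a single generic failure hint would avoid that.
    my $error = (defined $domain_pass or $is_admin_login) ? 'password' : 'email';
    return $self->login_page($error);
}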
54
sub login_page {
    my ($self, $error) = @_;

    # Render the login form. When a failure reason is supplied, raise the
    # matching "error_<reason>" template flag so the page can show a hint.
    my $tmpl = $self->load_tmpl('login.html');
    if ($error) {
        $tmpl->param("error_$error" => 1);
    }

    return $tmpl->output;
}
64
sub login_ok {
    my ($self, $user, $level) = @_;

    # Remember who logged in. The privilege level is stored too, although
    # privileges ought to be re-checked at every operation rather than read
    # back from s{level} (FIXME, as noted by the original author).
    # NOTE(review): nothing visible here rotates the session id on login;
    # confirm the session layer does, or a pre-login id keeps being used.
    $self->session->param('user',  $user);
    $self->session->param('level', $level);

    # Landing page per privilege level, used when no 'intent' was recorded
    # before the user was sent to the login form.
    my %landing_for = (
        user       => 'address_edit',
        postmaster => 'address_list',
        admin      => 'domain_list',
    );

    # NOTE(review): 'intent' comes back from the session and goes straight to
    # url(); whether url() limits it to internal run modes is not visible here.
    my $target = $self->session->param('intent') || $landing_for{$level};
    return $self->redirect($self->url($target));
}
84
1;  # a module must end by returning a true value