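// handleToken completes a login that was initiated from WHMCS.
//
// WHMCS hands the browser a single-use token; this handler looks the token up
// in whmcs_tokens (it must be exactly TOKEN_LENGTH bytes long and less than one
// minute old), deletes the matched row so it cannot be replayed, and binds the
// session to the row's user_id. An already-authenticated session is sent back
// to the dashboard untouched. Every rejection path responds with 403 and
// returns; the session is only modified after a token has been matched and
// consumed.
func (this *WHMCS) handleToken(w http.ResponseWriter, r *http.Request, db *lobster.Database, session *lobster.Session) {
	if session.IsLoggedIn() {
		lobster.RedirectMessage(w, r, "/panel/dashboard", lobster.L.Info("already_logged_in"))
		return
	}
	r.ParseForm()
	token := r.Form.Get("token")
	if len(token) != TOKEN_LENGTH {
		// Reject and stop. Previously the handler wrote the 403 and then kept
		// going, so the lookup below still ran on a malformed token.
		http.Error(w, "bad token", 403)
		return
	}
	// The one-minute window bounds how long an issued token remains usable.
	rows := db.Query("SELECT id, user_id FROM whmcs_tokens WHERE token = ? AND time > DATE_SUB(NOW(), INTERVAL 1 MINUTE)", token)
	if !rows.Next() {
		rows.Close()
		// Reject and stop. Previously the handler fell through here with
		// rowId and userId still zero and went on to bind the session to
		// that zero user id.
		http.Error(w, "invalid token", 403)
		return
	}
	var rowId, userId int
	// NOTE(review): Scan's result is not checked; the type returned by
	// db.Query is not visible here — confirm whether Scan can fail and, if so,
	// treat a failure like an invalid token.
	rows.Scan(&rowId, &userId)
	rows.Close()
	// Consume the token before touching the session so that a second request
	// carrying the same token finds nothing.
	db.Exec("DELETE FROM whmcs_tokens WHERE id = ?", rowId)
	session.UserId = userId
	// we do not grant admin privileges on the session for WHMCS login
	log.Printf("Authentication via WHMCS for user_id=%d (%s)", userId, r.RemoteAddr)
	lobster.LogAction(db, userId, lobster.ExtractIP(r.RemoteAddr), "Logged in via WHMCS", "")
	http.Redirect(w, r, "/panel/dashboard", 303)
}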
// panelSupportOpen serves the "open a support ticket" page.
//
// A non-POST request renders the support_open template with a freshly
// generated CSRF token. A POST decodes a SupportOpenForm from r.PostForm,
// opens the ticket for the session's user via ticketOpen, records the action
// with LogAction and redirects to the new ticket's page. A decode failure
// redirects back to the empty form; a ticketOpen error redirects back with the
// formatted error message.
//
// NOTE(review): no CSRF validation of the POST body is visible in this
// function; presumably it is enforced before the handler runs — confirm.
func panelSupportOpen(w http.ResponseWriter, r *http.Request, session *lobster.Session, frameParams lobster.FrameParams) {
	if r.Method != "POST" {
		params := lobster.PanelFormParams{Frame: frameParams, Token: lobster.CSRFGenerate(session)}
		lobster.RenderTemplate(w, "panel", "support_open", params)
		return
	}
	var form SupportOpenForm
	if decodeErr := decoder.Decode(&form, r.PostForm); decodeErr != nil {
		http.Redirect(w, r, "/panel/support/open", 303)
		return
	}
	ticketId, openErr := ticketOpen(session.UserId, form.Name, form.Message, false)
	if openErr != nil {
		lobster.RedirectMessage(w, r, "/panel/support/open", L.FormatError(openErr))
		return
	}
	details := fmt.Sprintf("Subject: %s; Ticket ID: %d", form.Name, ticketId)
	lobster.LogAction(session.UserId, lobster.ExtractIP(r.RemoteAddr), "Open ticket", details)
	http.Redirect(w, r, fmt.Sprintf("/panel/support/%d", ticketId), 303)
}
// adminSupportTicketClose closes the ticket identified by the {id} route
// variable.
//
// A non-numeric id redirects to /admin/support with the invalid_ticket error.
// Otherwise the ticket is closed via ticketClose on behalf of the session's
// user, the action is recorded with LogAction, and the caller is redirected to
// the ticket's admin page with a ticket_closed success message.
func adminSupportTicketClose(w http.ResponseWriter, r *http.Request, session *lobster.Session, frameParams lobster.FrameParams) {
	rawId := mux.Vars(r)["id"]
	ticketId, convErr := strconv.Atoi(rawId)
	if convErr != nil {
		lobster.RedirectMessage(w, r, "/admin/support", L.FormattedError("invalid_ticket"))
		return
	}
	// NOTE(review): whatever ticketClose returns, if anything, is not inspected
	// here — confirm whether it can fail and whether that should be surfaced.
	ticketClose(session.UserId, ticketId)
	details := fmt.Sprintf("Ticket ID: %d", ticketId)
	lobster.LogAction(session.UserId, lobster.ExtractIP(r.RemoteAddr), "Close ticket", details)
	ticketPage := fmt.Sprintf("/admin/support/%d", ticketId)
	lobster.RedirectMessage(w, r, ticketPage, L.Success("ticket_closed"))
}
// panelSupportTicketReply posts a reply to the ticket identified by the {id}
// route variable.
//
// A non-numeric id redirects to /panel/support with the invalid_ticket error.
// The reply is decoded from r.PostForm into a SupportTicketReplyForm; a decode
// failure silently redirects back to the ticket page. The reply is then added
// via ticketReply for the session's user: on error the user is redirected back
// to the ticket with the formatted error, on success the action is recorded
// with LogAction and the user is redirected back to the ticket.
func panelSupportTicketReply(w http.ResponseWriter, r *http.Request, session *lobster.Session, frameParams lobster.FrameParams) {
	ticketId, convErr := strconv.Atoi(mux.Vars(r)["id"])
	if convErr != nil {
		lobster.RedirectMessage(w, r, "/panel/support", L.FormattedError("invalid_ticket"))
		return
	}
	// Every remaining outcome lands on the same ticket page.
	ticketPage := fmt.Sprintf("/panel/support/%d", ticketId)
	var form SupportTicketReplyForm
	if decodeErr := decoder.Decode(&form, r.PostForm); decodeErr != nil {
		http.Redirect(w, r, ticketPage, 303)
		return
	}
	if replyErr := ticketReply(session.UserId, ticketId, form.Message, false); replyErr != nil {
		lobster.RedirectMessage(w, r, ticketPage, L.FormatError(replyErr))
		return
	}
	details := fmt.Sprintf("Ticket ID: %d", ticketId)
	lobster.LogAction(session.UserId, lobster.ExtractIP(r.RemoteAddr), "Ticket reply", details)
	http.Redirect(w, r, ticketPage, 303)
}