<?php
/*
* e107 website system
*
* Copyright (C) 2008-2009 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
* Administration Area Authorization
*
* $Source: /cvs_backup/e107_0.8/e107_admin/auth.php,v $
* $Revision $
* $Date $
* $Author $
*/
// Direct-access guard: this file is only meaningful when bootstrapped through class2 (which defines e107_INIT).
defined('e107_INIT') || exit;
/* done in class2
@include_once(e_LANGUAGEDIR.e_LANGUAGE."/admin/lan_admin.php");
@include_once(e_LANGUAGEDIR."English/admin/lan_admin.php");
*/
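/*
 * Admin area authorization flow.
 *
 * ADMIN already set (class2 validated the session): mark the page as an admin page and pull in the admin header.
 * Not an admin: reject AJAX callers, handle a submitted login form (optional image code, then auth::authcheck()),
 * and otherwise render the login form via auth::authform() and stop.
 *
 * Globals read: $pref (site prefs), $admin_log and $tp (from class2). Globals set: $use_imagecode, $sec_img
 * (read by auth::authform() via `global`), $e_sub_cat.
 */
if (ADMIN)
{
    define('ADMIN_PAGE', true);

    // Don't include the header if it's an AJAX call or it is explicitly not wanted.
    if (!e_AJAX_REQUEST && !defset('e_NOHEADER'))
    {
        // XXX LOGIN AS Temporary solution, we need something smarter, e.g. reserved message stack 'admin' which will be always printed
        // inside admin area
        if (e107::getUser()->getSessionDataAs())
        { // TODO - lan
            $asuser = e107::getSystemUser(e107::getUser()->getSessionDataAs(), false);
            e107::getMessage()->addInfo('Successfully logged in as '.($asuser && $asuser->getValue('name') ? $asuser->getValue('name') : 'unknown').' <a href="'.e_ADMIN_ABS.'users.php?logoutas">[logout]</a>');
        }
        require_once(e_ADMIN."header.php");
    }

    /*
     * FIXME - missing $style for tablerender
     * The Solution: parse_admin() without sending it to the browser if it's an ajax call
     * The Problem: doubled render time for the ajax called page!!!
     */
}
else
{
    // Login via AJAX call is not allowed.
    if (e_AJAX_REQUEST)
    {
        require_once(e_HANDLER.'js_helper.php');
        e_jshelper::sendAjaxError(403, ADLAN_86, ADLAN_87, true);
    }

    // The image verification code is only offered when the pref is on and GD is available.
    $use_imagecode = (vartrue($pref['logcode'], false) && extension_loaded("gd"));

    if ($use_imagecode)
    {
        require_once(e_HANDLER."secure_img_handler.php");
        $sec_img = new secure_image;
    }

    if (!empty($_POST['authsubmit']))
    {
        $obj = new auth;

        if ($use_imagecode)
        {
            // Image code is checked before the credentials; a wrong code bounces to the front page.
            if (!$sec_img->verify_code(varset($_POST['rand_num'], ''), varset($_POST['code_verify'], '')))
            {
                // header() has to go out before any output, so it precedes the JS fallback.
                header("location: ../index.php");
                echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
                exit;
            }
        }

        // authcheck() returns the user row on success, or array("authfail", "reason" => ...) on failure.
        $row = $authresult = $obj->authcheck(varset($_POST['authname'], ''), varset($_POST['authpass'], ''), varset($_POST['hashchallenge'], ''));

        // Fail closed: anything that is not an array is treated like an explicit "authfail".
        if (!is_array($row) || (isset($row[0]) && $row[0] === "authfail"))
        {
            // Rolling-log entry for the failed attempt (name only, never the password).
            $admin_log->e_log_event(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB(varset($_POST['authname'], '')), FALSE, LOG_TO_ROLLING);
            // JS fallback first, then the redirect (order kept from the original flow).
            echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
            e107::getRedirect()->redirect('admin.php?failed');
            exit;
        }
        else
        {
            // Session cookie value: "<user_id>.<md5 of the stored password hash>".
            $cookieval = $row['user_id'].".".md5($row['user_password']);

            // Calculate class membership - needed for a couple of things
            // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
            $class_list = explode(',', $row['user_class']);
            if ($row['user_admin'] && strlen($row['user_perms']))
            {
                $class_list[] = e_UC_ADMIN;
                // A perms string starting with '0' denotes a main admin.
                if (strpos($row['user_perms'], '0') === 0)
                {
                    $class_list[] = e_UC_MAINADMIN;
                }
            }
            $class_list[] = e_UC_MEMBER;
            $class_list[] = e_UC_PUBLIC;

            // User audit trail: only when login auditing is on and the user is in the audited class.
            $user_logging_opts = array_flip(explode(',', varset($pref['user_audit_opts'], '')));
            if (isset($user_logging_opts[USER_AUDIT_LOGIN]) && in_array(varset($pref['user_audit_class'], ''), $class_list))
            { // Need to note in user audit trail
                // Fix: previously passed the undefined $user_id/$user_name; the authenticated row holds the values.
                e107::getAdminLog()->user_audit(USER_AUDIT_LOGIN, '', $row['user_id'], $row['user_name']);
            }

            $edata_li = array("user_id" => $row['user_id'], "user_name" => $row['user_name'], 'class_list' => implode(',', $class_list), 'user_admin' => $row['user_admin']);
            // Fix - set cookie before login trigger
            session_set(e_COOKIE, $cookieval, (time() + 3600 * 24 * 30));
            e107::getEvent()->trigger("login", $edata_li);
            e107::getRedirect()->redirect(e_ADMIN_ABS.'admin.php');
        }
    }

    $e_sub_cat = 'logout';

    // NOTE(review): this tests NO_HEADER while the ADMIN branch above tests e_NOHEADER — confirm which one callers define.
    if (!defset('NO_HEADER'))
        require_once(e_ADMIN."header.php");

    if (ADMIN == FALSE)
    {
        // Not logged in as admin: show the login form and stop here.
        $obj = new auth;
        $obj->authform();
        if (!defset('NO_HEADER'))
            require_once(e_ADMIN."footer.php");
        exit;
    }
}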
//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
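/**
 * Admin area authentication: renders the admin login form and checks submitted credentials.
 *
 * Used only by the top-level flow in this file.
 */
class auth
{
    /**
     * Admin auth login form.
     *
     * Reads $use_imagecode, $sec_img and $pref from the global scope (set by the top-level flow in this file).
     * The markup is not echoed directly; it is handed to e107::getRender()->tablerender().
     *
     * @return void
     */
    public function authform() //TODO Template
    {
        global $use_imagecode, $sec_img, $pref;

        $frm = e107::getForm();

        // With the CHAP pref on, the password is hashed client-side on submit (hashchallenge field below).
        $incChap = (vartrue($pref['password_CHAP'], 0)) ? "onsubmit='hashLoginPassword(this)'" : "";

        // A failed attempt redirects to admin.php?failed; shake the form in that case.
        $class = (e_QUERY == 'failed') ? "class='e-shake'" : "";
        $text = "<div {$class} style='padding:20px;text-align:center'>
        <form method='post' action='".e_SELF."' {$incChap}>
        <table style='width:50%' class='fborder'>
        <tr>
        <td rowspan='4' style='vertical-align:middle;width:65px'>".(file_exists(THEME."images/password.png") ? "<img src='".THEME_ABS."images/password.png' alt='' />\n" : "<img src='".e_IMAGE."generic/password.png' alt='' />\n")."</td>
        <td style='width:35%' class='forumheader3'>".ADLAN_89."</td>
        <td class='forumheader3' style='text-align:center'><input autofocus class='tbox' type='text' name='authname' id='username' size='30' value='' maxlength='".varset($pref['loginname_maxlength'], 30)."' />\n</td>

        </tr>
        <tr>
        <td style='width:35%' class='forumheader3'>".ADLAN_90."</td>
        <td class='forumheader3' style='text-align:center'><input class='tbox' type='password' name='authpass' id='userpass' size='30' value='' maxlength='30' />\n";

        // The session challenge is echoed into the form so authcheck() can verify the CHAP response against it.
        $session = e107::getSession();
        if ($session->is('challenge') && varset($pref['password_CHAP'], 0))
        {
            $text .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='".$session->get('challenge')."' />\n\n";
        }
        $text .= "</td></tr>\n";

        if ($use_imagecode)
        {
            $text .= "
        <tr>
        <td style='width:35%' class='forumheader3'>".ADLAN_152."</td>
        <td style='text-align:center'>
        <input type='hidden' name='rand_num' value='".$sec_img->random_number."' />".$sec_img->r_image()."<br /><input class='tbox' type='text' name='code_verify' size='15' maxlength='20' /></td>
        </tr>
        ";
        }

        $text .= "
        <tr>
        <td colspan='2' class='forumheader center'>"
        .$frm->admin_button('authsubmit', ADLAN_91).
        "</td>
        </tr>
        </table>
        </form>
        </div>";

        e107::getRender()->tablerender(ADLAN_92, $text);
    }

    /**
     * Admin auth check.
     *
     * Looks the name up (user_loginname first, then user_name) among admin users and verifies the password
     * either via CHAP (when a challenge is in the session and a response was submitted) or as plaintext.
     *
     * @param string $authname entered name
     * @param string $authpass entered pass
     * @param string $authresponse [optional] CHAP response from the hashchallenge field
     * @return array the user row on success; array("authfail", "reason" => $reason) on failure, where
     *               $reason is 'np' (empty name/pass), 'lu' (name too long), 'iu' (unknown admin) or ''
     *               (password check failed)
     */
    public function authcheck($authname, $authpass, $authresponse = '')
    {
        global $pref;

        $tp = e107::getParser();
        $sql_auth = e107::getDb('sql_auth');
        $user_info = e107::getUserSession();
        $reason = '';
        $row = false;

        // toDB() is the escaping step the interpolated WHERE clauses below rely on; the preg_replace only
        // strips a few tokens and is not a substitute for it.
        $authname = $tp->toDB(preg_replace("/\sOR\s|\=|\#/", "", trim($authname)));
        $authpass = trim($authpass);

        if (($authpass === '') || ($authname === ''))
        {
            $reason = 'np';
        }
        if (strlen($authname) > varset($pref['loginname_maxlength'], 30))
        {
            $reason = 'lu';
        }

        if (!$reason)
        {
            if ($sql_auth->db_Select("user", "*", "user_loginname='{$authname}' AND user_admin='1'"))
            {
                $row = $sql_auth->db_Fetch();
            }
            elseif ($sql_auth->db_Select("user", "*", "user_name='{$authname}' AND user_admin='1'"))
            {
                $row = $sql_auth->db_Fetch();
                // The password check keys on the login name, so switch to it when the display name matched.
                $authname = $row['user_loginname'];
            }
            else
            {
                $reason = 'iu';
            }
        }

        if (!$reason && is_array($row) && !empty($row['user_id'])) // Can validate password
        {
            $session = e107::getSession();
            if (($authresponse && $session->is('challenge')) && ($authresponse != $session->get('challenge')))
            { // Verify using CHAP (can't handle login by email address - only loginname - although with this code it does still work if the password is stored unsalted)
                if (($pass_result = $user_info->CheckCHAP($session->get('challenge'), $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID)
                {
                    // Fix: was `return $$row;` (variable-variable), which returned null instead of the row.
                    return $row;
                }
            }
            else
            { // Plaintext password
                if (($pass_result = $user_info->CheckPassword($authpass, $authname, $row['user_password'])) !== PASSWORD_INVALID)
                {
                    return $row;
                }
            }
        }

        return array("authfail", "reason" => $reason);
    }
}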
//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
?>