2006-12-02 04:36:16 +00:00
< ? php
/*
2008-12-10 16:59:19 +00:00
* e107 website system
*
2009-11-18 01:06:08 +00:00
* Copyright ( C ) 2008 - 2009 e107 Inc ( e107 . org )
2008-12-10 16:59:19 +00:00
* Released under the terms and conditions of the
* GNU General Public License ( http :// www . gnu . org / licenses / gpl . txt )
*
* Administration Area Authorization
*
* $Source : / cvs_backup / e107_0 . 8 / e107_admin / auth . php , v $
2010-02-10 18:18:01 +00:00
* $Revision $
* $Date $
* $Author $
2009-11-22 14:10:09 +00:00
*/
2006-12-02 04:36:16 +00:00
2009-11-22 14:10:09 +00:00
if ( ! defined ( 'e107_INIT' ))
{
exit ;
}
2006-12-02 04:36:16 +00:00
2009-07-18 10:17:56 +00:00
/* done in class2
2009-11-22 14:10:09 +00:00
@ include_once ( e_LANGUAGEDIR . e_LANGUAGE . " /admin/lan_admin.php " );
@ include_once ( e_LANGUAGEDIR . " English/admin/lan_admin.php " );
*/
2006-12-02 04:36:16 +00:00
if ( ADMIN )
{
2009-10-19 20:09:15 +00:00
define ( 'ADMIN_PAGE' , true );
2008-12-10 16:59:19 +00:00
//don't include it if it'a an AJAX call or not wanted
2009-11-22 14:10:09 +00:00
if ( ! e_AJAX_REQUEST && ! defset ( 'e_NOHEADER' ))
2009-08-19 14:39:57 +00:00
{
2010-05-14 18:45:51 +00:00
// XXX LOGIN AS Temporary solution, we need something smarter, e.g. reserved message stack 'admin' which will be always printed
// inside admin area
if ( e107 :: getUser () -> getSessionDataAs ())
{ // TODO - lan
$asuser = e107 :: getSystemUser ( e107 :: getUser () -> getSessionDataAs (), false );
e107 :: getMessage () -> addInfo ( 'Successfully logged in as ' . ( $asuser && $asuser -> getValue ( 'name' ) ? $asuser -> getValue ( 'name' ) : 'unknown' ) . ' <a href="' . e_ADMIN_ABS . 'users.php?logoutas">[logout]</a>' );
}
2012-11-28 09:35:06 +02:00
// NEW, legacy 3rd party code fix, header called inside the footer o.O
2012-11-29 10:47:26 +02:00
if ( deftrue ( 'e_ADMIN_UI' ))
{
// boot.php already loaded
require_once ( e_ADMIN . " header.php " );
}
else
{
// boot.php is included in admin dispatcher constructor, so do it only for legacy code
require_once ( e_ADMIN . 'boot.php' );
}
2009-08-19 14:39:57 +00:00
}
2010-05-14 18:45:51 +00:00
2009-01-07 15:40:06 +00:00
/*
* FIXME - missing $style for tablerender
* The Solution : parse_admin () without sending it to the browser if it ' s an ajax call
* The Problem : doubled render time for the ajax called page !!!
*/
2006-12-02 04:36:16 +00:00
}
else
{
2008-12-10 16:59:19 +00:00
//login via AJAX call is not allowed
2009-11-22 14:10:09 +00:00
if ( e_AJAX_REQUEST )
2008-12-10 16:59:19 +00:00
{
2009-11-22 14:10:09 +00:00
require_once ( e_HANDLER . 'js_helper.php' );
2008-12-10 16:59:19 +00:00
e_jshelper :: sendAjaxError ( 403 , ADLAN_86 , ADLAN_87 , true );
}
2012-06-18 09:06:20 +00:00
2012-11-29 10:47:26 +02:00
require_once ( e_ADMIN . 'boot.php' );
2012-06-18 09:06:20 +00:00
$sec_img = e107 :: getSecureImg ();
2010-05-14 18:45:51 +00:00
2006-12-02 04:36:16 +00:00
$use_imagecode = ( $pref [ 'logcode' ] && extension_loaded ( " gd " ));
2010-05-14 18:45:51 +00:00
2006-12-02 04:36:16 +00:00
if ( $_POST [ 'authsubmit' ])
{
$obj = new auth ;
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
if ( $use_imagecode )
2012-06-13 04:58:43 +00:00
{
2012-06-18 09:06:20 +00:00
if ( $sec_img -> invalidCode ( $_POST [ 'rand_num' ], $_POST [ 'code_verify' ]))
2006-12-02 04:36:16 +00:00
{
2012-06-13 04:58:43 +00:00
e107 :: getRedirect () -> redirect ( 'admin.php?failed' );
2006-12-02 04:36:16 +00:00
exit ;
2012-06-13 04:58:43 +00:00
// echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
// header("location: ../index.php");
// exit;
2006-12-02 04:36:16 +00:00
}
}
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
// require_once (e_HANDLER.'user_handler.php');
$row = $authresult = $obj -> authcheck ( $_POST [ 'authname' ], $_POST [ 'authpass' ], varset ( $_POST [ 'hashchallenge' ], '' ));
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
if ( $row [ 0 ] == " authfail " )
{
$admin_log -> e_log_event ( 4 , __FILE__ . " | " . __FUNCTION__ . " @ " . __LINE__ , " LOGIN " , LAN_ROLL_LOG_11 , " U: " . $tp -> toDB ( $_POST [ 'authname' ]), FALSE , LOG_TO_ROLLING );
2006-12-02 04:36:16 +00:00
echo " <script type='text/javascript'>document.location.href='../index.php'</script> \n " ;
2009-11-22 14:10:09 +00:00
// header("location: ../index.php");
2012-05-24 15:54:25 +00:00
e107 :: getRedirect () -> redirect ( 'admin.php?failed' );
2006-12-02 04:36:16 +00:00
exit ;
2008-06-13 20:20:23 +00:00
}
2009-11-22 14:10:09 +00:00
else
{
$cookieval = $row [ 'user_id' ] . " . " . md5 ( $row [ 'user_password' ]);
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
// $sql->db_Select("user", "*", "user_name='".$tp -> toDB($_POST['authname'])."'");
// list($user_id, $user_name, $userpass) = $sql->db_Fetch();
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
// Calculate class membership - needed for a couple of things
// Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
$class_list = explode ( ',' , $row [ 'user_class' ]);
if ( $row [ 'user_admin' ] && strlen ( $row [ 'user_perms' ]))
{
$class_list [] = e_UC_ADMIN ;
if ( strpos ( $row [ 'user_perms' ], '0' ) === 0 )
{
$class_list [] = e_UC_MAINADMIN ;
}
2006-12-02 04:36:16 +00:00
}
2009-11-22 14:10:09 +00:00
$class_list [] = e_UC_MEMBER ;
$class_list [] = e_UC_PUBLIC ;
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
$user_logging_opts = array_flip ( explode ( ',' , varset ( $pref [ 'user_audit_opts' ], '' )));
if ( isset ( $user_logging_opts [ USER_AUDIT_LOGIN ]) && in_array ( varset ( $pref [ 'user_audit_class' ], '' ), $class_list ))
{ // Need to note in user audit trail
e107 :: getAdminLog () -> user_audit ( USER_AUDIT_LOGIN , '' , $user_id , $user_name );
}
2010-05-14 18:45:51 +00:00
2010-06-06 04:29:54 +00:00
$edata_li = array ( " user_id " => $row [ 'user_id' ], " user_name " => $row [ 'user_name' ], 'class_list' => implode ( ',' , $class_list ), 'user_admin' => $row [ 'user_admin' ]);
2010-10-26 07:41:20 +00:00
// Fix - set cookie before login trigger
2009-11-22 14:10:09 +00:00
session_set ( e_COOKIE , $cookieval , ( time () + 3600 * 24 * 30 ));
2010-10-26 07:41:20 +00:00
e107 :: getEvent () -> trigger ( " login " , $edata_li );
e107 :: getRedirect () -> redirect ( e_ADMIN_ABS . 'admin.php' );
//echo "<script type='text/javascript'>document.location.href='admin.php'</script>\n";
2006-12-02 04:36:16 +00:00
}
}
2010-05-14 18:45:51 +00:00
2006-12-02 04:36:16 +00:00
$e_sub_cat = 'logout' ;
2012-06-06 23:30:57 +00:00
if ( ADMIN == FALSE )
{
define ( " e_IFRAME " , TRUE );
}
2009-11-22 14:10:09 +00:00
if ( ! defset ( 'NO_HEADER' ))
require_once ( e_ADMIN . " header.php " );
2010-05-14 18:45:51 +00:00
2008-12-10 16:59:19 +00:00
if ( ADMIN == FALSE )
2008-06-13 20:20:23 +00:00
{
2012-06-06 23:30:57 +00:00
// Needs help from Deso, Vesko and Stoev! :-)
e107 :: css ( 'inline' , "
2012-11-28 13:25:41 -08:00
body { text - align : left ; font - size : 15 px ; line - height : 1.5 em ; font - weight : normal ; font - family : Arial , Helvetica , sans - serif ; background : #081D28 url(".e_IMAGE."logo_template_large.png) no-repeat 50% 40px; }
2012-06-06 23:30:57 +00:00
a { color : #F6931E; text-decoration:none; }
a : hover { color : silver ; text - decoration : none ; }
. bold { font - weight : bold ; }
. field { text - align : center ; padding : 5 px }
. field input { padding : 5 px ;
border - width : 1 px ;
border - style : solid ;
border - color : #aaa #c8c8c8 #c8c8c8 #aaa;
background : #fff;
font : 16 px arial , helvetica , sans - serif ;
2012-06-07 00:33:10 +00:00
- moz - border - radius : 4 px ;
- webkit - border - radius : 4 px ;
border - radius : 4 px ;
2012-06-06 23:30:57 +00:00
- moz - box - shadow : 1 px 1 px 2 px #999 inset;
- webkit - box - shadow : 1 px 1 px 2 px #999 inset;
box - shadow : 1 px 1 px 2 px #999 inset;
}
. field input : focus {
border : 1 px solid #F6931E;
}
. field input : hover {
border : 1 px solid #F6931E;
}
2012-11-28 13:25:41 -08:00
2012-06-06 23:30:57 +00:00
#login-admin {
margin - left : auto ;
margin - right : auto ;
2012-11-28 13:25:41 -08:00
margin - top : 12 % ;
2012-06-06 23:30:57 +00:00
width : 400 px ;
2012-11-28 13:25:41 -08:00
/*
2012-06-06 23:30:57 +00:00
padding : 10 px 20 px 0 20 px ;
- moz - border - radius : 5 px ;
- webkit - border - radius : 5 px ;
border - radius : 5 px ;
- moz - box - shadow : 5 px 5 px 20 px #000000;
- webkit - box - shadow : 5 px 5 px 20 px #000000;
box - shadow : 5 px 5 px 20 px #000000;
background - color : #FEFEFE;
2012-11-28 13:25:41 -08:00
*/
2012-06-06 23:30:57 +00:00
}
#login-admin label { display: none; text-align: right }
. admin - submit { text - align : center ; padding : 20 px ; }
2012-06-06 23:37:40 +00:00
. submit { }
2012-06-06 23:30:57 +00:00
2012-06-07 00:33:10 +00:00
. placeholder { color : #bbb; font-style:italic }
2012-06-06 23:30:57 +00:00
2012-06-07 00:33:10 +00:00
::- webkit - input - placeholder { font - style : italic ; color : #bbb; }
2012-06-06 23:30:57 +00:00
2012-06-07 00:33:10 +00:00
:- moz - placeholder { font - style : italic ; color : #bbb; }
2012-06-06 23:30:57 +00:00
2012-07-11 05:14:09 +00:00
h2 { text - align : center ; color : #FAAD3D; }
2012-06-06 23:30:57 +00:00
#username {background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 7px; padding-left:30px; }
#userpass {background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 7px; padding-left:30px; }
2012-06-13 04:58:43 +00:00
input [ disabled ] { color : silver ; }
button [ disabled ] span { color : silver ; }
2012-06-06 23:30:57 +00:00
" );
2006-12-02 04:36:16 +00:00
$obj = new auth ;
$obj -> authform ();
2009-11-22 14:10:09 +00:00
if ( ! defset ( 'NO_HEADER' ))
require_once ( e_ADMIN . " footer.php " );
2006-12-02 04:36:16 +00:00
exit ;
}
}
//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
class auth
{
2009-11-22 14:10:09 +00:00
/**
* Admin auth login
* @ return null
*/
2012-06-06 23:30:57 +00:00
public function authform () // NOTE: this should NOT be a template of the admin-template, however themes may style it using css.
2010-05-14 18:45:51 +00:00
{
2009-11-22 14:10:09 +00:00
global $use_imagecode , $sec_img , $pref ;
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
$frm = e107 :: getForm ();
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
$incChap = ( vartrue ( $pref [ 'password_CHAP' ], 0 )) ? " onsubmit='hashLoginPassword(this)' " : " " ;
2012-06-06 23:30:57 +00:00
// Start Clean
// NOTE: this should NOT be a template of the admin-template, however themes may style it using css.
$class = ( e_QUERY == 'failed' ) ? " class='e-shake' " : " " ;
$text = " <form id='admin-login' method='post' action=' " . e_SELF . " ' { $incChap } >
2012-11-28 13:25:41 -08:00
< div id = 'login-admin' class = 'well center' >
2012-06-06 23:30:57 +00:00
< div { $class } >
2012-11-28 13:25:41 -08:00
< h3 > " .e_DOMAIN. " admin area </ h3 >
2012-06-06 23:30:57 +00:00
< div class = 'field' >
< label for = 'username' > " .ADLAN_89. " </ label >
< input class = 'tbox e-tip' type = 'text' required = 'required' name = 'authname' placeholder = '".ADLAN_89."' id = 'username' size = '30' value = '' maxlength = '".varset($pref[' loginname_maxlength '], 30)."' />
< div class = 'field-help' > Please enter your username or email </ div >
</ div >
< div class = 'field' >
< label for = 'userpass' > " .ADLAN_90. " </ label >
< input class = 'tbox e-tip' type = 'password' required = 'required' name = 'authpass' placeholder = '".ADLAN_90."' id = 'userpass' size = '30' value = '' maxlength = '30' />
< div class = 'field-help' > Password is required </ div >
</ div > " ;
if ( $use_imagecode )
{
$text .= "
< div class = 'field' >
2012-06-13 04:58:43 +00:00
< label for = 'code_verify' > " .ADLAN_152. " </ label > "
2012-06-18 09:06:20 +00:00
. $sec_img -> renderImage () .
$sec_img -> renderInput () . "
2012-06-06 23:30:57 +00:00
</ div > " ;
}
$text .= " <div class='admin-submit'> "
2012-11-26 21:53:56 -08:00
. $frm -> admin_button ( 'authsubmit' , ADLAN_91 , 'login' );
2012-06-06 23:30:57 +00:00
if ( e107 :: getSession () -> is ( 'challenge' ) && varset ( $pref [ 'password_CHAP' ], 0 ))
{
$text .= " <input type='hidden' name='hashchallenge' id='hashchallenge' value=' " . e107 :: getSession () -> get ( 'challenge' ) . " ' /> \n \n " ;
}
$text .= " </div>
</ div >
</ div >
</ form > " ;
2012-11-26 21:50:08 -08:00
e107 :: getRender () -> tablerender ( " " , $text , 'admin-login' );
2012-06-06 23:30:57 +00:00
echo " <div class='center' style='margin-top:30%; color:silver'><span style='padding:0 40px 0 40px;'><a href='http://e107.org'>Powered by e107</a></span> <a href=' " . e_BASE . " index.php'>Return to Website</a></div> " ;
2006-12-02 04:36:16 +00:00
}
2009-11-22 14:10:09 +00:00
/**
* Admin auth check
* @ param string $authname , entered name
* @ param string $authpass , entered pass
* @ param object $authresponse [ optional ]
* @ return boolean if fail , else result array
*/
public function authcheck ( $authname , $authpass , $authresponse = '' )
2006-12-02 04:36:16 +00:00
{
2008-06-13 20:20:23 +00:00
2009-11-22 14:10:09 +00:00
global $pref ;
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
$tp = e107 :: getParser ();
$sql_auth = e107 :: getDb ( 'sql_auth' );
2010-10-26 07:41:20 +00:00
$user_info = e107 :: getUserSession ();
2010-05-14 18:45:51 +00:00
$reason = '' ;
2009-11-22 14:10:09 +00:00
$authname = $tp -> toDB ( preg_replace ( " / \ sOR \ s| \ =| \ #/ " , " " , trim ( $authname )));
2008-06-13 20:20:23 +00:00
$authpass = trim ( $authpass );
2010-05-14 18:45:51 +00:00
2009-11-22 14:10:09 +00:00
if (( $authpass == '' ) || ( $authname == '' ))
$reason = 'np' ;
if ( strlen ( $authname ) > varset ( $pref [ 'loginname_maxlength' ], 30 ))
$reason = 'lu' ;
2010-05-14 18:45:51 +00:00
2008-06-13 20:20:23 +00:00
if ( ! $reason )
{
2009-11-22 14:10:09 +00:00
if ( $sql_auth -> db_Select ( " user " , " * " , " user_loginname=' { $authname } ' AND user_admin='1' " ))
2006-12-02 04:36:16 +00:00
{
2009-11-22 14:10:09 +00:00
$row = $sql_auth -> db_Fetch ();
2006-12-02 04:36:16 +00:00
}
2009-11-22 14:10:09 +00:00
elseif ( $sql_auth -> db_Select ( " user " , " * " , " user_name=' { $authname } ' AND user_admin='1' " ))
{
$row = $sql_auth -> db_Fetch ();
$authname = $row [ 'user_loginname' ];
}
else
2006-12-02 04:36:16 +00:00
{
2009-11-22 14:10:09 +00:00
$reason = 'iu' ;
2006-12-02 04:36:16 +00:00
}
}
2009-11-22 14:10:09 +00:00
if ( ! $reason && ( $row [ 'user_id' ])) // Can validate password
2010-05-14 18:45:51 +00:00
{
2010-10-26 07:41:20 +00:00
$session = e107 :: getSession ();
if (( $authresponse && $session -> is ( 'challenge' )) && ( $authresponse != $session -> get ( 'challenge' )))
2009-11-22 14:10:09 +00:00
{ // Verify using CHAP (can't handle login by email address - only loginname - although with this code it does still work if the password is stored unsalted)
2010-10-26 07:41:20 +00:00
if (( $pass_result = $user_info -> CheckCHAP ( $session -> get ( 'challenge' ), $authresponse , $authname , $row [ 'user_password' ])) !== PASSWORD_INVALID )
2009-11-22 14:10:09 +00:00
{
return $$row ;
}
}
else
{ // Plaintext password
if (( $pass_result = $user_info -> CheckPassword ( $authpass , $authname , $row [ 'user_password' ])) !== PASSWORD_INVALID )
{
return $row ;
}
}
2008-06-13 20:20:23 +00:00
}
2009-11-22 14:10:09 +00:00
return array ( " authfail " , " reason " => $reason );
2006-12-02 04:36:16 +00:00
}
}
//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
2009-11-22 14:10:09 +00:00
?>