mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-01-17 04:38:27 +01:00
Code Issues Releases Wiki Activity

Admin login page now using the same auth routine as the main site.

Browse Source 
e_MULTISITE_MATCH check added to main cookie() function.
This commit is contained in:
Cameron 2021-01-21 08:06:20 -08:00
parent accd5d1240
commit 2e301d2c73
3 changed files with 63 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
class2.php
View File

@ -1746,18 +1746,43 @@ function cookie($name, $value, $expire=0, $path = e_HTTP, $domain = '', $secure
{
return null;
}
/*
if(!e_SUBDOMAIN || (defined('MULTILANG_SUBDOMAIN') && MULTILANG_SUBDOMAIN === true))
{
$domain = (e_DOMAIN !== false) ? ".".e_DOMAIN : "";
}
}
*/
if((empty($domain) && !e_SUBDOMAIN) || (defined('MULTILANG_SUBDOMAIN') && MULTILANG_SUBDOMAIN === true))
{
$domain = (e_DOMAIN !== false) ? ".".e_DOMAIN : '';
}
if(defined('e_MULTISITE_MATCH') && deftrue('e_ADMIN_AREA'))
{
$path = '/';
}
setcookie($name, $value, $expire, $path, $domain, $secure, true);
}
// generic function for retaining values across pages. ie. cookies or sessions.
//
/**
*
* generic function for retaining values across pages. ie. cookies or sessions.
* @deprecated Use e107::getUserSession()->makeUserCookie($userData, $autologin); instead.
* @param $name
* @param $value
* @param string $expire
* @param string $path
* @param string $domain
* @param int $secure
*/
function session_set($name, $value, $expire='', $path = e_HTTP, $domain = '', $secure = 0)
{
//$userData = ['user_name
// e107::getUserSession()->makeUserCookie($userData, $autologin);
global $pref;
if ($pref['user_tracking'] === 'session')
{

181
e107_admin/auth.php
View File

@ -24,9 +24,6 @@ e107::getDebug()->logTime('(Start auth.php)');
define('e_CAPTCHA_FONTCOLOR','#F9A533');
// Required for a clean v1.x -> v2 upgrade.
$core = e107::getConfig('core');
@ -121,14 +118,15 @@ else
}
require_once(e_ADMIN.'boot.php');
$sec_img = e107::getSecureImg();
$use_imagecode = (vartrue($pref['admincode']) && extension_loaded("gd"));
if ($_POST['authsubmit'])
// login check.
if(!empty($_POST['authsubmit']))
{
$obj = new auth;
if ($use_imagecode)
{
@ -136,84 +134,32 @@ else
{
e107::getRedirect()->redirect('admin.php?failed');
exit;
// echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
// header("location: ../index.php");
// exit;
}
}
// require_once (e_HANDLER.'user_handler.php');
/** @var array $row */
$row = $authresult = $obj->authcheck($_POST['authname'], $_POST['authpass'], varset($_POST['hashchallenge'], ''));
if ($row[0] == "authfail")
if(!$result = e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge']), true))
{
e107::coreLan('log_messages', true);
$admin_log->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB($_POST['authname']), FALSE, LOG_TO_ROLLING);
echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
e107::coreLan('log_messages', true);
e107::getLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB($_POST['authname']), FALSE, LOG_TO_ROLLING);
echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
e107::getRedirect()->redirect('admin.php?failed');
exit;
e107::getRedirect()->redirect('admin.php?failed');
exit;
}
else
{
$reHashedPass = e107::getUserSession()->rehashPassword($row,$_POST['authpass']);
if($reHashedPass !==false)
{
e107::getLog()->add('ADMINPW_02', '', E_LOG_INFORMATIVE, '', LOG_TO_ADMIN, $row);
$row['user_password'] = $reHashedPass;
}
e107::getRedirect()->go('admin');
exit;
$cookieval = $row['user_id'].".".md5($row['user_password']);
// Calculate class membership - needed for a couple of things
// Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
$class_list = explode(',', $row['user_class']);
if ($row['user_admin'] && strlen($row['user_perms']))
{
$class_list[] = e_UC_ADMIN;
if (strpos($row['user_perms'], '0') === 0)
{
$class_list[] = e_UC_MAINADMIN;
}
}
$class_list[] = e_UC_MEMBER;
$class_list[] = e_UC_PUBLIC;
if (in_array(varset($pref['user_audit_class'], ''), $class_list))
{
e107::getLog()->user_audit(USER_AUDIT_LOGIN, ['Login via admin page'], $row['user_id'], $row['user_name']);
}
$edata_li = array("user_id"=>$row['user_id'], "user_name"=>$row['user_name'], 'class_list'=>implode(',', $class_list), 'user_admin'=> $row['user_admin']);
// Fix - set cookie before login trigger
$sessionLife = (int) e107::getPref('session_lifetime', ( 3600 * 24 * 30)); // default 1 month.
if($sessionLife > 0)
{
$sessionLife = time() + $sessionLife;
}
session_set(e_COOKIE, $cookieval, $sessionLife);
unset($sessionLife,$cookieval);
// ---
e107::getEvent()->trigger("login", $edata_li);
e107::getRedirect()->redirect(e_ADMIN_ABS.'admin.php');
//echo "<script type='text/javascript'>document.location.href='admin.php'</script>\n";
}
}
$e_sub_cat = 'logout';
if (ADMIN == FALSE)
{
@ -407,91 +353,6 @@ class auth
}
/**
* Admin auth check
* @param string $authname, entered name
* @param string $authpass, entered pass
* @param object $authresponse [optional]
* @return array if fail, 'authfail' will contain a message.
*
*/
public function authcheck($authname, $authpass, $authresponse = '')
{
$pref = e107::getPref();
$tp = e107::getParser();
$sql_auth = e107::getDb('sql_auth');
$user_info = e107::getUserSession();
$reason = '';
$authname = $tp->toDB(preg_replace("/\sOR\s|\=|\#/", "", trim($authname)));
$authpass = trim($authpass);
if ((($authpass == '') && ($authresponse == '')) || ($authname == ''))
$reason = 'np';
if (strlen($authname) > varset($pref['loginname_maxlength'], 30))
$reason = 'lu';
if (!$reason)
{
if ($sql_auth->select("user", "*", "user_loginname='{$authname}' AND user_admin = 1 "))
{
$row = $sql_auth->fetch();
}
elseif ($sql_auth->select("user", "*", "(user_name='{$authname}' OR user_email='{$authname}' ) AND user_admin=1 "))
{
$row = $sql_auth->fetch();
$authname = $row['user_loginname'];
}
else
{
$reason = 'iu';
}
}
if (!$reason && ($row['user_id'])) // Can validate password
{
$session = e107::getSession();
if (($authresponse && $session->is('prevchallenge')) && ($authresponse != $session->get('prevchallenge')))
{ // Verify using CHAP (can't handle login by email address - only loginname - although with this code it does still work if the password is stored unsalted)
/*
$title = 'Login via admin';
$extra_text = 'C: '.$session->get('challenge').' PC: '.$session->get('prevchallenge').' PPC: '.$session->get('prevprevchallenge').' R:'.$authresponse.' P:'.$row['user_password'];
$text = 'CHAP: '.$username.' ('.$extra_text.')';
$title = e107::getParser()->toDB($title);
$text = e107::getParser()->toDB($text);
e107::getAdminLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", $title, $text, FALSE, LOG_TO_ROLLING);
$logfp = fopen(e_LOG.'authlog.txt', 'a+'); fwrite($logfp, $title.': '.$text."\n"); fclose($logfp);
*/
if (($pass_result = $user_info->CheckCHAP($session->get('prevchallenge'), $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID)
{
return $row;
}
}
else
{ // Plaintext password
/*
$title = 'Login via admin';
$extra_text = 'C: '.$session->get('challenge').' PC: '.$session->get('prevchallenge').' PPC: '.$session->get('prevprevchallenge').' R:'.$authresponse.' P:'.$row['user_password'];
$text = 'STD: '.$username.' ('.$extra_text.')';
$title = e107::getParser()->toDB($title);
$text = e107::getParser()->toDB($text);
e107::getAdminLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", $title, $text, FALSE, LOG_TO_ROLLING);
// $logfp = fopen(e_LOG.'authlog.txt', 'a+'); fwrite($logfp, $title.': '.$text."\n"); fclose($logfp);
*/
if (($pass_result = $user_info->CheckPassword($authpass, $authname, $row['user_password'])) !== PASSWORD_INVALID)
{
return $row;
}
}
}
return array("authfail", "reason"=>$reason);
}
}
//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
?>

33
e107_handlers/login.php
View File

@ -685,32 +685,27 @@ class userlogin
// Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
$class_list = $this->userMethods->addCommonClasses($userData, true);
// $user_logging_opts = e107::getConfig()->get('user_audit_opts');
/* if (in_array(varset($pref['user_audit_class'],''), $class_list))
{ // Need to note in user audit trail
$log = e107::getLog();
$log->user_audit(USER_AUDIT_LOGIN,'', $user_id, $user_name);
}*/
$edata_li = array('user_id' => $userData['user_id'], 'user_name' => $userData['user_name'], 'class_list' => implode(',', $class_list), /*'remember_me' => $autologin,*/
'user_admin' => $userData['user_admin'], 'user_email' => $userData['user_email']);
$userAuditPref = e107::getPref('user_audit_class', e_UC_NOBODY);
if (check_class($userAuditPref, $class_list))
{
e107::getLog()->user_audit(USER_AUDIT_LOGIN,'', $edata_li);
}
e107::getEvent()->trigger("login", $edata_li);
if(check_class(e_UC_NEWUSER, $class_list))
// // 'New user' probationary period expired - we can take them out of the class
if(check_class(e_UC_NEWUSER, $class_list) && $this->userMethods->newUserExpired($userData['user_join']))
{
if($this->userMethods->newUserExpired($userData['user_join'])) // 'New user' probationary period expired - we can take them out of the class
{
$userData['user_class'] = e107::getUserClass()->ucRemove(e_UC_NEWUSER, $userData['user_class']);
// $this->e107->admin_log->addEvent(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Login new user complete",$userData['user_class'],FALSE,FALSE);
e107::getDb()->update('user', "`user_class` = '" . $userData['user_class'] . "' WHERE `user_id`=" . $userData['user_id'] . " LIMIT 1");
$edata_li = array('user_id' => $userData['user_id'], 'user_name' => $userData['user_name'], 'class_list' => $userData['user_class'], 'user_email' => $userData['user_email']);
e107::getEvent()->trigger('userNotNew', $edata_li);
}
$userData['user_class'] = e107::getUserClass()->ucRemove(e_UC_NEWUSER, $userData['user_class']);
// $this->e107->admin_log->addEvent(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Login new user complete",$userData['user_class'],FALSE,FALSE);
e107::getDb()->update('user', "`user_class` = '" . $userData['user_class'] . "' WHERE `user_id`=" . $userData['user_id'] . " LIMIT 1");
$edata_li = array('user_id' => $userData['user_id'], 'user_name' => $userData['user_name'], 'class_list' => $userData['user_class'], 'user_email' => $userData['user_email']);
e107::getEvent()->trigger('userNotNew', $edata_li);
}
return $cookieval;