From fd22dbfb817ffb515f2a35d5e83ccefbc076c2dd Mon Sep 17 00:00:00 2001 From: e107steved Date: Tue, 1 Jan 2008 21:26:23 +0000 Subject: [PATCH] login-related logging etc --- e107_admin/admin_log.php | 13 +-- e107_handlers/admin_log_class.php | 7 +- e107_handlers/login.php | 92 +++++++++++-------- .../English/admin/lan_log_messages.php | 4 +- e107_languages/English/lan_login.php | 17 ++-- 5 files changed, 74 insertions(+), 59 deletions(-) diff --git a/e107_admin/admin_log.php b/e107_admin/admin_log.php index d860d283a..affe79624 100644 --- a/e107_admin/admin_log.php +++ b/e107_admin/admin_log.php @@ -11,8 +11,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_admin/admin_log.php,v $ -| $Revision: 1.8 $ -| $Date: 2007-12-29 22:32:58 $ +| $Revision: 1.9 $ +| $Date: 2008-01-01 21:26:16 $ | $Author: e107steved $ | | Preferences: @@ -371,7 +371,8 @@ $audit_checkboxes = array( USER_AUDIT_NEW_PW => RL_LAN_076, USER_AUDIT_PW_RES => RL_LAN_078, USER_AUDIT_NEW_EML => RL_LAN_077, - USER_AUDIT_NEW_SET => RL_LAN_079 + USER_AUDIT_NEW_SET => RL_LAN_079, + USER_AUDIT_ADD_ADMIN => RL_LAN_080 ); //Uncomment once inherited user classes @@ -391,7 +392,7 @@ $audit_checkboxes = array( // Uncomment once inherited userclasses $text .= "\n"; // $text .= r_userclass('user_audit_class', varset($pref['user_audit_class'],''),'off','nobody,admin,user,classes'); $text .= " @@ -703,8 +704,8 @@ $col_fields = array('adminlog' => array('cf_datestring','dblog_type','dblog_ip', // $val = $tp->toHTML($row['dblog_title'],FALSE,'RAWTEXT,defs'); if (defined($val)) $val = constant($val); break; - case 'dblog_username' : - $val = $row['dblog_userid'] ? $row['dblog_username'] : 'Anonymous'; + case 'dblog_user_name' : + $val = $row['dblog_user_id'] ? $row['dblog_user_name'] : LAN_ANONYMOUS; break; case 'dblog_caller' : $val = $row['dblog_caller']; diff --git a/e107_handlers/admin_log_class.php b/e107_handlers/admin_log_class.php index e8489d524..30cae7fb6 100644 
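Review bot: `USER_AUDIT_ADD_ADMIN => RL_LAN_080` in the @@ -371 hunk references a language constant whose definition is not visible anywhere in this patch; the lan_log_messages.php section is a 6-line-for-6-line hunk (+2/-2), which looks like the CVS header only. If RL_LAN_080 is not already defined in e107_languages/English/admin/lan_log_messages.php (or committed separately), PHP will emit an undefined-constant notice and the checkbox will be labelled with the literal text `RL_LAN_080`. Please confirm the `define("RL_LAN_080", ...)` exists before merging.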
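Review bot: `$val = $row['dblog_user_id'] ? $row['dblog_user_name'] : LAN_ANONYMOUS;` in the @@ -703 hunk assigns a stored login name to `$val` with no escaping, and the neighbouring `dblog_title` case shows the `$tp->toHTML(...)` call commented out; if `$val` is echoed as-is further down (outside the hunk), a login name chosen by an attacker and recorded by the login handler would be rendered unescaped in the admin log page. Suggest `$val = $row['dblog_user_id'] ? htmlspecialchars($row['dblog_user_name'], ENT_QUOTES) : LAN_ANONYMOUS;` unless escaping is already applied at output. The hunk header shows `$col_fields = array('adminlog' => array('cf_datestring','dblog_type','dblog_ip', ...` — that list (cut off here) must also carry the renamed `dblog_user_name` key, otherwise the new `case` is never reached. LAN_ANONYMOUS likewise needs to be defined in a file admin_log.php loads.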
--- a/e107_handlers/admin_log_class.php +++ b/e107_handlers/admin_log_class.php @@ -12,8 +12,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/admin_log_class.php,v $ -| $Revision: 1.7 $ -| $Date: 2007-12-29 22:07:42 $ +| $Revision: 1.8 $ +| $Date: 2008-01-01 21:26:16 $ | $Author: e107steved $ To do: @@ -78,6 +78,7 @@ class e_admin_log { define('USER_AUDIT_NEW_EML',17); // User changed email define('USER_AUDIT_PW_RES',18); // Password reset define('USER_AUDIT_NEW_SET',19); // User changed other settings + define('USER_AUDIT_ADD_ADMIN',20); // User added by admin } /** @@ -232,7 +233,7 @@ Generic log entry point // $id and $u_name are left blank except for admin edits and user login, where they specify the id and login name of the 'target' user function user_audit($event_type, $event_data, $id = '', $u_name = '') { - global $e107, $tp; + global $e107, $tp, $pref; list($time_usec, $time_sec) = explode(" ", microtime()); // Log event time immediately to minimise uncertainty // See whether we should log this diff --git a/e107_handlers/login.php b/e107_handlers/login.php index a178efdef..14176116b 100644 --- a/e107_handlers/login.php +++ b/e107_handlers/login.php @@ -12,8 +12,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/login.php,v $ -| $Revision: 1.12 $ -| $Date: 2007-12-31 17:20:55 $ +| $Revision: 1.13 $ +| $Date: 2008-01-01 21:26:16 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -22,8 +22,10 @@ if (!defined('e107_INIT')) { exit; } include_lan(e_LANGUAGEDIR.e_LANGUAGE."/lan_login.php"); -class userlogin { - function userlogin($username, $userpass, $autologin) { +class userlogin +{ + function userlogin($username, $userpass, $autologin) + { /* Constructor # Class called when user attempts to log in # 
@@ -38,40 +40,49 @@ class userlogin { $username = trim($username); $userpass = trim($userpass); if($username == "" || $userpass == "") - { - define("LOGINMESSAGE", LAN_27."

"); - return FALSE; + { // Required fields blank + define("LOGINMESSAGE", LAN_LOGIN_20."

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_01',$username,FALSE,LOG_TO_ROLLING); + return FALSE; } - if(!is_object($sql)){ - $sql = new db; - } + if(!is_object($sql)) { $sql = new db; } $fip = $e107->getip(); // $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'IP: '.$fip,FALSE,LOG_TO_ROLLING); - $e107->check_ban("banlist_ip='{$fip}' ",FALSE); + $e107->check_ban("banlist_ip='{$fip}' ",FALSE); // This will exit if a ban is in force // if($sql -> db_Select("banlist", "*", "banlist_ip='{$fip}' ")) { exit;} $autologin = intval($autologin); - if ($pref['auth_method'] && $pref['auth_method'] != "e107") { - $auth_file = e_PLUGIN."alt_auth/".$pref['auth_method']."_auth.php"; - if (file_exists($auth_file)) { - require_once(e_PLUGIN."alt_auth/alt_auth_login_class.php"); - $result = new alt_login($pref['auth_method'], $username, $userpass); - } + if ($pref['auth_method'] && $pref['auth_method'] != "e107") + { + $auth_file = e_PLUGIN."alt_auth/".$pref['auth_method']."_auth.php"; + if (file_exists($auth_file)) + { + require_once(e_PLUGIN."alt_auth/alt_auth_login_class.php"); + $result = new alt_login($pref['auth_method'], $username, $userpass); + } } - if ($pref['logcode'] && extension_loaded("gd")) { - require_once(e_HANDLER."secure_img_handler.php"); - $sec_img = new secure_image; - if (!$sec_img->verify_code($_POST['rand_num'], $_POST['code_verify'])) { - define("LOGINMESSAGE", LAN_303."

"); - return FALSE; - } + if ($pref['logcode'] && extension_loaded("gd")) + { + require_once(e_HANDLER."secure_img_handler.php"); + $sec_img = new secure_image; + if (!$sec_img->verify_code($_POST['rand_num'], $_POST['code_verify'])) + { // Invalid code + define("LOGINMESSAGE", LAN_LOGIN_23."

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_02','',FALSE,LOG_TO_ROLLING); + return FALSE; + } } $username = preg_replace("/\sOR\s|\=|\#/", "", $username); - $username = substr($username, 0, 30); + if (strlen($username) > varset($pref['loginname_maxlength'],30)) + { // Error - invalid username + define("LOGINMESSAGE", LAN_LOGIN_21."

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_08',$username,FALSE,LOG_TO_ROLLING); + return FALSE; + } $ouserpass = $userpass; $userpass = md5($ouserpass); @@ -81,23 +92,24 @@ class userlogin { $userpass = md5(utf8_decode($ouserpass)); } -// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'Doing final checks',FALSE,LOG_TO_ROLLING); if (!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."'")) { // Invalid user - define("LOGINMESSAGE", LAN_300."
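Review bot: The new length check `if (strlen($username) > varset($pref['loginname_maxlength'],30))` runs after `new alt_login($pref['auth_method'], $username, $userpass)` has already been handed the unchecked name, so whatever the external authenticator does with an over-long `$username` happens before the core rejects it; moving the check up beside the blank-field test keeps the two guards together. Separately, every `e_log_event(...,"LOGIN",'LAN_ROLL_LOG_01'/'..._02'/'..._08', $username, ...)` call in this hunk (and the LAN_ROLL_LOG_03/04/05/06 calls in the following hunks) passes the raw, attacker-chosen `$username` as event data; unless e_log_event or the admin log viewer escapes it, that is a stored-XSS / log-injection path into admin_log.php, so either pass it through `$tp -> toDB($username)` as the neighbouring `generic` inserts do, or confirm escaping at render. The constructor containing this hunk begins before it and its `global` list is outside the hunk, so `$admin_log` being in scope here is assumed.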

"); + define("LOGINMESSAGE", LAN_LOGIN_21."

"); $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_14." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_04',$username,FALSE,LOG_TO_ROLLING); $this -> checkibr($fip); return FALSE; } else if(!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."' AND user_password = '{$userpass}'")) { // Invalid user/password combination - define("LOGINMESSAGE", LAN_300."

"); + define("LOGINMESSAGE", LAN_LOGIN_21."

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_03',$username,FALSE,LOG_TO_ROLLING); return FALSE; } else if(!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."' AND user_password = '{$userpass}' AND user_ban!=2 ")) - { // Banned user - define("LOGINMESSAGE", LAN_302."

"); -// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'User is banned: '.$tp -> toDB($username),FALSE,LOG_TO_ROLLING); + { // User not fully signed up - hasn't activated account + define("LOGINMESSAGE", LAN_LOGIN_22."

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_05',$username,FALSE,LOG_TO_ROLLING); $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_15." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'"); $this -> checkibr($fip); return FALSE; @@ -109,11 +121,13 @@ class userlogin { if ($ret!='') { define("LOGINMESSAGE", $ret."
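Review bot: The wrong-password branch (`// Invalid user/password combination`) gains a LAN_ROLL_LOG_03 entry but, unlike the unknown-user and not-activated branches on either side of it, still neither inserts a `failed_login` row nor calls `$this -> checkibr($fip)`, so repeated bad passwords against a real account never count toward the >10-attempt auto-ban that the @@ -222 hunk (which appears to be checkibr) enforces. Add before its `return FALSE;`: `$sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_15." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'");` and `$this -> checkibr($fip);`. The third branch's comment now says the account is not activated, yet its `failed_login` row still carries LAN_LOGIN_15 ("incorrect password"), which will mislead anyone reading the generic table; a dedicated LAN string would be clearer. The enclosing constructor continues beyond the hunk.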

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_06',$username,FALSE,LOG_TO_ROLLING); return FALSE; } else { // Trigger events happy as well $lode = $sql -> db_Fetch(); // Get user info + $lode['user_perms'] = trim($lode['user_perms']); $user_id = $lode['user_id']; $user_name = $lode['user_name']; $user_xup = $lode['user_xup']; @@ -123,12 +137,13 @@ class userlogin { { if($sql -> db_Select("online", "online_ip", "online_user_id='".$user_id.".".$user_name."'")) { - define("LOGINMESSAGE", LAN_304."
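Review bot: The LAN_ROLL_LOG_06 entry records only `$username`, so the rolling log cannot tell why the login was refused: `$ret` (set above the hunk, presumably by a pre-login trigger) holds the reason shown to the user but is not logged. Suggest passing `"U: {$username} : {$ret}"` as the event data, matching the `U: ... IP: ...` form used in the next hunk. The block continues outside the hunk.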

"); - $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '$fip', '$user_id', '".LAN_LOGIN_16." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' "); + define("LOGINMESSAGE", LAN_LOGIN_24."

"); + $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_07',"U: {$username} IP: {$fip}",FALSE,LOG_TO_ROLLING); + $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', '{$user_id}', '".LAN_LOGIN_16." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' "); $this -> checkibr($fip); return FALSE; - } } + } $cookieval = $user_id.".".md5($userpass); if($user_xup) @@ -143,7 +158,7 @@ class userlogin { else { if ($autologin == 1) - { + { // Cookie valid for up to 30 days cookie($pref['cookie_name'], $cookieval, (time() + 3600 * 24 * 30)); } else @@ -156,6 +171,7 @@ class userlogin { // Calculate class membership - needed for a couple of things + // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point $class_list = explode(',',$lode['user_class']); if ($lode['user_admin'] && strlen($lode['user_perms'])) { @@ -174,7 +190,7 @@ class userlogin { $admin_log->user_audit(USER_AUDIT_LOGIN,'', $user_id,$user_name); } - $edata_li = array("user_id" => $user_id, "user_name" => $username, 'class_list' => implode(',',$class_list)); + $edata_li = array("user_id" => $user_id, "user_name" => $username, 'class_list' => implode(',',$class_list), 'remember_me' => $autologin); $e_event->trigger("login", $edata_li); $redir = (e_QUERY ? e_SELF."?".e_QUERY : e_SELF); 
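Review bot: The rewritten `generic` insert in the @@ -123 hunk still writes `LAN_LOGIN_17.": ".md5($ouserpass)` — the unsalted MD5 of the password just submitted — into the generic table, and the `auto_banned` insert in the @@ -222 hunk does the same. In this branch the credentials have already been verified against `user_password`, so the hash adds nothing for investigation, and in the auto-ban path it is the hash of whatever a possibly legitimate, mistyping user entered; either way the log table becomes a second store of password hashes. Drop the `, ".LAN_LOGIN_17.": ".md5($ouserpass)` segment from both inserts. The `"U: {$username} IP: {$fip}"` rolling-log data is fine.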
@@ -182,8 +198,6 @@ class userlogin { if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force'])) { // See if we're to force a page immediately following login - assumes $pref['frontpage_force'] is an ordered list of rules - // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point - $lode['user_perms'] = trim($lode['user_perms']); // $log_info = "New user: ".$lode['user_name']." Class: ".$lode['user_class']." Admin: ".$lode['user_admin']." Perms: ".$lode['user_perms']; // $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Login Start",$log_info,FALSE,FALSE); // $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","New User class",implode(',',$class_list),FALSE,FALSE); @@ -222,7 +236,7 @@ class userlogin { { $e107->add_ban(4,LAN_LOGIN_18,$fip,1); // $sql -> db_Insert("banlist", "'$fip', '1', '".LAN_LOGIN_18."' "); - $sql -> db_Insert("generic", "0, 'auto_banned', '".time()."', 0, '$fip', '$user_id', '".LAN_LOGIN_20.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' "); + $sql -> db_Insert("generic", "0, 'auto_banned', '".time()."', 0, '{$fip}', '{$user_id}', '".LAN_LOGIN_20.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' "); } } } diff --git a/e107_languages/English/admin/lan_log_messages.php b/e107_languages/English/admin/lan_log_messages.php index e4b56d8dc..8f3f5affb 100644 --- a/e107_languages/English/admin/lan_log_messages.php +++ b/e107_languages/English/admin/lan_log_messages.php @@ -1,6 +1,6 @@ here."); -define("LAN_303", "Incorrect code entered."); -define("LAN_304", "That username/password combination is already in use."); define("LAN_LOGIN_1", "User name"); define("LAN_LOGIN_2", "User password"); define("LAN_LOGIN_3", "Protected server"); 
@@ -27,12 +22,16 @@ define("LAN_LOGIN_10", "Click to login"); define("LAN_LOGIN_11", "Register as a New User"); define("LAN_LOGIN_12", "Forgot Password"); define("LAN_LOGIN_13", "Please enter text in image"); - define("LAN_LOGIN_14", "User attempted to login with unrecognised user name"); define("LAN_LOGIN_15", "User attempted to login with incorrect password"); define("LAN_LOGIN_16", "User attempted to login with username/password combination that was already in use"); define("LAN_LOGIN_17", "User password (hashed)"); define("LAN_LOGIN_18", "Auto-ban: More than 10 failed login attempts"); define("LAN_LOGIN_19", "> 10 failed login attempts"); +define("LAN_LOGIN_20", "You left required field(s) blank"); +define("LAN_LOGIN_21", "Incorrect login. The entered data doesn't match to a registered user. Check if you have the CAPS-LOCK key activated as logins on this site are case sensitive"); +define("LAN_LOGIN_22", "You have not activated your account. You should have received an email with instructions on how to confirm your account. If not, please click here."); +define("LAN_LOGIN_23", "Incorrect code entered."); +define("LAN_LOGIN_24", "That username/password combination is already in use."); ?> \ No newline at end of file
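Review bot: `define("LAN_LOGIN_20", "You left required field(s) blank");` collides with an existing use: the `auto_banned` insert in login.php's @@ -222 hunk already builds its message from `LAN_LOGIN_20.": ".$tp -> toDB($username)`, so unless LAN_LOGIN_20 was defined elsewhere that row will now read "You left required field(s) blank: <name>" instead of an auto-ban description. Give the blank-field message a fresh number (or reuse LAN_LOGIN_18/19, which already describe the auto-ban) and check the @@ -222 line accordingly. The preceding hunk also deletes at least `LAN_303` and `LAN_304`; login.php is updated, but any other file still referencing the old LAN_30x constants would now emit an undefined-constant notice and display the bare name, so a tree-wide search is worthwhile. Minor wording: "doesn't match to a registered user" in LAN_LOGIN_21 reads better as "doesn't match a registered user".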