|
@@ -7,11 +7,8 @@
|
|
|
* entry is assigned a new random token, which is used in
|
|
* entry is assigned a new random token, which is used in
|
|
|
* salting subsequent password checks.
|
|
* salting subsequent password checks.
|
|
|
*/
|
|
*/
|
|
|
-
|
|
|
|
|
define('INSTALLEDVERSION', '1.30');
|
|
define('INSTALLEDVERSION', '1.30');
|
|
|
-
|
|
|
|
|
require __DIR__ . '/vendor/autoload.php';
|
|
require __DIR__ . '/vendor/autoload.php';
|
|
|
-
|
|
|
|
|
$databaseConfig = parse_ini_file('databaseLocation.ini.php', true);
|
|
$databaseConfig = parse_ini_file('databaseLocation.ini.php', true);
|
|
|
define('USER_HOME', $databaseConfig['databaseLocation'] . '/users/');
|
|
define('USER_HOME', $databaseConfig['databaseLocation'] . '/users/');
|
|
|
define('DATABASE_LOCATION', $databaseConfig['databaseLocation'] . '/');
|
|
define('DATABASE_LOCATION', $databaseConfig['databaseLocation'] . '/');
|
|
@@ -34,11 +31,18 @@
|
|
|
if(!empty($databaseConfig['smtpHostPassword'])) : define('SMTPHOSTPASSWORD', $databaseConfig['smtpHostPassword']); else : define('SMTPHOSTPASSWORD', ''); endif;
|
|
if(!empty($databaseConfig['smtpHostPassword'])) : define('SMTPHOSTPASSWORD', $databaseConfig['smtpHostPassword']); else : define('SMTPHOSTPASSWORD', ''); endif;
|
|
|
if(!empty($databaseConfig['smtpHostSenderName'])) : define('SMTPHOSTSENDERNAME', $databaseConfig['smtpHostSenderName']); else : define('SMTPHOSTSENDERNAME', 'Organizr'); endif;
|
|
if(!empty($databaseConfig['smtpHostSenderName'])) : define('SMTPHOSTSENDERNAME', $databaseConfig['smtpHostSenderName']); else : define('SMTPHOSTSENDERNAME', 'Organizr'); endif;
|
|
|
if(!empty($databaseConfig['smtpHostSenderEmail'])) : define('SMTPHOSTSENDEREMAIL', $databaseConfig['smtpHostSenderEmail']); else : define('SMTPHOSTSENDEREMAIL', 'no-reply@Organizr'); endif;
|
|
if(!empty($databaseConfig['smtpHostSenderEmail'])) : define('SMTPHOSTSENDEREMAIL', $databaseConfig['smtpHostSenderEmail']); else : define('SMTPHOSTSENDEREMAIL', 'no-reply@Organizr'); endif;
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
|
|
+ if(!empty($databaseConfig['authType'])) : define('AUTHTYPE', $databaseConfig['authType']); else : define('AUTHTYPE', ''); endif;
|
|
|
|
|
+ if(!empty($databaseConfig['authBackend'])) : define('AUTHBACKEND', $databaseConfig['authBackend']); else : define('AUTHBACKEND', ''); endif;
|
|
|
|
|
+ if(!empty($databaseConfig['authBackendHost'])) : define('AUTHBACKENDHOST', $databaseConfig['authBackendHost']); else : define('AUTHBACKENDHOST', ''); endif;
|
|
|
|
|
+ if(!empty($databaseConfig['authBackendPort'])) : define('AUTHBACKENDPORT', $databaseConfig['authBackendPort']); else : define('AUTHBACKENDPORT', ''); endif;
|
|
|
|
|
+ if(!empty($databaseConfig['authBackendDomain'])) : define('AUTHBACKENDDOMAIN', $databaseConfig['authBackendDomain']); else : define('AUTHBACKENDDOMAIN', ''); endif;
|
|
|
|
|
+ if(!empty($databaseConfig['authBackendCreate'])) : define('AUTHBACKENDCREATE', $databaseConfig['authBackendCreate']); else : define('AUTHBACKENDCREATE', 'false'); endif;
|
|
|
|
|
+
|
|
|
if(!file_exists('homepageSettings.ini.php')){ touch('homepageSettings.ini.php'); }
|
|
if(!file_exists('homepageSettings.ini.php')){ touch('homepageSettings.ini.php'); }
|
|
|
-
|
|
|
|
|
$homepageConfig = parse_ini_file('homepageSettings.ini.php', true);
|
|
$homepageConfig = parse_ini_file('homepageSettings.ini.php', true);
|
|
|
- if(!empty($homepageConfig['plexURL'])) : define('PLEXURL', $homepageConfig['plexURL']); else : define('PLEXURL', ''); endif;
|
|
|
|
|
|
|
+
|
|
|
|
|
+ if(!empty($homepageConfig['plexURL'])) : define('PLEXURL', $homepageConfig['plexURL']); else : define('PLEXURL', ''); endif;
|
|
|
if(!empty($homepageConfig['plexPort'])) : define('PLEXPORT', $homepageConfig['plexPort']); else : define('PLEXPORT', ''); endif;
|
|
if(!empty($homepageConfig['plexPort'])) : define('PLEXPORT', $homepageConfig['plexPort']); else : define('PLEXPORT', ''); endif;
|
|
|
if(!empty($homepageConfig['plexToken'])) : define('PLEXTOKEN', $homepageConfig['plexToken']); else : define('PLEXTOKEN', ''); endif;
|
|
if(!empty($homepageConfig['plexToken'])) : define('PLEXTOKEN', $homepageConfig['plexToken']); else : define('PLEXTOKEN', ''); endif;
|
|
|
if(!empty($homepageConfig['plexRecentMovie'])) : define('PLEXRECENTMOVIE', $homepageConfig['plexRecentMovie']); else : define('PLEXRECENTMOVIE', 'false'); endif;
|
|
if(!empty($homepageConfig['plexRecentMovie'])) : define('PLEXRECENTMOVIE', $homepageConfig['plexRecentMovie']); else : define('PLEXRECENTMOVIE', 'false'); endif;
|
|
@@ -74,32 +78,26 @@
|
|
|
if(!empty($homepageConfig['calendarEndDay'])) : define('CALENDARENDDAY', $homepageConfig['calendarEndDay']); else : define('CALENDARENDDAY', '30'); endif;
|
|
if(!empty($homepageConfig['calendarEndDay'])) : define('CALENDARENDDAY', $homepageConfig['calendarEndDay']); else : define('CALENDARENDDAY', '30'); endif;
|
|
|
if(!empty($homepageConfig['sickrageKey'])) : define('SICKRAGEKEY', $homepageConfig['sickrageKey']); else : define('SICKRAGEKEY', ''); endif;
|
|
if(!empty($homepageConfig['sickrageKey'])) : define('SICKRAGEKEY', $homepageConfig['sickrageKey']); else : define('SICKRAGEKEY', ''); endif;
|
|
|
if(!empty($homepageConfig['sickrageURL'])) : define('SICKRAGEURL', $homepageConfig['sickrageURL']); else : define('SICKRAGEURL', ''); endif;
|
|
if(!empty($homepageConfig['sickrageURL'])) : define('SICKRAGEURL', $homepageConfig['sickrageURL']); else : define('SICKRAGEURL', ''); endif;
|
|
|
-
|
|
|
|
|
|
|
|
|
|
if(file_exists('custom.css')) : define('CUSTOMCSS', 'true'); else : define('CUSTOMCSS', 'false'); endif;
|
|
if(file_exists('custom.css')) : define('CUSTOMCSS', 'true'); else : define('CUSTOMCSS', 'false'); endif;
|
|
|
$notifyExplode = explode("-", NOTIFYEFFECT);
|
|
$notifyExplode = explode("-", NOTIFYEFFECT);
|
|
|
define('FAIL_LOG', 'loginLog.json');
|
|
define('FAIL_LOG', 'loginLog.json');
|
|
|
date_default_timezone_set(TIMEZONE);
|
|
date_default_timezone_set(TIMEZONE);
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
class User
|
|
class User
|
|
|
{
|
|
{
|
|
|
// =======================================================================
|
|
// =======================================================================
|
|
|
// IMPORTANT VALUES THAT YOU *NEED* TO CHANGE FOR THIS TO BE SECURE
|
|
// IMPORTANT VALUES THAT YOU *NEED* TO CHANGE FOR THIS TO BE SECURE
|
|
|
// =======================================================================
|
|
// =======================================================================
|
|
|
-
|
|
|
|
|
// Keeping this location on ./... means that it will be publically visible to all,
|
|
// Keeping this location on ./... means that it will be publically visible to all,
|
|
|
// and you need to use htaccess rules or some such to ensure no one
|
|
// and you need to use htaccess rules or some such to ensure no one
|
|
|
// grabs your user's data.
|
|
// grabs your user's data.
|
|
|
-
|
|
|
|
|
//const USER_HOME = "../users/";
|
|
//const USER_HOME = "../users/";
|
|
|
-
|
|
|
|
|
// In order for users to be notified by email of certain things, set this to true.
|
|
// In order for users to be notified by email of certain things, set this to true.
|
|
|
// Note that the server you run this on should have sendmail in order for
|
|
// Note that the server you run this on should have sendmail in order for
|
|
|
// notification emails to work. Also note that password resetting doesn't work
|
|
// notification emails to work. Also note that password resetting doesn't work
|
|
|
// unless mail notification is turned on.
|
|
// unless mail notification is turned on.
|
|
|
-
|
|
|
|
|
const use_mail = ENABLEMAIL;
|
|
const use_mail = ENABLEMAIL;
|
|
|
-
|
|
|
|
|
// This value should point to a directory that is not available to web users.
|
|
// This value should point to a directory that is not available to web users.
|
|
|
// If your documents are in ./public_html, for instance., then put database
|
|
// If your documents are in ./public_html, for instance., then put database
|
|
|
// in something like ./database - that way, you don't have to rely on
|
|
// in something like ./database - that way, you don't have to rely on
|
|
@@ -109,23 +107,18 @@
|
|
|
// By default it's set to the stupidly dangerous and publically accessible same
|
|
// By default it's set to the stupidly dangerous and publically accessible same
|
|
|
// base dir as your web page. So change it, because people are going to try
|
|
// base dir as your web page. So change it, because people are going to try
|
|
|
// to download your database file. And succeed.
|
|
// to download your database file. And succeed.
|
|
|
-
|
|
|
|
|
//const DATABASE_LOCATION = "../";
|
|
//const DATABASE_LOCATION = "../";
|
|
|
-
|
|
|
|
|
// if this is set to "true", registration failure due to known usernames is reported,
|
|
// if this is set to "true", registration failure due to known usernames is reported,
|
|
|
// and login failures are explained as either the wrong username or the wrong password.
|
|
// and login failures are explained as either the wrong username or the wrong password.
|
|
|
// You really want to set this to 'false', but it's on true by default because goddamnit
|
|
// You really want to set this to 'false', but it's on true by default because goddamnit
|
|
|
// I'm going to confront you with security issues right off the bat =)
|
|
// I'm going to confront you with security issues right off the bat =)
|
|
|
-
|
|
|
|
|
const unsafe_reporting = false;
|
|
const unsafe_reporting = false;
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
Think about security for a moment. On the one hand, you want your website
|
|
Think about security for a moment. On the one hand, you want your website
|
|
|
to not reveal whether usernames are already taken, so when people log in
|
|
to not reveal whether usernames are already taken, so when people log in
|
|
|
you will want to say "username or password incorrect". However, you also want
|
|
you will want to say "username or password incorrect". However, you also want
|
|
|
to be able to tell people that they can't register because the username they
|
|
to be able to tell people that they can't register because the username they
|
|
|
picked is already taken.
|
|
picked is already taken.
|
|
|
-
|
|
|
|
|
Because these are mutually exclusive, you can't do both using this framework.
|
|
Because these are mutually exclusive, you can't do both using this framework.
|
|
|
You can either use unsafe reporting, where the system will will tell you that
|
|
You can either use unsafe reporting, where the system will will tell you that
|
|
|
a username exists, both during registration and login, or you can use safe
|
|
a username exists, both during registration and login, or you can use safe
|
|
@@ -133,79 +126,56 @@
|
|
|
similarity, not exact match. But then it also won't say which of the username
|
|
similarity, not exact match. But then it also won't say which of the username
|
|
|
or password in a login attempt was incorrect.
|
|
or password in a login attempt was incorrect.
|
|
|
**/
|
|
**/
|
|
|
-
|
|
|
|
|
// =======================================================================
|
|
// =======================================================================
|
|
|
// You can modify the following values, but they're not security related
|
|
// You can modify the following values, but they're not security related
|
|
|
// =======================================================================
|
|
// =======================================================================
|
|
|
-
|
|
|
|
|
// rename this to whatever you like
|
|
// rename this to whatever you like
|
|
|
const DATABASE_NAME = "users";
|
|
const DATABASE_NAME = "users";
|
|
|
-
|
|
|
|
|
// this is the session timeout. If someone hasn't performed any page requests
|
|
// this is the session timeout. If someone hasn't performed any page requests
|
|
|
// in [timeout] seconds, they're considered logged out.
|
|
// in [timeout] seconds, they're considered logged out.
|
|
|
const time_out = 604800;
|
|
const time_out = 604800;
|
|
|
-
|
|
|
|
|
// You'll probably want to change this to something sensible. If your site is
|
|
// You'll probably want to change this to something sensible. If your site is
|
|
|
// www.sockmonkey.com, then you want this to be "sockmonkey.com"
|
|
// www.sockmonkey.com, then you want this to be "sockmonkey.com"
|
|
|
const DOMAIN_NAME = "Organizr";
|
|
const DOMAIN_NAME = "Organizr";
|
|
|
-
|
|
|
|
|
// This is going to be the "from" address
|
|
// This is going to be the "from" address
|
|
|
const MAILER_NAME = "noreply@organizr";
|
|
const MAILER_NAME = "noreply@organizr";
|
|
|
-
|
|
|
|
|
// if you want people to be able to reply to a real address, override
|
|
// if you want people to be able to reply to a real address, override
|
|
|
// this variable to "yourmail@somedomain.ext" here.
|
|
// this variable to "yourmail@somedomain.ext" here.
|
|
|
const MAILER_REPLYTO = "noreply@organizr";
|
|
const MAILER_REPLYTO = "noreply@organizr";
|
|
|
-
|
|
|
|
|
// =======================================================================
|
|
// =======================================================================
|
|
|
// Don't modify any variables beyond this point =)
|
|
// Don't modify any variables beyond this point =)
|
|
|
// =======================================================================
|
|
// =======================================================================
|
|
|
-
|
|
|
|
|
// this is the global error message. If anything goes wrong, this tells you why.
|
|
// this is the global error message. If anything goes wrong, this tells you why.
|
|
|
var $error = "";
|
|
var $error = "";
|
|
|
-
|
|
|
|
|
// progress log
|
|
// progress log
|
|
|
var $info_log = array();
|
|
var $info_log = array();
|
|
|
-
|
|
|
|
|
// Information logging
|
|
// Information logging
|
|
|
function info($string) { $this->info_log[] = $string; }
|
|
function info($string) { $this->info_log[] = $string; }
|
|
|
-
|
|
|
|
|
// error log
|
|
// error log
|
|
|
var $error_log = array();
|
|
var $error_log = array();
|
|
|
-
|
|
|
|
|
// Error logging
|
|
// Error logging
|
|
|
function error($string) { $this->error_log[] = $string; }
|
|
function error($string) { $this->error_log[] = $string; }
|
|
|
-
|
|
|
|
|
// all possible values for a hexadecimal number
|
|
// all possible values for a hexadecimal number
|
|
|
var $hex = "0123456789abcdef";
|
|
var $hex = "0123456789abcdef";
|
|
|
-
|
|
|
|
|
// all possible values for an ascii password, skewed a bit so the number to letter ratio is closer to 1:1
|
|
// all possible values for an ascii password, skewed a bit so the number to letter ratio is closer to 1:1
|
|
|
var $ascii = "0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6A7B8C9D0E1F2G3H4I5J6K7L8M9N0O1P2Q3R4S5T6U7V8W9X0Y1Z23456789";
|
|
var $ascii = "0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6A7B8C9D0E1F2G3H4I5J6K7L8M9N0O1P2Q3R4S5T6U7V8W9X0Y1Z23456789";
|
|
|
-
|
|
|
|
|
// the regular expression for email matching (see http://www.regular-expressions.info/email.html)
|
|
// the regular expression for email matching (see http://www.regular-expressions.info/email.html)
|
|
|
const emailregexp = "/[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/";
|
|
const emailregexp = "/[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/";
|
|
|
-
|
|
|
|
|
// the regular expression for SHA1 hash matching
|
|
// the regular expression for SHA1 hash matching
|
|
|
const sha1regexp = "/[0123456789abcdef]{40,40}/";
|
|
const sha1regexp = "/[0123456789abcdef]{40,40}/";
|
|
|
-
|
|
|
|
|
// this will tell us whether the client that requested the page is authenticated or not.
|
|
// this will tell us whether the client that requested the page is authenticated or not.
|
|
|
var $authenticated = false;
|
|
var $authenticated = false;
|
|
|
-
|
|
|
|
|
// the guest user name
|
|
// the guest user name
|
|
|
const GUEST_USER = "guest user";
|
|
const GUEST_USER = "guest user";
|
|
|
-
|
|
|
|
|
// this will contain the user name for the user doing the page request
|
|
// this will contain the user name for the user doing the page request
|
|
|
var $username = User::GUEST_USER;
|
|
var $username = User::GUEST_USER;
|
|
|
-
|
|
|
|
|
// if this is a properly logged in user, this will contain the data directory location for this user
|
|
// if this is a properly logged in user, this will contain the data directory location for this user
|
|
|
var $userdir = false;
|
|
var $userdir = false;
|
|
|
-
|
|
|
|
|
// the user's email address, if logged in.
|
|
// the user's email address, if logged in.
|
|
|
var $email = "";
|
|
var $email = "";
|
|
|
-
|
|
|
|
|
// the user's role in the system
|
|
// the user's role in the system
|
|
|
var $role = "";
|
|
var $role = "";
|
|
|
var $group = "";
|
|
var $group = "";
|
|
|
-
|
|
|
|
|
// global database handle
|
|
// global database handle
|
|
|
var $database = false;
|
|
var $database = false;
|
|
|
|
|
|
|
@@ -230,7 +200,6 @@
|
|
|
|
|
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
-
|
|
|
|
|
// class object constructor
|
|
// class object constructor
|
|
|
function __construct($registration_callback=false)
|
|
function __construct($registration_callback=false)
|
|
|
{
|
|
{
|
|
@@ -241,25 +210,19 @@
|
|
|
}else{
|
|
}else{
|
|
|
$_SESSION["username"] = $_COOKIE['OrganizrU'];
|
|
$_SESSION["username"] = $_COOKIE['OrganizrU'];
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// file location for the user database
|
|
// file location for the user database
|
|
|
$dbfile = DATABASE_LOCATION . User::DATABASE_NAME . ".db";
|
|
$dbfile = DATABASE_LOCATION . User::DATABASE_NAME . ".db";
|
|
|
-
|
|
|
|
|
// do we need to build a new database?
|
|
// do we need to build a new database?
|
|
|
$rebuild = false;
|
|
$rebuild = false;
|
|
|
if(!file_exists($dbfile)) { $rebuild = true;}
|
|
if(!file_exists($dbfile)) { $rebuild = true;}
|
|
|
-
|
|
|
|
|
// bind the database handler
|
|
// bind the database handler
|
|
|
$this->database = new PDO("sqlite:" . $dbfile);
|
|
$this->database = new PDO("sqlite:" . $dbfile);
|
|
|
-
|
|
|
|
|
// If we need to rebuild, the file will have been automatically made by the PDO call,
|
|
// If we need to rebuild, the file will have been automatically made by the PDO call,
|
|
|
// but we'll still need to define the user table before we can use the database.
|
|
// but we'll still need to define the user table before we can use the database.
|
|
|
if($rebuild) { $this->rebuild_database($dbfile); }
|
|
if($rebuild) { $this->rebuild_database($dbfile); }
|
|
|
-
|
|
|
|
|
// finally, process the page request.
|
|
// finally, process the page request.
|
|
|
$this->process($registration_callback);
|
|
$this->process($registration_callback);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// this function rebuilds the database if there is no database to work with yet
|
|
// this function rebuilds the database if there is no database to work with yet
|
|
|
function rebuild_database($dbfile)
|
|
function rebuild_database($dbfile)
|
|
|
{
|
|
{
|
|
@@ -269,7 +232,6 @@
|
|
|
$this->database->exec($create);
|
|
$this->database->exec($create);
|
|
|
$this->database->commit();
|
|
$this->database->commit();
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// process a page request
|
|
// process a page request
|
|
|
function process(&$registration_callback=false)
|
|
function process(&$registration_callback=false)
|
|
|
{
|
|
{
|
|
@@ -288,7 +250,6 @@
|
|
|
// we only allow password resetting if we can send notification mails
|
|
// we only allow password resetting if we can send notification mails
|
|
|
elseif($operation == "reset" && User::use_mail) { $this->reset_password(); }
|
|
elseif($operation == "reset" && User::use_mail) { $this->reset_password(); }
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// if the previous operations didn't authorise the current user,
|
|
// if the previous operations didn't authorise the current user,
|
|
|
// see if they're already marked as authorised in the database.
|
|
// see if they're already marked as authorised in the database.
|
|
|
if(!$this->authenticated) {
|
|
if(!$this->authenticated) {
|
|
@@ -296,23 +257,19 @@
|
|
|
if($username != User::GUEST_USER) {
|
|
if($username != User::GUEST_USER) {
|
|
|
$this->authenticated = $this->authenticate_user($username,"");
|
|
$this->authenticated = $this->authenticate_user($username,"");
|
|
|
if($this->authenticated) { $this->mark_user_active($username); }}}
|
|
if($this->authenticated) { $this->mark_user_active($username); }}}
|
|
|
-
|
|
|
|
|
// at this point we can make some globals available.
|
|
// at this point we can make some globals available.
|
|
|
$this->username = $_SESSION["username"];
|
|
$this->username = $_SESSION["username"];
|
|
|
$this->userdir = ($this->username !=User::GUEST_USER? USER_HOME . $this->username : false);
|
|
$this->userdir = ($this->username !=User::GUEST_USER? USER_HOME . $this->username : false);
|
|
|
$this->email = $this->get_user_email($this->username);
|
|
$this->email = $this->get_user_email($this->username);
|
|
|
$this->role = $this->get_user_role($this->username);
|
|
$this->role = $this->get_user_role($this->username);
|
|
|
//$this->group = $this->get_user_group($this->username);
|
|
//$this->group = $this->get_user_group($this->username);
|
|
|
-
|
|
|
|
|
// clear database
|
|
// clear database
|
|
|
$this->database->commit();
|
|
$this->database->commit();
|
|
|
$this->database = null;
|
|
$this->database = null;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// ---------------------
|
|
// ---------------------
|
|
|
// validation passthroughs
|
|
// validation passthroughs
|
|
|
// ---------------------
|
|
// ---------------------
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Called when the requested POST operation is "login"
|
|
* Called when the requested POST operation is "login"
|
|
|
*/
|
|
*/
|
|
@@ -321,6 +278,7 @@
|
|
|
// get relevant values
|
|
// get relevant values
|
|
|
$username = $_POST["username"];
|
|
$username = $_POST["username"];
|
|
|
$sha1 = $_POST["sha1"];
|
|
$sha1 = $_POST["sha1"];
|
|
|
|
|
+ $password = $_POST["password"];
|
|
|
$rememberMe = $_POST["rememberMe"];
|
|
$rememberMe = $_POST["rememberMe"];
|
|
|
// step 1: someone could have bypassed the javascript validation, so validate again.
|
|
// step 1: someone could have bypassed the javascript validation, so validate again.
|
|
|
if(!$this->validate_user_name($username)) {
|
|
if(!$this->validate_user_name($username)) {
|
|
@@ -330,13 +288,8 @@
|
|
|
$this->info("<strong>log in error:</strong> password did not pass validation");
|
|
$this->info("<strong>log in error:</strong> password did not pass validation");
|
|
|
return false; }
|
|
return false; }
|
|
|
// step 2: if validation passed, log the user in
|
|
// step 2: if validation passed, log the user in
|
|
|
- if($rememberMe == "true") {
|
|
|
|
|
- return $this->login_user($username, $sha1, true);
|
|
|
|
|
- }else{
|
|
|
|
|
- return $this->login_user($username, $sha1, false);
|
|
|
|
|
- }
|
|
|
|
|
|
|
+ return $this->login_user($username, $sha1, $rememberMe == "true", $password);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Called when the requested POST operation is "logout"
|
|
* Called when the requested POST operation is "logout"
|
|
|
*/
|
|
*/
|
|
@@ -351,7 +304,6 @@
|
|
|
// step 2: if validation passed, log the user out
|
|
// step 2: if validation passed, log the user out
|
|
|
return $this->logout_user($username);
|
|
return $this->logout_user($username);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Users should always have the option to unregister
|
|
* Users should always have the option to unregister
|
|
|
*/
|
|
*/
|
|
@@ -366,7 +318,6 @@
|
|
|
// step 2: if validation passed, drop the user from the system
|
|
// step 2: if validation passed, drop the user from the system
|
|
|
return $this->unregister_user($username);
|
|
return $this->unregister_user($username);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Called when the requested POST operation is "register"
|
|
* Called when the requested POST operation is "register"
|
|
|
*/
|
|
*/
|
|
@@ -398,17 +349,11 @@
|
|
|
$subject = User::DOMAIN_NAME . " registration";
|
|
$subject = User::DOMAIN_NAME . " registration";
|
|
|
$body = <<<EOT
|
|
$body = <<<EOT
|
|
|
Hi,
|
|
Hi,
|
|
|
-
|
|
|
|
|
this is an automated message to let you know that someone signed up at $domain_name with the user name "$username", using this email address as mailing address.
|
|
this is an automated message to let you know that someone signed up at $domain_name with the user name "$username", using this email address as mailing address.
|
|
|
-
|
|
|
|
|
Because of the way our user registration works, we have no idea which password was used to register this account (it gets one-way hashed by the browser before it is sent to our user registration system, so that we don't know your password either), so if you registered this account, hopefully you wrote your password down somewhere.
|
|
Because of the way our user registration works, we have no idea which password was used to register this account (it gets one-way hashed by the browser before it is sent to our user registration system, so that we don't know your password either), so if you registered this account, hopefully you wrote your password down somewhere.
|
|
|
-
|
|
|
|
|
However, if you ever forget your password, you can click the "I forgot my password" link in the log-in section for $domain_name and you will be sent an email containing a new, ridiculously long and complicated password that you can use to log in. You can change your password after logging in, but that's up to you. No one's going to guess it, or brute force it, but if other people can read your emails, it's generally a good idea to change passwords.
|
|
However, if you ever forget your password, you can click the "I forgot my password" link in the log-in section for $domain_name and you will be sent an email containing a new, ridiculously long and complicated password that you can use to log in. You can change your password after logging in, but that's up to you. No one's going to guess it, or brute force it, but if other people can read your emails, it's generally a good idea to change passwords.
|
|
|
-
|
|
|
|
|
If you were not the one to register this account, you can either contact us the normal way or —much easier— you can ask the system to reset the password for the account, after which you can simply log in with the temporary password and delete the account. That'll teach whoever pretended to be you not to mess with you!
|
|
If you were not the one to register this account, you can either contact us the normal way or —much easier— you can ask the system to reset the password for the account, after which you can simply log in with the temporary password and delete the account. That'll teach whoever pretended to be you not to mess with you!
|
|
|
-
|
|
|
|
|
Of course, if you did register it yourself, welcome to $domain_name!
|
|
Of course, if you did register it yourself, welcome to $domain_name!
|
|
|
-
|
|
|
|
|
- the $domain_name team
|
|
- the $domain_name team
|
|
|
EOT;
|
|
EOT;
|
|
|
$headers = "From: $from\r\n";
|
|
$headers = "From: $from\r\n";
|
|
@@ -417,10 +362,8 @@ EOT;
|
|
|
//mail($email, $subject, $body, $headers);
|
|
//mail($email, $subject, $body, $headers);
|
|
|
$this->startEmail($email, $username, $subject, $body);
|
|
$this->startEmail($email, $username, $subject, $body);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
return $registered;
|
|
return $registered;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Called when the requested POST operation is "update"
|
|
* Called when the requested POST operation is "update"
|
|
|
*/
|
|
*/
|
|
@@ -441,7 +384,6 @@ EOT;
|
|
|
// step 2: if validation passed, update the user's information
|
|
// step 2: if validation passed, update the user's information
|
|
|
return $this->update_user($username, $email, $sha1, $role);
|
|
return $this->update_user($username, $email, $sha1, $role);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Reset a user's password
|
|
* Reset a user's password
|
|
|
*/
|
|
*/
|
|
@@ -449,12 +391,10 @@ EOT;
|
|
|
{
|
|
{
|
|
|
// get the email for which we should reset
|
|
// get the email for which we should reset
|
|
|
$email = $_POST["email"];
|
|
$email = $_POST["email"];
|
|
|
-
|
|
|
|
|
// step 1: someone could have bypassed the javascript validation, so validate again.
|
|
// step 1: someone could have bypassed the javascript validation, so validate again.
|
|
|
if(preg_match(User::emailregexp, $email)==0) {
|
|
if(preg_match(User::emailregexp, $email)==0) {
|
|
|
$this->info("email address did not pass validation");
|
|
$this->info("email address did not pass validation");
|
|
|
return false; }
|
|
return false; }
|
|
|
-
|
|
|
|
|
// step 2: if validation passed, see if there is a matching user, and reset the password if there is
|
|
// step 2: if validation passed, see if there is a matching user, and reset the password if there is
|
|
|
$newpassword = $this->random_ascii_string(64);
|
|
$newpassword = $this->random_ascii_string(64);
|
|
|
$sha1 = sha1($newpassword);
|
|
$sha1 = sha1($newpassword);
|
|
@@ -462,16 +402,13 @@ EOT;
|
|
|
$username = "";
|
|
$username = "";
|
|
|
$token = "";
|
|
$token = "";
|
|
|
foreach($this->database->query($query) as $data) { $username = $data["username"]; $token = $data["token"]; break; }
|
|
foreach($this->database->query($query) as $data) { $username = $data["username"]; $token = $data["token"]; break; }
|
|
|
-
|
|
|
|
|
// step 2a: if there was no user to reset a password for, stop.
|
|
// step 2a: if there was no user to reset a password for, stop.
|
|
|
if($username == "" || $token == "") return false;
|
|
if($username == "" || $token == "") return false;
|
|
|
-
|
|
|
|
|
// step 2b: if there was a user to reset a password for, reset it.
|
|
// step 2b: if there was a user to reset a password for, reset it.
|
|
|
$dbpassword = $this->token_hash_password($username, $sha1, $token);
|
|
$dbpassword = $this->token_hash_password($username, $sha1, $token);
|
|
|
$update = "UPDATE users SET password = '$dbpassword' WHERE email= '$email'";
|
|
$update = "UPDATE users SET password = '$dbpassword' WHERE email= '$email'";
|
|
|
$this->database->exec($update);
|
|
$this->database->exec($update);
|
|
|
$this->info("Email has been sent with new password");
|
|
$this->info("Email has been sent with new password");
|
|
|
-
|
|
|
|
|
// step 3: notify the user of the new password
|
|
// step 3: notify the user of the new password
|
|
|
$from = User::MAILER_NAME;
|
|
$from = User::MAILER_NAME;
|
|
|
$replyto = User::MAILER_REPLYTO;
|
|
$replyto = User::MAILER_REPLYTO;
|
|
@@ -479,17 +416,11 @@ EOT;
|
|
|
$subject = User::DOMAIN_NAME . " password reset request";
|
|
$subject = User::DOMAIN_NAME . " password reset request";
|
|
|
$body = <<<EOT
|
|
$body = <<<EOT
|
|
|
Hi,
|
|
Hi,
|
|
|
-
|
|
|
|
|
this is an automated message to let you know that someone requested a password reset for the $domain_name user account with user name "$username", which is linked to this email address.
|
|
this is an automated message to let you know that someone requested a password reset for the $domain_name user account with user name "$username", which is linked to this email address.
|
|
|
-
|
|
|
|
|
We've reset the password to the following 64 character string, so make sure to copy/paste it without any leading or trailing spaces:
|
|
We've reset the password to the following 64 character string, so make sure to copy/paste it without any leading or trailing spaces:
|
|
|
-
|
|
|
|
|
$newpassword
|
|
$newpassword
|
|
|
-
|
|
|
|
|
If you didn't even know this account existed, now is the time to log in and delete it. How dare people use your email address to register accounts! Of course, if you did register it yourself, but you didn't request the reset, some jerk is apparently reset-spamming. We hope he gets run over by a steam shovel driven by rabid ocelots or something.
|
|
If you didn't even know this account existed, now is the time to log in and delete it. How dare people use your email address to register accounts! Of course, if you did register it yourself, but you didn't request the reset, some jerk is apparently reset-spamming. We hope he gets run over by a steam shovel driven by rabid ocelots or something.
|
|
|
-
|
|
|
|
|
Then again, it's far more likely that you did register this account, and you simply forgot the password so you asked for the reset yourself, in which case: here's your new password, and thank you for your patronage at $domain_name!
|
|
Then again, it's far more likely that you did register this account, and you simply forgot the password so you asked for the reset yourself, in which case: here's your new password, and thank you for your patronage at $domain_name!
|
|
|
-
|
|
|
|
|
- the $domain_name team
|
|
- the $domain_name team
|
|
|
EOT;
|
|
EOT;
|
|
|
$headers = "From: $from\r\n";
|
|
$headers = "From: $from\r\n";
|
|
@@ -498,18 +429,15 @@ EOT;
|
|
|
//mail($email, $subject, $body, $headers);
|
|
//mail($email, $subject, $body, $headers);
|
|
|
$this->startEmail($email, $username, $subject, $body);
|
|
$this->startEmail($email, $username, $subject, $body);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// ------------------
|
|
// ------------------
|
|
|
// specific functions
|
|
// specific functions
|
|
|
// ------------------
|
|
// ------------------
|
|
|
-
|
|
|
|
|
// session management: set session values
|
|
// session management: set session values
|
|
|
function setSession($username, $token)
|
|
function setSession($username, $token)
|
|
|
{
|
|
{
|
|
|
$_SESSION["username"]=$username;
|
|
$_SESSION["username"]=$username;
|
|
|
$_SESSION["token"]=$token;
|
|
$_SESSION["token"]=$token;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// session management: reset session values
|
|
// session management: reset session values
|
|
|
function resetSession()
|
|
function resetSession()
|
|
|
{
|
|
{
|
|
@@ -525,7 +453,6 @@ EOT;
|
|
|
setcookie("cookiePassword", '', time() - 3600, '/', DOMAIN);
|
|
setcookie("cookiePassword", '', time() - 3600, '/', DOMAIN);
|
|
|
setcookie("cookiePassword", '', time() - 3600, '/');
|
|
setcookie("cookiePassword", '', time() - 3600, '/');
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Validate a username. Empty usernames or names
|
|
* Validate a username. Empty usernames or names
|
|
|
* that are modified by making them SQL safe are
|
|
* that are modified by making them SQL safe are
|
|
@@ -538,7 +465,6 @@ EOT;
|
|
|
if(!$validated) { $this->error = "user name did not pass validation."; $this->error("user name did not pass validation."); }
|
|
if(!$validated) { $this->error = "user name did not pass validation."; $this->error("user name did not pass validation."); }
|
|
|
return $validated;
|
|
return $validated;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Clean strings for SQL insertion as string in SQLite (single quote enclosed).
|
|
* Clean strings for SQL insertion as string in SQLite (single quote enclosed).
|
|
|
* Note that if the cleaning changes the string, this system won't insert.
|
|
* Note that if the cleaning changes the string, this system won't insert.
|
|
@@ -551,7 +477,6 @@ EOT;
|
|
|
$replace = array('', '', '');
|
|
$replace = array('', '', '');
|
|
|
return trim(str_replace($search, $replace, $string));
|
|
return trim(str_replace($search, $replace, $string));
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Verify that the given username is allowed
|
|
* Verify that the given username is allowed
|
|
|
* to perform the given operation.
|
|
* to perform the given operation.
|
|
@@ -563,17 +488,12 @@ EOT;
|
|
|
|
|
|
|
|
// logged in, but do the tokens match?
|
|
// logged in, but do the tokens match?
|
|
|
$token = $this->get_user_token($username);
|
|
$token = $this->get_user_token($username);
|
|
|
-
|
|
|
|
|
if(MULTIPLELOGIN == "false"){
|
|
if(MULTIPLELOGIN == "false"){
|
|
|
|
|
|
|
|
if(isset($_COOKIE["Organizr"])){
|
|
if(isset($_COOKIE["Organizr"])){
|
|
|
-
|
|
|
|
|
if($_COOKIE["Organizr"] == $token){
|
|
if($_COOKIE["Organizr"] == $token){
|
|
|
-
|
|
|
|
|
return true;
|
|
return true;
|
|
|
-
|
|
|
|
|
}else{
|
|
}else{
|
|
|
-
|
|
|
|
|
$this->error("cookie token mismatch for $username");
|
|
$this->error("cookie token mismatch for $username");
|
|
|
unset($_COOKIE['Organizr']);
|
|
unset($_COOKIE['Organizr']);
|
|
|
setcookie('Organizr', '', time() - 3600, '/', DOMAIN);
|
|
setcookie('Organizr', '', time() - 3600, '/', DOMAIN);
|
|
@@ -585,18 +505,14 @@ EOT;
|
|
|
setcookie("cookiePassword", '', time() - 3600, '/', DOMAIN);
|
|
setcookie("cookiePassword", '', time() - 3600, '/', DOMAIN);
|
|
|
setcookie("cookiePassword", '', time() - 3600, '/');
|
|
setcookie("cookiePassword", '', time() - 3600, '/');
|
|
|
return false;
|
|
return false;
|
|
|
-
|
|
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
}else{
|
|
}else{
|
|
|
-
|
|
|
|
|
if($token != $_SESSION["token"]) {
|
|
if($token != $_SESSION["token"]) {
|
|
|
|
|
|
|
|
$this->error("token mismatch for $username");
|
|
$this->error("token mismatch for $username");
|
|
|
return false;
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// active, using the correct token -> authenticated
|
|
// active, using the correct token -> authenticated
|
|
|
setcookie("cookiePassword", COOKIEPASSWORD, time() + (86400 * 7), "/", DOMAIN);
|
|
setcookie("cookiePassword", COOKIEPASSWORD, time() + (86400 * 7), "/", DOMAIN);
|
|
|
return true;
|
|
return true;
|
|
@@ -611,7 +527,6 @@ EOT;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Unicode friendly(ish) version of strtolower
|
|
* Unicode friendly(ish) version of strtolower
|
|
|
* see: http://ca3.php.net/manual/en/function.strtolower.php#91805
|
|
* see: http://ca3.php.net/manual/en/function.strtolower.php#91805
|
|
@@ -630,7 +545,6 @@ EOT;
|
|
|
"Ь", "Э", "Ю", "Я" );
|
|
"Ь", "Э", "Ю", "Я" );
|
|
|
return str_replace($convert_from, $convert_to, $string);
|
|
return str_replace($convert_from, $convert_to, $string);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* This functions flattens user name strings for similarity comparison purposes
|
|
* This functions flattens user name strings for similarity comparison purposes
|
|
|
*/
|
|
*/
|
|
@@ -646,7 +560,6 @@ EOT;
|
|
|
// finally, collapse case
|
|
// finally, collapse case
|
|
|
return $this->strtolower_utf8($string);
|
|
return $this->strtolower_utf8($string);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* We don't require assloads of personal information.
|
|
* We don't require assloads of personal information.
|
|
|
* A username and a password are all we want. The rest
|
|
* A username and a password are all we want. The rest
|
|
@@ -662,7 +575,6 @@ EOT;
|
|
|
foreach($this->database->query($queryAdmin) as $data) {
|
|
foreach($this->database->query($queryAdmin) as $data) {
|
|
|
$newRole = "user";
|
|
$newRole = "user";
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
// Does user already exist? (see notes on safe reporting)
|
|
// Does user already exist? (see notes on safe reporting)
|
|
|
if(User::unsafe_reporting) {
|
|
if(User::unsafe_reporting) {
|
|
|
$query = "SELECT username FROM users WHERE username LIKE '$username'";
|
|
$query = "SELECT username FROM users WHERE username LIKE '$username'";
|
|
@@ -679,7 +591,6 @@ EOT;
|
|
|
$this->error = "<strong>$username</strong> is not allowed, because it is too similar to other user names.";
|
|
$this->error = "<strong>$username</strong> is not allowed, because it is too similar to other user names.";
|
|
|
$this->error("<strong>$username</strong> is not allowed, because it is too similar to other user names.");
|
|
$this->error("<strong>$username</strong> is not allowed, because it is too similar to other user names.");
|
|
|
return false; }}
|
|
return false; }}
|
|
|
-
|
|
|
|
|
// Is email address already in use? (see notes on safe reporting)
|
|
// Is email address already in use? (see notes on safe reporting)
|
|
|
$query = "SELECT * FROM users WHERE email = '$email'";
|
|
$query = "SELECT * FROM users WHERE email = '$email'";
|
|
|
foreach($this->database->query($query) as $data) {
|
|
foreach($this->database->query($query) as $data) {
|
|
@@ -687,7 +598,6 @@ EOT;
|
|
|
$this->error = "this email address is already in use by someone else.";
|
|
$this->error = "this email address is already in use by someone else.";
|
|
|
$this->error("this email address is already in use by someone else.");
|
|
$this->error("this email address is already in use by someone else.");
|
|
|
return false; }
|
|
return false; }
|
|
|
-
|
|
|
|
|
// This user can be registered
|
|
// This user can be registered
|
|
|
$insert = "INSERT INTO users (username, email, password, token, role, active, last) ";
|
|
$insert = "INSERT INTO users (username, email, password, token, role, active, last) ";
|
|
|
$insert .= "VALUES ('$username', '$email', '$dbpassword', '', '$newRole', 'false', '') ";
|
|
$insert .= "VALUES ('$username', '$email', '$dbpassword', '', '$newRole', 'false', '') ";
|
|
@@ -708,86 +618,116 @@ EOT;
|
|
|
$this->error("unknown database error occured.");
|
|
$this->error("unknown database error occured.");
|
|
|
return false;
|
|
return false;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Log a user in
|
|
* Log a user in
|
|
|
*/
|
|
*/
|
|
|
- function login_user($username, $sha1, $remember)
|
|
|
|
|
- {
|
|
|
|
|
|
|
+ function login_user($username, $sha1, $remember, $password) {
|
|
|
|
|
|
|
|
- function buildLog($username, $authType){
|
|
|
|
|
-
|
|
|
|
|
- if(file_exists(FAIL_LOG)) {
|
|
|
|
|
-
|
|
|
|
|
|
|
+ function buildLog($username, $authType) {
|
|
|
|
|
+ if(file_exists(FAIL_LOG)) {
|
|
|
$getFailLog = str_replace("\r\ndate", "date", file_get_contents(FAIL_LOG));
|
|
$getFailLog = str_replace("\r\ndate", "date", file_get_contents(FAIL_LOG));
|
|
|
-
|
|
|
|
|
$gotFailLog = json_decode($getFailLog, true);
|
|
$gotFailLog = json_decode($getFailLog, true);
|
|
|
-
|
|
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
$failLogEntryFirst = array('logType' => 'login_log', 'auth' => array(array('date' => date("Y-m-d H:i:s"), 'username' => $username, 'ip' => $_SERVER['REMOTE_ADDR'], 'auth_type' => $authType)));
|
|
$failLogEntryFirst = array('logType' => 'login_log', 'auth' => array(array('date' => date("Y-m-d H:i:s"), 'username' => $username, 'ip' => $_SERVER['REMOTE_ADDR'], 'auth_type' => $authType)));
|
|
|
-
|
|
|
|
|
$failLogEntry = array('date' => date("Y-m-d H:i:s"), 'username' => $username, 'ip' => $_SERVER['REMOTE_ADDR'], 'auth_type' => $authType);
|
|
$failLogEntry = array('date' => date("Y-m-d H:i:s"), 'username' => $username, 'ip' => $_SERVER['REMOTE_ADDR'], 'auth_type' => $authType);
|
|
|
-
|
|
|
|
|
if(isset($gotFailLog)) {
|
|
if(isset($gotFailLog)) {
|
|
|
-
|
|
|
|
|
array_push($gotFailLog["auth"], $failLogEntry);
|
|
array_push($gotFailLog["auth"], $failLogEntry);
|
|
|
-
|
|
|
|
|
$writeFailLog = str_replace("date", "\r\ndate", json_encode($gotFailLog));
|
|
$writeFailLog = str_replace("date", "\r\ndate", json_encode($gotFailLog));
|
|
|
-
|
|
|
|
|
- }else{
|
|
|
|
|
-
|
|
|
|
|
|
|
+ } else {
|
|
|
$writeFailLog = str_replace("date", "\r\ndate", json_encode($failLogEntryFirst));
|
|
$writeFailLog = str_replace("date", "\r\ndate", json_encode($failLogEntryFirst));
|
|
|
-
|
|
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
return $writeFailLog;
|
|
return $writeFailLog;
|
|
|
-
|
|
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
- // transform sha1 into real password
|
|
|
|
|
- $dbpassword = $this->token_hash_password($username, $sha1, $this->get_user_token($username));
|
|
|
|
|
- if($dbpassword==$sha1) {
|
|
|
|
|
- $this->info("password hashing is not implemented.");
|
|
|
|
|
- return false; }
|
|
|
|
|
-
|
|
|
|
|
- // perform the authentication step
|
|
|
|
|
- $query = "SELECT password FROM users WHERE username = '$username'";
|
|
|
|
|
- foreach($this->database->query($query) as $data) {
|
|
|
|
|
- if($dbpassword==$data["password"]) {
|
|
|
|
|
|
|
+
|
|
|
|
|
+ // External Authentication
|
|
|
|
|
+ $authSuccess = false;
|
|
|
|
|
+ $function = 'plugin_auth_'.AUTHBACKEND;
|
|
|
|
|
+ switch (AUTHTYPE) {
|
|
|
|
|
+ case 'external':
|
|
|
|
|
+ if (function_exists($function)) {
|
|
|
|
|
+ $authSuccess = $function($username, $password);
|
|
|
|
|
+ }
|
|
|
|
|
+ break;
|
|
|
|
|
+ case 'both':
|
|
|
|
|
+ if (function_exists($function)) {
|
|
|
|
|
+ $authSuccess = $function($username, $password);
|
|
|
|
|
+ }
|
|
|
|
|
+ default: // Internal
|
|
|
|
|
+ if (!$authSuccess) {
|
|
|
|
|
+ // perform the internal authentication step
|
|
|
|
|
+ $query = "SELECT password FROM users WHERE username = '$username'";
|
|
|
|
|
+ foreach($this->database->query($query) as $data) {
|
|
|
|
|
+
|
|
|
|
|
+ if (password_verify($password, $data["password"])) { // Better
|
|
|
|
|
+ $authSuccess = true;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ // Legacy - Less Secure
|
|
|
|
|
+ $dbpassword = $this->token_hash_password($username, $sha1, $this->get_user_token($username));
|
|
|
|
|
+ if($dbpassword==$data["password"]) {
|
|
|
|
|
+ $authSuccess = true;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if ($authSuccess) {
|
|
|
|
|
+ // Make sure user exists in database
|
|
|
|
|
+ $query = "SELECT username FROM users WHERE username = '$username'";
|
|
|
|
|
+ $userExists = false;
|
|
|
|
|
+ foreach($this->database->query($query) as $data) {
|
|
|
|
|
+ if ($data['username'] == $username) {
|
|
|
|
|
+ $userExists = true;
|
|
|
|
|
+ break;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if ($userExists) {
|
|
|
// authentication passed - 1) mark active and update token
|
|
// authentication passed - 1) mark active and update token
|
|
|
$this->mark_user_active($username);
|
|
$this->mark_user_active($username);
|
|
|
$this->setSession($username, $this->update_user_token($username, $sha1, false));
|
|
$this->setSession($username, $this->update_user_token($username, $sha1, false));
|
|
|
// authentication passed - 2) signal authenticated
|
|
// authentication passed - 2) signal authenticated
|
|
|
- if($remember == "true") {
|
|
|
|
|
- setcookie("Organizr", $this->get_user_token($username), time() + (86400 * 7), "/", DOMAIN);
|
|
|
|
|
- setcookie("OrganizrU", $username, time() + (86400 * 7), "/", DOMAIN);
|
|
|
|
|
-
|
|
|
|
|
- }
|
|
|
|
|
|
|
+ if($remember == "true") {
|
|
|
|
|
+ setcookie("Organizr", $this->get_user_token($username), time() + (86400 * 7), "/", DOMAIN);
|
|
|
|
|
+ setcookie("OrganizrU", $username, time() + (86400 * 7), "/", DOMAIN);
|
|
|
|
|
+
|
|
|
|
|
+ }
|
|
|
$this->info("Welcome $username");
|
|
$this->info("Welcome $username");
|
|
|
- file_put_contents(FAIL_LOG, buildLog($username, "good_auth"));
|
|
|
|
|
- chmod(FAIL_LOG, 0660);
|
|
|
|
|
- setcookie("cookiePassword", COOKIEPASSWORD, time() + (86400 * 7), "/", DOMAIN);
|
|
|
|
|
- return true;
|
|
|
|
|
-
|
|
|
|
|
- }
|
|
|
|
|
|
|
+ file_put_contents(FAIL_LOG, buildLog($username, "good_auth"));
|
|
|
|
|
+ chmod(FAIL_LOG, 0660);
|
|
|
|
|
+ setcookie("cookiePassword", COOKIEPASSWORD, time() + (86400 * 7), "/", DOMAIN);
|
|
|
|
|
+ return true;
|
|
|
|
|
+ } else if (AUTHBACKENDCREATE !== 'false') {
|
|
|
|
|
+ // Create User
|
|
|
|
|
+ debug_out('Place Create Code Here!',1);
|
|
|
|
|
+ } else {
|
|
|
|
|
+ // authentication failed
|
|
|
|
|
+ //$this->info("Successful Backend Auth, No User in DB, Create Set to False");
|
|
|
|
|
+ file_put_contents(FAIL_LOG, buildLog($username, "bad_auth"));
|
|
|
|
|
+ chmod(FAIL_LOG, 0660);
|
|
|
|
|
+ if(User::unsafe_reporting) { $this->error = "Successful Backend Auth, $username not in DB, Create Set to False."; $this->error("Successful Backend Auth, $username not in DB, Create Set to False."); }
|
|
|
|
|
+ else { $this->error = "Not permitted to login as this user, please contact an administrator."; $this->error("Not permitted to login as this user, please contact an administrator"); }
|
|
|
|
|
+ return false;
|
|
|
|
|
+ }
|
|
|
|
|
+ } else if (!$authSuccess) {
|
|
|
// authentication failed
|
|
// authentication failed
|
|
|
//$this->info("password mismatch for $username");
|
|
//$this->info("password mismatch for $username");
|
|
|
- file_put_contents(FAIL_LOG, buildLog($username, "bad_auth"));
|
|
|
|
|
- chmod(FAIL_LOG, 0660);
|
|
|
|
|
|
|
+ file_put_contents(FAIL_LOG, buildLog($username, "bad_auth"));
|
|
|
|
|
+ chmod(FAIL_LOG, 0660);
|
|
|
if(User::unsafe_reporting) { $this->error = "incorrect password for $username."; $this->error("incorrect password for $username."); }
|
|
if(User::unsafe_reporting) { $this->error = "incorrect password for $username."; $this->error("incorrect password for $username."); }
|
|
|
else { $this->error = "the specified username/password combination is incorrect."; $this->error("the specified username/password combination is incorrect."); }
|
|
else { $this->error = "the specified username/password combination is incorrect."; $this->error("the specified username/password combination is incorrect."); }
|
|
|
- return false; }
|
|
|
|
|
-
|
|
|
|
|
- // authentication could not take place
|
|
|
|
|
- //$this->info("there was no user $username in the database");
|
|
|
|
|
- file_put_contents(FAIL_LOG, buildLog($username, "bad_auth"));
|
|
|
|
|
- chmod(FAIL_LOG, 0660);
|
|
|
|
|
- if(User::unsafe_reporting) { $this->error = "user $username is unknown."; $this->error("user $username is unknown."); }
|
|
|
|
|
- else { $this->error = "you either did not correctly input your username, or password (... or both)."; $this->error("you either did not correctly input your username, or password (... or both)."); }
|
|
|
|
|
- return false;
|
|
|
|
|
|
|
+ return false;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ // authentication could not take place
|
|
|
|
|
+ //$this->info("there was no user $username in the database");
|
|
|
|
|
+ file_put_contents(FAIL_LOG, buildLog($username, "bad_auth"));
|
|
|
|
|
+ chmod(FAIL_LOG, 0660);
|
|
|
|
|
+ if(User::unsafe_reporting) { $this->error = "user $username is unknown."; $this->error("user $username is unknown."); }
|
|
|
|
|
+ else { $this->error = "you either did not correctly input your username, or password (... or both)."; $this->error("you either did not correctly input your username, or password (... or both)."); }
|
|
|
|
|
+ return false;
|
|
|
|
|
+ }
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Update a user's information
|
|
* Update a user's information
|
|
|
*/
|
|
*/
|
|
@@ -805,7 +745,6 @@ EOT;
|
|
|
$this->database->exec($update); }
|
|
$this->database->exec($update); }
|
|
|
$this->info("updated the information for <strong>$username</strong>");
|
|
$this->info("updated the information for <strong>$username</strong>");
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Log a user out.
|
|
* Log a user out.
|
|
|
*/
|
|
*/
|
|
@@ -826,7 +765,6 @@ EOT;
|
|
|
setcookie("cookiePassword", '', time() - 3600, '/');
|
|
setcookie("cookiePassword", '', time() - 3600, '/');
|
|
|
return true;
|
|
return true;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Drop a user from the system
|
|
* Drop a user from the system
|
|
|
*/
|
|
*/
|
|
@@ -841,7 +779,6 @@ EOT;
|
|
|
$this->info("and we deleted user directory $dir");
|
|
$this->info("and we deleted user directory $dir");
|
|
|
return true;
|
|
return true;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* The incoming password will already be a sha1 print (40 bytes) long,
|
|
* The incoming password will already be a sha1 print (40 bytes) long,
|
|
|
* but for the database we want it to be hased as sha256 (using 64 bytes).
|
|
* but for the database we want it to be hased as sha256 (using 64 bytes).
|
|
@@ -850,7 +787,6 @@ EOT;
|
|
|
{
|
|
{
|
|
|
return hash("sha256", $username . $sha1 . $token);
|
|
return hash("sha256", $username . $sha1 . $token);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Get a user's email address
|
|
* Get a user's email address
|
|
|
*/
|
|
*/
|
|
@@ -861,7 +797,6 @@ EOT;
|
|
|
foreach($this->database->query($query) as $data) { return $data["email"]; }}
|
|
foreach($this->database->query($query) as $data) { return $data["email"]; }}
|
|
|
return "";
|
|
return "";
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Get a user's role
|
|
* Get a user's role
|
|
|
*/
|
|
*/
|
|
@@ -880,7 +815,6 @@ EOT;
|
|
|
foreach($this->database->query($query) as $data) { return $data["group"]; }}
|
|
foreach($this->database->query($query) as $data) { return $data["group"]; }}
|
|
|
return User::GUEST_USER;
|
|
return User::GUEST_USER;
|
|
|
}*/
|
|
}*/
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Get the user token
|
|
* Get the user token
|
|
|
*/
|
|
*/
|
|
@@ -890,7 +824,6 @@ EOT;
|
|
|
foreach($this->database->query($query) as $data) { return $data["token"]; }
|
|
foreach($this->database->query($query) as $data) { return $data["token"]; }
|
|
|
return false;
|
|
return false;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Update the user's token and password upon successful login
|
|
* Update the user's token and password upon successful login
|
|
|
*/
|
|
*/
|
|
@@ -900,7 +833,6 @@ EOT;
|
|
|
$token = $this->random_hex_string(32);
|
|
$token = $this->random_hex_string(32);
|
|
|
$update = "UPDATE users SET token = '$token' WHERE username = '$username'";
|
|
$update = "UPDATE users SET token = '$token' WHERE username = '$username'";
|
|
|
$this->database->exec($update);
|
|
$this->database->exec($update);
|
|
|
-
|
|
|
|
|
// update the user's password
|
|
// update the user's password
|
|
|
$newpassword = $this->token_hash_password($username, $sha1, $token);
|
|
$newpassword = $this->token_hash_password($username, $sha1, $token);
|
|
|
$update = "UPDATE users SET password = '$newpassword' WHERE username = '$username'";
|
|
$update = "UPDATE users SET password = '$newpassword' WHERE username = '$username'";
|
|
@@ -908,10 +840,8 @@ EOT;
|
|
|
if($noMsg == "false"){
|
|
if($noMsg == "false"){
|
|
|
$this->info("token and password updated for <strong>$username</strong>");
|
|
$this->info("token and password updated for <strong>$username</strong>");
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
return $token;
|
|
return $token;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Mark a user as active.
|
|
* Mark a user as active.
|
|
|
*/
|
|
*/
|
|
@@ -922,7 +852,6 @@ EOT;
|
|
|
//$this->info("$username has been marked currently active.");
|
|
//$this->info("$username has been marked currently active.");
|
|
|
return true;
|
|
return true;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Check if user can be considered active
|
|
* Check if user can be considered active
|
|
|
*/
|
|
*/
|
|
@@ -935,7 +864,6 @@ EOT;
|
|
|
$last = intval($data["last"]);
|
|
$last = intval($data["last"]);
|
|
|
$active = $data["active"];
|
|
$active = $data["active"];
|
|
|
break; }
|
|
break; }
|
|
|
-
|
|
|
|
|
if($active=="true") {
|
|
if($active=="true") {
|
|
|
$diff = time() - $last;
|
|
$diff = time() - $last;
|
|
|
if($diff >= User::time_out) {
|
|
if($diff >= User::time_out) {
|
|
@@ -944,12 +872,10 @@ EOT;
|
|
|
return false; }
|
|
return false; }
|
|
|
//$this->info("$username is active");
|
|
//$this->info("$username is active");
|
|
|
return true; }
|
|
return true; }
|
|
|
-
|
|
|
|
|
$this->error("<strong>$username</strong> is not active");
|
|
$this->error("<strong>$username</strong> is not active");
|
|
|
$this->resetSession();
|
|
$this->resetSession();
|
|
|
return false;
|
|
return false;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Random hex string generator
|
|
* Random hex string generator
|
|
|
*/
|
|
*/
|
|
@@ -960,7 +886,6 @@ EOT;
|
|
|
while($len-->0) { $string .= $this->hex[mt_rand(0, $max)]; }
|
|
while($len-->0) { $string .= $this->hex[mt_rand(0, $max)]; }
|
|
|
return $string;
|
|
return $string;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Random password string generator
|
|
* Random password string generator
|
|
|
*/
|
|
*/
|
Cerothen