README update

config updates
Config file updates
2018-06-08 16:58:07 +09:00 · 2018-06-08 16:48:42 +09:00 · 2018-06-08 16:46:25 +09:00 · 2018-06-08 16:41:35 +09:00 · 2018-06-06 18:58:09 +09:00 · 2018-06-04 18:53:28 +09:00
21 changed files with 504 additions and 239 deletions
--- a/README.md
+++ b/README.md
@@ -18,7 +18,9 @@ The active branch, which is the namespace branch

 ### legacy

-The old non namepsace format layout. This will only get bug fixes and no new development
+The old non namepsace format layout.
+This is fully deprecated and will no longer be maintaned.
+last tested PHP 5.6 and PHP 7.0

 ### namespace

--- a/www/admin/class_test.php
+++ b/www/admin/class_test.php
@@ -1,4 +1,5 @@
 <?php
+
 $DEBUG_ALL_OVERRIDE = 0; // set to 1 to debug on live/remote server locations
 $DEBUG_ALL = 1;
 $PRINT_ALL = 1;
@@ -15,7 +16,9 @@ define('USE_DATABASE', true);
 // sample config
 require("config.inc");
 // set session name
-DEFINE('SET_SESSION_NAME', EDIT_SESSION_NAME);
+if (!defined('SET_SESSION_NAME')) {
+	DEFINE('SET_SESSION_NAME', EDIT_SESSION_NAME);
+}
 // define log file id
 DEFINE('LOG_FILE_ID', 'classTest');
 // set language for l10n
@@ -181,8 +184,14 @@ print "OTHER SCHEMA INSERT STATUS: ".$status." | PK NAME: ".$basic->pk_name.", P
 // time string thest
 $timestamp = 5887998.33445;
 $time_string = $basic->timeStringFormat($timestamp);
+print "PLANE TIME STRING: ".$timestamp."<br>";
 print "TIME STRING TEST: ".$time_string."<br>";
-print "REVERSE TIME STRING: ".$basic->stringToTime($time_string);
+print "REVERSE TIME STRING: ".$basic->stringToTime($time_string)."<br>";
+if (round($timestamp, 4) == $basic->stringToTime($time_string)) {
+	print "REVERSE TIME STRING MATCH<br>";
+} else {
+	print "REVERSE TRIME STRING DO NOT MATCH<br>";
+}

 // magic links test
 print $basic->magicLinks('user@bubu.at').'<br>';
--- a/www/admin/files.php
+++ b/www/admin/files.php
@@ -52,6 +52,9 @@ if (!$show_type) {
 	$show_type = 'P';
 }

+// set edit access array
+$edit_access_ids = array_keys($cms->user_unit);
+
 // yes no list (online)
 $yesno_list['f'] = 'No';
 $yesno_list['t'] = 'Yes';
@@ -262,9 +265,16 @@ if ($cms->action == 'delete' && $cms->action_yes == 'true') {
 	}
 	if (QUEUE == 'live_queue') {
 		$q = "INSERT INTO ".GLOBAL_DB_SCHEMA.".live_queue (queue_key, key_value, key_name, type, target, data, group_key, action, file) VALUES (";
-		$q .= "'".$cms->queue_name."', '".$file_uid."', 'file_uid', 'DELETE', 'file', '', '".$cms->queue_key."', '".$cms->action."', '".BASE.MEDIA.$cms->data_path[$file_type].PUBLIC_SCHEMA."_".$file_uid."')";
+		$q .= "'".$cms->queue_name."', '".$file_uid."', 'file_uid', 'DELETE', 'file', '', '".$cms->queue_key."', '".$cms->action."', '".
+		$q .= BASE.MEDIA.$cms->data_path[$file_type].PUBLIC_SCHEMA."_".$file_uid."')";
 	}
 	@unlink(BASE.MEDIA.$cms->data_path[$file_type].DEV_SCHEMA."_".$file_uid);
+	// wipe out any old cache data for this new upload
+	if (is_array(glob($cms->cache_pictures."thumb_".TEST_SCHEMA."_".$file_uid."*"))) {
+		foreach (glob($cms->cache_pictures."thumb_".TEST_SCHEMA."_".$file_uid."*") as $filename) {
+			@unlink($filename);
+		}
+	}
 	unset($file_uid);
 	unset($file_id);
 	$delete_done = 1;
@@ -297,6 +307,12 @@ if ($cms->action_flag == 'set_live' && $cms->action = 'set_delete') {
 		$q_del = "DELETE FROM ".PUBLIC_SCHEMA.".file WHERE file_uid = '".$res['pkid'].'"';
 		$cms->db_exec($q_del);
 		@unlink(BASE.MEDIA.$cms->data_path[$res['type']].PUBLIC_SCHEMA."_".$res['file_uid']);
+		// wipe out any old cache data for this new upload
+		if (is_array(glob($cms->cache_pictures."thumb_".LIVE_SCHEMA."_".$file_uid."*"))) {
+			foreach (glob($cms->cache_pictures."thumb_".LIVE_SCHEMA."_".$file_uid."*") as $filename) {
+				@unlink($filename);
+			}
+		}
 	}
 	$q = "DELETE FROM ".LOGIN_DB_SCHEMA.".set_live WHERE table_name = '".$cms->page_name."' AND delete_flag = 't'";
 	$cms->db_exec($q);
@@ -304,13 +320,21 @@ if ($cms->action_flag == 'set_live' && $cms->action = 'set_delete') {
 if (DEV_SCHEMA != PUBLIC_SCHEMA) {
 	// read out possible deleted, to add "delete from live"
 	$q = "SELECT pkid FROM ".LOGIN_DB_SCHEMA.".set_live WHERE table_name = '".$cms->page_name."' AND delete_flag = 't'";
+	if ($cms->access_rights['base_acl'] < 90) {
+		$q .= "AND edit_access_id IN (".join(',', $edit_access_ids).") ";
+	}
 	while ($res = $cms->db_return($q, 3)) {
 		$cms->DATA['set_delete'][]['pkid'] = $res['pkid'];
 	}
 }
 // get th max entries
 $q = "SELECT COUNT(file_uid) FROM file ";
-$q_search_where = "WHERE type in ('".str_replace(',', "','", $show_type)."') ";
+$q_search_where = "WHERE ";
+// only for current edit_access id, unless it is an admin user, then he can see all of them
+if ($cms->access_rights['base_acl'] < 90) {
+	$q_search_where .= "edit_access_id IN (".join(',', $edit_access_ids).") AND ";
+}
+$q_search_where .= "type in ('".str_replace(',', "','", $show_type)."') ";
 if ($search_what) {
 	$q_search_where .= "AND LOWER(name_en) LIKE '%".addslashes(strtolower($search_what))."%' OR name_ja LIKE '%".addslashes($search_what)."%' OR LOWER(file_name) LIKE '%".addslashes(strtolower($search_what))."%' ";
 }
--- a/www/admin/set_paths.inc
+++ b/www/admin/set_paths.inc
@@ -117,3 +117,5 @@ if (false === strstr(LAYOUT.DEFAULT_TEMPLATE.LANG, $cms->lang_dir) || strcasecmp
 //	$cms->debug("LANGUAGE", "L: $lang | ".$cms->lang_dir." | MO File: ".$cms->l->mofile);
 $cms->debug("LANGUAGE", "SL: ".$_SESSION['DEFAULT_CHARSET']." | ".$_SESSION['LANG']." | ".$_SESSION['DEFAULT_LANG']);
 $cms->debug("TEMPLATE", "P: ".$smarty->getTemplateDir()[0]);
+
+# __END__
--- a/www/admin/smarty.inc
+++ b/www/admin/smarty.inc
@@ -90,7 +90,7 @@ $cms->DEBUG_DATA['DEBUG'] = @$DEBUG_TMPL;
 // create main data array
 $cms->CONTENT_DATA = array_merge($cms->HEADER, $cms->DATA, $cms->DEBUG_DATA);
 // data is 1:1 mapping (all vars, values, etc)
-while (list($key, $value) = each($cms->CONTENT_DATA)) {
+foreach ($cms->CONTENT_DATA as $key => $value) {
 	$smarty->assign($key, $value);
 }
 if (is_dir(BASE.TEMPLATES_C)) {
@@ -100,3 +100,5 @@ if (is_dir(BASE.CACHE)) {
 	$smarty->setCacheDir(BASE.CACHE);
 }
 $smarty->display($MASTER_TEMPLATE_NAME, $TEMPLATE.$lang, $TEMPLATE.$lang);
+
+# __END__
--- a/www/admin/table_arrays/array_edit_access.inc
+++ b/www/admin/table_arrays/array_edit_access.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_access = array (
 	"table_array" => array (
 		"edit_access_id" => array (
@@ -74,3 +74,5 @@ $edit_access = array (
 		)
 	)
 );
+
+# __END__
--- a/www/admin/table_arrays/array_edit_groups.inc
+++ b/www/admin/table_arrays/array_edit_groups.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_groups = array (
 	"table_array" => array (
 		"edit_group_id" => array (
@@ -97,3 +97,5 @@ $edit_groups = array (
 		) // edit pages ggroup
 	)
 );
+
+# __END__
--- a/www/admin/table_arrays/array_edit_languages.inc
+++ b/www/admin/table_arrays/array_edit_languages.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_languages=array (
 	"table_array" => array (
 		"edit_language_id" => array (
@@ -70,3 +70,5 @@ $edit_languages=array (
 	),
 	"table_name" => "edit_language"
 );
+
+# __END__
--- a/www/admin/table_arrays/array_edit_menu_group.inc
+++ b/www/admin/table_arrays/array_edit_menu_group.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_menu_group = array (
 	"table_array" => array (
 		"edit_menu_group_id" => array (
@@ -35,3 +35,5 @@ $edit_menu_group = array (
 		)
 	)
 );
+
+# __END__
--- a/www/admin/table_arrays/array_edit_pages.inc
+++ b/www/admin/table_arrays/array_edit_pages.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_pages = array (
 	"table_array" => array (
 		"edit_page_id" => array (
@@ -26,7 +26,7 @@ $edit_pages = array (
 			"int" => 1,
 			"order" => 1
 		),
-/*			"flag" => array (
+		/* "flag" => array (
 			"value" => $GLOBALS["flag"],
 			"output_name" => "Page Flag",
 			"type" => "drop_down_array",
@@ -175,3 +175,5 @@ $edit_pages = array (
 		) // query_string element list
 	) // element list
 );
+
+# __END__
--- a/www/admin/table_arrays/array_edit_schemes.inc
+++ b/www/admin/table_arrays/array_edit_schemes.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_schemes = array (
 	"table_array" => array (
 		"edit_scheme_id" => array (
@@ -53,3 +53,4 @@ $edit_schemes = array (
 	)
 ); // main array

+# __END__
--- a/www/admin/table_arrays/array_edit_users.inc
+++ b/www/admin/table_arrays/array_edit_users.inc
@@ -1,4 +1,4 @@
-<?
+<?php
 $edit_users = array (
 	"table_array" => array (
 		"edit_user_id" => array (
@@ -251,3 +251,5 @@ $edit_users = array (
 		) // edit pages ggroup
 	)
 );
+
+# __END__
--- a/www/admin/table_arrays/array_edit_visible_group.inc
+++ b/www/admin/table_arrays/array_edit_visible_group.inc
@@ -1,30 +1,32 @@
-<?
-	$edit_visible_group = array (
-		"table_array" => array (
-			"edit_visible_group_id" => array (
-				"value" => $GLOBALS["edit_visible_group_id"],
-				"type" => "hidden",
-				"pk" => 1
-			),
-			"name" => array (
-				"value" => $GLOBALS["name"],
-				"output_name" => $this->l->__("Group name"),
-				"mandatory" => 1,
-				"type" => "text"
-			),
-			"flag" => array (
-				"value" => $GLOBALS["flag"],
-				"output_name" => $this->l->__("Flag"),
-				"mandatory" => 1,
-				"type" => "text",
-				"error_check" => "alphanumeric|unique"
-			)
+<?php
+$edit_visible_group = array (
+	"table_array" => array (
+		"edit_visible_group_id" => array (
+			"value" => $GLOBALS["edit_visible_group_id"],
+			"type" => "hidden",
+			"pk" => 1
 		),
-		"table_name" => "edit_visible_group",
-		"load_query" => "SELECT edit_visible_group_id, name FROM edit_visible_group ORDER BY name",
-		"show_fields" => array (
-			array (
-				"name" => "name"
-			)
+		"name" => array (
+			"value" => $GLOBALS["name"],
+			"output_name" => $this->l->__("Group name"),
+			"mandatory" => 1,
+			"type" => "text"
+		),
+		"flag" => array (
+			"value" => $GLOBALS["flag"],
+			"output_name" => $this->l->__("Flag"),
+			"mandatory" => 1,
+			"type" => "text",
+			"error_check" => "alphanumeric|unique"
 		)
-	);
+	),
+	"table_name" => "edit_visible_group",
+	"load_query" => "SELECT edit_visible_group_id, name FROM edit_visible_group ORDER BY name",
+	"show_fields" => array (
+		array (
+			"name" => "name"
+		)
+	)
+);
+
+# __END__
--- a/www/configs/config.inc
+++ b/www/configs/config.inc
@@ -1,6 +1,6 @@
 <?
 /********************************************************************
-* AUTHOR: Clemens "Gullevek" Schwaighofer (www.gullevek.org)
+* AUTHOR: Clemens Schwaighofer
 * CREATED: 2003/06/10
 * SHORT DESCRIPTION:
 *   configuration file
@@ -9,79 +9,82 @@

 /************* SESSION NAMES *************/
 // backend
-DEFINE('EDIT_SESSION_NAME', "<ADMIN SESSION NAME>");
+DEFINE('EDIT_SESSION_NAME', '<ADMIN SESSION NAME>');
 // frontend
-DEFINE('SESSION_NAME', "<SESSION NAME>");
+DEFINE('SESSION_NAME', '<SESSION NAME>');
 // set the session name
 define('SET_SESSION_NAME', EDIT_SESSION_NAME);

 /************* LANGUAGE / ENCODING *******/
-DEFINE('DEFAULT_LANG', "en_utf8");
+DEFINE('DEFAULT_LANG', 'en_utf8');
 // default web page encoding setting
-DEFINE('DEFAULT_ENCODING', "UTF-8");
+DEFINE('DEFAULT_ENCODING', 'UTF-8');

 /************* PATHS *********************/
+// directory seperator
+DEFINE('DS', DIRECTORY_SEPARATOR);
 // ** NEW/BETTER DIR DECLARATIONS **
 // path to original file (if symlink)
-DEFINE('DIR', __DIR__."/");
-// libs base path based on DIR
-DEFINE('LIBDIR', DIR.'libs/');
-// SMARTY path based on DIR
-DEFINE('SMARTYDIR', DIR.'Smarty/');
-// table arrays for Class Form
-DEFINE('TABLEARRAYDIR', DIR.'table_arrays/');
+DEFINE('DIR', __DIR__.DS);
+// base dir root folder level
+DEFINE('BASE', str_replace('configs', '', __DIR__));

 // ** OLD DIR DECLARATIONS **
 // path to document root of file called
-DEFINE('ROOT', getcwd()."/");
+DEFINE('ROOT', getcwd().DS);
 // libs path
-DEFINE('LIBS', "libs/");
+DEFINE('LIB', 'lib'.DS);
+DEFINE('LIBS', 'lib'.DS);
 // includes (strings, arrays for static, etc)
-DEFINE('INCLUDES', "includes/");
+DEFINE('INCLUDES', 'includes'.DS);
 // layout base path
-DEFINE('LAYOUT', 'layout/');
+DEFINE('LAYOUT', 'layout'.DS);
 // pic-root (compatible to CMS)
-DEFINE('PICTURES', "images/");
+DEFINE('PICTURES', 'images'.DS);
 // images
-DEFINE('IMAGES', "images/");
+DEFINE('IMAGES', 'images'.DS);
 // icons (below the images/ folder)
-DEFINE('ICONS', 'icons/');
+DEFINE('ICONS', 'icons'.DS);
 // media
-DEFINE('MEDIA', "media/");
+DEFINE('MEDIA', 'media'.DS);
 // flash-root (below media)
-DEFINE('FLASH', "flash/");
+DEFINE('FLASH', 'flash'.DS);
 // uploads (anything to keep)
-DEFINE('UPLOADS', "uploads/");
+DEFINE('UPLOADS', 'uploads'.DS);
 // files (binaries) (below media)
-DEFINE('BINARIES', "binaries/");
+DEFINE('BINARIES', 'binaries'.DS);
 // files (videos) (below media)
-DEFINE('VIDEOS', "videos/");
+DEFINE('VIDEOS', 'videos'.DS);
 // files (documents) (below media)
-DEFINE('DOCUMENTS', "documents/");
+DEFINE('DOCUMENTS', 'documents'.DS);
 // files (pdfs) (below media)
-DEFINE('PDFS', "documents/");
+DEFINE('PDFS', 'documents'.DS);
+// CSV
+DEFINE('CSV', 'csv'.DS);
 // css
-DEFINE('CSS', "css/");
+DEFINE('CSS', 'css'.DS);
 // js
-DEFINE('JS', "javascript/");
+DEFINE('JS', 'javascript'.DS);
 // table arrays
-DEFINE('TABLE_ARRAYS', "table_arrays/");
+DEFINE('TABLE_ARRAYS', 'table_arrays'.DS);
 // smarty libs path
-DEFINE('SMARTY', "Smarty/");
+DEFINE('SMARTY', 'Smarty'.DS);
 // po langs
-DEFINE('LANG', "lang/");
+DEFINE('LANG', 'lang'.DS);
 // cache path
-DEFINE('CACHE', "cache/");
+DEFINE('CACHE', 'cache'.DS);
 // temp path
-DEFINE('TMP', "tmp/");
+DEFINE('TMP', 'tmp'.DS);
 // log files
-DEFINE('LOG', 'log/');
+DEFINE('LOG', 'log'.DS);
+// compiled template folder
+DEFINE('TEMPLATES_C', 'templates_c'.DS);
 // template base
-DEFINE('TEMPLATES', "templates/");
+DEFINE('TEMPLATES', 'templates'.DS);
 // frontend template dir', only for admin
-DEFINE('TEMPLATES_FRONTEND', "templates_frontend/");
+DEFINE('TEMPLATES_FRONTEND', 'templates_frontend'.DS);
 // default template
-DEFINE('DEFAULT_TEMPLATE', "default/");
+DEFINE('DEFAULT_TEMPLATE', 'default'.DS);
 // default template file
 DEFINE('DEFAULT_TEMPLATE_FILE', 'default.tpl');

@@ -99,14 +102,14 @@ DEFINE('DEFAULT_ACL_SEND', 70);
 DEFINE('DEFAULT_ACL_DEL', 80);
 DEFINE('DEFAULT_ACL_ADMIN', 100); */
 // SSL host name
-//	DEFINE('SSL_HOST', "ssl.host.name");
+//	DEFINE('SSL_HOST', 'ssl.host.name');
 // error page strictness, Default is 3
 // 1: only show error page as the last mesure if really no mid & aid can be loaded and found at all
 // 2: if template not found, do not search, show error template
 // 3: if default template is not found, show error template, do not fall back to default tree
 // 4: very strict, even on normal fixable errors through error
 //	DEFINE('ERROR_STRICT', 3);
-// allow page caching in general, set to "FALSE" if you do debugging or development!
+// allow page caching in general, set to 'FALSE' if you do debugging or development!
 //	DEFINE('ALLOW_SMARTY_CACHE', FALSE);
 // cache life time, in seconds, default here is 2 days (172800s)
 // -1 is never expire cache
@@ -131,6 +134,11 @@ DEFINE('PAGE_WIDTH', 800);
 // the default template name
 DEFINE('MASTER_TEMPLATE_NAME', 'main_body.tpl');

+// below two can be defined here, but they should be
+// defined in either the header file or the file itself
+/************* LOGGING *******************/
+// DEFINE('LOG_FILE_ID', '');
+
 /************* QUEUE TABLE *************/
 // if we have a dev/live system
 // set_live is a per page/per item
@@ -142,37 +150,38 @@ DEFINE('MASTER_TEMPLATE_NAME', 'main_body.tpl');
 DEFINE('PUBLIC_SCHEMA', 'public');
 DEFINE('DEV_SCHEMA', 'public');
 DEFINE('TEST_SCHEMA', 'public');
+DEFINE('LIVE_SCHEMA', 'public');

 // non constant part
 /************* DB ACCESS *****************/
 // please be VERY carefull only to change the right side
 $DB_CONFIG = array (
-	"<db id>" => array (
-		"db_name" => "<database>",
-		"db_user" => "<user>",
-		"db_pass" => "<password>",
-		"db_host" => "<host>",
-		"db_port" => "5432",
-		"db_schema" => "public", // if not set, uses public
-		"db_type" => "pgsql",
-		"db_encoding" => '',
-		"db_ssl" => 'disable' // allow, disable, require, prefer
+	'<db id>' => array (
+		'db_name' => '<database>',
+		'db_user' => '<user>',
+		'db_pass' => '<password>',
+		'db_host' => '<host>',
+		'db_port' => '5432',
+		'db_schema' => 'public', // if not set, uses public
+		'db_type' => 'pgsql',
+		'db_encoding' => '',
+		'db_ssl' => 'disable' // allow, disable, require, prefer
 	)
 );

 // File and Folder paths
 // ID is TARGET (first array element)
-//	$PATHS["test"]["csv_path"] = "";
-//	$PATHS["test"]["perl_bin"] = "";
-//	$PATHS["test"]["redirect_url"] = "";
+//	$PATHS['test']['csv_path'] = '';
+//	$PATHS['test']['perl_bin'] = '';
+//	$PATHS['test']['redirect_url'] = '';

 // each host has a different db_host
 // development host
-$DB_HOST['<host>'] = "<db id>";
+$DB_HOST['<host>'] = '<db id>';
 // target host (live)
-//	$DB_TARGET_HOST['<host>'] = "<DB ID>";
+//	$DB_TARGET_HOST['<host>'] = '<DB ID>';
 // url redirect database
-//	$DB_URL_REDIRECT_HOST['<host>'] = "<DB ID>";
+//	$DB_URL_REDIRECT_HOST['<host>'] = '<DB ID>';
 // location flagging
 // test/dev/live
 $LOCATION['<host>'] = '<test|live|remote|etc>';
@@ -188,9 +197,9 @@ $USE_DATABASE = defined('USE_DATABASE') ? USE_DATABASE : true;
 // live frontend pages
 // ** missing live domains **
 // get the name without the port
-list($HOST_NAME, $PORT) = array_pad(explode(":", $_SERVER['HTTP_HOST'], 2), 2, null);
+list($HOST_NAME) = array_pad(explode(':', $_SERVER['HTTP_HOST'], 2), 2, null);
 if (!$DB_HOST[$HOST_NAME] && $USE_DATABASE) {
-	echo "No matching DB config found. Contact Admin<br>";
+	echo 'No matching DB config found. Contact Admin<br>';
 	exit -1;
 }

@@ -217,11 +226,11 @@ DEFINE('SHOW_ALL_ERRORS', false); // show all errors if debug_all & show_error_h
 $G_TITLE = '<OVERALL PAGE TITLE>';

 /************ STYLE SHEETS / JS **********/
-$EDIT_STYLESHEET = "edit.css";
-$EDIT_JAVASCRIPT = "edit.js";
+$EDIT_STYLESHEET = 'edit.css';
+$EDIT_JAVASCRIPT = 'edit.js';

-$STYLESHEET = "frontend.css";
-$JAVASCRIPT = "frontend.js";
+$STYLESHEET = 'frontend.css';
+$JAVASCRIPT = 'frontend.js';

 /************* CONVERT *******************/
 $paths = array (
@@ -231,14 +240,14 @@ $paths = array (
 );
 // find convert
 foreach ($paths as $path) {
-	if (file_exists($path."/convert") && is_file($path."/convert")) {
+	if (file_exists($path.DS.'convert') && is_file($path.DS.'convert')) {
 		// image magick convert location
-		DEFINE('CONVERT', $path."/convert");
+		DEFINE('CONVERT', $path.DS.'convert');
 	}
 }

 // turn off debug if debug flag is OFF
-if (DEBUG == false) {
+if (defined('DEBUG') && DEBUG == false) {
 	$ECHO_ALL = 0;
 	$DEBUG_ALL = 0;
 	$PRINT_ALL = 0;
@@ -249,27 +258,7 @@ if (DEBUG == false) {
 // any other global definitons here
 //	DEFINE('SOME_ID', <SOME VALUE>);

-// function that will be called on top of each class include to load the class
-function _spl_autoload($include_file)
-{
-	// where to search for the files to include
-	$dirs = array (
-		LIBDIR,
-		SMARTYDIR,
-		TABLEARRAYDIR,
-		'',
-		LIBS,
-		SMARTY,
-		TABLE_ARRAYS,
-		__DIR__.'/'.LIBS,
-		__DIR__.'/'.SMARTY
-	);
-	// try to find and load the class ifle
-	foreach ($dirs as $folder) {
-		if (file_exists($folder.$include_file))	{
-			require_once($folder.$include_file);
-			return true;
-		}
-	}
-	return false;
-}
+// read auto loader
+require BASE.LIB.'autoloader.php';
+
+# __END__
--- a/www/configs/config.template.inc
+++ b/www/configs/config.template.inc
@@ -1,6 +1,6 @@
 <?php
 /********************************************************************
-* AUTHOR: Clemens "Gullevek" Schwaighofer (www.gullevek.org)
+* AUTHOR: Clemens Schwaighofer
 * CREATED: 2003/06/10
 * SHORT DESCRIPTION:
 *   configuration file
@@ -59,6 +59,8 @@ DEFINE('VIDEOS', "videos".DS);
 DEFINE('DOCUMENTS', "documents".DS);
 // files (pdfs) (below media)
 DEFINE('PDFS', "documents".DS);
+// CSV
+DEFINE('CSV', 'csv'.DS);
 // css
 DEFINE('CSS', "css".DS);
 // js
@@ -75,6 +77,8 @@ DEFINE('CACHE', "cache".DS);
 DEFINE('TMP', "tmp".DS);
 // log files
 DEFINE('LOG', 'log'.DS);
+// compiled template folder
+DEFINE('TEMPLATES_C', 'templates_c'.DS);
 // template base
 DEFINE('TEMPLATES', "templates".DS);
 // frontend template dir', only for admin
@@ -141,6 +145,7 @@ DEFINE('MASTER_TEMPLATE_NAME', 'main_body.tpl');
 DEFINE('PUBLIC_SCHEMA', 'public');
 DEFINE('DEV_SCHEMA', 'public');
 DEFINE('TEST_SCHEMA', 'public');
+DEFINE('LIVE_SCHEMA', 'public');

 // non constant part
 /************* DB ACCESS *****************/
--- a/www/layout/admin/default/css/edit.css
+++ b/www/layout/admin/default/css/edit.css
@@ -272,7 +272,7 @@ input[type="text"]:focus, textarea:focus, select:focus {
 }

 /* spacer for line break in float elements */
-.spacer {
+.clr, .spacer {
 	clear: both;
 }

--- a/www/lib/CoreLibs/ACL/Login.inc
+++ b/www/lib/CoreLibs/ACL/Login.inc
@@ -69,8 +69,17 @@ class Login extends \CoreLibs\DB\IO
 	private $logout; // logout button
 	private $login_error; // login error code, can be matched to the array login_error_msg, which holds the string
 	private $password_change = false; // if this is set to true, the user can change passwords
+	private $password_change_ok = false; // password change was successful
 	private $pw_change_deny_users = array (); // array of users for which the password change is forbidden

+	// if we have password change we need to define some rules
+	private $password_min_length = 8;
+	// can have several regexes, if nothing set, all is ok
+	private $password_valid_chars = array (
+		// '^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]{8,}$',
+		// '^(?.*(\pL)u)(?=.*(\pN)u)(?=.*([^\pL\pN])u).{8,}',
+	);
+
 	// all possible login error conditions
 	private $login_error_msg = array ();
 	// this is an array holding all strings & templates passed from the outside (translation)
@@ -99,7 +108,8 @@ class Login extends \CoreLibs\DB\IO

 		// no session could be found at all
 		if (!session_id()) {
-			echo "<b>Session not started!</b><br>Use 'session_start();'.<br>For less problems with other session, you can set a session name with 'session_name(\"name\");'.<br>";
+			echo "<b>Session not started!</b><br>Use 'session_start();'.<br>";
+			echo "For less problems with other session, you can set a session name with 'session_name(\"name\");'.<br>";
 			exit;
 		}

@@ -107,7 +117,15 @@ class Login extends \CoreLibs\DB\IO

 		// if we have a search path we need to set it, to use the correct DB to login
 		// check what schema to use. if there is a login schema use this, else check if there is a schema set in the config, or fall back to DB_SCHEMA if this exists, if this also does not exists use public schema
-		$SCHEMA = defined('LOGIN_DB_SCHEMA') ? LOGIN_DB_SCHEMA : ($db_config['db_schema'] ? $db_config['db_schema'] : (defined('DB_SCHEMA') ? DB_SCHEMA : 'public'));
+		if (defined('LOGIN_DB_SCHEMA')) {
+			$SCHEMA = LOGIN_DB_SCHEMA;
+		} elseif ($db_config['db_schema']) {
+			$SCHEMA = $db_config['db_schema'];
+		} elseif (defined('DB_SCHEMA')) {
+			$SCHEMA = DB_SCHEMA;
+		} else {
+			$SCHEMA = 'public';
+		}
 		// set schema if schema differs to schema set in db conneciton
 		if ($this->dbGetSchema() && $this->dbGetSchema() != $SCHEMA) {
 			$this->dbExec("SET search_path TO ".$SCHEMA);
@@ -229,6 +247,61 @@ class Login extends \CoreLibs\DB\IO
 		parent::__destruct();
 	}

+	// METHOD: loginPasswordCheck
+	// PARAMS: hash, optional password, to override
+	// RETURN: true or false
+	// DESC  : checks if password is valid, sets internal error login variable
+	private function loginPasswordCheck($hash, $password = '')
+	{
+		// check with what kind of prefix the password begins:
+		// $2a$ or $2y$: BLOWFISCH
+		// $1$: MD5
+		// $ and one alphanumeric letter, 13 chars long, but nor $ at the end: STD_DESC
+		// if no $ => normal password
+		// NOW, if we have a password encoded, but not the correct encoder available, throw special error
+		$password_ok = false;
+		if (!$password) {
+			$password = $this->password;
+		}
+		if ((preg_match("/^\\$2(a|y)\\$/", $hash) && CRYPT_BLOWFISH != 1) ||
+			(preg_match("/^\\$1\\$/", $hash) && CRYPT_MD5 != 1) ||
+			(preg_match("/^\\$[0-9A-Za-z.]{12}$/", $hash) && CRYPT_STD_DES != 1)
+		) {
+			// this means password cannot be decrypted because of missing crypt methods
+			$this->login_error = 9999;
+			$password_ok = false;
+		} elseif ((preg_match("/^\\$2(a)\\$/", $hash) ||
+			// old password have $07$ so we check this
+			(preg_match("/^\\$2(y)\\$/", $hash) && preg_match("/\\$07\\$/", $hash)) ||
+			preg_match("/^\\$1\\$/", $hash) ||
+			preg_match("/^\\$[0-9A-Za-z.]{12}$/", $hash)) &&
+			!$this->verifyCryptString($password, $hash)
+		) {
+			// check passwword as crypted, $2a$ or $2y$ is blowfish start, $1$ is MD5 start, $\w{12} is standard DES
+			// this is only for OLD $07$ password
+			$this->login_error = 1011;
+			$password_ok = false;
+		} elseif (preg_match("/^\\$2y\\$/", $hash) &&
+			!$this->passwordVerify($password, $hash)
+		) {
+			// this is the new password hash methid, is only $2y$
+			$this->login_error = 1013;
+			$password_ok = false;
+		} elseif (!preg_match("/^\\$2(a|y)\\$/", $hash) &&
+			!preg_match("/^\\$1\\$/", $hash) &&
+			!preg_match("/^\\$[0-9A-Za-z.]{12}$/", $hash) &&
+			$hash != $password
+		) {
+			// check old plain password, case sensitive
+			$this->login_error = 1012;
+			$password_ok = false;
+		} else {
+			// all ok
+			$password_ok = true;
+		}
+		return $password_ok;
+	}
+
 	// METHOD: loginLoginUser
 	// WAS   : login_login_user
 	// PARAMS: none
@@ -242,11 +315,13 @@ class Login extends \CoreLibs\DB\IO
 				$this->login_error = 102;
 			} else {
 				// we have to get the themes in here too
-				$q = "SELECT eu.edit_user_id, username, password, eu.edit_group_id, eg.name AS edit_group_name, admin, eu.login_error_count, eu.login_error_date_last, eu.login_error_date_first, eu.strict, eu.locked, ";
+				$q = "SELECT eu.edit_user_id, username, password, eu.edit_group_id, eg.name AS edit_group_name, admin, ";
+				$q .= "eu.login_error_count, eu.login_error_date_last, eu.login_error_date_first, eu.strict, eu.locked, ";
 				$q .= "debug, db_debug, ";
 				$q .= "eareu.level AS user_level, eareu.type AS user_type, ";
 				$q .= "eareg.level AS group_level, eareg.type AS group_type, ";
-				$q .= "eu.enabled, el.short_name AS lang_short, el.iso_name AS lang_iso, first.header_color AS first_header_color, second.header_color AS second_header_color, second.template ";
+				$q .= "eu.enabled, el.short_name AS lang_short, el.iso_name AS lang_iso, first.header_color AS first_header_color, ";
+				$q .= "second.header_color AS second_header_color, second.template ";
 				$q .= "FROM edit_user eu ";
 				$q .= "LEFT JOIN edit_scheme second ON (second.edit_scheme_id = eu.edit_scheme_id AND second.enabled = 1), ";
 				$q .= "edit_language el, edit_group eg, ";
@@ -265,13 +340,6 @@ class Login extends \CoreLibs\DB\IO
 				} else {
 					// if login errors is half of max errors and the last login error was less than 10s ago, forbid any new login try

-					// check with what kind of prefix the password begins:
-					// $2a$ or $2y$: BLOWFISCH
-					// $1$: MD5
-					// $ and one alphanumeric letter, 13 chars long, but nor $ at the end: STD_DESC
-					// if no $ => normal password
-					// NOW, if we have a password encoded, but not the correct encoder available, throw special error
-
 					// check flow
 					// - user is enabled
 					// - user is not locked
@@ -285,27 +353,16 @@ class Login extends \CoreLibs\DB\IO
 					} elseif ($res['locked']) {
 						// user is locked, either set or auto set
 						$this->login_error = 105;
-					} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) && CRYPT_BLOWFISH != 1) ||
-						(preg_match("/^\\$1\\$/", $res['password']) && CRYPT_MD5 != 1) ||
-						(preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && CRYPT_STD_DES != 1)
-					) {
-						// this means password cannot be decrypted because of missing crypt methods
-						$this->login_error = 9999;
-					} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) ||
-						preg_match("/^\\$1\\$/", $res['password']) ||
-						preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password'])) &&
-						!$this->verifyCryptString($this->password, $res['password'])
-					) {
-						// check passwword as crypted, $2a$ or $2y$ is blowfish start, $1$ is MD5 start, $\w{12} is standard DES
-						$this->login_error = 1011;
-					} elseif (!preg_match("/^\\$2(a|y)\\$/", $res['password']) &&
-						!preg_match("/^\\$1\\$/", $res['password']) &&
-						!preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) &&
-						$res['password'] != $this->password
-					) {
-						// check old plain password, non case sensitive
-						$this->login_error = 1012;
+					} elseif (!$this->loginPasswordCheck($res['password'])) {
+						// none to be set, set in login password check
 					} else {
+						// check if the current password is an invalid hash and do a rehash and set password
+						// $this->debug('LOGIN', 'Hash: '.$res['password'].' -> VERIFY: '.($this->passwordVerify($this->password, $res['password']) ? 'OK' : 'FAIL').' => HASH: '.($this->passwordRehashCheck($res['password']) ? 'NEW NEEDED' : 'OK'));
+						if ($this->passwordRehashCheck($res['password'])) {
+							// update password hash to new one now
+							$q = "UPDATE edit_user SET password = '".$this->dbEscapeString($this->passwordSet($this->password))."' WHERE edit_user_id = ".$res['edit_user_id'];
+							$this->dbExec($q);
+						}
 						// normal user processing
 						// set class var and session var
 						$_SESSION["EUID"] = $this->euid = $res["edit_user_id"];
@@ -335,7 +392,8 @@ class Login extends \CoreLibs\DB\IO
 							$pages = array();
 							$edit_page_ids = array();
 							// set pages access
-							$q = "SELECT ep.edit_page_id, filename, ep.name AS edit_page_name, ep.order_number AS edit_page_order, menu, popup, popup_x, popup_y, online, ear.level, ear.type ";
+							$q = "SELECT ep.edit_page_id, filename, ep.name AS edit_page_name, ep.order_number AS edit_page_order, menu, ";
+							$q .= "popup, popup_x, popup_y, online, ear.level, ear.type ";
 							$q .= "FROM edit_page ep, edit_page_access epa, edit_access_right ear ";
 							$q .= "WHERE ep.edit_page_id = epa.edit_page_id AND ear.edit_access_right_id = epa.edit_access_right_id ";
 							$q .= "AND epa.enabled = 1 AND epa.edit_group_id = ".$res["edit_group_id"]." ";
@@ -548,6 +606,7 @@ class Login extends \CoreLibs\DB\IO
 			$this->acl['admin'] = 1;
 			$this->acl['base'] = 100;
 		} else {
+			$this->acl['admin'] = 0;
 			// now go throw the flow and set the correct ACL
 			// user > page > group
 			// group ACL 0
@@ -618,7 +677,7 @@ class Login extends \CoreLibs\DB\IO
 		// set the full acl list too
 		$this->acl['acl_list'] = $_SESSION['DEFAULT_ACL_LIST'];
 		// debug
-//			$this->debug('ACL', $this->print_ar($this->acl));
+		// $this->debug('ACL', $this->print_ar($this->acl));
 	}

 	// METHOD: loginCheckEditAccess
@@ -635,6 +694,28 @@ class Login extends \CoreLibs\DB\IO
 		}
 	}

+	// METHOD: loginPasswordChangeValidPassword
+	// PARAMS: the new password
+	// RETURN: true or false
+	// DESC  : checks if the password is in a valid format
+	private function loginPasswordChangeValidPassword($password)
+	{
+		$is_valid_password = true;
+		// check for valid in regex arrays in list
+		if (is_array($this->password_valid_chars)) {
+			foreach ($this->password_valid_chars as $password_valid_chars) {
+				if (!preg_match("/$password_valid_chars/", $password)) {
+					$is_valid_password = false;
+				}
+			}
+		}
+		// check for min length
+		if (strlen($password) < $this->password_min_length) {
+			$is_valid_password = false;
+		}
+		return $is_valid_password;
+	}
+
 	// METHOD: loginPasswordChange
 	// WAS   : login_password_change
 	// PARAMS: none
@@ -646,7 +727,7 @@ class Login extends \CoreLibs\DB\IO
 			$event = 'Password Change';
 			// check that given username is NOT in the deny list, else silent skip (with error log)
 			if (!in_array($this->pw_username, $this->pw_change_deny_users)) {
-				if (!$this->pw_username || !$this->pw_password) {
+				if (!$this->pw_username || !$this->pw_old_password) {
 					$this->login_error = 200;
 					$data = 'Missing username or old password.';
 				}
@@ -662,9 +743,9 @@ class Login extends \CoreLibs\DB\IO
 				}
 				// check old passwords match -> error
 				if (!$this->login_error) {
-					$q = "SELECT edit_user_id FROM edit_user WHERE enabled = 1 AND username = '".$this->dbEscapeString($this->pw_username)."' AND password = '".$this->dbEscapeString($this->pw_old_password)."'";
-					list ($edit_user_id) = $this->dbReturnRow($q);
-					if (!$edit_user_id) {
+					$q = "SELECT edit_user_id, password FROM edit_user WHERE enabled = 1 AND username = '".$this->dbEscapeString($this->pw_username)."'";
+					list ($edit_user_id, $old_password_hash) = $this->dbReturnRow($q);
+					if (!$edit_user_id || !$this->loginPasswordCheck($old_password_hash, $this->pw_old_password)) {
 						// old password wrong
 						$this->login_error = 202;
 						$data = 'The old password does not match';
@@ -681,15 +762,23 @@ class Login extends \CoreLibs\DB\IO
 				if (!$this->login_error) {
 					if ($this->pw_new_password != $this->pw_new_password_confirm) {
 						$this->login_error = 204;
-						$data = 'The new passwords do not match: '.$this->pw_new_password.' == '.$this->pw_new_password_confirm;
+						$data = 'The new passwords do not match';
+					}
+				}
+				// password shall match to something in minimum length or form
+				if (!$this->login_error) {
+					if (!$this->loginPasswordChangeValidPassword($this->pw_new_password)) {
+						$this->login_error = 205;
+						$data = 'The new password string is not valid';
 					}
 				}
 				// no error change this users password
 				if (!$this->login_error) {
 					// update the user (edit_user_id) with the new password
-					$q = "UPDATE edit_user SET password = '".$this->dbEscapeString($this->cryptString($this->pw_new_password))."' WHERE edit_user_id = ".$edit_user_id;
+					$q = "UPDATE edit_user SET password = '".$this->dbEscapeString($this->passwordSet($this->pw_new_password))."' WHERE edit_user_id = ".$edit_user_id;
 					$this->dbExec($q);
-					$data = 'Password change for user "'.$this->pw_username.'" from "'.$this->pw_old_password.'" to "'.$this->pw_new_password.'"';
+					$data = 'Password change for user "'.$this->pw_username.'"';
+					$this->password_change_ok = true;
 				}
 			} else {
 				// illegal user error
@@ -697,7 +786,7 @@ class Login extends \CoreLibs\DB\IO
 				$data = 'Illegal user for password change: '.$this->pw_username;
 			}
 			// log this password change attempt
-			$this->write_log($event, $data, $this->login_error, $pw_username, $pw_old_password);
+			$this->writeLog($event, $data, $this->login_error, $this->pw_username);
 		} // button pressed
 	}

@@ -727,29 +816,43 @@ class Login extends \CoreLibs\DB\IO
 				// pre change the data in the PASSWORD_CHANGE_DIV first
 				foreach ($this->login_template['strings'] as $string => $data) {
 					if ($data) {
-						$html_string_password_change = str_replace("{".$string."}", $data, $html_string_password_change);
+						$html_string_password_change = str_replace('{'.$string.'}', $data, $html_string_password_change);
 					}
 				}
+				// print error messagae
+				if ($this->login_error) {
+					$html_string_password_change = str_replace('{ERROR_MSG}', $this->login_error_msg[$this->login_error].'<br>', $html_string_password_change);
+				} else {
+					$html_string_password_change = str_replace('{ERROR_MSG}', '<br>', $html_string_password_change);
+				}
+				// if pw change action, show the float again
+				if ($this->change_password && !$this->password_change_ok) {
+					$html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '<script language="JavaScript">ShowHideDiv(\'pw_change_div\');</script>', $html_string_password_change);
+				} else {
+					$html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '', $html_string_password_change);
+				}
 				$this->login_template['strings']['PASSWORD_CHANGE_DIV'] = $html_string_password_change;
 			}

 			// put in the logout redirect string
 			if ($this->logout && $LOGOUT_TARGET) {
-				$html_string = str_replace("{LOGOUT_TARGET}", '<meta http-equiv="refresh" content="0; URL='.$LOGOUT_TARGET.'">', $html_string);
+				$html_string = str_replace('{LOGOUT_TARGET}', '<meta http-equiv="refresh" content="0; URL='.$LOGOUT_TARGET.'">', $html_string);
 			} else {
-				$html_string = str_replace("{LOGOUT_TARGET}", '', $html_string);
+				$html_string = str_replace('{LOGOUT_TARGET}', '', $html_string);
 			}

 			// print error messagae
 			if ($this->login_error) {
-				$html_string = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."<br>", $html_string);
+				$html_string = str_replace('{ERROR_MSG}', $this->login_error_msg[$this->login_error].'<br>', $html_string);
+			} elseif ($this->password_change_ok && $this->password_change) {
+				$html_string = str_replace('{ERROR_MSG}', $this->login_error_msg[300].'<br>', $html_string);
 			} else {
-				$html_string = str_replace("{ERROR_MSG}", "<br>", $html_string);
+				$html_string = str_replace('{ERROR_MSG}', '<br>', $html_string);
 			}

 			// create the replace array context
 			foreach ($this->login_template['strings'] as $string => $data) {
-				$html_string = str_replace("{".$string."}", $data, $html_string);
+				$html_string = str_replace('{'.$string.'}', $data, $html_string);
 			}

 			// return the created HTML here
@@ -782,10 +885,10 @@ class Login extends \CoreLibs\DB\IO
 				$q = "SELECT username, password FROM edit_user WHERE edit_user_id = ".$this->euid;
 				list($username, $password) = $this->dbReturnRow($q);
 			} // if euid is set, get username (or try)
-			$this->writeLog($event, '', $this->login_error, $username, $password);
+			$this->writeLog($event, '', $this->login_error, $username);
 		} // write log under certain settings
 		// now close DB connection
-//			$this->error_msg = $this->_login();
+		// $this->error_msg = $this->_login();
 		if (!$this->permission_okay) {
 			return false;
 		} else {
@@ -816,6 +919,7 @@ class Login extends \CoreLibs\DB\IO
 			"1010" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // user not found
 			"1011" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // blowfish password wrong
 			"1012" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // fallback md5 password wrong
+			"1013" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // new password_hash wrong
 			"102" => $this->l->__("Fatal Error: <b>Login Failed - Please enter username and password</b>"),
 			"103" => $this->l->__("Fatal Error: <b>You do not have the rights to access this Page</b>"),
 			"104" => $this->l->__("Fatal Error: <b>Login Failed - User not enabled</b>"),
@@ -826,6 +930,8 @@ class Login extends \CoreLibs\DB\IO
 			"202" => $this->l->__("Fatal Error: <b>Password change - The old password is not correct</b>"),
 			"203" => $this->l->__("Fatal Error: <b>Password change - Please fill out both new password fields</b>"),
 			"204" => $this->l->__("Fatal Error: <b>Password change - The new passwords do not match</b>"),
+			"205" => $this->l->__("Fatal Error: <b>Password change - The new password is not in a valid format</b>"), // we should also not here WHAT is valid
+			"300" => $this->l->__("Success: <b>Password change successful</b>"), // for OK password change
 			"9999" => $this->l->__("Fatal Error: <b>necessary crypt engine could not be found</b>. Login is impossible") // this is bad bad error
 		);

@@ -852,6 +958,7 @@ class Login extends \CoreLibs\DB\IO
 <tr><td></td><td><input type="submit" name="change_password" value="{PASSWORD_CHANGE_BUTTON_VALUE}"><input type="button" name="pw_change" value="{CLOSE}" OnClick="ShowHideDiv('pw_change_div');"></td></tr>
 </table>
 </div>
+{PASSWORD_CHANGE_SHOW}
 EOM;
 		} else {
 			$strings = array_merge($strings, array (
@@ -862,14 +969,14 @@ EOM;
 		}

 		// first check if all strings are set from outside, if not, set with default ones
-		while (list($string, $data) = each($strings)) {
+		foreach ($strings as $string => $data) {
 			if (!array_key_exists($string, $this->login_template['strings'])) {
 				$this->login_template['strings'][$string] = $data;
 			}
 		}

 		// error msgs the same
-		while (list($code, $data) = each($error_msgs)) {
+		foreach ($error_msgs as $code => $data) {
 			if (!array_key_exists($code, $this->login_error_msg)) {
 				$this->login_error_msg[$code] = $data;
 			}
@@ -949,12 +1056,14 @@ EOM;
 	//        error -> if error, write error string (not enougth data, etc)
 	// RETURN: none
 	// DESC  : writes detailed data into the edit user log table (keep log what user does)
-	private function writeLog($event, $data, $error = "", $username = "", $password = "")
+	private function writeLog($event, $data, $error = '', $username = '')
 	{
 		if ($this->login) {
 				$this->action = 'Login';
 		} elseif ($this->logout) {
 				$this->action = 'Logout';
+		} else {
+			$this->action = '';
 		}
 		$_data_binary = array (
 				'_SESSION' => $_SESSION,
@@ -969,9 +1078,11 @@ EOM;
 		$q .= "(username, password, euid, event_date, event, error, data, data_binary, page, ";
 		$q .= "ip, user_agent, referer, script_name, query_string, server_name, http_host, http_accept, http_accept_charset, http_accept_encoding, session_id, ";
 		$q .= "action, action_id, action_yes, action_flag, action_menu, action_loaded, action_value, action_error) ";
-		$q .= "VALUES ('".$this->dbEscapeString($username)."', '".$this->dbEscapeString($password)."', ".(($this->euid) ? $this->euid : 'NULL').", ";
+		$q .= "VALUES ('".$this->dbEscapeString($username)."', 'PASSWORD', ".(($this->euid) ? $this->euid : 'NULL').", ";
 		$q .= "NOW(), '".$this->dbEscapeString($event)."', '".$this->dbEscapeString($error)."', '".$this->dbEscapeString($data)."', '".$data_binary."', '".$this->page_name."', ";
-		foreach (array('REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'SCRIPT_FILENAME', 'QUERY_STRING', 'SERVER_NAME', 'HTTP_HOST', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING') as $server_code) {
+		foreach (array(
+			'REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'SCRIPT_FILENAME', 'QUERY_STRING', 'SERVER_NAME', 'HTTP_HOST', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING'
+		) as $server_code) {
 			if (array_key_exists($server_code, $_SERVER)) {
 				$q .= "'".$this->dbEscapeString($_SERVER[$server_code])."', ";
 			} else {
--- a/www/lib/CoreLibs/Basic.inc
+++ b/www/lib/CoreLibs/Basic.inc
@@ -123,7 +123,7 @@ class Basic
 	private $log_print_file = 'error_msg##LOGID####LEVEL####CLASS####PAGENAME####DATE##';
 	private $log_file_unique_id; // a unique ID set only once for call derived from this class
 	public $log_print_file_date = 1; // if set add Y-m-d and do automatic daily rotation
-	private $log_file_id = LOG_FILE_ID ? LOG_FILE_ID : ''; // a alphanumeric name that has to be set as global definition
+	private $log_file_id = ''; // a alphanumeric name that has to be set as global definition
 	public $log_per_level = 0; // set, it will split per level (first parameter in debug call)
 	public $log_per_class = 0; // set, will split log per class
 	public $log_per_page = 0; // set, will split log per called file
@@ -148,12 +148,13 @@ class Basic
 	// error char for the char conver
 	public $mbErrorChar;

-	// crypt saslt prefix
+	// [!!! DEPRECATED !!!] crypt saslt prefix
 	public $cryptSaltPrefix = '';
 	public $cryptSaltSuffix = '';
 	public $cryptIterationCost = 7; // this is for staying backwards compatible with the old ones
 	public $cryptSaltSize = 22; // default 22 chars for blowfish, 2 for STD DES, 8 for MD5,
-
+	// new better password management
+	protected $password_options = array ();
 	// session name
 	private $session_name = '';
 	private $session_id = '';
@@ -178,9 +179,30 @@ class Basic
 			"class_author" => 'Clemens Schwaighofer'
 		);

+		// before we start any work, we should check that all MUST constants are defined
+		$abort = false;
+		foreach (array(
+			'DS', 'DIR', 'BASE', 'ROOT', 'LIB', 'INCLUDES', 'LAYOUT', 'PICTURES', 'FLASH', 'VIDEOS', 'DOCUMENTS', 'PDFS', 'BINARIES', 'ICONS',
+			'UPLOADS', 'CSV', 'JS', 'CSS', 'TABLE_ARRAYS', 'SMARTY', 'LANG', 'CACHE', 'TMP', 'LOG', 'TEMPLATES', 'TEMPLATES_C',
+			'TEMPLATES_FRONTEND', 'DEFAULT_TEMPLATE', 'DEFAULT_TEMPLATE_FILE', 'DEFAULT_LANG', 'DEFAULT_ENCODING', 'DEFAULT_HASH',
+			'DEFAULT_ACL_LEVEL', 'LOGOUT_TARGET', 'PASSWORD_CHANGE', 'AJAX_REQUEST_TYPE', 'USE_PROTOTYPE', 'USE_SCRIPTACULOUS', 'USE_JQUERY',
+			'PAGE_WIDTH', 'MASTER_TEMPLATE_NAME', 'PUBLIC_SCHEMA', 'TEST_SCHEMA', 'DEV_SCHEMA', 'LIVE_SCHEMA', 'LOGIN_DB', 'MAIN_DB', 'DB_SCHEMA',
+			'LOGIN_DB_SCHEMA', 'GLOBAL_DB_SCHEMA', 'TARGET', 'DEBUG', 'SHOW_ALL_ERRORS'
+		) as $constant) {
+			if (!defined($constant)) {
+				echo "Constant $constant misssing<br>";
+				$abort = true;
+			}
+		}
+		if ($abort === true) {
+			die('Core Constant missing. Check config file.');
+		}
+
 		// set the page name
 		$this->page_name = $this->getPageName();
 		$this->host_name = $this->getHostName();
+		// init the log file id
+		$this->log_file_id = defined('LOG_FILE_ID') ? LOG_FILE_ID : '';

 		// set the paths matching to the valid file types
 		$this->data_path = array (
@@ -327,7 +349,7 @@ class Basic
 		// initial the session if there is no session running already
 		if (!session_id()) {
 			// check if we have an external session name given, else skip this step
-			if (SET_SESSION_NAME) {
+			if (defined('SET_SESSION_NAME')) {
 				// set the session name for possible later check
 				$this->session_name = SET_SESSION_NAME;
 			}
@@ -340,8 +362,10 @@ class Basic
 			$this->session_id = session_id();
 		}

-		// init crypt settings
+		// [!!! DEPRECATED !!!] init crypt settings
 		$this->cryptInit();
+		// new better password init
+		$this->passwordInit();

 		// start logging running time
 		$this->runningTime();
@@ -431,7 +455,7 @@ class Basic
 	// DESC  : wrapper around microtime function to print out y-m-d h:i:s.ms
 	public static function printTime($set_microtime = -1)
 	{
-		list($microtime, $timestamp) = explode(" ", microtime());
+		list($microtime, $timestamp) = explode(' ', microtime());
 		$string = date("Y-m-d H:i:s", $timestamp);
 		// if microtime flag is -1 no round, if 0, no microtime, if >= 1, round that size
 		if ($set_microtime == -1) {
@@ -1088,6 +1112,37 @@ class Basic
 		return $ret_array;
 	}

+	// METHOD: arrayToString
+	// WAS   : ArrayToString
+	// PARAMS: array, connect char
+	// RETRUN: string
+	// DESC  : wrapper for join, but checks if input is an array and if not returns null
+	public static function arrayToString($array, $connect_char)
+	{
+		if (is_array($array)) {
+			return join($connect_char, $array);
+		} else {
+			return false;
+		}
+	}
+
+	// METHOD: flattenArray
+	// PARAMS: array in multi dimensions
+	// RETURN: returns a flatten array
+	// DESC  : converts multi dimensional array to a flat array
+	//         does NOT preserve keys
+	public static function flattenArray(array $array)
+	{
+		$return = array();
+		array_walk_recursive(
+			$array,
+			function ($a) use (&$return) {
+				$return[] = $a;
+			}
+		);
+		return $return;
+	}
+
 	// METHOD: __mbMimeEncode
 	// WAS   : _mb_mime_encode
 	// PARAMS: string to encode, encoding to encode in
@@ -1221,17 +1276,20 @@ class Basic
 	//         xd xh xm xs xms to a timestamp.microtime format
 	public static function stringToTime($timestring)
 	{
-		$timestamp = '';
+		$timestamp = 0;
 		if (preg_match("/(d|h|m|s|ms)/", $timestring)) {
-			$timegroups = array (1 => 86400, 3 => 3600, 5 => 60, 7 => 1);
+			// pos for preg match read + multiply factor
+			$timegroups = array (2 => 86400, 4 => 3600, 6 => 60, 8 => 1);
+			// preg match: 0: full strsing
+			// 2, 4, 6, 8 are the to need values
 			preg_match("/^((\d+)d ?)?((\d+)h ?)?((\d+)m ?)?((\d+)s ?)?((\d+)ms)?$/", $timestring, $matches);
 			// multiply the returned matches and sum them up. the last one (ms) is added with .
-			for ($i = 1; $i <= 7; $i += 2) {
-				if ($matches[$i]) {
-					$timestamp += ($matches[($i + 1)] * $timegroups[$i]);
+			foreach ($timegroups as $i => $time_multiply) {
+				if (is_numeric($matches[$i])) {
+					$timestamp += $matches[$i] * $time_multiply;
 				}
 			}
-			if ($matches[10]) {
+			if (is_numeric($matches[10])) {
 				$timestamp .= '.'.$matches[10];
 			}
 			return $timestamp;
@@ -1346,20 +1404,6 @@ class Basic
 		}
 	}

-	// METHOD: arrayToString
-	// WAS   : ArrayToString
-	// PARAMS: array, connect char
-	// RETRUN: string
-	// DESC  : wrapper for join, but checks if input is an array and if not returns null
-	public static function arrayToString($array, $connect_char)
-	{
-		if (is_array($array)) {
-			return join($connect_char, $array);
-		} else {
-			return false;
-		}
-	}
-
 	// METHOD: createThumbnail
 	// WAS   : CreateThumbnail
 	// PARAMS: pic -> picture where from we create a thumbnail
@@ -1630,6 +1674,11 @@ class Basic
 		return false;
 	}

+	// [!!! DEPRECATED !!!]
+	// ALL crypt* methids are DEPRECATED and SHALL NOT BE USED
+	// use the new password* instead
+
+	// [!!! DEPRECATED !!!] -> passwordInit
 	// METHOD: cryptInit
 	// PARAMS: none
 	// RETURN: none
@@ -1676,6 +1725,7 @@ class Basic
 		}
 	}

+	// [!!! DEPRECATED !!!] -> not needed
 	// METHOD: cryptSaltString
 	// PARAMS: random string length, default is 22 (for blowfish crypt)
 	// RETURN: random string
@@ -1703,6 +1753,7 @@ class Basic
 		return $salt_string;
 	}

+	// [!!! DEPRECATED !!!] -> passwordSet
 	// METHOD: cryptString
 	// PARAMS: string to be crypted (one way)
 	// RETURN: encrypted string
@@ -1714,6 +1765,7 @@ class Basic
 		return crypt($string, $this->cryptSaltPrefix.$this->cryptSaltString($this->cryptSaltSize).$this->cryptSaltSuffix);
 	}

+	// [!!! DEPRECATED !!!] -> passwordVerify
 	// METHOD: verifyCryptString
 	// PARAMS: plain string (eg password)
 	//         full crypted string (from cryptString
@@ -1729,6 +1781,61 @@ class Basic
 		}
 	}

+	// *** BETTER PASSWORD OPTIONS, must be used ***
+	// METHOD: passwordInit
+	// PARAMS: none
+	// RETURN: none
+	// DESC  : inits the password options set
+	//         currently this is et empty, and the default options are used
+	private function passwordInit()
+	{
+		// set default password cost: use default set automatically
+		$this->password_options = array (
+			// 'cost' => PASSWORD_BCRYPT_DEFAULT_COST
+		);
+	}
+
+	// METHOD: passwordSet
+	// PARAMS: password
+	// RETURN: hashed password
+	// DESC  : creates the password hash
+	public function passwordSet($password)
+	{
+		// always use the PHP default for the password
+		// password options ca be set in the password init, but should be kept as default
+		return password_hash($password, PASSWORD_DEFAULT, $this->password_options);
+	}
+
+	// METHOD: passwordVerify
+	// PARAMS: password and hash
+	// RETURN: true or false
+	// DESC  : checks if the entered password matches the hash
+	public function passwordVerify($password, $hash)
+	{
+		if (password_verify($password, $hash)) {
+			return true;
+		} else {
+			return false;
+		}
+		// in case something strange, return false on default
+		return false;
+	}
+
+	// METHOD: passwordRehashCheck
+	// PARAMS: hash
+	// RETURN: true or false
+	// DESC  : checks if the password needs to be rehashed
+	public function passwordRehashCheck($hash)
+	{
+		if (password_needs_rehash($hash, PASSWORD_DEFAULT, $this->password_options)) {
+			return true;
+		} else {
+			return false;
+		}
+		// in case of strange, force re-hash
+		return true;
+	}
+
 	// *** COLORS ***

 	// METHOD: hex2rgb
--- a/www/lib/CoreLibs/DB/IO.inc
+++ b/www/lib/CoreLibs/DB/IO.inc
@@ -501,7 +501,7 @@ class IO extends \CoreLibs\Basic
 	// NOTE  : used in db_dump_data only
 	private function __printArray($array)
 	{
-		while (list($key, $value) = each($array)) {
+		foreach ($array as $key => $value) {
 			$string .= $this->nbsp.'<b>'.$key.'</b> => ';
 			if (is_array($value)) {
 				$this->nbsp .= '&nbsp;&nbsp;&nbsp;';
@@ -567,7 +567,7 @@ class IO extends \CoreLibs\Basic
 			// write detailed error log
 		}
 		if ($this->warning_id) {
-			$this->__dbDebug('db', '<span style="color: orange;"><b>DB-Warning</b> '.$this->warning_id.': '.$this->error_string[$this->warning_id].($msg ? ', '.$msg : '').'</span>', 'DB_ERROR', $where_called);
+			$this->__dbDebug('db', '<span style="color: orange;"><b>DB-Warning</b> '.$this->warning_id.': '.$this->error_string[$this->warning_id].($msg ? ', '.$msg : '').'</span>', 'DB_WARNING', $where_called);
 			$this->had_warning = $this->warning_id;
 		}
 		// unset the error/warning vars
@@ -1111,7 +1111,7 @@ class IO extends \CoreLibs\Basic
 					$this->cursor_ext[$md5]['read_rows'] ++;
 					// if reset is <3 caching is done, else no
 					if ($reset < 3) {
-						while (list($field_name, $data) = each($return)) {
+						foreach ($return as $field_name => $data) {
 							$temp[$field_name] = $data;
 						}
 						$this->cursor_ext[$md5][] = $temp;
--- a/www/lib/CoreLibs/Output/Form/Generate.inc
+++ b/www/lib/CoreLibs/Output/Form/Generate.inc
@@ -887,16 +887,16 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 					} // switch
 				} // for each error to check
 			} elseif ($value["mandatory"] &&
-						(
-							// for all "normal" fields
-							($this->table_array[$key]["type"] != "password" && $this->table_array[$key]["type"] != "drop_down_db_input" && !$this->table_array[$key]["value"]) ||
-							// for drop_down_db_input check if one of both fields filled
-							($this->table_array[$key]["type"] == "drop_down_db_input" && !$this->table_array[$key]["input_value"] && !$this->table_array[$key]["value"]) ||
-							// for password
-							($this->table_array[$key]["type"] == "password" && !$this->table_array[$key]["value"] && !$this->table_array[$key]["HIDDEN_value"])
-						)
-					// main if end
-					) {
+				(
+					// for all "normal" fields
+					($this->table_array[$key]["type"] != "password" && $this->table_array[$key]["type"] != "drop_down_db_input" && !$this->table_array[$key]["value"]) ||
+					// for drop_down_db_input check if one of both fields filled
+					($this->table_array[$key]["type"] == "drop_down_db_input" && !$this->table_array[$key]["input_value"] && !$this->table_array[$key]["value"]) ||
+					// for password
+					($this->table_array[$key]["type"] == "password" && !$this->table_array[$key]["value"] && !$this->table_array[$key]["HIDDEN_value"])
+				)
+			// main if end
+			) {
 				// if mandatory && no input
 				// $this->debug('form', "A: ".$this->table_array[$key]["type"]." -- ".$this->table_array[$key]["input_value"]." -- ".$this->table_array[$key]["value"]);
 				if (!$this->table_array[$key]["value"] && $this->table_array[$key]["type"] != "binary") {
@@ -1145,7 +1145,6 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 	// DESC  : save a table, reference and all input fields
 	public function formSaveTableArray($addslashes = 0)
 	{
-//       global $_FILES;
 		// for drop_down_db_input check if text field is filled and if, if not yet in db ...
 		// and upload files
 		if (!is_array($this->table_array)) {
@@ -1154,9 +1153,9 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 		reset($this->table_array);
 		while (list($key, $value) = each($this->table_array)) {
 			// drop_down_db with input + reference table
-//$this->debug('form', "A: ".$this->table_array[$key]["type"]." --- ".$this->table_array[$key]["input_value"]);
+			// $this->debug('form', "A: ".$this->table_array[$key]["type"]." --- ".$this->table_array[$key]["input_value"]);
 			if ($this->table_array[$key]["type"] == "drop_down_db_input" && $this->table_array[$key]["input_value"]) {
-//$this->debug('form', "HERE");
+				// $this->debug('form', "HERE");
 				// check if this text name already exists (lowercase compare)
 				$q = "SELECT ".$this->table_array[$key]["pk_name"]." FROM ".$this->table_array[$key]["table_name"]." WHERE LCASE(".$this->table_array[$key]["input_name"].") = '".$this->db_escape_string(strtolower($this->table_array[$key]["input_value"]))."'";
 				// if a where was given, add here
@@ -1208,10 +1207,10 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 				// if smth in $$key_file -> save or overwrite
 				// if smth in $key && $$key_delete && !$$key_file-> delte
 				// if smth in $key, keep as is
-//           $_file=$key."_file";
-//           $_delete=$key."_delete";
-//$this->debug('form', "UF: ".$GLOBALS["_FILES"][$key."_file"]['name']);
-//$this->debug('form', "delete: ".$key."_delete => ".$GLOBALS[$key.'_delete']);
+				// $_file=$key."_file";
+				// $_delete=$key."_delete";
+				// $this->debug('form', "UF: ".$GLOBALS["_FILES"][$key."_file"]['name']);
+				// $this->debug('form', "delete: ".$key."_delete => ".$GLOBALS[$key.'_delete']);
 				if ($GLOBALS["_FILES"][$key."_file"]['name']) {
 					// check if dir exists
 					if (is_dir($this->table_array[$key]["save_dir"])) {
@@ -1240,11 +1239,11 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 			// for password crypt it as blowfish, or if not available MD5
 			if ($this->table_array[$key]['type'] == 'password') {
 				if ($this->table_array[$key]["value"]) {
-					// password is stored in blowfish format, or in the format supported by this PHP version
-					$this->table_array[$key]["value"] = $this->cryptString($this->table_array[$key]["value"]);
+					// use the better new passwordSet instead of crypt based
+					$this->table_array[$key]['value'] = $this->passwordSet($this->table_array[$key]['value']);
 					$this->table_array[$key]["HIDDEN_value"] = $this->table_array[$key]["value"];
 				} else {
-//						$this->table_array[$key]["HIDDEN_value"] =
+					// $this->table_array[$key]["HIDDEN_value"] =
 				}
 			}
 		} // go through each field
@@ -1287,14 +1286,14 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 						$max = count($_POST[$prfx.$key]);
 					}
 				}
-//$this->debug('edit_error', "MAX: $max");
+				// $this->debug('edit_error', "MAX: $max");
 				// check if there is a hidden key, update, else insert
 				while (list($el_name, $data_array) = each($reference_array["elements"])) {
 					// this is only for reference_data part, at least one of the text fields need to be set for writing
 					$blow_write = array ();
-//$this->debug('edit_error_query', "QUERY: ".$this->print_ar($_POST));
+					// $this->debug('edit_error_query', "QUERY: ".$this->print_ar($_POST));
 					// go through all submitted data
-//						for ($i = 0; $i < count($_POST[$el_name]); $i ++)
+					// for ($i = 0; $i < count($_POST[$el_name]); $i ++)
 					for ($i = 0; $i < $max; $i ++) {
 						// if we have enable name & delete set, then only insert/update those which are flagged as active
 						// check if mandatory field is set, if not set "do not write flag"
@@ -1326,7 +1325,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 						// write all data (insert/update) because I don't know until all are processed if it is insert or update
 						// don't write primary key backup for update
 						// for reference_data type, only write if at least one text type field is set
-//$this->debug('edit_error', "I: $i | EL Name: $prfx$el_name | Data: ".$_POST[$prfx.$el_name][$i]." | Type: ".$type[$i]." | PK: ".$data_array["pk_id"].", Block write: ".$block_write[$i]);
+						// $this->debug('edit_error', "I: $i | EL Name: $prfx$el_name | Data: ".$_POST[$prfx.$el_name][$i]." | Type: ".$type[$i]." | PK: ".$data_array["pk_id"].", Block write: ".$block_write[$i]);
 						// only add elements that are not PK or FK flaged
 						if (!$data_array['pk_id'] && !$data_array['fk_id']) {
 							// update data list
--- a/www/media/binaries/.gitignore
+++ b/www/media/binaries/.gitignore
Author	SHA1	Message	Date
Clemens Schwaighofer	1afc0eb982	README update	2018-06-08 16:58:07 +09:00
Clemens Schwaighofer	a7e7539911	config updates	2018-06-08 16:48:42 +09:00
Clemens Schwaighofer	6e3f017960	Config file updates	2018-06-08 16:46:25 +09:00
Clemens Schwaighofer	80715e5ef1	base config.inc update	2018-06-08 16:41:35 +09:00
Clemens Schwaighofer	0408483aa8	Add array flatten method A multi dimensional array can be flattened into a single array	2018-06-06 18:58:09 +09:00
Clemens Schwaighofer	02d1d03c15	Fix long lines, fix timestamp method, fix db error to warning DB IO: On multiple PK return it say DB_ERROR, but this is actually a warning DB_WARNING Login: fix long lines and make SCHEMA set better with if instead of terinary Basic: fix string to time with loop over array parts and not for loop	2018-06-04 18:53:28 +09:00
Clemens Schwaighofer	6db87c64b0	Update core config.inc file (bare)	2018-05-24 17:58:17 +09:00
Clemens Schwaighofer	765297d2a2	Update config template files	2018-05-24 17:57:17 +09:00
Clemens Schwaighofer	382cc0524a	file upload page updates, config updates Update the files upload page with missing unlinks for certain actions and ACL settings Add LIVE_SCHEMA to config & var set check	2018-05-24 15:08:18 +09:00
Clemens Schwaighofer	aa57c6218f	various fixes for PHP 7.2 compatible	2018-05-16 13:42:31 +09:00
Clemens Schwaighofer	b3f9fd27e6	Update for <? in the table_array list, fix binaries folder name	2018-05-14 15:37:05 +09:00
Clemens Schwaighofer	4e6463a849	Password check & change update The password check flow is now dedicated method. The password change has been updated to check for a valid password before accepting it (default is only min 8 chars). Success message is printed out. On error the overlay stays visible. Old password correct check uses normal password check method now. No passwords in any form are logged for error or printed anywhere at all.	2018-05-09 15:12:13 +09:00
Clemens Schwaighofer	5ad0419613	Login class rehash part: do not use variable Write the new hash directly to the DB, we don't need to store it in variable	2018-05-09 11:55:12 +09:00
Clemens Schwaighofer	e23389a7f8	Fix password re-hash in login with correct methods Don't call the PHP functions directly, but use the internal wrapper methods for password rehash check and set in Login class	2018-05-09 11:47:32 +09:00
Clemens Schwaighofer	c21e194eaf	Add proper PHP password management The old crypt based password methods are all deprecated and the new password_* are now standard. Also added auto rehash for old password on login	2018-05-09 11:34:40 +09:00