CoreLibs/development
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
8c4527cf4a291e7db105e81dc84ce6090a347e4e
development/www/libs/Class.Login.inc
Clemens Schwaighofer deff15cc71 Update core classes with better debugging output 
Add server name to the print out and log print debug entry.
For the debug log file add the full file path so we know which file
exactly got accessed.
2014-09-30 16:12:50 +09:00

1015 lines
41 KiB
PHP
Raw Blame History

<?
/*********************************************************************
* AUTHOR: Clemens "Gullevek" Schwaighofer (www.gullevek.org)
* CREATED: 2000/06/01
* VERSION: 4.0.0
* RELEASED LICENSE: BSD style (use it, u don't have to make YOUR source public)
* but let me know if u made changes, and please don't redistribute it
* with your name on it ...
* SHORT DESCRIPTON:
* ~ 2003/03/03: change the whole include file into one class
* advantages are a) can include before actuall call, can control it
* easer (login db, etc), etc etc etc
*
* a login lib that should stand out of all others
* will be a class one day
*
* descrption of session_vars
* DEBUG_ALL - set to one, prints out error_msg var at end of php execution
* DB_DEBUG - prints out database debugs (query, etc)
* GROUP_LEVEL - the level he can access (numeric)
* USER_NAME - login name from user
* LANG - lang to show edit interface (not yet used)
* DEFAULT_CHARSET - in connection with LANG (not yet used)
* PAGES - array of hashes
* edit_page_id - ID from the edit_pages table
* filename - name of the file
* page_name - name in menu
* menu - appears in menu
* popup - is a popup
* popup_x - if popup -> width
* popup_y - if popup -> height
* online - page is online (user can access)
* query_string - string to paste for popup (will change)
*
* HISTORY:
* 2010/12/21 (cs) merge back password change interface
* 2010/12/17 (cs) change that password can be blowfish encrypted, auto detects if other encryption is used (md5, std des) and tries to use them
* 2007/05/29 (cs) BUG with assign query and visible sub arrays to pages
* 2005/09/21 (cs) if error -> unset the session vars
* 2005/07/04 (cs) add a function to write into the edit log file
* 2005/07/01 (cs) start adepting login class to new edit interface layout
* 2005/03/31 (cs) fixed the class call with all debug vars
* 2004/11/17 (cs) unused var cleanup
* 2004/11/16 (cs) rewrite login so it uses a template and not just plain html. prepare it, so it will be able to use external stuff later (some interface has to be designed for that
* 2004/11/16 (cs) removed the mobile html part from login * 2004/09/30 (cs) layout fix
* 2003-11-11: if user has debug 1 unset memlimit, because there can be serious problems with the query logging
* 2003-06-12: added flag to PAGES array
* changed the get vars from GLOBALS to _POST
* changed the session registration. no more GLOBAL vars are registered
* only _SESSION["..."]
* 2003-06-09: added mobile phone login possibility
* 2003-03-04: droped ADMIN and added GROUP_LEVEL
* 2003-03-03: started to change the include file function collection
* to become a class
* 2003-02-28: various advances and changes, but far from perfect
* decided to change it into a class for easier handling
* add also possibility to change what will stored in the
* login session ?
* 2000-06-01: created basic idea and functions
*********************************************************************/
require_once(LIBS."Class.DB.IO.inc");
class login extends db_io
{
private $euid; // the user id var
private $permission_okay = 0; // is set to one if login okay, or EUID is set and user is okay to access this page
public $login; // pressed login
private $username; // login name
private $password; // login password
private $logout; // logout button
private $login_error; // login error code, can be matched to the array login_error_msg, which holds the string
private $password_change = false; // if this is set to true, the user can change passwords
private $pw_change_deny_users = array (); // array of users for which the password change is forbidden
// all possible login error conditions
private $login_error_msg = array ();
// this is an array holding all strings & templates passed from the outside (translation)
private $login_template = array ('strings' => array (), 'password_change' => '', 'template' => '');
// acl vars
public $acl = array (
'acl' => array (
'user' => array (),
'page' => array (),
'edit_access' => array ()
),
'info' => array (
'edit_access' => array ()
)
);
public $default_acl_list = array ();
// METHOD: login
// PARAMS: db_config -> array for logging in to DB where edit_users tables are
// db_debug -> sets debug output for db_io (can be overruled with DB_DEBUG)
// RETURN: none
// DESC : cunstroctuor, does ALL, opens db, works through connection checks, closes itself
public function __construct($db_config, $lang = 'en_utf8', $debug = 0, $db_debug = 0, $echo = 1, $print = 0)
{
// create db connection and init base class
parent::__construct($db_config, $debug, $db_debug, $echo, $print);
// no session could be found at all
if (!session_id())
{
echo "<b>Session not started!</b><br>Use 'session_start();'.<br>For less problems with other session, you can set a session name with 'session_name(\"name\");'.<br>";
exit;
}
// set log file name
$this->file_name_ext = '_login_'.date('Y-m-d').'.log';
// get the language sub class & init it
require_once(LIBS."Class.l10n.inc");
$this->l = new l10n($lang);
// if we have a search path we need to set it, to use the correct DB to login
// check what schema to use. if there is a login schema use this, else check if there is a schema set in the config, or fall back to DB_SCHEMA if this exists, if this also does not exists use public schema
$SCHEMA = defined('LOGIN_DB_SCHEMA') ? LOGIN_DB_SCHEMA : ($db_config['db_schema'] ? $db_config['db_schema'] : (defined('DB_SCHEMA') ? DB_SCHEMA : 'public'));
$this->db_exec("SET search_path TO ".$SCHEMA);
$this->euid = array_key_exists('EUID', $_SESSION) ? $_SESSION['EUID'] : 0; // if there is none, there is none, saves me POST/GET check
// get login vars, are so, can't be changed
// prepare
if (!isset($_POST['login_login']))
$_POST['login_login'] = '';
if (!isset($_POST['login_username']))
$_POST['login_username'] = '';
if (!isset($_POST['login_password']))
$_POST['login_password'] = '';
if (!isset($_POST['login_logout']))
$_POST['login_logout'] = '';
if (!isset($_POST['change_password']))
$_POST['change_password'] = '';
if (!isset($_POST['pw_username']))
$_POST['pw_username'] = '';
if (!isset($_POST['pw_old_password']))
$_POST['pw_old_password'] = '';
if (!isset($_POST['pw_new_password']))
$_POST['pw_new_password'] = '';
if (!isset($_POST['pw_new_password_confirm']))
$_POST['pw_new_password_confirm'] = '';
// pass on vars to Object vars
$this->login = $_POST["login_login"];
$this->username = $_POST["login_username"];
$this->password = $_POST["login_password"];
$this->logout = $_POST["login_logout"];
// password change vars
$this->change_password = $_POST["change_password"];
$this->pw_username = $_POST['pw_username'];
$this->pw_old_password = $_POST['pw_old_password'];
$this->pw_new_password = $_POST['pw_new_password'];
$this->pw_new_password_confirm = $_POST['pw_new_password_confirm'];
// logout target (from config)
$this->logout_target = LOGOUT_TARGET;
// disallow user list for password change
$this->pw_change_deny_users = array ('admin');
// set flag if password change is okay
if (defined('PASSWORD_CHANGE'))
$this->password_change = PASSWORD_CHANGE;
// max login counts before error reporting
$this->max_login_error_count = 10;
// users that never get locked, even if they are set strict
$this->lock_deny_users = array ('admin');
// internal
$this->class_info["login"] = array(
"class_name" => "Login",
"class_version" => "4.0.0",
"class_created" => "2000-06-01",
"class_author" => "cs/gullevek/at"
);
// read the current edit_access_right list into an array
$q = "SELECT level, type, name FROM edit_access_right WHERE level >= 0 ORDER BY level";
while ($res = $this->db_return($q))
{
// level to description format
$this->default_acl_list[$res['level']] = array (
'type' => $res['type'],
'name' => $res['name']
);
// format type (eg read) => acl number (eg 20)
$this->default_acl_list[$res['type']] = $res['level'];
}
// write that into the session
$_SESSION['DEFAULT_ACL_LIST'] = $this->default_acl_list;
// if username & password & !$euid start login
$this->login_login_user();
// checks if $euid given check if user is okay for that side
$this->login_check_permissions();
// logsout user
$this->login_logout_user();
// if the password change flag is okay, run the password change method
if ($this->password_change)
$this->login_password_change();
// if !$euid || permission not okay, print login screan
echo $this->login_print_login();
// closing all connections, depending on error status, exit
if (!$this->login_close_class())
{
// do not go anywhere, quit processing here
// do something with possible debug data?
if (TARGET == 'live' || TARGET == 'remote')
{
// login
$this->debug_output_all = DEBUG ? 1 : 0;
$this->echo_output_all = 0;
$this->print_output_all = DEBUG ? 1 : 0;
}
$status_msg = $this->print_error_msg();
if ($this->echo_output_all)
echo $status_msg;
exit;
}
// set acls for this user/group and this page
$this->login_set_acl();
}
// METHOD: _login
// PARAMS: none
// RETURN: none
// DESC : deconstructory, called with the last function to close DB connection
public function __destruct()
{
parent::__destruct();
}
// METHOD: login_login_user
// PARAMS: none
// RETURN: none
// DESC : if user pressed login button this script is called, but only if there is no preview euid set
private function login_login_user()
{
// have to get the global stuff here for setting it later
if (!$this->euid && $this->login)
{
if (!($this->password && $this->username))
{
$this->login_error = 102;
}
else
{
// we have to get the themes in here too
$q = "SELECT eu.edit_user_id, username, password, eu.edit_group_id, eg.name AS edit_group_name, admin, eu.login_error_count, eu.login_error_date_last, eu.login_error_date_first, eu.strict, eu.locked, ";
$q .= "debug, db_debug, ";
$q .= "eareu.level AS user_level, eareu.type AS user_type, ";
$q .= "eareg.level AS group_level, eareg.type AS group_type, ";
$q .= "eu.enabled, el.short_name AS lang_short, el.iso_name AS lang_iso, first.header_color AS first_header_color, second.header_color AS second_header_color, second.template ";
$q .= "FROM edit_user eu ";
$q .= "LEFT JOIN edit_scheme second ON (second.edit_scheme_id = eu.edit_scheme_id AND second.enabled = 1), ";
$q .= "edit_language el, edit_group eg, ";
$q .= "edit_access_right eareu, ";
$q .= "edit_access_right eareg, ";
$q .= "edit_scheme first ";
$q .= "WHERE first.edit_scheme_id = eg.edit_scheme_id AND eu.edit_group_id = eg.edit_group_id AND eu.edit_language_id = el.edit_language_id AND ";
$q .= "eu.edit_access_right_id = eareu.edit_access_right_id AND ";
$q .= "eg.edit_access_right_id = eareg.edit_access_right_id AND ";
// password match is done in script, against old plain or new blowfish encypted
$q .= "(LOWER(username) = '".strtolower($this->username)."') ";
$res = $this->db_return($q);
// username is wrong, but we throw for wrong username and wrong password the same error
if (!$this->cursor_ext[md5($q)]["num_rows"])
{
$this->login_error = 1010;
}
else
{
// if login errors is half of max errors and the last login error was less than 10s ago, forbid any new login try
// check with what kind of prefix the password begins:
// $2a$ or $2y$: BLOWFISCH
// $1$: MD5
// $ and one alphanumeric letter, 13 chars long, but nor $ at the end: STD_DESC
// if no $ => normal password
// NOW, if we have a password encoded, but not the correct encoder available, throw special error
// check flow
// - user is enabled
// - user is not locked
// - password is readable
// - encrypted password matches
// - plain password matches
// user is enabled
if (!$res["enabled"])
{
$this->login_error = 104;
}
// user is locked, either set or auto set
elseif ($res['locked'])
{
$this->login_error = 105;
}
elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) && CRYPT_BLOWFISH != 1) || (preg_match("/^\\$1\\$/", $res['password']) && CRYPT_MD5 != 1) || (preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && CRYPT_STD_DES != 1))
{
$this->login_error = 9999; // this means password cannot be decrypted because of missing crypt methods
}
// check passwword as crypted, $2a$ or $2y$ is blowfish start, $1$ is MD5 start, $\w{12} is standard DES
elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) || preg_match("/^\\$1\\$/", $res['password']) || preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password'])) && !$this->verifyCryptString($this->password, $res['password']))
{
$this->login_error = 1011;
}
// check old plain password, non case sensitive
elseif (!preg_match("/^\\$2(a|y)\\$/", $res['password']) && !preg_match("/^\\$1\\$/", $res['password']) && !preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && $res['password'] != $this->password)
{
$this->login_error = 1012;
}
// nromal user processing
else
{
// set class var and session var
$_SESSION["EUID"] = $this->euid = $res["edit_user_id"];
// check if user is okay
$this->login_check_permissions();
if (!$this->login_error)
{
// now set all session vars and read page permissions
$GLOBALS["DEBUG_ALL"] = $_SESSION["DEBUG_ALL"] = $res["debug"];
$GLOBALS["DB_DEBUG"] = $_SESSION["DB_DEBUG"] = $res["db_debug"];
$_SESSION["USER_NAME"] = $res["username"];
$_SESSION["ADMIN"] = $res["admin"];
$_SESSION["GROUP_NAME"] = $res["edit_group_name"];
$_SESSION["USER_ACL_LEVEL"] = $res["user_level"];
$_SESSION["USER_ACL_TYPE"] = $res["user_type"];
$_SESSION["GROUP_ACL_LEVEL"] = $res["group_level"];
$_SESSION["GROUP_ACL_TYPE"] = $res["group_type"];
$_SESSION["TEMPLATE"] = ($res["template"]) ? $res["template"] : DEFAULT_TEMPLATE;
$_SESSION["HEADER_COLOR"] = ($res["second_header_color"]) ? $res["second_header_color"] : $res["first_header_color"];
$_SESSION["LANG"] = $res["lang_short"];
$_SESSION["DEFAULT_CHARSET"] = $res["lang_iso"];
$_SESSION["DEFAULT_LANG"] = $res["lang_short"].'_'.strtolower(str_replace('-', '', $res["lang_iso"]));
// reset any login error count for this user
if ($res['login_error_count'] > 0)
{
$q = "UPDATE edit_user SET login_error_count = 0, login_error_date_last = NULL, login_error_date_first = NULL WHERE edit_user_id = ".$res['edit_user_id'];
$this->db_exec($q);
}
$pages = array();
$edit_page_ids = array();
// set pages access
$q = "SELECT ep.edit_page_id, filename, ep.name AS edit_page_name, ep.order_number AS edit_page_order, menu, popup, popup_x, popup_y, online, ear.level, ear.type ";
$q .= "FROM edit_page ep, edit_page_access epa, edit_access_right ear ";
$q .= "WHERE ep.edit_page_id = epa.edit_page_id AND ear.edit_access_right_id = epa.edit_access_right_id ";
$q .= "AND epa.enabled = 1 AND epa.edit_group_id = ".$res["edit_group_id"]." ";
$q .= "ORDER BY ep.order_number";
while ($res = $this->db_return($q))
{
// page id array for sub data readout
$edit_page_ids[] = $res['edit_page_id'];
// create the array for pages
array_push($pages, array (
"edit_page_id" => $res["edit_page_id"],
"filename" => $res["filename"],
"page_name" => $res["edit_page_name"],
"order" => $res['edit_page_order'],
"menu" => $res["menu"],
"popup" => $res["popup"],
"popup_x" => $res["popup_x"],
"popup_y" => $res["popup_y"],
"online" => $res["online"],
"acl_level" => $res["level"],
"acl_type" => $res["type"],
"query" => array (),
"visible" => array ()
));
// make reference filename -> level
$pages_acl[$res["filename"]] = $res["level"];
} // for each page
// get the visible groups for all pages and write them to the pages
$_edit_page_id = 0;
$q = "SELECT epvg.edit_page_id, name, flag FROM edit_visible_group evp, edit_page_visible_group epvg WHERE evp.edit_visible_group_id = epvg.edit_visible_group_id AND epvg.edit_page_id IN (".join(', ', $edit_page_ids).") ORDER BY epvg.edit_page_id";
while ($res = $this->db_return($q))
{
if ($res['edit_page_id'] != $_edit_page_id)
{
// search the pos in the array push
$pos = $this->array_search_recursive($res['edit_page_id'], $pages, 'edit_page_id');
$_edit_page_id = $res['edit_page_id'];
}
$pages[$pos[0]]['visible'][$res['name']] = $res['flag'];
}
// get the same for the query strings
$_edit_page_id = 0;
$q = "SELECT eqs.edit_page_id, name, value, dynamic FROM edit_query_string eqs WHERE enabled = 1 AND edit_page_id IN (".join(', ', $edit_page_ids).") ORDER BY eqs.edit_page_id";
while ($res = $this->db_return($q))
{
if ($res['edit_page_id'] != $_edit_page_id)
{
// search the pos in the array push
$pos = $this->array_search_recursive($res['edit_page_id'], $pages, 'edit_page_id');
$_edit_page_id = $res['edit_page_id'];
}
$pages[$pos[0]]['query'][] = array (
"name" => $res['name'],
"value" => $res['value'],
"dynamic" => $res['dynamic']
);
}
$_SESSION["PAGES"] = $pages;
$_SESSION["PAGES_ACL_LEVEL"] = $pages_acl;
// load the edit_access user rights
$q = "SELECT ea.edit_access_id, level, type, ea.name, ea.color, edit_default ";
$q .= "FROM edit_access_user eau, edit_access_right ear, edit_access ea ";
$q .= "WHERE eau.edit_access_id = ea.edit_access_id AND eau.edit_access_right_id = ear.edit_access_right_id AND eau.enabled = 1 AND edit_user_id = ".$this->euid." ";
$q .= "ORDER BY ea.name";
$unit_access = array();
$eauid = array();
$unit_acl = array();
while ($res = $this->db_return($q))
{
$unit_access[$res['edit_access_id']] = array (
"id" => $res['edit_access_id'],
"acl_level" => $res["level"],
"acl_type" => $res["type"],
"name" => $res["name"],
"color" => $res["color"],
"default" => $res["edit_default"]
);
if ($res['edit_default'])
$_SESSION["UNIT_DEFAULT"] = $res['edit_access_id'];
array_push($eauid, $res['edit_access_id']);
$unit_acl[$res['edit_access_id']] = $res['level'];
}
$_SESSION["UNIT"] = $unit_access;
$_SESSION["UNIT_ACL_LEVEL"] = $unit_acl;
$_SESSION['EAID'] = $eauid;
} // user has permission to THIS page
} // user was not enabled or other login error
if ($this->login_error)
{
if ($res['login_error_count'] == 0)
$login_error_date_first = ', login_error_date_first = NOW()';
// update login error count for this user
$q = "UPDATE edit_user SET login_error_count = login_error_count + 1, login_error_date_last = NOW() $login_error_date_first WHERE edit_user_id = ".$res['edit_user_id'];
$this->db_exec($q);
// totally lock the user if error max is reached
if ($res['login_error_count'] + 1 > $this->max_login_error_count)
{
// do some alert reporting in case this error is too big
// if strict is set, lock this user
// this needs manual unlocking by an admin user
if ($res['strict'] && !in_array($this->username, $this->lock_deny_users))
{
$q = "UPDATE edit_user SET locked = 1 WHERE edit_user_id = ".$res['edit_user_id'];
}
}
}
} // user was not found
} // if not username AND password where given
// if there was an login error, show login screen
if ($this->login_error)
{
// reset the perm var, to confirm logout
$this->permission_okay = 0;
}
} // if he pressed login at least and is not yet loggined in
}
// METHOD: login_check_permission
// PARAMS: none
// RETUNR none
// DESC : for every page the user access this script checks if he is allowed to do so
public function login_check_permissions()
{
if ($this->euid && $this->login_error != 103)
{
$q = "SELECT filename ";
$q .= "FROM edit_page ep, edit_page_access epa, edit_group eg, edit_user eu ";
$q .= "WHERE ep.edit_page_id = epa.edit_page_id AND eg.edit_group_id = epa.edit_group_id AND eg.edit_group_id = eu.edit_group_id ";
$q .= "AND eu.edit_user_id = ".$this->euid." AND filename = '".$this->page_name."' AND eg.enabled = 1 AND epa.enabled = 1";
$res = $this->db_return_row($q);
// unset mem limit if debug is set to 1
// if (($GLOBALS["DEBUG_ALL"] || $GLOBALS["DB_DEBUG"] || $_SESSION["DEBUG_ALL"] || $_SESSION["DB_DEBUG"]) && ini_get('memory_limit') != -1)
// ini_set('memory_limit', -1);
if ($res["filename"] == $this->page_name)
{
$this->permission_okay = 1;
}
else
{
$this->login_error = 103;
$this->permission_okay = 0;
}
}
// if called from public, so we can check if the permissions are ok
return $this->permission_okay;
}
// METHOD: login_logout_user
// PARAMS: none
// RETURN: none
// DESC : if a user pressed on logout, destroyes session and unsets all global vars
public function login_logout_user()
{
if ($this->logout || $this->login_error)
{
// unregister and destroy session vars
unset($_SESSION["EUID"]);
unset($_SESSION["GROUP_LEVEL"]);
unset($_SESSION["PAGES"]);
unset($_SESSION["USER_NAME"]);
unset($_SESSION["UNIT"]);
unset($_SESSION["DEBUG_ALL"]);
unset($_SESSION["DB_DEBUG"]);
unset($GLOBALS["DEBUG_ALL"]);
unset($GLOBALS["DB_DEBUG"]);
unset($_SESSION["LANG"]);
unset($_SESSION["DEFAULT_CHARSET"]);
unset($_SESSION["DEFAULT_LANG"]);
unset($_SESSION["GROUP_NAME"]);
unset($_SESSION["HEADER_COLOR"]);
session_destroy();
// he prints the login screen again
$this->permission_okay = 0;
}
}
// METHOD: login_set_acl
// PARAMS: none
// RETURN: none
// DESC : sets all the basic ACLs
// init set the basic acl the user has, based on the following rules
// * init set from config DEFAULT ACL
// * if group ACL is set, it overrides the default ACL
// * if page ACL is set, it overrides the group ACL
// * if user ACL is set, it overrides the page ACL
// set the page ACL
// * default ACL set
// * set group ACL if not default overrides default ACL
// * set page ACL if not default overrides group ACL
// set edit access ACL an set default edit access group
// * if an account ACL is set, set this parallel, account ACL overrides user ACL if it applies
// * if edit access ACL level is set, use this, else use page
// set all base ACL levels as a list keyword -> ACL number
public function login_set_acl()
{
// set the mastser user id
$this->acl['info']['euid'] = $_SESSION['EUID'];
// set admin flag, if this is on, all ACLs are set 100
if ($_SESSION['ADMIN'])
$this->acl['info']['admin'] = 1;
else
$this->acl['info']['admin'] = 0;
$this->acl['acl']['admin'] = $this->acl['info']['admin'];
if (!$this->acl['info']['admin'])
{
// this is the base if nothing is set
$this->acl['acl']['user'] = DEFAULT_ACL_LEVEL; // old base ACL
$this->acl['acl']['max'] = DEFAULT_ACL_LEVEL;
// group ACL 0
if ($_SESSION['GROUP_ACL_LEVEL'] != -1)
{
$this->acl['acl']['user'] = $_SESSION['GROUP_ACL_LEVEL'];
if ($this->acl['acl']['user'] > $this->acl['acl']['max'])
$this->acl['acl']['max'] = $this->acl['acl']['user'];
}
// page ACL 2
if ($_SESSION['PAGES_ACL_LEVEL'][$this->page_name] != -1)
{
$this->acl['acl']['user'] = $_SESSION['PAGES_ACL_LEVEL'][$this->page_name];
if ($this->acl['acl']['user'] > $this->acl['acl']['max'])
$this->acl['acl']['max'] = $this->acl['acl']['user'];
}
// user ACL 1
if ($_SESSION['USER_ACL_LEVEL'] != -1)
{
$this->acl['acl']['user'] = $_SESSION['USER_ACL_LEVEL'];
if ($this->acl['acl']['user'] > $this->acl['acl']['max'])
$this->acl['acl']['max'] = $this->acl['acl']['user'];
}
}
else
{
// if admin is on, level is 100 (admin)
$this->acl['acl']['user'] = 100;
$this->acl['acl']['max'] = 100;
}
// set the current page acl
// start with default acl
// set group if not -1
// set page if not -1, overrides groug
$this->acl['acl']['page'] = DEFAULT_ACL_LEVEL;
if ($_SESSION['GROUP_ACL_LEVEL'] != -1)
{
$this->acl['acl']['page'] = $_SESSION['GROUP_ACL_LEVEL'];
}
if ($_SESSION['PAGES_ACL_LEVEL'][$this->page_name] != -1)
{
$this->acl['acl']['page'] = $_SESSION['PAGES_ACL_LEVEL'][$this->page_name];
}
// PER ACCOUNT (UNIT/edit access)->
foreach ($_SESSION['UNIT'] as $unit)
{
// set edit access acl, unless admin, then it is default 100
$this->acl['acl']['edit_access'][$unit['id']] = !$this->acl['info']['admin'] ? ($unit['acl_level'] != -1 ? $unit['acl_level'] : $this->acl['acl']['page']) : 100;
$this->acl['info']['edit_access'][$unit['id']] = $unit['name'];
}
// flag if to show extra edit access drop downs (because user has multiple groups assigned)
if (count($_SESSION['UNIT']) > 1)
$this->acl['acl']['show_ea_extra'] = 1;
else
$this->acl['acl']['show_ea_extra'] = 0;
// set the default edit access
$this->acl['info']['default_edit_access'] = $_SESSION['UNIT_DEFAULT'];
// integrate the default_acl list, but only for the keyword -> level
foreach ($this->default_acl_list as $key => $value)
{
if (!is_numeric($key))
$this->acl['list'][$key] = $value;
}
}
// METHOD: login_check_edit_access
// PARAMS: edit_access_id to check
// RETURN: true/false: if the edit access is not in the valid list: false
// DESC : checks if this edit access id is valid
public function login_check_edit_access($edit_access_id)
{
if (array_key_exists($edit_access_id, $this->acl['info']['edit_access']))
return true;
else
return false;
}
// METHOD: login_password_change
// PARAMS: none
// RETURN: none
// DESC : changes a user password
private function login_password_change()
{
if ($this->change_password)
{
$event = 'Password Change';
// check that given username is NOT in the deny list, else silent skip (with error log)
if (!in_array($this->pw_username, $this->pw_change_deny_users))
{
if (!$this->pw_username || !$this->pw_password)
{
$this->login_error = 200;
$data = 'Missing username or old password.';
}
// check user exist, if not -> error
if (!$this->login_error)
{
$q = "SELECT edit_user_id FROM edit_user WHERE enabled = 1 AND username = '".$this->db_escape_string($this->pw_username)."'";
list ($edit_user_id) = $this->db_return_row($q);
if (!$edit_user_id)
{
// username wrong
$this->login_error = 201;
$data = 'User could not be found';
}
}
// check old passwords match -> error
if (!$this->login_error)
{
$q = "SELECT edit_user_id FROM edit_user WHERE enabled = 1 AND username = '".$this->db_escape_string($this->pw_username)."' AND password = '".$this->db_escape_string($this->pw_old_password)."'";
list ($edit_user_id) = $this->db_return_row($q);
if (!$edit_user_id)
{
// old password wrong
$this->login_error = 202;
$data = 'The old password does not match';
}
}
// check if new passwords were filled out -> error
if (!$this->login_error)
{
if (!$this->pw_new_password || !$this->pw_new_password_confirm)
{
$this->login_error = 203;
$data = 'Missing new password or new password confirm.';
}
}
// check new passwords both match -> error
if (!$this->login_error)
{
if ($this->pw_new_password != $this->pw_new_password_confirm)
{
$this->login_error = 204;
$data = 'The new passwords do not match: '.$this->pw_new_password.' == '.$this->pw_new_password_confirm;
}
}
// no error change this users password
if (!$this->login_error)
{
// update the user (edit_user_id) with the new password
$q = "UPDATE edit_user SET password = '".$this->db_escape_string($this->cryptString($this->pw_new_password))."' WHERE edit_user_id = ".$edit_user_id;
$this->db_exec($q);
$data = 'Password change for user "'.$this->pw_username.'" from "'.$this->pw_old_password.'" to "'.$this->pw_new_password.'"';
}
}
else
{
// illegal user error
$this->login_error = '220';
$data = 'Illegal user for password change: '.$this->pw_username;
}
// log this password change attempt
$this->write_log($event, $data, $this->login_error, $pw_username, $pw_old_password);
} // button pressed
}
// METHOD: login_print_login
// PARAMS: none
// RETURN: none
// DESC : prints out login html part if no permission (error) is set
private function login_print_login()
{
if (!$this->permission_okay)
{
// set the templates now
$this->login_set_templates();
// if there is a global logout target ...
if (file_exists($this->logout_target) && $this->logout_target)
{
$LOGOUT_TARGET = $this->logout_target;
} else
{
$LOGOUT_TARGET = "";
}
$html_string = $this->login_template['template'];
// if password change is okay
if ($this->password_change)
{
$html_string_password_change = $this->login_template['password_change'];
// pre change the data in the PASSWORD_CHANGE_DIV first
foreach ($this->login_template['strings'] as $string => $data)
{
if ($data)
$html_string_password_change = str_replace("{".$string."}", $data, $html_string_password_change);
}
$this->login_template['strings']['PASSWORD_CHANGE_DIV'] = $html_string_password_change;
}
// put in the logout redirect string
if ($this->logout && $LOGOUT_TARGET)
$html_string = str_replace("{LOGOUT_TARGET}", '<meta http-equiv="refresh" content="0; URL='.$LOGOUT_TARGET.'">', $html_string);
else
$html_string = str_replace("{LOGOUT_TARGET}", '', $html_string);
// print error messagae
if ($this->login_error)
$html_string = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."<br>", $html_string);
else
$html_string = str_replace("{ERROR_MSG}", "<br>", $html_string);
// create the replace array context
foreach ($this->login_template['strings'] as $string => $data)
{
$html_string = str_replace("{".$string."}", $data, $html_string);
}
// return the created HTML here
return $html_string;
} // if permission is 0 then print out login
}
// METHOD: login_close_class
// PARAMS: none
// RETURN: none
// DESC : last function called, writes log and prints out error msg and exists script if permission 0
private function login_close_class()
{
// write to LOG table ...
if ($this->login_error || $this->login || $this->logout)
{
$username = '';
$password = '';
// set event
if ($this->login)
$event = "Login";
else if ($this->logout)
$event = "Logout";
else
$event = "No Permission";
// prepare for log
if ($this->euid)
{
// get user from user table
$q = "SELECT username, password FROM edit_user WHERE edit_user_id = ".$this->euid;
list($username, $password) = $this->db_return_row($q);
} // if euid is set, get username (or try)
$this->write_log($event, '', $this->login_error, $username, $password);
} // write log under certain settings
// now close DB connection
// $this->error_msg = $this->_login();
if (!$this->permission_okay)
{
return false;
}
else
{
return true;
}
}
// METHOD: login_set_templates
// PARAMS:
// RETURN: none
// DESC : checks if there are external templates, if not uses internal fallback ones
private function login_set_templates()
{
$strings = array (
'HTML_TITLE' => $this->l->__("LOGIN"),
'TITLE' => $this->l->__("LOGIN"),
'USERNAME' => $this->l->__("Username"),
'PASSWORD' => $this->l->__("Password"),
'LOGIN' => $this->l->__("Login"),
'ERROR_MSG' => '',
'LOGOUT_TARGET' => '',
'PASSWORD_CHANGE_BUTTON_VALUE' => $this->l->__('Change Password')
);
$error_msgs = array (
"100" => $this->l->__("Fatal Error: <b>[EUID] came in as GET/POST!</b>"), // actually obsolete
"1010" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // user not found
"1011" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // blowfish password wrong
"1012" => $this->l->__("Fatal Error: <b>Login Failed - Wrong Username or Password</b>"), // fallback md5 password wrong
"102" => $this->l->__("Fatal Error: <b>Login Failed - Please enter username and password</b>"),
"103" => $this->l->__("Fatal Error: <b>You do not have the rights to access this Page</b>"),
"104" => $this->l->__("Fatal Error: <b>Login Failed - User not enabled</b>"),
"105" => $this->l->__("Fatal Error: <b>Login Failed - User is locked</b>"),
"220" => $this->l->__("Fatal Error: <b>Password change - The user could not be found</b>"), // actually this is an illegal user, but I mask it
'200' => $this->l->__("Fatal Error: <b>Password change - Please enter username and old password</b>"),
"201" => $this->l->__("Fatal Error: <b>Password change - The user could not be found</b>"),
"202" => $this->l->__("Fatal Error: <b>Password change - The old password is not correct</b>"),
"203" => $this->l->__("Fatal Error: <b>Password change - Please fill out both new password fields</b>"),
"204" => $this->l->__("Fatal Error: <b>Password change - The new passwords do not match</b>"),
"9999" => $this->l->__("Fatal Error: <b>necessary crypt engine could not be found</b>. Login is impossible") // this is bad bad error
);
// if password change is okay
if ($this->password_change)
{
$strings = array_merge($strings, array (
'TITLE_PASSWORD_CHANGE' => 'Change Password for User',
'OLD_PASSWORD' => $this->l->__("Old Password"),
'NEW_PASSWORD' => $this->l->__("New Password"),
'NEW_PASSWORD_CONFIRM' => $this->l->__("New Password confirm"),
'CLOSE' => $this->l->__('Close'),
'JS_SHOW_HIDE' => "function ShowHideDiv(id) { element = document.getElementById(id); if (element.className == 'visible' || !element.className) element.className = 'hidden'; else element.className = 'visible'; }",
'PASSWORD_CHANGE_BUTTON' => '<input type="button" name="pw_change" value="'.$strings['PASSWORD_CHANGE_BUTTON_VALUE'].'" OnClick="ShowHideDiv(\'pw_change_div\');">'
));
$this->login_template['password_change'] = <<<EOM
<div id="pw_change_div" class="hidden" style="position: absolute; top: 30px; left: 50px; width: 400px; height: 220px; background-color: white; border: 1px solid black; padding: 25px;">
<table>
<tr><td class="norm" align="center" colspan="2"><h3>{TITLE_PASSWORD_CHANGE}</h3></td></tr>
<tr><td class="norm" colspan="2">{ERROR_MSG}</td></tr>
<tr><td class="norm" align="right">{USERNAME}</td><td><input type="text" name="pw_username" value=""></td></tr>
<tr><td class="norm" align="right">{OLD_PASSWORD}</td><td><input type="password" name="pw_old_password" value=""></td></tr>
<tr><td class="norm" align="right">{NEW_PASSWORD}</td><td><input type="password" name="pw_new_password" value=""></td></tr>
<tr><td class="norm" align="right">{NEW_PASSWORD_CONFIRM}</td><td><input type="password" name="pw_new_password_confirm" value=""></td></tr>
<tr><td></td><td><input type="submit" name="change_password" value="{PASSWORD_CHANGE_BUTTON_VALUE}"><input type="button" name="pw_change" value="{CLOSE}" OnClick="ShowHideDiv('pw_change_div');"></td></tr>
</table>
</div>
EOM;
}
else
{
$strings = array_merge($strings, array (
'JS_SHOW_HIDE' => '',
'PASSWORD_CHANGE_BUTTON' => '',
'PASSWORD_CHANGE_DIV' => ''
));
}
// first check if all strings are set from outside, if not, set with default ones
while (list($string, $data) = each($strings))
{
if (!array_key_exists($string, $this->login_template['strings']))
{
$this->login_template['strings'][$string] = $data;
}
}
// error msgs the same
while (list($code, $data) = each($error_msgs))
{
if (!array_key_exists($code, $this->login_error_msg))
{
$this->login_error_msg[$code] = $data;
}
}
// now check templates
if (!$this->login_template['template'])
{
$this->login_template['template'] = <<<EOM
<html>
<head>
<title>{HTML_TITLE}</title>
<style type="text/css">
.norm { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; line-height: 15px; color: #000000}
h3 { font-size: 18px; }
.visible { visibility: visible; }
.hidden { visibility: hidden; display: none; }
</style>
<script language="JavaScript">
<!--
{JS_SHOW_HIDE}
//-->
</script>
{LOGOUT_TARGET}
</head>
<body bgcolor="#FFFFFF">
<br>
<br>
<br>
<form method="post">
<table width="500" border="0" cellpadding="2" cellspacing="1">
<tr>
<td class="norm" align="right">
<h3>{TITLE}</h3>
</td>
<td>&nbsp;</td>
</tr>
<tr>
<td class="norm" colspan="2" align="center">
{ERROR_MSG}
</td>
</tr>
<tr>
<td align="right" class="norm">{USERNAME}</td>
<td><input type="text" name="login_username"></td>
</tr>
<tr>
<td align="right" class="norm">{PASSWORD}</td>
<td><input type="password" name="login_password"></td>
</tr>
<tr>
<td align="right">
</td>
<td>
<input type="submit" name="login_login" value="{LOGIN}">
{PASSWORD_CHANGE_BUTTON}
</td>
</tr>
<tr>
<td align="right">
<br><br>
</td>
<td>&nbsp;</td>
</tr>
</table>
{PASSWORD_CHANGE_DIV}
</form>
</body>
</html>
EOM;
}
}
// METHOD: write_log
// PARAMS: event -> string of what has been done
// data -> data information (id, etc)
// error -> if error, write error string (not enougth data, etc)
// RETURN: none
// DESC : writes detailed data into the edit user log table (keep log what user does)
private function write_log($event, $data, $error = "", $username = "", $password = "")
{
if ($this->login)
$this->action = 'Login';
elseif ($this->logout)
$this->action = 'Logout';
$_data_binary = array (
'_SESSION' => $_SESSION,
'_GET' => $_GET,
'_POST' => $_POST,
'_FILES' => $_FILES,
'error' => $this->login_error
);
$data_binary = $this->db_escape_bytea(bzcompress(serialize($_data_binary)));
// SQL querie for log entry
$q = "INSERT INTO edit_log ";
$q .= "(username, password, euid, event_date, event, error, data, data_binary, page, ";
$q .= "ip, user_agent, referer, script_name, query_string, server_name, http_host, http_accept, http_accept_charset, http_accept_encoding, session_id, ";
$q .= "action, action_id, action_yes, action_flag, action_menu, action_loaded, action_value, action_error) ";
$q .= "VALUES ('".$this->db_escape_string($username)."', '".$this->db_escape_string($password)."', ".(($this->euid) ? $this->euid : 'NULL').", NOW(), '".$this->db_escape_string($event)."', '".$this->db_escape_string($error)."', '".$this->db_escape_string($data)."', '".$data_binary."', '".$this->page_name."', ";
foreach (array('REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'SCRIPT_FILENAME', 'QUERY_STRING', 'SERVER_NAME', 'HTTP_HOST', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING') as $server_code)
{
if (array_key_exists($server_code, $_SERVER))
$q .= "'".$this->db_escape_string($_SERVER[$server_code])."', ";
else
$q .= "NULL, ";
}
$q .= "'".session_id()."', ";
$q .= "'".$this->db_escape_string($this->action)."', '".$this->db_escape_string($this->username)."', NULL, '".$this->db_escape_string($this->login_error)."', NULL, NULL, '".$this->db_escape_string($this->permission_okay)."', NULL)";
$this->db_exec($q);
}
// METHOD: login_check_edit_access_id
// PARAMS: edit access id to check
// RETURN: same edit access id if ok, or the default edit access id if given one is not valud
// DESC : checks that the given edit access id is valid for this user
public function login_check_edit_access_id($edit_access_id)
{
if (!array_key_exists($edit_access_id, $_SESSION["UNIT"]))
return $_SESSION["UNIT_DEFAULT"];
else
return $edit_access_id;
}
} // close class
?>
Reference in New Issue View Git Blame Copy Permalink