source: admin/auth.php @ 3874:ab8368569446

Visit:

Revision 3874:ab8368569446, 14.4 KB checked in by franck <carnet.franck.paul@…>, 7 years ago (diff)
short notation for array (array() → [])

Rev	Line
[0]	1	<?php
[3731]	2	/**
	3	* @package Dotclear
	4	* @subpackage Backend
	5	*
	6	* @copyright Olivier Meunier & Association Dotclear
	7	* @copyright GPL-2.0-only
	8	*/
[0]	9
[3699]	10	require dirname(__FILE__) . '/../inc/admin/prepend.php';
[0]	11
	12	# If we have a session cookie, go to index.php
[3699]	13	if (isset($_SESSION['sess_user_id'])) {
	14	$core->adminurl->redirect('admin.home');
[0]	15	}
	16
	17	# Loading locales for detected language
	18	# That's a tricky hack but it works ;)
	19	$dlang = http::getAcceptLanguage();
[364]	20	$dlang = ($dlang == '' ? 'en' : $dlang);
[3699]	21	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $dlang)) {
	22	l10n::lang($dlang);
	23	l10n::set(dirname(__FILE__) . '/../locales/' . $dlang . '/main');
[0]	24	}
	25
[3352]	26	if (defined('DC_ADMIN_URL')) {
[3699]	27	$page_url = DC_ADMIN_URL . $core->adminurl->get('admin.auth');
[3352]	28	} else {
[3699]	29	$page_url = http::getHost() . $_SERVER['REQUEST_URI'];
[3352]	30	}
[0]	31
	32	$change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']);
[794]	33	$login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null;
[3699]	34	$recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
	35	$safe_mode = !empty($_REQUEST['safe_mode']);
	36	$akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null;
	37	$user_id = $user_pwd = $user_key = $user_email = null;
	38	$err = $msg = null;
[0]	39
	40	# Auto upgrade
	41	if (empty($_GET) && empty($_POST)) {
[3699]	42	require dirname(__FILE__) . '/../inc/dbschema/upgrade.php';
	43	try {
	44	if (($changes = dcUpgrade::dotclearUpgrade($core)) !== false) {
	45	$msg = __('Dotclear has been upgraded.') . '<!-- ' . $changes . ' -->';
	46	}
	47	} catch (Exception $e) {
	48	$err = $e->getMessage();
	49	}
[0]	50	}
	51
	52	# If we have POST login informations, go throug auth process
[3699]	53	if (!empty($_POST['user_id']) && !empty($_POST['user_pwd'])) {
	54	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
	55	$user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null;
[0]	56	}
	57	# If we have COOKIE login informations, go throug auth process
[3699]	58	elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) {
	59	# If we have a remember cookie, go through auth process with user_key
	60	$user_id = substr($_COOKIE['dc_admin'], 40);
	61	$user_id = @unpack('a32', @pack('H*', $user_id));
	62	if (is_array($user_id)) {
	63	$user_id = trim($user_id[1]);
	64	$user_key = substr($_COOKIE['dc_admin'], 0, 40);
	65	$user_pwd = null;
	66	} else {
	67	$user_id = null;
	68	}
[0]	69	}
	70
	71	# Recover password
[3699]	72	if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email'])) {
	73	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
	74	$user_email = !empty($_POST['user_email']) ? html::escapeHTML($_POST['user_email']) : '';
	75	try
	76	{
	77	$recover_key = $core->auth->setRecoverKey($user_id, $user_email);
[2566]	78
[3699]	79	$subject = mail::B64Header('Dotclear ' . __('Password reset'));
	80	$message =
	81	__('Someone has requested to reset the password for the following site and username.') . "\n\n" .
	82	$page_url . "\n" . __('Username:') . ' ' . $user_id . "\n\n" .
	83	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\n" .
	84	$page_url . '?akey=' . $recover_key;
[2566]	85
[3699]	86	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
	87	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
[2566]	88
[3699]	89	mail::sendMail($user_email, $subject, $message, $headers);
	90	$msg = sprintf(__('The e-mail was sent successfully to %s.'), $user_email);
	91	} catch (Exception $e) {
	92	$err = $e->getMessage();
	93	}
[0]	94	}
	95	# Send new password
[3699]	96	elseif ($akey) {
	97	try
	98	{
	99	$recover_res = $core->auth->recoverUserPassword($akey);
[2566]	100
[3699]	101	$subject = mb_encode_mimeheader('Dotclear ' . __('Your new password'), 'UTF-8', 'B');
	102	$message =
	103	__('Username:') . ' ' . $recover_res['user_id'] . "\n" .
	104	__('Password:') . ' ' . $recover_res['new_pass'] . "\n\n" .
	105	preg_replace('/\?(.*)$/', '', $page_url);
[2566]	106
[3699]	107	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
	108	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
[2566]	109
[3699]	110	mail::sendMail($recover_res['user_email'], $subject, $message, $headers);
	111	$msg = __('Your new password is in your mailbox.');
	112	} catch (Exception $e) {
	113	$err = $e->getMessage();
	114	}
[0]	115	}
	116	# Change password and retry to log
[3699]	117	elseif ($change_pwd) {
	118	try
	119	{
	120	$tmp_data = explode('/', $_POST['login_data']);
	121	if (count($tmp_data) != 3) {
	122	throw new Exception();
	123	}
[3874]	124	$data = [
[3699]	125	'user_id' => base64_decode($tmp_data[0]),
	126	'cookie_admin' => $tmp_data[1],
	127	'user_remember' => $tmp_data[2] == '1'
[3874]	128	];
[3699]	129	if ($data['user_id'] === false) {
	130	throw new Exception();
	131	}
[2566]	132
[3699]	133	# Check login informations
	134	$check_user = false;
	135	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104) {
	136	$user_id = substr($data['cookie_admin'], 40);
	137	$user_id = @unpack('a32', @pack('H*', $user_id));
	138	if (is_array($user_id)) {
	139	$user_id = trim($data['user_id']);
	140	$user_key = substr($data['cookie_admin'], 0, 40);
	141	$check_user = $core->auth->checkUser($user_id, null, $user_key) === true;
	142	} else {
	143	$user_id = trim($user_id);
	144	}
	145	}
[2566]	146
[3699]	147	if (!$core->auth->allowPassChange() \|\| !$check_user) {
	148	$change_pwd = false;
	149	throw new Exception();
	150	}
[2566]	151
[3699]	152	if ($_POST['new_pwd'] != $_POST['new_pwd_c']) {
	153	throw new Exception(__("Passwords don't match"));
	154	}
[2566]	155
[3699]	156	if ($core->auth->checkUser($user_id, $_POST['new_pwd']) === true) {
	157	throw new Exception(__("You didn't change your password."));
	158	}
[2566]	159
[3699]	160	$cur = $core->con->openCursor($core->prefix . 'user');
	161	$cur->user_change_pwd = 0;
	162	$cur->user_pwd = $_POST['new_pwd'];
	163	$core->updUser($core->auth->userID(), $cur);
[2566]	164
[3699]	165	$core->session->start();
	166	$_SESSION['sess_user_id'] = $user_id;
	167	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
[2566]	168
[3699]	169	if ($data['user_remember']) {
	170	setcookie('dc_admin', $data['cookie_admin'], strtotime('+15 days'), '', '', DC_ADMIN_SSL);
	171	}
[2566]	172
[3699]	173	$core->adminurl->redirect('admin.home');
	174	} catch (Exception $e) {
	175	$err = $e->getMessage();
	176	}
[0]	177	}
	178	# Try to log
[3699]	179	elseif ($user_id !== null && ($user_pwd !== null \|\| $user_key !== null)) {
	180	# We check the user
	181	$check_user = $core->auth->checkUser($user_id, $user_pwd, $user_key, false) === true;
	182	if ($check_user) {
	183	$check_perms = $core->auth->findUserBlog() !== false;
	184	} else {
	185	$check_perms = false;
	186	}
[2566]	187
[3699]	188	$cookie_admin = http::browserUID(DC_MASTER_KEY . $user_id .
	189	$core->auth->cryptLegacy($user_id)) . bin2hex(pack('a32', $user_id));
[2566]	190
[3699]	191	if ($check_perms && $core->auth->mustChangePassword()) {
[3874]	192	$login_data = join('/', [
[3699]	193	base64_encode($user_id),
	194	$cookie_admin,
	195	empty($_POST['user_remember']) ? '0' : '1'
[3874]	196	]);
[2566]	197
[3699]	198	if (!$core->auth->allowPassChange()) {
	199	$err = __('You have to change your password before you can login.');
	200	} else {
	201	$err = __('In order to login, you have to change your password now.');
	202	$change_pwd = true;
	203	}
	204	} elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin()) {
	205	$err = __('Safe Mode can only be used for super administrators.');
	206	} elseif ($check_perms) {
	207	$core->session->start();
	208	$_SESSION['sess_user_id'] = $user_id;
	209	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
[2566]	210
[3699]	211	if (!empty($_POST['blog'])) {
	212	$_SESSION['sess_blog_id'] = $_POST['blog'];
	213	}
[2566]	214
[3699]	215	if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) {
	216	$_SESSION['sess_safe_mode'] = true;
	217	}
[2566]	218
[3699]	219	if (!empty($_POST['user_remember'])) {
	220	setcookie('dc_admin', $cookie_admin, strtotime('+15 days'), '', '', DC_ADMIN_SSL);
	221	}
[2566]	222
[3699]	223	$core->adminurl->redirect('admin.home');
	224	} else {
	225	if (isset($_COOKIE['dc_admin'])) {
	226	unset($_COOKIE['dc_admin']);
	227	setcookie('dc_admin', false, -600, '', '', DC_ADMIN_SSL);
	228	}
	229	if ($check_user) {
	230	$err = __('Insufficient permissions');
	231	} else {
	232	$err = __('Wrong username or password');
	233	}
	234	}
[0]	235	}
	236
	237	if (isset($_GET['user'])) {
[3699]	238	$user_id = $_GET['user'];
[0]	239	}
	240
	241	header('Content-Type: text/html; charset=UTF-8');
[2792]	242
	243	// Prevents Clickjacking as far as possible
	244	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
	245
[0]	246	?>
[2760]	247	<!DOCTYPE html>
	248	<html lang="<?php echo $dlang; ?>">
[0]	249	<head>
[2760]	250	<meta charset="UTF-8" />
[0]	251	<meta http-equiv="Content-Script-Type" content="text/javascript" />
	252	<meta http-equiv="Content-Style-Type" content="text/css" />
[364]	253	<meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" />
[0]	254	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
	255	<meta name="GOOGLEBOT" content="NOSNIPPET" />
[1310]	256	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
[0]	257	<title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title>
[2160]	258	<link rel="icon" type="image/png" href="images/favicon96-logout.png" />
[2780]	259	<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
[2160]	260
[2566]	261
[0]	262	<?php
	263	echo dcPage::jsCommon();
	264	?>
[2566]	265
[3699]	266	<link rel="stylesheet" href="style/default.css" type="text/css" media="screen" />
[2566]	267
[3421]	268	<?php
	269	# --BEHAVIOR-- loginPageHTMLHead
	270	$core->callBehavior('loginPageHTMLHead');
[3725]	271
	272	echo dcPage::jsLoad('js/_auth.js');
[3421]	273	?>
[0]	274	</head>
	275
	276	<body id="dotclear-admin" class="auth">
	277
[2720]	278	<form action="<?php echo $core->adminurl->get('admin.auth'); ?>" method="post" id="login-screen">
[2784]	279	<h1 role="banner"><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1>
[0]	280
	281	<?php
	282	if ($err) {
[3699]	283	echo '<div class="error" role="alert">' . $err . '</div>';
[0]	284	}
	285	if ($msg) {
[3699]	286	echo '<p class="success" role="alert">' . $msg . '</p>';
[0]	287	}
	288
[3699]	289	if ($akey) {
	290	echo '<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>';
	291	} elseif ($recover) {
	292	echo
	293	'<div class="fieldset" role="main"><h2>' . __('Request a new password') . '</h2>' .
	294	'<p><label for="user_id">' . __('Username:') . '</label> ' .
[3725]	295	form::field('user_id', 20, 32,
[3874]	296	[
[3725]	297	'default' => html::escapeHTML($user_id),
	298	'autocomplete' => 'username'
[3874]	299	]
[3725]	300	) .
	301	'</p>' .
[2566]	302
[3699]	303	'<p><label for="user_email">' . __('Email:') . '</label> ' .
[3725]	304	form::email('user_email',
[3874]	305	[
[3725]	306	'default' => html::escapeHTML($user_email),
	307	'autocomplete' => 'email'
[3874]	308	]
[3725]	309	) .
	310	'</p>' .
[2566]	311
[3699]	312	'<p><input type="submit" value="' . __('recover') . '" />' .
[3725]	313	form::hidden('recover', 1) . '</p>' .
[3699]	314	'</div>' .
[2566]	315
[3699]	316	'<div id="issue">' .
	317	'<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>' .
	318	'</div>';
	319	} elseif ($change_pwd) {
	320	echo
	321	'<div class="fieldset"><h2>' . __('Change your password') . '</h2>' .
	322	'<p><label for="new_pwd">' . __('New password:') . '</label> ' .
[3725]	323	form::password('new_pwd', 20, 255,
[3874]	324	[
[3725]	325	'autocomplete' => 'new-password'
[3874]	326	]
[3725]	327	) . '</p>' .
[2566]	328
[3699]	329	'<p><label for="new_pwd_c">' . __('Confirm password:') . '</label> ' .
[3725]	330	form::password('new_pwd_c', 20, 255,
[3874]	331	[
[3725]	332	'autocomplete' => 'new-password'
[3874]	333	]
[3725]	334	) . '</p>' .
[3699]	335	'</div>' .
[2566]	336
[3699]	337	'<p><input type="submit" value="' . __('change') . '" />' .
	338	form::hidden('login_data', $login_data) . '</p>';
	339	} else {
[3874]	340	if (is_callable([$core->auth, 'authForm'])) {
[3699]	341	echo $core->auth->authForm($user_id);
	342	} else {
	343	if ($safe_mode) {
	344	echo '<div class="fieldset" role="main">';
	345	echo '<h2>' . __('Safe mode login') . '</h2>';
	346	echo
	347	'<p class="form-note">' .
	348	__('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems') . ' </p>' .
	349	'<p class="form-note">' . __('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.') .
	350	'</p>';
	351	} else {
	352	echo '<div class="fieldset" role="main">';
	353	}
[536]	354
[3699]	355	echo
	356	'<p><label for="user_id">' . __('Username:') . '</label> ' .
[3725]	357	form::field('user_id', 20, 32,
[3874]	358	[
[3725]	359	'default' => html::escapeHTML($user_id),
	360	'autocomplete' => 'username'
[3874]	361	]
[3725]	362	) . '</p>' .
[2566]	363
[3699]	364	'<p><label for="user_pwd">' . __('Password:') . '</label> ' .
[3725]	365	form::password('user_pwd', 20, 255,
[3874]	366	[
[3725]	367	'autocomplete' => 'current-password'
[3874]	368	]
[3725]	369	) . '</p>' .
[2566]	370
[3699]	371	'<p>' .
[3725]	372	form::checkbox('user_remember', 1) .
[3699]	373	'<label for="user_remember" class="classic">' .
	374	__('Remember my ID on this device') . '</label></p>' .
[2566]	375
[3699]	376	'<p><input type="submit" value="' . __('log in') . '" class="login" /></p>';
[2566]	377
[3699]	378	if (!empty($_REQUEST['blog'])) {
	379	echo form::hidden('blog', html::escapeHTML($_REQUEST['blog']));
	380	}
	381	if ($safe_mode) {
	382	echo
	383	form::hidden('safe_mode', 1) .
	384	'</div>';
	385	} else {
	386	echo '</div>';
	387	}
	388	echo
	389	'<p id="cookie_help" class="error">' . __('You must accept cookies in order to use the private area.') . '</p>';
[72]	390
[3699]	391	echo '<div id="issue">';
[2566]	392
[3699]	393	if ($safe_mode) {
	394	echo
	395	'<p><a href="' . $core->adminurl->get('admin.auth') . '" id="normal_mode_link">' . __('Get back to normal authentication') . '</a></p>';
	396	} else {
	397	echo '<p id="more"><strong>' . __('Connection issue?') . '</strong></p>';
	398	if ($core->auth->allowPassChange()) {
[3874]	399	echo '<p><a href="' . $core->adminurl->get('admin.auth', ['recover' => 1]) . '">' . __('I forgot my password') . '</a></p>';
[3699]	400	}
[3874]	401	echo '<p><a href="' . $core->adminurl->get('admin.auth', ['safe_mode' => 1]) . '" id="safe_mode_link">' . __('I want to log in in safe mode') . '</a></p>';
[3699]	402	}
[2566]	403
[3699]	404	echo '</div>';
	405	}
[0]	406	}
	407	?>
	408	</form>
	409	</body>
[794]	410	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 3874:ab8368569446

Download in other formats:

Sites map