source: admin/auth.php @ 2593:6741802596a0

Visit:

Revision 2593:6741802596a0, 9.6 KB checked in by Dsls, 12 years ago (diff)
Fusion avec default

Rev	Line
[0]	1	<?php
	2	# -- BEGIN LICENSE BLOCK ---------------------------------------
	3	#
	4	# This file is part of Dotclear 2.
	5	#
[794]	6	# Copyright (c) 2003-2011 Olivier Meunier & Association Dotclear
[0]	7	# Licensed under the GPL version 2.0 license.
	8	# See LICENSE file or
	9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
	10	#
	11	# -- END LICENSE BLOCK -----------------------------------------
	12
	13	require dirname(__FILE__).'/../inc/admin/prepend.php';
	14
	15	# If we have a session cookie, go to index.php
[1059]	16	if (isset($_SESSION['sess_user_id'])) {
[0]	17	http::redirect('index.php');
	18	}
	19
	20	# Loading locales for detected language
	21	# That's a tricky hack but it works ;)
	22	$dlang = http::getAcceptLanguage();
[364]	23	$dlang = ($dlang == '' ? 'en' : $dlang);
[1059]	24	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$dlang)) {
[0]	25	l10n::set(dirname(__FILE__).'/../locales/'.$dlang.'/main');
	26	}
	27
	28	# Auto upgrade
	29	if (empty($_GET) && empty($_POST)) {
	30	require dirname(__FILE__).'/../inc/dbschema/upgrade.php';
	31	try {
	32	if (($changes = dotclearUpgrade($core)) !== false) {
[1089]	33	$_ctx->setAlert(__('Dotclear has been upgraded.').'<!-- '.$changes.' -->');
[0]	34	}
[1059]	35	}
	36	catch (Exception $e) {
	37	$_ctx->addError($e->getMessage());
[0]	38	}
	39	}
	40
[1059]	41	/**
	42	Actions for authentication on admin pages
	43	*/
	44	class adminPageAuth
[0]	45	{
[1059]	46	# Send new password from recover email
	47	public static function send($akey)
	48	{
	49	global $core, $_ctx;
	50
	51	$_ctx->akey = true;
	52
	53	try {
	54	$recover_res = $core->auth->recoverUserPassword($akey);
	55
	56	$subject = mb_encode_mimeheader('DotClear '.__('Your new password'),'UTF-8','B');
	57	$message =
	58	__('Username:').' '.$recover_res['user_id']."\n".
	59	__('Password:').' '.$recover_res['new_pass']."\n\n".
	60	preg_replace('/\?(.*)$/','',http::getHost().$_SERVER['REQUEST_URI']);
	61
	62	$headers[] = 'From: dotclear@'.$_SERVER['HTTP_HOST'];
	63	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
	64
	65	mail::sendMail($recover_res['user_email'],$subject,$message,$headers);
[1089]	66	$_ctx->setAlert(__('Your new password is in your mailbox.'));
[1059]	67	}
	68	catch (Exception $e) {
	69	$_ctx->addError($e->getMessage());
	70	}
	71	}
	72
	73	# Authentication process
	74	public static function process($form,$user_id,$user_pwd,$user_key=null)
	75	{
	76	global $core, $_ctx;
	77
	78	# We check the user
	79	$check_user = $core->auth->checkUser($user_id,$user_pwd,$user_key) === true;
	80
	81	$cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id.
	82	crypt::hmac(DC_MASTER_KEY,$user_pwd)).bin2hex(pack('a32',$user_id));
	83
	84	if ($check_user && $core->auth->mustChangePassword())
	85	{
	86	$form->login_data = join('/',array(
	87	base64_encode($user_id),
	88	$cookie_admin,
	89	$form->user_remember == '' ? '0' : '1'
	90	));
	91
	92	if (!$core->auth->allowPassChange()) {
	93	$_ctx->addError(__('You have to change your password before you can login.'));
	94	} else {
	95	$_ctx->addError(__('In order to login, you have to change your password now.'));
	96	$_ctx->change_pwd = true;
	97	}
	98	}
	99	elseif ($check_user && $form->safe_mode != '' && !$core->auth->isSuperAdmin())
	100	{
	101	$_ctx->addError(__('Safe Mode can only be used for super administrators.'));
	102	}
	103	elseif ($check_user)
	104	{
	105	$core->session->start();
	106	$_SESSION['sess_user_id'] = $user_id;
	107	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
	108
	109	if ($form->blog != '') {
	110	$_SESSION['sess_blog_id'] = $form->blog;
	111	}
	112
	113	if ($form->safe_mode != '' && $core->auth->isSuperAdmin()) {
	114	$_SESSION['sess_safe_mode'] = true;
	115	}
	116
	117	if ($form->user_remember != '') {
	118	setcookie('dc_admin',$cookie_admin,strtotime('+15 days'),'','',DC_ADMIN_SSL);
	119	}
	120
	121	http::redirect('index.php');
	122	}
	123	else
	124	{
	125	if (isset($_COOKIE['dc_admin'])) {
	126	unset($_COOKIE['dc_admin']);
	127	setcookie('dc_admin',false,-600,'','',DC_ADMIN_SSL);
	128	}
	129	$_ctx->addError(__('Wrong username or password'));
	130	}
	131	}
	132
	133	# Login form action
	134	public static function login($form)
	135	{
	136	global $_ctx;
	137
	138	if ($form->user_id != '' && $form->user_pwd != '') {
	139	self::process($form,$form->user_id,$form->user_pwd);
	140	}
	141
	142	# Send post values to form
	143	$form->user_id = $form->user_id;
	144	}
	145
	146	# Recover password form action
	147	public static function recover($form)
	148	{
	149	global $core, $_ctx;
	150
	151	if ($form->user_id == '' \|\| $form->user_email == '') {
	152	return;
	153	}
	154
	155	$user_id = $form->user_id;
	156	$user_email = $form->user_email;
	157	$page_url = http::getHost().$_SERVER['REQUEST_URI'];
	158
	159	try {
	160	$recover_key = $core->auth->setRecoverKey($user_id,$user_email);
	161
	162	$subject = mail::B64Header('DotClear '.__('Password reset'));
	163	$message =
	164	__('Someone has requested to reset the password for the following site and username.')."\n\n".
	165	$page_url."\n".__('Username:').' '.$user_id."\n\n".
	166	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.')."\n".
	167	$page_url.'?akey='.$recover_key;
	168
	169	$headers[] = 'From: '.(defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
	170	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
	171
	172	mail::sendMail($user_email,$subject,$message,$headers);
[1089]	173	$_ctx->setAlert(sprintf(__('The e-mail was sent successfully to %s.'),$user_email));
[1059]	174	}
	175	catch (Exception $e) {
	176	$_ctx->addError($e->getMessage());
	177	}
	178
	179	# Send post values to form
	180	$form->user_id = $form->user_id;
	181	$form->user_email = $form->user_email;
	182	}
	183
	184	# Change password form action
	185	public static function change($form)
	186	{
	187	global $core, $_ctx;
	188
	189	if ($form->login_data) {
	190	return;
	191	}
	192	$_ctx->change_pwd = true;
	193
	194	$new_pwd = (string) $form->new_pwd;
	195	$new_pwd_c = (string) $form->new_pwd_c;
	196
	197	try {
	198	$tmp_data = explode('/',$form->login_data);
	199	if (count($tmp_data) != 3) {
	200	throw new Exception();
	201	}
	202	$data = array(
	203	'user_id'=>base64_decode($tmp_data[0]),
	204	'cookie_admin'=>$tmp_data[1],
	205	'user_remember'=>$tmp_data[2]=='1'
	206	);
	207	if ($data['user_id'] === false) {
	208	throw new Exception();
	209	}
	210
	211	# Check login informations
	212	$check_user = false;
	213	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104)
	214	{
	215	$user_id = substr($data['cookie_admin'],40);
	216	$user_id = @unpack('a32',@pack('H*',$user_id));
	217	if (is_array($user_id))
	218	{
	219	$user_id = $user_id[1];
	220	$user_key = substr($data['cookie_admin'],0,40);
	221	$check_user = $core->auth->checkUser($user_id,null,$user_key) === true;
	222	}
	223	}
	224
	225	if (!$core->auth->allowPassChange() \|\| !$check_user) {
	226	$_ctx->change_pwd = false;
	227	throw new Exception();
	228	}
	229
	230	if ($new_pwd != $new_pwd_c) {
	231	throw new Exception(__("Passwords don't match"));
	232	}
	233
	234	if ($core->auth->checkUser($user_id,$new_pwd) === true) {
	235	throw new Exception(__("You didn't change your password."));
	236	}
	237
	238	$cur = $core->con->openCursor($core->prefix.'user');
	239	$cur->user_change_pwd = 0;
	240	$cur->user_pwd = $new_pwd;
	241	$core->updUser($core->auth->userID(),$cur);
	242
	243	$core->session->start();
	244	$_SESSION['sess_user_id'] = $user_id;
	245	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
	246
	247	if ($data['user_remember']) {
	248	setcookie('dc_admin',$data['cookie_admin'],strtotime('+15 days'),'','',DC_ADMIN_SSL);
	249	}
	250
	251	http::redirect('index.php');
	252	}
	253	catch (Exception $e) {
	254	$_ctx->addError($e->getMessage());
	255	}
	256
	257	# Send post values to form
	258	$form->login_data = $form->login_data;
	259	}
[0]	260	}
[1059]	261
	262	# Form fields
	263	$form = new dcForm($core,'auth','auth.php');
	264	$form
	265	->addField(
	266	new dcFieldText('user_id','',array(
[2313]	267	"label" => __('Username:'),
	268	"maxlength" => 32)))
[1059]	269	->addField(
	270	new dcFieldPassword('user_pwd','',array(
	271	"label" => __('Password:'))))
	272	->addField(
	273	new dcFieldText('user_email','',array(
	274	"label" => __('Email:'))))
	275	->addField(
	276	new dcFieldPassword('new_pwd','',array(
	277	"label" => __('New password:'))))
	278	->addField(
	279	new dcFieldPassword('new_pwd_c','',array(
	280	"label" => __('Confirm password:'))))
	281	->addField(
[1317]	282	new dcFieldCheckbox ('user_remember',1,array(
[1059]	283	"label" => __('Remember my ID on this computer'))))
	284	->addField(
	285	new dcFieldSubmit('auth_login',__('log in'),array(
	286	'action' => array('adminPageAuth','login'))))
	287	->addField(
	288	new dcFieldSubmit('auth_recover',__('recover'),array(
	289	'action' => array('adminPageAuth','recover'))))
	290	->addField(
	291	new dcFieldSubmit('auth_change',__('change'),array(
	292	'action' => array('adminPageAuth','change'))))
	293	->addField(
	294	new dcFieldHidden ('safe_mode','0'))
	295	->addField(
	296	new dcFieldHidden ('recover','0'))
	297	->addField(
	298	new dcFieldHidden ('login_data',''))
	299	->addField(
	300	new dcFieldHidden ('blog',''));
	301
	302	# Context variables
	303	$_ctx->allow_pass_change = $core->auth->allowPassChange();
	304	$_ctx->change_pwd = $core->auth->allowPassChange() && $form->new_pwd != '' && $form->new_pwd_c != '' && $form->login_data != '';
	305	$_ctx->recover = $form->recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
[1061]	306	$_ctx->setSafeMode(!empty($_REQUEST['safe_mode']));
	307	$form->safe_mode = !empty($_REQUEST['safe_mode']);
[1059]	308	$_ctx->akey = false;
[2313]	309	$_ctx->dlang = $dlang;
[1059]	310
	311	# If we have no POST login informations and have COOKIE login informations, go throug auth process
	312	if ($form->user_id == '' && $form->user_pwd == ''
	313	&& isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) {
	314
[0]	315	# If we have a remember cookie, go through auth process with user_key
	316	$user_id = substr($_COOKIE['dc_admin'],40);
	317	$user_id = @unpack('a32',@pack('H*',$user_id));
[1059]	318
	319	if (is_array($user_id)) {
[0]	320	$user_id = $user_id[1];
	321	$user_key = substr($_COOKIE['dc_admin'],0,40);
[1059]	322	$user_pwd = '';
	323
	324	adminPageAuth::process($form,$user_id,$user_pwd,$user_key);
[0]	325	}
	326	}
[1059]	327	# If we have an akey, go throug send password process
	328	elseif ($core->auth->allowPassChange() && !empty($_GET['akey'])) {
	329	adminPageAuth::send($_GET['akey']);
[0]	330	}
	331
	332	if (isset($_GET['user'])) {
[1059]	333	$form->user_id = $_GET['user'];
[0]	334	}
	335
[1059]	336	$form->setup();
[2160]	337
[1059]	338	$core->tpl->display('auth.html.twig');
	339	?>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 2593:6741802596a0

Download in other formats:

Sites map