source: admin/auth.php @ 3699:77a12236e993

Visit:

Revision 3699:77a12236e993, 15.2 KB checked in by franck <carnet.franck.paul@…>, 8 years ago (diff)
Add autocomplete attribute to form::password where it's relevant, code formatting (PSR-2)

Rev	Line
[0]	1	<?php
	2	# -- BEGIN LICENSE BLOCK ---------------------------------------
	3	#
	4	# This file is part of Dotclear 2.
	5	#
[1179]	6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
[0]	7	# Licensed under the GPL version 2.0 license.
	8	# See LICENSE file or
	9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
	10	#
	11	# -- END LICENSE BLOCK -----------------------------------------
	12
[3699]	13	require dirname(__FILE__) . '/../inc/admin/prepend.php';
[0]	14
	15	# If we have a session cookie, go to index.php
[3699]	16	if (isset($_SESSION['sess_user_id'])) {
	17	$core->adminurl->redirect('admin.home');
[0]	18	}
	19
	20	# Loading locales for detected language
	21	# That's a tricky hack but it works ;)
	22	$dlang = http::getAcceptLanguage();
[364]	23	$dlang = ($dlang == '' ? 'en' : $dlang);
[3699]	24	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $dlang)) {
	25	l10n::lang($dlang);
	26	l10n::set(dirname(__FILE__) . '/../locales/' . $dlang . '/main');
[0]	27	}
	28
[3352]	29	if (defined('DC_ADMIN_URL')) {
[3699]	30	$page_url = DC_ADMIN_URL . $core->adminurl->get('admin.auth');
[3352]	31	} else {
[3699]	32	$page_url = http::getHost() . $_SERVER['REQUEST_URI'];
[3352]	33	}
[0]	34
	35	$change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']);
[794]	36	$login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null;
[3699]	37	$recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
	38	$safe_mode = !empty($_REQUEST['safe_mode']);
	39	$akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null;
	40	$user_id = $user_pwd = $user_key = $user_email = null;
	41	$err = $msg = null;
[0]	42
	43	# Auto upgrade
	44	if (empty($_GET) && empty($_POST)) {
[3699]	45	require dirname(__FILE__) . '/../inc/dbschema/upgrade.php';
	46	try {
	47	if (($changes = dcUpgrade::dotclearUpgrade($core)) !== false) {
	48	$msg = __('Dotclear has been upgraded.') . '<!-- ' . $changes . ' -->';
	49	}
	50	} catch (Exception $e) {
	51	$err = $e->getMessage();
	52	}
[0]	53	}
	54
	55	# If we have POST login informations, go throug auth process
[3699]	56	if (!empty($_POST['user_id']) && !empty($_POST['user_pwd'])) {
	57	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
	58	$user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null;
[0]	59	}
	60	# If we have COOKIE login informations, go throug auth process
[3699]	61	elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) {
	62	# If we have a remember cookie, go through auth process with user_key
	63	$user_id = substr($_COOKIE['dc_admin'], 40);
	64	$user_id = @unpack('a32', @pack('H*', $user_id));
	65	if (is_array($user_id)) {
	66	$user_id = trim($user_id[1]);
	67	$user_key = substr($_COOKIE['dc_admin'], 0, 40);
	68	$user_pwd = null;
	69	} else {
	70	$user_id = null;
	71	}
[0]	72	}
	73
	74	# Recover password
[3699]	75	if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email'])) {
	76	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
	77	$user_email = !empty($_POST['user_email']) ? html::escapeHTML($_POST['user_email']) : '';
	78	try
	79	{
	80	$recover_key = $core->auth->setRecoverKey($user_id, $user_email);
[2566]	81
[3699]	82	$subject = mail::B64Header('Dotclear ' . __('Password reset'));
	83	$message =
	84	__('Someone has requested to reset the password for the following site and username.') . "\n\n" .
	85	$page_url . "\n" . __('Username:') . ' ' . $user_id . "\n\n" .
	86	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\n" .
	87	$page_url . '?akey=' . $recover_key;
[2566]	88
[3699]	89	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
	90	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
[2566]	91
[3699]	92	mail::sendMail($user_email, $subject, $message, $headers);
	93	$msg = sprintf(__('The e-mail was sent successfully to %s.'), $user_email);
	94	} catch (Exception $e) {
	95	$err = $e->getMessage();
	96	}
[0]	97	}
	98	# Send new password
[3699]	99	elseif ($akey) {
	100	try
	101	{
	102	$recover_res = $core->auth->recoverUserPassword($akey);
[2566]	103
[3699]	104	$subject = mb_encode_mimeheader('Dotclear ' . __('Your new password'), 'UTF-8', 'B');
	105	$message =
	106	__('Username:') . ' ' . $recover_res['user_id'] . "\n" .
	107	__('Password:') . ' ' . $recover_res['new_pass'] . "\n\n" .
	108	preg_replace('/\?(.*)$/', '', $page_url);
[2566]	109
[3699]	110	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
	111	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
[2566]	112
[3699]	113	mail::sendMail($recover_res['user_email'], $subject, $message, $headers);
	114	$msg = __('Your new password is in your mailbox.');
	115	} catch (Exception $e) {
	116	$err = $e->getMessage();
	117	}
[0]	118	}
	119	# Change password and retry to log
[3699]	120	elseif ($change_pwd) {
	121	try
	122	{
	123	$tmp_data = explode('/', $_POST['login_data']);
	124	if (count($tmp_data) != 3) {
	125	throw new Exception();
	126	}
	127	$data = array(
	128	'user_id' => base64_decode($tmp_data[0]),
	129	'cookie_admin' => $tmp_data[1],
	130	'user_remember' => $tmp_data[2] == '1'
	131	);
	132	if ($data['user_id'] === false) {
	133	throw new Exception();
	134	}
[2566]	135
[3699]	136	# Check login informations
	137	$check_user = false;
	138	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104) {
	139	$user_id = substr($data['cookie_admin'], 40);
	140	$user_id = @unpack('a32', @pack('H*', $user_id));
	141	if (is_array($user_id)) {
	142	$user_id = trim($data['user_id']);
	143	$user_key = substr($data['cookie_admin'], 0, 40);
	144	$check_user = $core->auth->checkUser($user_id, null, $user_key) === true;
	145	} else {
	146	$user_id = trim($user_id);
	147	}
	148	}
[2566]	149
[3699]	150	if (!$core->auth->allowPassChange() \|\| !$check_user) {
	151	$change_pwd = false;
	152	throw new Exception();
	153	}
[2566]	154
[3699]	155	if ($_POST['new_pwd'] != $_POST['new_pwd_c']) {
	156	throw new Exception(__("Passwords don't match"));
	157	}
[2566]	158
[3699]	159	if ($core->auth->checkUser($user_id, $_POST['new_pwd']) === true) {
	160	throw new Exception(__("You didn't change your password."));
	161	}
[2566]	162
[3699]	163	$cur = $core->con->openCursor($core->prefix . 'user');
	164	$cur->user_change_pwd = 0;
	165	$cur->user_pwd = $_POST['new_pwd'];
	166	$core->updUser($core->auth->userID(), $cur);
[2566]	167
[3699]	168	$core->session->start();
	169	$_SESSION['sess_user_id'] = $user_id;
	170	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
[2566]	171
[3699]	172	if ($data['user_remember']) {
	173	setcookie('dc_admin', $data['cookie_admin'], strtotime('+15 days'), '', '', DC_ADMIN_SSL);
	174	}
[2566]	175
[3699]	176	$core->adminurl->redirect('admin.home');
	177	} catch (Exception $e) {
	178	$err = $e->getMessage();
	179	}
[0]	180	}
	181	# Try to log
[3699]	182	elseif ($user_id !== null && ($user_pwd !== null \|\| $user_key !== null)) {
	183	# We check the user
	184	$check_user = $core->auth->checkUser($user_id, $user_pwd, $user_key, false) === true;
	185	if ($check_user) {
	186	$check_perms = $core->auth->findUserBlog() !== false;
	187	} else {
	188	$check_perms = false;
	189	}
[2566]	190
[3699]	191	$cookie_admin = http::browserUID(DC_MASTER_KEY . $user_id .
	192	$core->auth->cryptLegacy($user_id)) . bin2hex(pack('a32', $user_id));
[2566]	193
[3699]	194	if ($check_perms && $core->auth->mustChangePassword()) {
	195	$login_data = join('/', array(
	196	base64_encode($user_id),
	197	$cookie_admin,
	198	empty($_POST['user_remember']) ? '0' : '1'
	199	));
[2566]	200
[3699]	201	if (!$core->auth->allowPassChange()) {
	202	$err = __('You have to change your password before you can login.');
	203	} else {
	204	$err = __('In order to login, you have to change your password now.');
	205	$change_pwd = true;
	206	}
	207	} elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin()) {
	208	$err = __('Safe Mode can only be used for super administrators.');
	209	} elseif ($check_perms) {
	210	$core->session->start();
	211	$_SESSION['sess_user_id'] = $user_id;
	212	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
[2566]	213
[3699]	214	if (!empty($_POST['blog'])) {
	215	$_SESSION['sess_blog_id'] = $_POST['blog'];
	216	}
[2566]	217
[3699]	218	if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) {
	219	$_SESSION['sess_safe_mode'] = true;
	220	}
[2566]	221
[3699]	222	if (!empty($_POST['user_remember'])) {
	223	setcookie('dc_admin', $cookie_admin, strtotime('+15 days'), '', '', DC_ADMIN_SSL);
	224	}
[2566]	225
[3699]	226	$core->adminurl->redirect('admin.home');
	227	} else {
	228	if (isset($_COOKIE['dc_admin'])) {
	229	unset($_COOKIE['dc_admin']);
	230	setcookie('dc_admin', false, -600, '', '', DC_ADMIN_SSL);
	231	}
	232	if ($check_user) {
	233	$err = __('Insufficient permissions');
	234	} else {
	235	$err = __('Wrong username or password');
	236	}
	237	}
[0]	238	}
	239
	240	if (isset($_GET['user'])) {
[3699]	241	$user_id = $_GET['user'];
[0]	242	}
	243
	244	header('Content-Type: text/html; charset=UTF-8');
[2792]	245
	246	// Prevents Clickjacking as far as possible
	247	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
	248
[0]	249	?>
[2760]	250	<!DOCTYPE html>
	251	<html lang="<?php echo $dlang; ?>">
[0]	252	<head>
[2760]	253	<meta charset="UTF-8" />
[0]	254	<meta http-equiv="Content-Script-Type" content="text/javascript" />
	255	<meta http-equiv="Content-Style-Type" content="text/css" />
[364]	256	<meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" />
[0]	257	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
	258	<meta name="GOOGLEBOT" content="NOSNIPPET" />
[1310]	259	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
[0]	260	<title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title>
[2160]	261	<link rel="icon" type="image/png" href="images/favicon96-logout.png" />
[2780]	262	<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
[2160]	263
[2566]	264
[0]	265	<?php
	266	echo dcPage::jsCommon();
	267	?>
[2566]	268
[3699]	269	<link rel="stylesheet" href="style/default.css" type="text/css" media="screen" />
[2566]	270
[3421]	271	<?php
	272	# --BEHAVIOR-- loginPageHTMLHead
	273	$core->callBehavior('loginPageHTMLHead');
	274	?>
[2566]	275
[3699]	276	<script type="text/javascript">
	277	$(window).load(function() {
	278	var uid = $('input[name=user_id]');
	279	var upw = $('input[name=user_pwd]');
	280	uid.focus();
[2566]	281
[3699]	282	if (upw.length == 0) { return; }
[2566]	283
[3699]	284	uid.keypress(processKey);
[1781]	285
[3699]	286	function processKey(evt) {
	287	if (evt.which == 13 && upw.val() == '') {
	288	upw.focus();
	289	return false;
	290	}
	291	return true;
	292	};
	293	$.cookie('dc_admin_test_cookie',true);
	294	if ($.cookie('dc_admin_test_cookie')) {
	295	$('#cookie_help').hide();
	296	$.cookie('dc_admin_test_cookie', '', {'expires': -1});
	297	} else {
	298	$('#cookie_help').show();
	299	}
	300	$('#issue #more').toggleWithLegend($('#issue').children().not('#more'));
	301	});
	302	</script>
[0]	303	</head>
	304
	305	<body id="dotclear-admin" class="auth">
	306
[2720]	307	<form action="<?php echo $core->adminurl->get('admin.auth'); ?>" method="post" id="login-screen">
[2784]	308	<h1 role="banner"><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1>
[0]	309
	310	<?php
	311	if ($err) {
[3699]	312	echo '<div class="error" role="alert">' . $err . '</div>';
[0]	313	}
	314	if ($msg) {
[3699]	315	echo '<p class="success" role="alert">' . $msg . '</p>';
[0]	316	}
	317
[3699]	318	if ($akey) {
	319	echo '<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>';
	320	} elseif ($recover) {
	321	echo
	322	'<div class="fieldset" role="main"><h2>' . __('Request a new password') . '</h2>' .
	323	'<p><label for="user_id">' . __('Username:') . '</label> ' .
	324	form::field(array('user_id', 'user_id'), 20, 32, html::escapeHTML($user_id)) . '</p>' .
[2566]	325
[3699]	326	'<p><label for="user_email">' . __('Email:') . '</label> ' .
	327	form::field(array('user_email', 'user_email'), 20, 255, html::escapeHTML($user_email)) . '</p>' .
[2566]	328
[3699]	329	'<p><input type="submit" value="' . __('recover') . '" />' .
	330	form::hidden(array('recover'), 1) . '</p>' .
	331	'</div>' .
[2566]	332
[3699]	333	'<div id="issue">' .
	334	'<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>' .
	335	'</div>';
	336	} elseif ($change_pwd) {
	337	echo
	338	'<div class="fieldset"><h2>' . __('Change your password') . '</h2>' .
	339	'<p><label for="new_pwd">' . __('New password:') . '</label> ' .
	340	form::password(array('new_pwd', 'new_pwd'), 20, 255, array('autocomplete' => 'new-password')) . '</p>' .
[2566]	341
[3699]	342	'<p><label for="new_pwd_c">' . __('Confirm password:') . '</label> ' .
	343	form::password(array('new_pwd_c', 'new_pwd_c'), 20, 255, array('autocomplete' => 'new-password')) . '</p>' .
	344	'</div>' .
[2566]	345
[3699]	346	'<p><input type="submit" value="' . __('change') . '" />' .
	347	form::hidden('login_data', $login_data) . '</p>';
	348	} else {
	349	if (is_callable(array($core->auth, 'authForm'))) {
	350	echo $core->auth->authForm($user_id);
	351	} else {
	352	if ($safe_mode) {
	353	echo '<div class="fieldset" role="main">';
	354	echo '<h2>' . __('Safe mode login') . '</h2>';
	355	echo
	356	'<p class="form-note">' .
	357	__('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems') . ' </p>' .
	358	'<p class="form-note">' . __('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.') .
	359	'</p>';
	360	} else {
	361	echo '<div class="fieldset" role="main">';
	362	}
[536]	363
[3699]	364	echo
	365	'<p><label for="user_id">' . __('Username:') . '</label> ' .
	366	form::field(array('user_id', 'user_id'), 20, 32, html::escapeHTML($user_id)) . '</p>' .
[2566]	367
[3699]	368	'<p><label for="user_pwd">' . __('Password:') . '</label> ' .
	369	form::password(array('user_pwd', 'user_pwd'), 20, 255, array('autocomplete' => 'current-password')) . '</p>' .
[2566]	370
[3699]	371	'<p>' .
	372	form::checkbox(array('user_remember', 'user_remember'), 1) .
	373	'<label for="user_remember" class="classic">' .
	374	__('Remember my ID on this device') . '</label></p>' .
[2566]	375
[3699]	376	'<p><input type="submit" value="' . __('log in') . '" class="login" /></p>';
[2566]	377
[3699]	378	if (!empty($_REQUEST['blog'])) {
	379	echo form::hidden('blog', html::escapeHTML($_REQUEST['blog']));
	380	}
	381	if ($safe_mode) {
	382	echo
	383	form::hidden('safe_mode', 1) .
	384	'</div>';
	385	} else {
	386	echo '</div>';
	387	}
	388	echo
	389	'<p id="cookie_help" class="error">' . __('You must accept cookies in order to use the private area.') . '</p>';
[72]	390
[3699]	391	echo '<div id="issue">';
[2566]	392
[3699]	393	if ($safe_mode) {
	394	echo
	395	'<p><a href="' . $core->adminurl->get('admin.auth') . '" id="normal_mode_link">' . __('Get back to normal authentication') . '</a></p>';
	396	} else {
	397	echo '<p id="more"><strong>' . __('Connection issue?') . '</strong></p>';
	398	if ($core->auth->allowPassChange()) {
	399	echo '<p><a href="' . $core->adminurl->get('admin.auth', array('recover' => 1)) . '">' . __('I forgot my password') . '</a></p>';
	400	}
	401	echo '<p><a href="' . $core->adminurl->get('admin.auth', array('safe_mode' => 1)) . '" id="safe_mode_link">' . __('I want to log in in safe mode') . '</a></p>';
	402	}
[2566]	403
[3699]	404	echo '</div>';
	405	}
[0]	406	}
	407	?>
	408	</form>
	409	</body>
[794]	410	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 3699:77a12236e993

Download in other formats:

Sites map