source: admin/auth.php @ 3146:ab86f108eae6

Visit:

Revision 3146:ab86f108eae6, 13.0 KB checked in by Dsls, 10 years ago (diff)
complement on trim, see #2097

Rev	Line
[0]	1	<?php
	2	# -- BEGIN LICENSE BLOCK ---------------------------------------
	3	#
	4	# This file is part of Dotclear 2.
	5	#
[1179]	6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
[0]	7	# Licensed under the GPL version 2.0 license.
	8	# See LICENSE file or
	9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
	10	#
	11	# -- END LICENSE BLOCK -----------------------------------------
	12
	13	require dirname(__FILE__).'/../inc/admin/prepend.php';
	14
	15	# If we have a session cookie, go to index.php
	16	if (isset($_SESSION['sess_user_id']))
	17	{
[2852]	18	$core->adminurl->redirect('admin.home');
[0]	19	}
	20
	21	# Loading locales for detected language
	22	# That's a tricky hack but it works ;)
	23	$dlang = http::getAcceptLanguage();
[364]	24	$dlang = ($dlang == '' ? 'en' : $dlang);
[366]	25	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$dlang))
[0]	26	{
[1949]	27	l10n::lang($dlang);
[0]	28	l10n::set(dirname(__FILE__).'/../locales/'.$dlang.'/main');
	29	}
	30
	31	$page_url = http::getHost().$_SERVER['REQUEST_URI'];
	32
	33	$change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']);
[794]	34	$login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null;
[0]	35	$recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
	36	$safe_mode = !empty($_REQUEST['safe_mode']);
	37	$akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null;
	38	$user_id = $user_pwd = $user_key = $user_email = null;
	39	$err = $msg = null;
	40
	41	# Auto upgrade
	42	if (empty($_GET) && empty($_POST)) {
	43	require dirname(__FILE__).'/../inc/dbschema/upgrade.php';
	44	try {
	45	if (($changes = dotclearUpgrade($core)) !== false) {
	46	$msg = __('Dotclear has been upgraded.').'<!-- '.$changes.' -->';
	47	}
	48	} catch (Exception $e) {
	49	$err = $e->getMessage();
	50	}
	51	}
	52
	53	# If we have POST login informations, go throug auth process
	54	if (!empty($_POST['user_id']) && !empty($_POST['user_pwd']))
	55	{
	56	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
	57	$user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null;
	58	}
	59	# If we have COOKIE login informations, go throug auth process
	60	elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104)
	61	{
	62	# If we have a remember cookie, go through auth process with user_key
	63	$user_id = substr($_COOKIE['dc_admin'],40);
[3144]	64	$user_id = @unpack('a32',@pack('H*',$user_id));
[0]	65	if (is_array($user_id))
	66	{
[3144]	67	$user_id = trim($user_id[1]);
[0]	68	$user_key = substr($_COOKIE['dc_admin'],0,40);
	69	$user_pwd = null;
	70	}
	71	else
	72	{
	73	$user_id = null;
	74	}
	75	}
	76
	77	# Recover password
	78	if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email']))
	79	{
	80	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
	81	$user_email = !empty($_POST['user_email']) ? $_POST['user_email'] : '';
	82	try
	83	{
	84	$recover_key = $core->auth->setRecoverKey($user_id,$user_email);
[2566]	85
[0]	86	$subject = mail::B64Header('DotClear '.__('Password reset'));
	87	$message =
	88	__('Someone has requested to reset the password for the following site and username.')."\n\n".
	89	$page_url."\n".__('Username:').' '.$user_id."\n\n".
	90	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.')."\n".
	91	$page_url.'?akey='.$recover_key;
[2566]	92
[362]	93	$headers[] = 'From: '.(defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
[0]	94	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
[2566]	95
[0]	96	mail::sendMail($user_email,$subject,$message,$headers);
	97	$msg = sprintf(__('The e-mail was sent successfully to %s.'),$user_email);
	98	}
	99	catch (Exception $e)
	100	{
	101	$err = $e->getMessage();
	102	}
	103	}
	104	# Send new password
	105	elseif ($akey)
	106	{
	107	try
	108	{
	109	$recover_res = $core->auth->recoverUserPassword($akey);
[2566]	110
[0]	111	$subject = mb_encode_mimeheader('DotClear '.__('Your new password'),'UTF-8','B');
	112	$message =
	113	__('Username:').' '.$recover_res['user_id']."\n".
	114	__('Password:').' '.$recover_res['new_pass']."\n\n".
	115	preg_replace('/\?(.*)$/','',$page_url);
[2566]	116
[0]	117	$headers[] = 'From: dotclear@'.$_SERVER['HTTP_HOST'];
	118	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
[2566]	119
[0]	120	mail::sendMail($recover_res['user_email'],$subject,$message,$headers);
	121	$msg = __('Your new password is in your mailbox.');
	122	}
	123	catch (Exception $e)
	124	{
	125	$err = $e->getMessage();
	126	}
	127	}
	128	# Change password and retry to log
[365]	129	elseif ($change_pwd)
[0]	130	{
	131	try
	132	{
[365]	133	$tmp_data = explode('/',$_POST['login_data']);
	134	if (count($tmp_data) != 3) {
	135	throw new Exception();
	136	}
	137	$data = array(
	138	'user_id'=>base64_decode($tmp_data[0]),
	139	'cookie_admin'=>$tmp_data[1],
	140	'user_remember'=>$tmp_data[2]=='1'
	141	);
	142	if ($data['user_id'] === false) {
	143	throw new Exception();
	144	}
[2566]	145
[3103]	146	# Check login informations
	147	$check_user = false;
	148	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104)
[365]	149	{
[3103]	150	$user_id = substr($data['cookie_admin'],40);
[3146]	151	$user_id = @unpack('a32',@pack('H*',$user_id));
[3103]	152	if (is_array($user_id))
	153	{
[3146]	154	$user_id = trim($data['user_id']);
[3103]	155	$user_key = substr($data['cookie_admin'],0,40);
	156	$check_user = $core->auth->checkUser($user_id,null,$user_key) === true;
[3146]	157	} else {
	158	$user_id = trim($user_id);
[3103]	159	}
[365]	160	}
[2566]	161
[0]	162	if (!$core->auth->allowPassChange() \|\| !$check_user) {
	163	$change_pwd = false;
	164	throw new Exception();
	165	}
[2566]	166
[0]	167	if ($_POST['new_pwd'] != $_POST['new_pwd_c']) {
	168	throw new Exception(__("Passwords don't match"));
	169	}
[2566]	170
[0]	171	if ($core->auth->checkUser($user_id,$_POST['new_pwd']) === true) {
	172	throw new Exception(__("You didn't change your password."));
	173	}
[2566]	174
[0]	175	$cur = $core->con->openCursor($core->prefix.'user');
	176	$cur->user_change_pwd = 0;
	177	$cur->user_pwd = $_POST['new_pwd'];
	178	$core->updUser($core->auth->userID(),$cur);
[2566]	179
[0]	180	$core->session->start();
	181	$_SESSION['sess_user_id'] = $user_id;
	182	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
[2566]	183
[365]	184	if ($data['user_remember'])
[0]	185	{
	186	setcookie('dc_admin',$data['cookie_admin'],strtotime('+15 days'),'','',DC_ADMIN_SSL);
	187	}
[2566]	188
[2852]	189	$core->adminurl->redirect('admin.home');
[0]	190	}
	191	catch (Exception $e)
	192	{
	193	$err = $e->getMessage();
	194	}
	195	}
	196	# Try to log
	197	elseif ($user_id !== null && ($user_pwd !== null \|\| $user_key !== null))
	198	{
	199	# We check the user
[2311]	200	$check_user = $core->auth->checkUser($user_id,$user_pwd,$user_key,false) === true;
	201	if ($check_user) {
	202	$check_perms = $core->auth->findUserBlog() !== false;
	203	} else {
	204	$check_perms = false;
	205	}
[2566]	206
[0]	207	$cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id.
[3036]	208	$core->auth->crypt($user_pwd)).bin2hex(pack('a32',$user_id));
[2566]	209
[2311]	210	if ($check_perms && $core->auth->mustChangePassword())
[0]	211	{
[365]	212	$login_data = join('/',array(
	213	base64_encode($user_id),
	214	$cookie_admin,
	215	empty($_POST['user_remember'])?'0':'1'
	216	));
[2566]	217
[0]	218	if (!$core->auth->allowPassChange()) {
	219	$err = __('You have to change your password before you can login.');
	220	} else {
	221	$err = __('In order to login, you have to change your password now.');
	222	$change_pwd = true;
	223	}
	224	}
[2566]	225	elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin())
[0]	226	{
	227	$err = __('Safe Mode can only be used for super administrators.');
	228	}
[2311]	229	elseif ($check_perms)
[0]	230	{
	231	$core->session->start();
	232	$_SESSION['sess_user_id'] = $user_id;
	233	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
[2566]	234
[0]	235	if (!empty($_POST['blog'])) {
	236	$_SESSION['sess_blog_id'] = $_POST['blog'];
	237	}
[2566]	238
[0]	239	if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) {
	240	$_SESSION['sess_safe_mode'] = true;
	241	}
[2566]	242
[0]	243	if (!empty($_POST['user_remember'])) {
	244	setcookie('dc_admin',$cookie_admin,strtotime('+15 days'),'','',DC_ADMIN_SSL);
	245	}
[2566]	246
[2852]	247	$core->adminurl->redirect('admin.home');
[0]	248	}
	249	else
	250	{
	251	if (isset($_COOKIE['dc_admin'])) {
	252	unset($_COOKIE['dc_admin']);
	253	setcookie('dc_admin',false,-600,'','',DC_ADMIN_SSL);
	254	}
[2311]	255	if ($check_user) {
	256	$err = __('Insufficient permissions');
	257	} else {
	258	$err = __('Wrong username or password');
	259	}
[0]	260	}
	261	}
	262
	263	if (isset($_GET['user'])) {
	264	$user_id = $_GET['user'];
	265	}
	266
	267	header('Content-Type: text/html; charset=UTF-8');
[2792]	268
	269	// Prevents Clickjacking as far as possible
	270	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
	271
[0]	272	?>
[2760]	273	<!DOCTYPE html>
	274	<html lang="<?php echo $dlang; ?>">
[0]	275	<head>
[2760]	276	<meta charset="UTF-8" />
[0]	277	<meta http-equiv="Content-Script-Type" content="text/javascript" />
	278	<meta http-equiv="Content-Style-Type" content="text/css" />
[364]	279	<meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" />
[0]	280	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
	281	<meta name="GOOGLEBOT" content="NOSNIPPET" />
[1310]	282	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
[0]	283	<title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title>
[2160]	284	<link rel="icon" type="image/png" href="images/favicon96-logout.png" />
[2780]	285	<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
[2160]	286
[2566]	287
[0]	288	<?php
	289	echo dcPage::jsLoadIE7();
	290	echo dcPage::jsCommon();
	291	?>
[2566]	292
[473]	293	<link rel="stylesheet" href="style/default.css" type="text/css" media="screen" />
[2566]	294
[0]	295	<?php
	296	# --BEHAVIOR-- loginPageHTMLHead
	297	$core->callBehavior('loginPageHTMLHead');
	298	?>
[2566]	299
[0]	300	<script type="text/javascript">
	301	//<![CDATA[
	302	$(window).load(function() {
	303	var uid = $('input[name=user_id]');
	304	var upw = $('input[name=user_pwd]');
	305	uid.focus();
[2566]	306
[0]	307	if (upw.length == 0) { return; }
[2566]	308
[1781]	309	uid.keypress(processKey);
	310
[0]	311	function processKey(evt) {
[1781]	312	if (evt.which == 13 && upw.val() == '') {
[0]	313	upw.focus();
	314	return false;
	315	}
	316	return true;
	317	};
[259]	318	$.cookie('dc_admin_test_cookie',true);
	319	if ($.cookie('dc_admin_test_cookie')) {
[47]	320	$('#cookie_help').hide();
[314]	321	$.cookie('dc_admin_test_cookie', '', {'expires': -1});
[47]	322	} else {
	323	$('#cookie_help').show();
	324	}
[73]	325	$('#issue #more').toggleWithLegend($('#issue').children().not('#more'));
[0]	326	});
	327	//]]>
	328	</script>
	329	</head>
	330
	331	<body id="dotclear-admin" class="auth">
	332
[2720]	333	<form action="<?php echo $core->adminurl->get('admin.auth'); ?>" method="post" id="login-screen">
[2784]	334	<h1 role="banner"><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1>
[0]	335
	336	<?php
	337	if ($err) {
[2787]	338	echo '<div class="error" role="alert">'.$err.'</div>';
[0]	339	}
	340	if ($msg) {
[2787]	341	echo '<p class="success" role="alert">'.$msg.'</p>';
[0]	342	}
	343
	344	if ($akey)
	345	{
[2720]	346	echo '<p><a href="'.$core->adminurl->get('admin.auth').'">'.__('Back to login screen').'</a></p>';
[0]	347	}
	348	elseif ($recover)
	349	{
	350	echo
[2784]	351	'<div class="fieldset" role="main"><h2>'.__('Request a new password').'</h2>'.
[550]	352	'<p><label for="user_id">'.__('Username:').'</label> '.
	353	form::field(array('user_id','user_id'),20,32,html::escapeHTML($user_id)).'</p>'.
[2566]	354
[550]	355	'<p><label for="user_email">'.__('Email:').'</label> '.
	356	form::field(array('user_email','user_email'),20,255,html::escapeHTML($user_email)).'</p>'.
[2566]	357
[454]	358	'<p><input type="submit" value="'.__('recover').'" />'.
[0]	359	form::hidden(array('recover'),1).'</p>'.
[1484]	360	'</div>'.
[2566]	361
[262]	362	'<div id="issue">'.
[2720]	363	'<p><a href="'.$core->adminurl->get('admin.auth').'">'.__('Back to login screen').'</a></p>'.
[1484]	364	'</div>';
[0]	365	}
	366	elseif ($change_pwd)
	367	{
	368	echo
[1484]	369	'<div class="fieldset"><h2>'.__('Change your password').'</h2>'.
[550]	370	'<p><label for="new_pwd">'.__('New password:').'</label> '.
	371	form::password(array('new_pwd','new_pwd'),20,255).'</p>'.
[2566]	372
[550]	373	'<p><label for="new_pwd_c">'.__('Confirm password:').'</label> '.
	374	form::password(array('new_pwd_c','new_pwd_c'),20,255).'</p>'.
[1484]	375	'</div>'.
[2566]	376
[0]	377	'<p><input type="submit" value="'.__('change').'" />'.
	378	form::hidden('login_data',$login_data).'</p>';
	379	}
	380	else
	381	{
	382	if (is_callable(array($core->auth,'authForm')))
	383	{
	384	echo $core->auth->authForm($user_id);
	385	}
	386	else
	387	{
	388	if ($safe_mode) {
[2784]	389	echo '<div class="fieldset" role="main">';
[1484]	390	echo '<h2>'.__('Safe mode login').'</h2>';
[2566]	391	echo
[1484]	392	'<p class="form-note">'.
	393	__('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems').' </p>'.
	394	'<p class="form-note">'.__('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.').
[73]	395	'</p>';
[0]	396	}
[536]	397	else {
[2784]	398	echo '<div class="fieldset" role="main">';
[536]	399	}
	400
[0]	401	echo
[550]	402	'<p><label for="user_id">'.__('Username:').'</label> '.
	403	form::field(array('user_id','user_id'),20,32,html::escapeHTML($user_id)).'</p>'.
[2566]	404
[550]	405	'<p><label for="user_pwd">'.__('Password:').'</label> '.
	406	form::password(array('user_pwd','user_pwd'),20,255).'</p>'.
[2566]	407
[550]	408	'<p>'.
	409	form::checkbox(array('user_remember','user_remember'),1).
	410	'<label for="user_remember" class="classic">'.
[0]	411	__('Remember my ID on this computer').'</label></p>'.
[2566]	412
[1558]	413	'<p><input type="submit" value="'.__('log in').'" class="login" /></p>';
[2566]	414
[0]	415	if (!empty($_REQUEST['blog'])) {
	416	echo form::hidden('blog',html::escapeHTML($_REQUEST['blog']));
	417	}
	418	if($safe_mode) {
[2566]	419	echo
[550]	420	form::hidden('safe_mode',1).
[1484]	421	'</div>';
[0]	422	}
[550]	423	else {
	424	echo '</div>';
	425	}
[0]	426	echo
[262]	427	'<p id="cookie_help" class="error">'.__('You must accept cookies in order to use the private area.').'</p>';
[72]	428
	429	echo '<div id="issue">';
[2566]	430
[0]	431	if ($safe_mode) {
	432	echo
[2720]	433	'<p><a href="'.$core->adminurl->get('admin.auth').'" id="normal_mode_link">'.__('Get back to normal authentication').'</a></p>';
[0]	434	} else {
[72]	435	echo '<p id="more"><strong>'.__('Connection issue?').'</strong></p>';
	436	if ($core->auth->allowPassChange()) {
[2720]	437	echo '<p><a href="'.$core->adminurl->get('admin.auth',array('recover' => 1)).'">'.__('I forgot my password').'</a></p>';
[72]	438	}
[2720]	439	echo '<p><a href="'.$core->adminurl->get('admin.auth',array('safe_mode' => 1)).'" id="safe_mode_link">'.__('I want to log in in safe mode').'</a></p>';
[0]	440	}
[2566]	441
[72]	442	echo '</div>';
[0]	443	}
	444	}
	445	?>
	446	</form>
	447	</body>
[794]	448	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 3146:ab86f108eae6

Download in other formats:

Sites map