source: admin/auth.php @ 2911:5434e75ad738

Visit:

Revision 2911:5434e75ad738, 9.6 KB checked in by Dsls, 11 years ago (diff)
Merge with default

Line
1	<?php
2	# -- BEGIN LICENSE BLOCK ---------------------------------------
3	#
4	# This file is part of Dotclear 2.
5	#
6	# Copyright (c) 2003-2011 Olivier Meunier & Association Dotclear
7	# Licensed under the GPL version 2.0 license.
8	# See LICENSE file or
9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10	#
11	# -- END LICENSE BLOCK -----------------------------------------
12
13	require dirname(__FILE__).'/../inc/admin/prepend.php';
14
15	# If we have a session cookie, go to index.php
16	if (isset($_SESSION['sess_user_id'])) {
17	http::redirect('index.php');
18	}
19
20	# Loading locales for detected language
21	# That's a tricky hack but it works ;)
22	$dlang = http::getAcceptLanguage();
23	$dlang = ($dlang == '' ? 'en' : $dlang);
24	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$dlang)) {
25	l10n::set(dirname(__FILE__).'/../locales/'.$dlang.'/main');
26	}
27
28	# Auto upgrade
29	if (empty($_GET) && empty($_POST)) {
30	require dirname(__FILE__).'/../inc/dbschema/upgrade.php';
31	try {
32	if (($changes = dotclearUpgrade($core)) !== false) {
33	$_ctx->setAlert(__('Dotclear has been upgraded.').'<!-- '.$changes.' -->');
34	}
35	}
36	catch (Exception $e) {
37	$_ctx->addError($e->getMessage());
38	}
39	}
40
41	/**
42	Actions for authentication on admin pages
43	*/
44	class adminPageAuth
45	{
46	# Send new password from recover email
47	public static function send($akey)
48	{
49	global $core, $_ctx;
50
51	$_ctx->akey = true;
52
53	try {
54	$recover_res = $core->auth->recoverUserPassword($akey);
55
56	$subject = mb_encode_mimeheader('DotClear '.__('Your new password'),'UTF-8','B');
57	$message =
58	__('Username:').' '.$recover_res['user_id']."\n".
59	__('Password:').' '.$recover_res['new_pass']."\n\n".
60	preg_replace('/\?(.*)$/','',http::getHost().$_SERVER['REQUEST_URI']);
61
62	$headers[] = 'From: dotclear@'.$_SERVER['HTTP_HOST'];
63	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
64
65	mail::sendMail($recover_res['user_email'],$subject,$message,$headers);
66	$_ctx->setAlert(__('Your new password is in your mailbox.'));
67	}
68	catch (Exception $e) {
69	$_ctx->addError($e->getMessage());
70	}
71	}
72
73	# Authentication process
74	public static function process($form,$user_id,$user_pwd,$user_key=null)
75	{
76	global $core, $_ctx;
77
78	# We check the user
79	$check_user = $core->auth->checkUser($user_id,$user_pwd,$user_key) === true;
80
81	$cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id.
82	crypt::hmac(DC_MASTER_KEY,$user_pwd)).bin2hex(pack('a32',$user_id));
83
84	if ($check_user && $core->auth->mustChangePassword())
85	{
86	$form->login_data = join('/',array(
87	base64_encode($user_id),
88	$cookie_admin,
89	$form->user_remember == '' ? '0' : '1'
90	));
91
92	if (!$core->auth->allowPassChange()) {
93	$_ctx->addError(__('You have to change your password before you can login.'));
94	} else {
95	$_ctx->addError(__('In order to login, you have to change your password now.'));
96	$_ctx->change_pwd = true;
97	}
98	}
99	elseif ($check_user && $form->safe_mode != '' && !$core->auth->isSuperAdmin())
100	{
101	$_ctx->addError(__('Safe Mode can only be used for super administrators.'));
102	}
103	elseif ($check_user)
104	{
105	$core->session->start();
106	$_SESSION['sess_user_id'] = $user_id;
107	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
108
109	if ($form->blog != '') {
110	$_SESSION['sess_blog_id'] = $form->blog;
111	}
112
113	if ($form->safe_mode != '' && $core->auth->isSuperAdmin()) {
114	$_SESSION['sess_safe_mode'] = true;
115	}
116
117	if ($form->user_remember != '') {
118	setcookie('dc_admin',$cookie_admin,strtotime('+15 days'),'','',DC_ADMIN_SSL);
119	}
120
121	http::redirect('index.php');
122	}
123	else
124	{
125	if (isset($_COOKIE['dc_admin'])) {
126	unset($_COOKIE['dc_admin']);
127	setcookie('dc_admin',false,-600,'','',DC_ADMIN_SSL);
128	}
129	$_ctx->addError(__('Wrong username or password'));
130	}
131	}
132
133	# Login form action
134	public static function login($form)
135	{
136	global $_ctx;
137
138	if ($form->user_id != '' && $form->user_pwd != '') {
139	self::process($form,$form->user_id,$form->user_pwd);
140	}
141
142	# Send post values to form
143	$form->user_id = $form->user_id;
144	}
145
146	# Recover password form action
147	public static function recover($form)
148	{
149	global $core, $_ctx;
150
151	if ($form->user_id == '' \|\| $form->user_email == '') {
152	return;
153	}
154
155	$user_id = $form->user_id;
156	$user_email = $form->user_email;
157	$page_url = http::getHost().$_SERVER['REQUEST_URI'];
158
159	try {
160	$recover_key = $core->auth->setRecoverKey($user_id,$user_email);
161
162	$subject = mail::B64Header('DotClear '.__('Password reset'));
163	$message =
164	__('Someone has requested to reset the password for the following site and username.')."\n\n".
165	$page_url."\n".__('Username:').' '.$user_id."\n\n".
166	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.')."\n".
167	$page_url.'?akey='.$recover_key;
168
169	$headers[] = 'From: '.(defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
170	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
171
172	mail::sendMail($user_email,$subject,$message,$headers);
173	$_ctx->setAlert(sprintf(__('The e-mail was sent successfully to %s.'),$user_email));
174	}
175	catch (Exception $e) {
176	$_ctx->addError($e->getMessage());
177	}
178
179	# Send post values to form
180	$form->user_id = $form->user_id;
181	$form->user_email = $form->user_email;
182	}
183
184	# Change password form action
185	public static function change($form)
186	{
187	global $core, $_ctx;
188
189	if ($form->login_data) {
190	return;
191	}
192	$_ctx->change_pwd = true;
193
194	$new_pwd = (string) $form->new_pwd;
195	$new_pwd_c = (string) $form->new_pwd_c;
196
197	try {
198	$tmp_data = explode('/',$form->login_data);
199	if (count($tmp_data) != 3) {
200	throw new Exception();
201	}
202	$data = array(
203	'user_id'=>base64_decode($tmp_data[0]),
204	'cookie_admin'=>$tmp_data[1],
205	'user_remember'=>$tmp_data[2]=='1'
206	);
207	if ($data['user_id'] === false) {
208	throw new Exception();
209	}
210
211	# Check login informations
212	$check_user = false;
213	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104)
214	{
215	$user_id = substr($data['cookie_admin'],40);
216	$user_id = @unpack('a32',@pack('H*',$user_id));
217	if (is_array($user_id))
218	{
219	$user_id = $user_id[1];
220	$user_key = substr($data['cookie_admin'],0,40);
221	$check_user = $core->auth->checkUser($user_id,null,$user_key) === true;
222	}
223	}
224
225	if (!$core->auth->allowPassChange() \|\| !$check_user) {
226	$_ctx->change_pwd = false;
227	throw new Exception();
228	}
229
230	if ($new_pwd != $new_pwd_c) {
231	throw new Exception(__("Passwords don't match"));
232	}
233
234	if ($core->auth->checkUser($user_id,$new_pwd) === true) {
235	throw new Exception(__("You didn't change your password."));
236	}
237
238	$cur = $core->con->openCursor($core->prefix.'user');
239	$cur->user_change_pwd = 0;
240	$cur->user_pwd = $new_pwd;
241	$core->updUser($core->auth->userID(),$cur);
242
243	$core->session->start();
244	$_SESSION['sess_user_id'] = $user_id;
245	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
246
247	if ($data['user_remember']) {
248	setcookie('dc_admin',$data['cookie_admin'],strtotime('+15 days'),'','',DC_ADMIN_SSL);
249	}
250
251	http::redirect('index.php');
252	}
253	catch (Exception $e) {
254	$_ctx->addError($e->getMessage());
255	}
256
257	# Send post values to form
258	$form->login_data = $form->login_data;
259	}
260	}
261
262	# Form fields
263	$form = new dcForm($core,'auth','auth.php');
264	$form
265	->addField(
266	new dcFieldText('user_id','',array(
267	"label" => __('Username:'),
268	"maxlength" => 32)))
269	->addField(
270	new dcFieldPassword('user_pwd','',array(
271	"label" => __('Password:'))))
272	->addField(
273	new dcFieldText('user_email','',array(
274	"label" => __('Email:'))))
275	->addField(
276	new dcFieldPassword('new_pwd','',array(
277	"label" => __('New password:'))))
278	->addField(
279	new dcFieldPassword('new_pwd_c','',array(
280	"label" => __('Confirm password:'))))
281	->addField(
282	new dcFieldCheckbox ('user_remember',1,array(
283	"label" => __('Remember my ID on this computer'))))
284	->addField(
285	new dcFieldSubmit('auth_login',__('log in'),array(
286	'action' => array('adminPageAuth','login'))))
287	->addField(
288	new dcFieldSubmit('auth_recover',__('recover'),array(
289	'action' => array('adminPageAuth','recover'))))
290	->addField(
291	new dcFieldSubmit('auth_change',__('change'),array(
292	'action' => array('adminPageAuth','change'))))
293	->addField(
294	new dcFieldHidden ('safe_mode','0'))
295	->addField(
296	new dcFieldHidden ('recover','0'))
297	->addField(
298	new dcFieldHidden ('login_data',''))
299	->addField(
300	new dcFieldHidden ('blog',''));
301
302	# Context variables
303	$_ctx->allow_pass_change = $core->auth->allowPassChange();
304	$_ctx->change_pwd = $core->auth->allowPassChange() && $form->new_pwd != '' && $form->new_pwd_c != '' && $form->login_data != '';
305	$_ctx->recover = $form->recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
306	$_ctx->setSafeMode(!empty($_REQUEST['safe_mode']));
307	$form->safe_mode = !empty($_REQUEST['safe_mode']);
308	$_ctx->akey = false;
309	$_ctx->dlang = $dlang;
310
311	# If we have no POST login informations and have COOKIE login informations, go throug auth process
312	if ($form->user_id == '' && $form->user_pwd == ''
313	&& isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) {
314
315	# If we have a remember cookie, go through auth process with user_key
316	$user_id = substr($_COOKIE['dc_admin'],40);
317	$user_id = @unpack('a32',@pack('H*',$user_id));
318
319	if (is_array($user_id)) {
320	$user_id = $user_id[1];
321	$user_key = substr($_COOKIE['dc_admin'],0,40);
322	$user_pwd = '';
323
324	adminPageAuth::process($form,$user_id,$user_pwd,$user_key);
325	}
326	}
327	# If we have an akey, go throug send password process
328	elseif ($core->auth->allowPassChange() && !empty($_GET['akey'])) {
329	adminPageAuth::send($_GET['akey']);
330	}
331
332	if (isset($_GET['user'])) {
333	$form->user_id = $_GET['user'];
334	}
335
336	$form->setup();
337
338	$core->tpl->display('auth.html.twig');
339	?>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 2911:5434e75ad738

Download in other formats:

Sites map