source: admin/auth.php @ 3874:ab8368569446

Visit:

Revision 3874:ab8368569446, 14.4 KB checked in by franck <carnet.franck.paul@…>, 7 years ago (diff)
short notation for array (array() → [])

Line
1	<?php
2	/**
3	* @package Dotclear
4	* @subpackage Backend
5	*
6	* @copyright Olivier Meunier & Association Dotclear
7	* @copyright GPL-2.0-only
8	*/
9
10	require dirname(__FILE__) . '/../inc/admin/prepend.php';
11
12	# If we have a session cookie, go to index.php
13	if (isset($_SESSION['sess_user_id'])) {
14	$core->adminurl->redirect('admin.home');
15	}
16
17	# Loading locales for detected language
18	# That's a tricky hack but it works ;)
19	$dlang = http::getAcceptLanguage();
20	$dlang = ($dlang == '' ? 'en' : $dlang);
21	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $dlang)) {
22	l10n::lang($dlang);
23	l10n::set(dirname(__FILE__) . '/../locales/' . $dlang . '/main');
24	}
25
26	if (defined('DC_ADMIN_URL')) {
27	$page_url = DC_ADMIN_URL . $core->adminurl->get('admin.auth');
28	} else {
29	$page_url = http::getHost() . $_SERVER['REQUEST_URI'];
30	}
31
32	$change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']);
33	$login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null;
34	$recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
35	$safe_mode = !empty($_REQUEST['safe_mode']);
36	$akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null;
37	$user_id = $user_pwd = $user_key = $user_email = null;
38	$err = $msg = null;
39
40	# Auto upgrade
41	if (empty($_GET) && empty($_POST)) {
42	require dirname(__FILE__) . '/../inc/dbschema/upgrade.php';
43	try {
44	if (($changes = dcUpgrade::dotclearUpgrade($core)) !== false) {
45	$msg = __('Dotclear has been upgraded.') . '<!-- ' . $changes . ' -->';
46	}
47	} catch (Exception $e) {
48	$err = $e->getMessage();
49	}
50	}
51
52	# If we have POST login informations, go throug auth process
53	if (!empty($_POST['user_id']) && !empty($_POST['user_pwd'])) {
54	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
55	$user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null;
56	}
57	# If we have COOKIE login informations, go throug auth process
58	elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) {
59	# If we have a remember cookie, go through auth process with user_key
60	$user_id = substr($_COOKIE['dc_admin'], 40);
61	$user_id = @unpack('a32', @pack('H*', $user_id));
62	if (is_array($user_id)) {
63	$user_id = trim($user_id[1]);
64	$user_key = substr($_COOKIE['dc_admin'], 0, 40);
65	$user_pwd = null;
66	} else {
67	$user_id = null;
68	}
69	}
70
71	# Recover password
72	if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email'])) {
73	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
74	$user_email = !empty($_POST['user_email']) ? html::escapeHTML($_POST['user_email']) : '';
75	try
76	{
77	$recover_key = $core->auth->setRecoverKey($user_id, $user_email);
78
79	$subject = mail::B64Header('Dotclear ' . __('Password reset'));
80	$message =
81	__('Someone has requested to reset the password for the following site and username.') . "\n\n" .
82	$page_url . "\n" . __('Username:') . ' ' . $user_id . "\n\n" .
83	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\n" .
84	$page_url . '?akey=' . $recover_key;
85
86	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
87	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
88
89	mail::sendMail($user_email, $subject, $message, $headers);
90	$msg = sprintf(__('The e-mail was sent successfully to %s.'), $user_email);
91	} catch (Exception $e) {
92	$err = $e->getMessage();
93	}
94	}
95	# Send new password
96	elseif ($akey) {
97	try
98	{
99	$recover_res = $core->auth->recoverUserPassword($akey);
100
101	$subject = mb_encode_mimeheader('Dotclear ' . __('Your new password'), 'UTF-8', 'B');
102	$message =
103	__('Username:') . ' ' . $recover_res['user_id'] . "\n" .
104	__('Password:') . ' ' . $recover_res['new_pass'] . "\n\n" .
105	preg_replace('/\?(.*)$/', '', $page_url);
106
107	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
108	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
109
110	mail::sendMail($recover_res['user_email'], $subject, $message, $headers);
111	$msg = __('Your new password is in your mailbox.');
112	} catch (Exception $e) {
113	$err = $e->getMessage();
114	}
115	}
116	# Change password and retry to log
117	elseif ($change_pwd) {
118	try
119	{
120	$tmp_data = explode('/', $_POST['login_data']);
121	if (count($tmp_data) != 3) {
122	throw new Exception();
123	}
124	$data = [
125	'user_id' => base64_decode($tmp_data[0]),
126	'cookie_admin' => $tmp_data[1],
127	'user_remember' => $tmp_data[2] == '1'
128	];
129	if ($data['user_id'] === false) {
130	throw new Exception();
131	}
132
133	# Check login informations
134	$check_user = false;
135	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104) {
136	$user_id = substr($data['cookie_admin'], 40);
137	$user_id = @unpack('a32', @pack('H*', $user_id));
138	if (is_array($user_id)) {
139	$user_id = trim($data['user_id']);
140	$user_key = substr($data['cookie_admin'], 0, 40);
141	$check_user = $core->auth->checkUser($user_id, null, $user_key) === true;
142	} else {
143	$user_id = trim($user_id);
144	}
145	}
146
147	if (!$core->auth->allowPassChange() \|\| !$check_user) {
148	$change_pwd = false;
149	throw new Exception();
150	}
151
152	if ($_POST['new_pwd'] != $_POST['new_pwd_c']) {
153	throw new Exception(__("Passwords don't match"));
154	}
155
156	if ($core->auth->checkUser($user_id, $_POST['new_pwd']) === true) {
157	throw new Exception(__("You didn't change your password."));
158	}
159
160	$cur = $core->con->openCursor($core->prefix . 'user');
161	$cur->user_change_pwd = 0;
162	$cur->user_pwd = $_POST['new_pwd'];
163	$core->updUser($core->auth->userID(), $cur);
164
165	$core->session->start();
166	$_SESSION['sess_user_id'] = $user_id;
167	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
168
169	if ($data['user_remember']) {
170	setcookie('dc_admin', $data['cookie_admin'], strtotime('+15 days'), '', '', DC_ADMIN_SSL);
171	}
172
173	$core->adminurl->redirect('admin.home');
174	} catch (Exception $e) {
175	$err = $e->getMessage();
176	}
177	}
178	# Try to log
179	elseif ($user_id !== null && ($user_pwd !== null \|\| $user_key !== null)) {
180	# We check the user
181	$check_user = $core->auth->checkUser($user_id, $user_pwd, $user_key, false) === true;
182	if ($check_user) {
183	$check_perms = $core->auth->findUserBlog() !== false;
184	} else {
185	$check_perms = false;
186	}
187
188	$cookie_admin = http::browserUID(DC_MASTER_KEY . $user_id .
189	$core->auth->cryptLegacy($user_id)) . bin2hex(pack('a32', $user_id));
190
191	if ($check_perms && $core->auth->mustChangePassword()) {
192	$login_data = join('/', [
193	base64_encode($user_id),
194	$cookie_admin,
195	empty($_POST['user_remember']) ? '0' : '1'
196	]);
197
198	if (!$core->auth->allowPassChange()) {
199	$err = __('You have to change your password before you can login.');
200	} else {
201	$err = __('In order to login, you have to change your password now.');
202	$change_pwd = true;
203	}
204	} elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin()) {
205	$err = __('Safe Mode can only be used for super administrators.');
206	} elseif ($check_perms) {
207	$core->session->start();
208	$_SESSION['sess_user_id'] = $user_id;
209	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
210
211	if (!empty($_POST['blog'])) {
212	$_SESSION['sess_blog_id'] = $_POST['blog'];
213	}
214
215	if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) {
216	$_SESSION['sess_safe_mode'] = true;
217	}
218
219	if (!empty($_POST['user_remember'])) {
220	setcookie('dc_admin', $cookie_admin, strtotime('+15 days'), '', '', DC_ADMIN_SSL);
221	}
222
223	$core->adminurl->redirect('admin.home');
224	} else {
225	if (isset($_COOKIE['dc_admin'])) {
226	unset($_COOKIE['dc_admin']);
227	setcookie('dc_admin', false, -600, '', '', DC_ADMIN_SSL);
228	}
229	if ($check_user) {
230	$err = __('Insufficient permissions');
231	} else {
232	$err = __('Wrong username or password');
233	}
234	}
235	}
236
237	if (isset($_GET['user'])) {
238	$user_id = $_GET['user'];
239	}
240
241	header('Content-Type: text/html; charset=UTF-8');
242
243	// Prevents Clickjacking as far as possible
244	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
245
246	?>
247	<!DOCTYPE html>
248	<html lang="<?php echo $dlang; ?>">
249	<head>
250	<meta charset="UTF-8" />
251	<meta http-equiv="Content-Script-Type" content="text/javascript" />
252	<meta http-equiv="Content-Style-Type" content="text/css" />
253	<meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" />
254	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
255	<meta name="GOOGLEBOT" content="NOSNIPPET" />
256	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
257	<title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title>
258	<link rel="icon" type="image/png" href="images/favicon96-logout.png" />
259	<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
260
261
262	<?php
263	echo dcPage::jsCommon();
264	?>
265
266	<link rel="stylesheet" href="style/default.css" type="text/css" media="screen" />
267
268	<?php
269	# --BEHAVIOR-- loginPageHTMLHead
270	$core->callBehavior('loginPageHTMLHead');
271
272	echo dcPage::jsLoad('js/_auth.js');
273	?>
274	</head>
275
276	<body id="dotclear-admin" class="auth">
277
278	<form action="<?php echo $core->adminurl->get('admin.auth'); ?>" method="post" id="login-screen">
279	<h1 role="banner"><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1>
280
281	<?php
282	if ($err) {
283	echo '<div class="error" role="alert">' . $err . '</div>';
284	}
285	if ($msg) {
286	echo '<p class="success" role="alert">' . $msg . '</p>';
287	}
288
289	if ($akey) {
290	echo '<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>';
291	} elseif ($recover) {
292	echo
293	'<div class="fieldset" role="main"><h2>' . __('Request a new password') . '</h2>' .
294	'<p><label for="user_id">' . __('Username:') . '</label> ' .
295	form::field('user_id', 20, 32,
296	[
297	'default' => html::escapeHTML($user_id),
298	'autocomplete' => 'username'
299	]
300	) .
301	'</p>' .
302
303	'<p><label for="user_email">' . __('Email:') . '</label> ' .
304	form::email('user_email',
305	[
306	'default' => html::escapeHTML($user_email),
307	'autocomplete' => 'email'
308	]
309	) .
310	'</p>' .
311
312	'<p><input type="submit" value="' . __('recover') . '" />' .
313	form::hidden('recover', 1) . '</p>' .
314	'</div>' .
315
316	'<div id="issue">' .
317	'<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>' .
318	'</div>';
319	} elseif ($change_pwd) {
320	echo
321	'<div class="fieldset"><h2>' . __('Change your password') . '</h2>' .
322	'<p><label for="new_pwd">' . __('New password:') . '</label> ' .
323	form::password('new_pwd', 20, 255,
324	[
325	'autocomplete' => 'new-password'
326	]
327	) . '</p>' .
328
329	'<p><label for="new_pwd_c">' . __('Confirm password:') . '</label> ' .
330	form::password('new_pwd_c', 20, 255,
331	[
332	'autocomplete' => 'new-password'
333	]
334	) . '</p>' .
335	'</div>' .
336
337	'<p><input type="submit" value="' . __('change') . '" />' .
338	form::hidden('login_data', $login_data) . '</p>';
339	} else {
340	if (is_callable([$core->auth, 'authForm'])) {
341	echo $core->auth->authForm($user_id);
342	} else {
343	if ($safe_mode) {
344	echo '<div class="fieldset" role="main">';
345	echo '<h2>' . __('Safe mode login') . '</h2>';
346	echo
347	'<p class="form-note">' .
348	__('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems') . ' </p>' .
349	'<p class="form-note">' . __('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.') .
350	'</p>';
351	} else {
352	echo '<div class="fieldset" role="main">';
353	}
354
355	echo
356	'<p><label for="user_id">' . __('Username:') . '</label> ' .
357	form::field('user_id', 20, 32,
358	[
359	'default' => html::escapeHTML($user_id),
360	'autocomplete' => 'username'
361	]
362	) . '</p>' .
363
364	'<p><label for="user_pwd">' . __('Password:') . '</label> ' .
365	form::password('user_pwd', 20, 255,
366	[
367	'autocomplete' => 'current-password'
368	]
369	) . '</p>' .
370
371	'<p>' .
372	form::checkbox('user_remember', 1) .
373	'<label for="user_remember" class="classic">' .
374	__('Remember my ID on this device') . '</label></p>' .
375
376	'<p><input type="submit" value="' . __('log in') . '" class="login" /></p>';
377
378	if (!empty($_REQUEST['blog'])) {
379	echo form::hidden('blog', html::escapeHTML($_REQUEST['blog']));
380	}
381	if ($safe_mode) {
382	echo
383	form::hidden('safe_mode', 1) .
384	'</div>';
385	} else {
386	echo '</div>';
387	}
388	echo
389	'<p id="cookie_help" class="error">' . __('You must accept cookies in order to use the private area.') . '</p>';
390
391	echo '<div id="issue">';
392
393	if ($safe_mode) {
394	echo
395	'<p><a href="' . $core->adminurl->get('admin.auth') . '" id="normal_mode_link">' . __('Get back to normal authentication') . '</a></p>';
396	} else {
397	echo '<p id="more"><strong>' . __('Connection issue?') . '</strong></p>';
398	if ($core->auth->allowPassChange()) {
399	echo '<p><a href="' . $core->adminurl->get('admin.auth', ['recover' => 1]) . '">' . __('I forgot my password') . '</a></p>';
400	}
401	echo '<p><a href="' . $core->adminurl->get('admin.auth', ['safe_mode' => 1]) . '" id="safe_mode_link">' . __('I want to log in in safe mode') . '</a></p>';
402	}
403
404	echo '</div>';
405	}
406	}
407	?>
408	</form>
409	</body>
410	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 3874:ab8368569446

Download in other formats:

Sites map