source: admin/auth.php @ 2311:b9ea646a3613

Visit:

Revision 2311:b9ea646a3613, 12.8 KB checked in by Dsls, 12 years ago (diff)
Added specific message for auth with insufficient permissions. Added sleep() on invalid user on auth.php.

Line
1	<?php
2	# -- BEGIN LICENSE BLOCK ---------------------------------------
3	#
4	# This file is part of Dotclear 2.
5	#
6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
7	# Licensed under the GPL version 2.0 license.
8	# See LICENSE file or
9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10	#
11	# -- END LICENSE BLOCK -----------------------------------------
12
13	require dirname(__FILE__).'/../inc/admin/prepend.php';
14
15	# If we have a session cookie, go to index.php
16	if (isset($_SESSION['sess_user_id']))
17	{
18	http::redirect('index.php');
19	}
20
21	# Loading locales for detected language
22	# That's a tricky hack but it works ;)
23	$dlang = http::getAcceptLanguage();
24	$dlang = ($dlang == '' ? 'en' : $dlang);
25	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$dlang))
26	{
27	l10n::lang($dlang);
28	l10n::set(dirname(__FILE__).'/../locales/'.$dlang.'/main');
29	}
30
31	$page_url = http::getHost().$_SERVER['REQUEST_URI'];
32
33	$change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']);
34	$login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null;
35	$recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
36	$safe_mode = !empty($_REQUEST['safe_mode']);
37	$akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null;
38	$user_id = $user_pwd = $user_key = $user_email = null;
39	$err = $msg = null;
40
41	# Auto upgrade
42	if (empty($_GET) && empty($_POST)) {
43	require dirname(__FILE__).'/../inc/dbschema/upgrade.php';
44	try {
45	if (($changes = dotclearUpgrade($core)) !== false) {
46	$msg = __('Dotclear has been upgraded.').'<!-- '.$changes.' -->';
47	}
48	} catch (Exception $e) {
49	$err = $e->getMessage();
50	}
51	}
52
53	# If we have POST login informations, go throug auth process
54	if (!empty($_POST['user_id']) && !empty($_POST['user_pwd']))
55	{
56	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
57	$user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null;
58	}
59	# If we have COOKIE login informations, go throug auth process
60	elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104)
61	{
62	# If we have a remember cookie, go through auth process with user_key
63	$user_id = substr($_COOKIE['dc_admin'],40);
64	$user_id = @unpack('a32',@pack('H*',$user_id));
65	if (is_array($user_id))
66	{
67	$user_id = $user_id[1];
68	$user_key = substr($_COOKIE['dc_admin'],0,40);
69	$user_pwd = null;
70	}
71	else
72	{
73	$user_id = null;
74	}
75	}
76
77	# Recover password
78	if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email']))
79	{
80	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
81	$user_email = !empty($_POST['user_email']) ? $_POST['user_email'] : '';
82	try
83	{
84	$recover_key = $core->auth->setRecoverKey($user_id,$user_email);
85
86	$subject = mail::B64Header('DotClear '.__('Password reset'));
87	$message =
88	__('Someone has requested to reset the password for the following site and username.')."\n\n".
89	$page_url."\n".__('Username:').' '.$user_id."\n\n".
90	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.')."\n".
91	$page_url.'?akey='.$recover_key;
92
93	$headers[] = 'From: '.(defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
94	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
95
96	mail::sendMail($user_email,$subject,$message,$headers);
97	$msg = sprintf(__('The e-mail was sent successfully to %s.'),$user_email);
98	}
99	catch (Exception $e)
100	{
101	$err = $e->getMessage();
102	}
103	}
104	# Send new password
105	elseif ($akey)
106	{
107	try
108	{
109	$recover_res = $core->auth->recoverUserPassword($akey);
110
111	$subject = mb_encode_mimeheader('DotClear '.__('Your new password'),'UTF-8','B');
112	$message =
113	__('Username:').' '.$recover_res['user_id']."\n".
114	__('Password:').' '.$recover_res['new_pass']."\n\n".
115	preg_replace('/\?(.*)$/','',$page_url);
116
117	$headers[] = 'From: dotclear@'.$_SERVER['HTTP_HOST'];
118	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
119
120	mail::sendMail($recover_res['user_email'],$subject,$message,$headers);
121	$msg = __('Your new password is in your mailbox.');
122	}
123	catch (Exception $e)
124	{
125	$err = $e->getMessage();
126	}
127	}
128	# Change password and retry to log
129	elseif ($change_pwd)
130	{
131	try
132	{
133	$tmp_data = explode('/',$_POST['login_data']);
134	if (count($tmp_data) != 3) {
135	throw new Exception();
136	}
137	$data = array(
138	'user_id'=>base64_decode($tmp_data[0]),
139	'cookie_admin'=>$tmp_data[1],
140	'user_remember'=>$tmp_data[2]=='1'
141	);
142	if ($data['user_id'] === false) {
143	throw new Exception();
144	}
145
146	# Check login informations
147	$check_user = false;
148	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104)
149	{
150	$user_id = substr($data['cookie_admin'],40);
151	$user_id = @unpack('a32',@pack('H*',$user_id));
152	if (is_array($user_id))
153	{
154	$user_id = $user_id[1];
155	$user_key = substr($data['cookie_admin'],0,40);
156	$check_user = $core->auth->checkUser($user_id,null,$user_key) === true;
157	}
158	}
159
160	if (!$core->auth->allowPassChange() \|\| !$check_user) {
161	$change_pwd = false;
162	throw new Exception();
163	}
164
165	if ($_POST['new_pwd'] != $_POST['new_pwd_c']) {
166	throw new Exception(__("Passwords don't match"));
167	}
168
169	if ($core->auth->checkUser($user_id,$_POST['new_pwd']) === true) {
170	throw new Exception(__("You didn't change your password."));
171	}
172
173	$cur = $core->con->openCursor($core->prefix.'user');
174	$cur->user_change_pwd = 0;
175	$cur->user_pwd = $_POST['new_pwd'];
176	$core->updUser($core->auth->userID(),$cur);
177
178	$core->session->start();
179	$_SESSION['sess_user_id'] = $user_id;
180	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
181
182	if ($data['user_remember'])
183	{
184	setcookie('dc_admin',$data['cookie_admin'],strtotime('+15 days'),'','',DC_ADMIN_SSL);
185	}
186
187	http::redirect('index.php');
188	}
189	catch (Exception $e)
190	{
191	$err = $e->getMessage();
192	}
193	}
194	# Try to log
195	elseif ($user_id !== null && ($user_pwd !== null \|\| $user_key !== null))
196	{
197	# We check the user
198	$check_user = $core->auth->checkUser($user_id,$user_pwd,$user_key,false) === true;
199	if ($check_user) {
200	$check_perms = $core->auth->findUserBlog() !== false;
201	} else {
202	$check_perms = false;
203	}
204
205	$cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id.
206	crypt::hmac(DC_MASTER_KEY,$user_pwd)).bin2hex(pack('a32',$user_id));
207
208	if ($check_perms && $core->auth->mustChangePassword())
209	{
210	$login_data = join('/',array(
211	base64_encode($user_id),
212	$cookie_admin,
213	empty($_POST['user_remember'])?'0':'1'
214	));
215
216	if (!$core->auth->allowPassChange()) {
217	$err = __('You have to change your password before you can login.');
218	} else {
219	$err = __('In order to login, you have to change your password now.');
220	$change_pwd = true;
221	}
222	}
223	elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin())
224	{
225	$err = __('Safe Mode can only be used for super administrators.');
226	}
227	elseif ($check_perms)
228	{
229	$core->session->start();
230	$_SESSION['sess_user_id'] = $user_id;
231	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
232
233	if (!empty($_POST['blog'])) {
234	$_SESSION['sess_blog_id'] = $_POST['blog'];
235	}
236
237	if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) {
238	$_SESSION['sess_safe_mode'] = true;
239	}
240
241	if (!empty($_POST['user_remember'])) {
242	setcookie('dc_admin',$cookie_admin,strtotime('+15 days'),'','',DC_ADMIN_SSL);
243	}
244
245	http::redirect('index.php');
246	}
247	else
248	{
249	if (isset($_COOKIE['dc_admin'])) {
250	unset($_COOKIE['dc_admin']);
251	setcookie('dc_admin',false,-600,'','',DC_ADMIN_SSL);
252	}
253	if ($check_user) {
254	$err = __('Insufficient permissions');
255	} else {
256	$err = __('Wrong username or password');
257	}
258	}
259	}
260
261	if (isset($_GET['user'])) {
262	$user_id = $_GET['user'];
263	}
264
265	header('Content-Type: text/html; charset=UTF-8');
266	?>
267	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
268	<html xmlns="http://www.w3.org/1999/xhtml"
269	xml:lang="<?php echo $dlang; ?>" lang="<?php echo $dlang; ?>">
270	<head>
271	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
272	<meta http-equiv="Content-Script-Type" content="text/javascript" />
273	<meta http-equiv="Content-Style-Type" content="text/css" />
274	<meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" />
275	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
276	<meta name="GOOGLEBOT" content="NOSNIPPET" />
277	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
278	<title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title>
279	<link rel="icon" type="image/png" href="images/favicon96-logout.png" />
280	<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
281
282
283	<?php
284	echo dcPage::jsLoadIE7();
285	echo dcPage::jsCommon();
286	?>
287
288	<link rel="stylesheet" href="style/default.css" type="text/css" media="screen" />
289
290	<?php
291	# --BEHAVIOR-- loginPageHTMLHead
292	$core->callBehavior('loginPageHTMLHead');
293	?>
294
295	<script type="text/javascript">
296	//<![CDATA[
297	$(window).load(function() {
298	var uid = $('input[name=user_id]');
299	var upw = $('input[name=user_pwd]');
300	uid.focus();
301
302	if (upw.length == 0) { return; }
303
304	uid.keypress(processKey);
305
306	function processKey(evt) {
307	if (evt.which == 13 && upw.val() == '') {
308	upw.focus();
309	return false;
310	}
311	return true;
312	};
313	$.cookie('dc_admin_test_cookie',true);
314	if ($.cookie('dc_admin_test_cookie')) {
315	$('#cookie_help').hide();
316	$.cookie('dc_admin_test_cookie', '', {'expires': -1});
317	} else {
318	$('#cookie_help').show();
319	}
320	$('#issue #more').toggleWithLegend($('#issue').children().not('#more'));
321	});
322	//]]>
323	</script>
324	</head>
325
326	<body id="dotclear-admin" class="auth">
327
328	<form action="auth.php" method="post" id="login-screen">
329	<h1><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1>
330
331	<?php
332	if ($err) {
333	echo '<div class="error">'.$err.'</div>';
334	}
335	if ($msg) {
336	echo '<p class="success">'.$msg.'</p>';
337	}
338
339	if ($akey)
340	{
341	echo '<p><a href="auth.php">'.__('Back to login screen').'</a></p>';
342	}
343	elseif ($recover)
344	{
345	echo
346	'<div class="fieldset"><h2>'.__('Request a new password').'</h2>'.
347	'<p><label for="user_id">'.__('Username:').'</label> '.
348	form::field(array('user_id','user_id'),20,32,html::escapeHTML($user_id)).'</p>'.
349
350	'<p><label for="user_email">'.__('Email:').'</label> '.
351	form::field(array('user_email','user_email'),20,255,html::escapeHTML($user_email)).'</p>'.
352
353	'<p><input type="submit" value="'.__('recover').'" />'.
354	form::hidden(array('recover'),1).'</p>'.
355	'</div>'.
356
357	'<div id="issue">'.
358	'<p><a href="auth.php">'.__('Back to login screen').'</a></p>'.
359	'</div>';
360	}
361	elseif ($change_pwd)
362	{
363	echo
364	'<div class="fieldset"><h2>'.__('Change your password').'</h2>'.
365	'<p><label for="new_pwd">'.__('New password:').'</label> '.
366	form::password(array('new_pwd','new_pwd'),20,255).'</p>'.
367
368	'<p><label for="new_pwd_c">'.__('Confirm password:').'</label> '.
369	form::password(array('new_pwd_c','new_pwd_c'),20,255).'</p>'.
370	'</div>'.
371
372	'<p><input type="submit" value="'.__('change').'" />'.
373	form::hidden('login_data',$login_data).'</p>';
374	}
375	else
376	{
377	if (is_callable(array($core->auth,'authForm')))
378	{
379	echo $core->auth->authForm($user_id);
380	}
381	else
382	{
383	if ($safe_mode) {
384	echo '<div class="fieldset">';
385	echo '<h2>'.__('Safe mode login').'</h2>';
386	echo
387	'<p class="form-note">'.
388	__('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems').' </p>'.
389	'<p class="form-note">'.__('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.').
390	'</p>';
391	}
392	else {
393	echo '<div class="fieldset">';
394	}
395
396	echo
397	'<p><label for="user_id">'.__('Username:').'</label> '.
398	form::field(array('user_id','user_id'),20,32,html::escapeHTML($user_id)).'</p>'.
399
400	'<p><label for="user_pwd">'.__('Password:').'</label> '.
401	form::password(array('user_pwd','user_pwd'),20,255).'</p>'.
402
403	'<p>'.
404	form::checkbox(array('user_remember','user_remember'),1).
405	'<label for="user_remember" class="classic">'.
406	__('Remember my ID on this computer').'</label></p>'.
407
408	'<p><input type="submit" value="'.__('log in').'" class="login" /></p>';
409
410	if (!empty($_REQUEST['blog'])) {
411	echo form::hidden('blog',html::escapeHTML($_REQUEST['blog']));
412	}
413	if($safe_mode) {
414	echo
415	form::hidden('safe_mode',1).
416	'</div>';
417	}
418	else {
419	echo '</div>';
420	}
421	echo
422	'<p id="cookie_help" class="error">'.__('You must accept cookies in order to use the private area.').'</p>';
423
424	echo '<div id="issue">';
425
426	if ($safe_mode) {
427	echo
428	'<p><a href="auth.php" id="normal_mode_link">'.__('Get back to normal authentication').'</a></p>';
429	} else {
430	echo '<p id="more"><strong>'.__('Connection issue?').'</strong></p>';
431	if ($core->auth->allowPassChange()) {
432	echo '<p><a href="auth.php?recover=1">'.__('I forgot my password').'</a></p>';
433	}
434	echo '<p><a href="auth.php?safe_mode=1" id="safe_mode_link">'.__('I want to log in in safe mode').'</a></p>';
435	}
436
437	echo '</div>';
438	}
439	}
440	?>
441	</form>
442	</body>
443	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 2311:b9ea646a3613

Download in other formats:

Sites map