source: admin/auth.php @ 3699:77a12236e993

Visit:

Revision 3699:77a12236e993, 15.2 KB checked in by franck <carnet.franck.paul@…>, 6 years ago (diff)
Add autocomplete attribute to form::password where it's relevant, code formatting (PSR-2)

Line
1	<?php
2	# -- BEGIN LICENSE BLOCK ---------------------------------------
3	#
4	# This file is part of Dotclear 2.
5	#
6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
7	# Licensed under the GPL version 2.0 license.
8	# See LICENSE file or
9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10	#
11	# -- END LICENSE BLOCK -----------------------------------------
12
13	require dirname(__FILE__) . '/../inc/admin/prepend.php';
14
15	# If we have a session cookie, go to index.php
16	if (isset($_SESSION['sess_user_id'])) {
17	$core->adminurl->redirect('admin.home');
18	}
19
20	# Loading locales for detected language
21	# That's a tricky hack but it works ;)
22	$dlang = http::getAcceptLanguage();
23	$dlang = ($dlang == '' ? 'en' : $dlang);
24	if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $dlang)) {
25	l10n::lang($dlang);
26	l10n::set(dirname(__FILE__) . '/../locales/' . $dlang . '/main');
27	}
28
29	if (defined('DC_ADMIN_URL')) {
30	$page_url = DC_ADMIN_URL . $core->adminurl->get('admin.auth');
31	} else {
32	$page_url = http::getHost() . $_SERVER['REQUEST_URI'];
33	}
34
35	$change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']);
36	$login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null;
37	$recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']);
38	$safe_mode = !empty($_REQUEST['safe_mode']);
39	$akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null;
40	$user_id = $user_pwd = $user_key = $user_email = null;
41	$err = $msg = null;
42
43	# Auto upgrade
44	if (empty($_GET) && empty($_POST)) {
45	require dirname(__FILE__) . '/../inc/dbschema/upgrade.php';
46	try {
47	if (($changes = dcUpgrade::dotclearUpgrade($core)) !== false) {
48	$msg = __('Dotclear has been upgraded.') . '<!-- ' . $changes . ' -->';
49	}
50	} catch (Exception $e) {
51	$err = $e->getMessage();
52	}
53	}
54
55	# If we have POST login informations, go throug auth process
56	if (!empty($_POST['user_id']) && !empty($_POST['user_pwd'])) {
57	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
58	$user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null;
59	}
60	# If we have COOKIE login informations, go throug auth process
61	elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) {
62	# If we have a remember cookie, go through auth process with user_key
63	$user_id = substr($_COOKIE['dc_admin'], 40);
64	$user_id = @unpack('a32', @pack('H*', $user_id));
65	if (is_array($user_id)) {
66	$user_id = trim($user_id[1]);
67	$user_key = substr($_COOKIE['dc_admin'], 0, 40);
68	$user_pwd = null;
69	} else {
70	$user_id = null;
71	}
72	}
73
74	# Recover password
75	if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email'])) {
76	$user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null;
77	$user_email = !empty($_POST['user_email']) ? html::escapeHTML($_POST['user_email']) : '';
78	try
79	{
80	$recover_key = $core->auth->setRecoverKey($user_id, $user_email);
81
82	$subject = mail::B64Header('Dotclear ' . __('Password reset'));
83	$message =
84	__('Someone has requested to reset the password for the following site and username.') . "\n\n" .
85	$page_url . "\n" . __('Username:') . ' ' . $user_id . "\n\n" .
86	__('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\n" .
87	$page_url . '?akey=' . $recover_key;
88
89	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
90	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
91
92	mail::sendMail($user_email, $subject, $message, $headers);
93	$msg = sprintf(__('The e-mail was sent successfully to %s.'), $user_email);
94	} catch (Exception $e) {
95	$err = $e->getMessage();
96	}
97	}
98	# Send new password
99	elseif ($akey) {
100	try
101	{
102	$recover_res = $core->auth->recoverUserPassword($akey);
103
104	$subject = mb_encode_mimeheader('Dotclear ' . __('Your new password'), 'UTF-8', 'B');
105	$message =
106	__('Username:') . ' ' . $recover_res['user_id'] . "\n" .
107	__('Password:') . ' ' . $recover_res['new_pass'] . "\n\n" .
108	preg_replace('/\?(.*)$/', '', $page_url);
109
110	$headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
111	$headers[] = 'Content-Type: text/plain; charset=UTF-8;';
112
113	mail::sendMail($recover_res['user_email'], $subject, $message, $headers);
114	$msg = __('Your new password is in your mailbox.');
115	} catch (Exception $e) {
116	$err = $e->getMessage();
117	}
118	}
119	# Change password and retry to log
120	elseif ($change_pwd) {
121	try
122	{
123	$tmp_data = explode('/', $_POST['login_data']);
124	if (count($tmp_data) != 3) {
125	throw new Exception();
126	}
127	$data = array(
128	'user_id' => base64_decode($tmp_data[0]),
129	'cookie_admin' => $tmp_data[1],
130	'user_remember' => $tmp_data[2] == '1'
131	);
132	if ($data['user_id'] === false) {
133	throw new Exception();
134	}
135
136	# Check login informations
137	$check_user = false;
138	if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104) {
139	$user_id = substr($data['cookie_admin'], 40);
140	$user_id = @unpack('a32', @pack('H*', $user_id));
141	if (is_array($user_id)) {
142	$user_id = trim($data['user_id']);
143	$user_key = substr($data['cookie_admin'], 0, 40);
144	$check_user = $core->auth->checkUser($user_id, null, $user_key) === true;
145	} else {
146	$user_id = trim($user_id);
147	}
148	}
149
150	if (!$core->auth->allowPassChange() \|\| !$check_user) {
151	$change_pwd = false;
152	throw new Exception();
153	}
154
155	if ($_POST['new_pwd'] != $_POST['new_pwd_c']) {
156	throw new Exception(__("Passwords don't match"));
157	}
158
159	if ($core->auth->checkUser($user_id, $_POST['new_pwd']) === true) {
160	throw new Exception(__("You didn't change your password."));
161	}
162
163	$cur = $core->con->openCursor($core->prefix . 'user');
164	$cur->user_change_pwd = 0;
165	$cur->user_pwd = $_POST['new_pwd'];
166	$core->updUser($core->auth->userID(), $cur);
167
168	$core->session->start();
169	$_SESSION['sess_user_id'] = $user_id;
170	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
171
172	if ($data['user_remember']) {
173	setcookie('dc_admin', $data['cookie_admin'], strtotime('+15 days'), '', '', DC_ADMIN_SSL);
174	}
175
176	$core->adminurl->redirect('admin.home');
177	} catch (Exception $e) {
178	$err = $e->getMessage();
179	}
180	}
181	# Try to log
182	elseif ($user_id !== null && ($user_pwd !== null \|\| $user_key !== null)) {
183	# We check the user
184	$check_user = $core->auth->checkUser($user_id, $user_pwd, $user_key, false) === true;
185	if ($check_user) {
186	$check_perms = $core->auth->findUserBlog() !== false;
187	} else {
188	$check_perms = false;
189	}
190
191	$cookie_admin = http::browserUID(DC_MASTER_KEY . $user_id .
192	$core->auth->cryptLegacy($user_id)) . bin2hex(pack('a32', $user_id));
193
194	if ($check_perms && $core->auth->mustChangePassword()) {
195	$login_data = join('/', array(
196	base64_encode($user_id),
197	$cookie_admin,
198	empty($_POST['user_remember']) ? '0' : '1'
199	));
200
201	if (!$core->auth->allowPassChange()) {
202	$err = __('You have to change your password before you can login.');
203	} else {
204	$err = __('In order to login, you have to change your password now.');
205	$change_pwd = true;
206	}
207	} elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin()) {
208	$err = __('Safe Mode can only be used for super administrators.');
209	} elseif ($check_perms) {
210	$core->session->start();
211	$_SESSION['sess_user_id'] = $user_id;
212	$_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
213
214	if (!empty($_POST['blog'])) {
215	$_SESSION['sess_blog_id'] = $_POST['blog'];
216	}
217
218	if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) {
219	$_SESSION['sess_safe_mode'] = true;
220	}
221
222	if (!empty($_POST['user_remember'])) {
223	setcookie('dc_admin', $cookie_admin, strtotime('+15 days'), '', '', DC_ADMIN_SSL);
224	}
225
226	$core->adminurl->redirect('admin.home');
227	} else {
228	if (isset($_COOKIE['dc_admin'])) {
229	unset($_COOKIE['dc_admin']);
230	setcookie('dc_admin', false, -600, '', '', DC_ADMIN_SSL);
231	}
232	if ($check_user) {
233	$err = __('Insufficient permissions');
234	} else {
235	$err = __('Wrong username or password');
236	}
237	}
238	}
239
240	if (isset($_GET['user'])) {
241	$user_id = $_GET['user'];
242	}
243
244	header('Content-Type: text/html; charset=UTF-8');
245
246	// Prevents Clickjacking as far as possible
247	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
248
249	?>
250	<!DOCTYPE html>
251	<html lang="<?php echo $dlang; ?>">
252	<head>
253	<meta charset="UTF-8" />
254	<meta http-equiv="Content-Script-Type" content="text/javascript" />
255	<meta http-equiv="Content-Style-Type" content="text/css" />
256	<meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" />
257	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
258	<meta name="GOOGLEBOT" content="NOSNIPPET" />
259	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
260	<title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title>
261	<link rel="icon" type="image/png" href="images/favicon96-logout.png" />
262	<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
263
264
265	<?php
266	echo dcPage::jsCommon();
267	?>
268
269	<link rel="stylesheet" href="style/default.css" type="text/css" media="screen" />
270
271	<?php
272	# --BEHAVIOR-- loginPageHTMLHead
273	$core->callBehavior('loginPageHTMLHead');
274	?>
275
276	<script type="text/javascript">
277	$(window).load(function() {
278	var uid = $('input[name=user_id]');
279	var upw = $('input[name=user_pwd]');
280	uid.focus();
281
282	if (upw.length == 0) { return; }
283
284	uid.keypress(processKey);
285
286	function processKey(evt) {
287	if (evt.which == 13 && upw.val() == '') {
288	upw.focus();
289	return false;
290	}
291	return true;
292	};
293	$.cookie('dc_admin_test_cookie',true);
294	if ($.cookie('dc_admin_test_cookie')) {
295	$('#cookie_help').hide();
296	$.cookie('dc_admin_test_cookie', '', {'expires': -1});
297	} else {
298	$('#cookie_help').show();
299	}
300	$('#issue #more').toggleWithLegend($('#issue').children().not('#more'));
301	});
302	</script>
303	</head>
304
305	<body id="dotclear-admin" class="auth">
306
307	<form action="<?php echo $core->adminurl->get('admin.auth'); ?>" method="post" id="login-screen">
308	<h1 role="banner"><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1>
309
310	<?php
311	if ($err) {
312	echo '<div class="error" role="alert">' . $err . '</div>';
313	}
314	if ($msg) {
315	echo '<p class="success" role="alert">' . $msg . '</p>';
316	}
317
318	if ($akey) {
319	echo '<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>';
320	} elseif ($recover) {
321	echo
322	'<div class="fieldset" role="main"><h2>' . __('Request a new password') . '</h2>' .
323	'<p><label for="user_id">' . __('Username:') . '</label> ' .
324	form::field(array('user_id', 'user_id'), 20, 32, html::escapeHTML($user_id)) . '</p>' .
325
326	'<p><label for="user_email">' . __('Email:') . '</label> ' .
327	form::field(array('user_email', 'user_email'), 20, 255, html::escapeHTML($user_email)) . '</p>' .
328
329	'<p><input type="submit" value="' . __('recover') . '" />' .
330	form::hidden(array('recover'), 1) . '</p>' .
331	'</div>' .
332
333	'<div id="issue">' .
334	'<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>' .
335	'</div>';
336	} elseif ($change_pwd) {
337	echo
338	'<div class="fieldset"><h2>' . __('Change your password') . '</h2>' .
339	'<p><label for="new_pwd">' . __('New password:') . '</label> ' .
340	form::password(array('new_pwd', 'new_pwd'), 20, 255, array('autocomplete' => 'new-password')) . '</p>' .
341
342	'<p><label for="new_pwd_c">' . __('Confirm password:') . '</label> ' .
343	form::password(array('new_pwd_c', 'new_pwd_c'), 20, 255, array('autocomplete' => 'new-password')) . '</p>' .
344	'</div>' .
345
346	'<p><input type="submit" value="' . __('change') . '" />' .
347	form::hidden('login_data', $login_data) . '</p>';
348	} else {
349	if (is_callable(array($core->auth, 'authForm'))) {
350	echo $core->auth->authForm($user_id);
351	} else {
352	if ($safe_mode) {
353	echo '<div class="fieldset" role="main">';
354	echo '<h2>' . __('Safe mode login') . '</h2>';
355	echo
356	'<p class="form-note">' .
357	__('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems') . ' </p>' .
358	'<p class="form-note">' . __('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.') .
359	'</p>';
360	} else {
361	echo '<div class="fieldset" role="main">';
362	}
363
364	echo
365	'<p><label for="user_id">' . __('Username:') . '</label> ' .
366	form::field(array('user_id', 'user_id'), 20, 32, html::escapeHTML($user_id)) . '</p>' .
367
368	'<p><label for="user_pwd">' . __('Password:') . '</label> ' .
369	form::password(array('user_pwd', 'user_pwd'), 20, 255, array('autocomplete' => 'current-password')) . '</p>' .
370
371	'<p>' .
372	form::checkbox(array('user_remember', 'user_remember'), 1) .
373	'<label for="user_remember" class="classic">' .
374	__('Remember my ID on this device') . '</label></p>' .
375
376	'<p><input type="submit" value="' . __('log in') . '" class="login" /></p>';
377
378	if (!empty($_REQUEST['blog'])) {
379	echo form::hidden('blog', html::escapeHTML($_REQUEST['blog']));
380	}
381	if ($safe_mode) {
382	echo
383	form::hidden('safe_mode', 1) .
384	'</div>';
385	} else {
386	echo '</div>';
387	}
388	echo
389	'<p id="cookie_help" class="error">' . __('You must accept cookies in order to use the private area.') . '</p>';
390
391	echo '<div id="issue">';
392
393	if ($safe_mode) {
394	echo
395	'<p><a href="' . $core->adminurl->get('admin.auth') . '" id="normal_mode_link">' . __('Get back to normal authentication') . '</a></p>';
396	} else {
397	echo '<p id="more"><strong>' . __('Connection issue?') . '</strong></p>';
398	if ($core->auth->allowPassChange()) {
399	echo '<p><a href="' . $core->adminurl->get('admin.auth', array('recover' => 1)) . '">' . __('I forgot my password') . '</a></p>';
400	}
401	echo '<p><a href="' . $core->adminurl->get('admin.auth', array('safe_mode' => 1)) . '" id="safe_mode_link">' . __('I want to log in in safe mode') . '</a></p>';
402	}
403
404	echo '</div>';
405	}
406	}
407	?>
408	</form>
409	</body>
410	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/auth.php @ 3699:77a12236e993

Download in other formats:

Sites map