1 | <?php |
---|
2 | # -- BEGIN LICENSE BLOCK --------------------------------------- |
---|
3 | # |
---|
4 | # This file is part of Dotclear 2. |
---|
5 | # |
---|
6 | # Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear |
---|
7 | # Licensed under the GPL version 2.0 license. |
---|
8 | # See LICENSE file or |
---|
9 | # http://www.gnu.org/licenses/old-licenses/gpl-2.0.html |
---|
10 | # |
---|
11 | # -- END LICENSE BLOCK ----------------------------------------- |
---|
12 | |
---|
13 | require dirname(__FILE__) . '/../inc/admin/prepend.php'; |
---|
14 | |
---|
15 | # If we have a session cookie, go to index.php |
---|
16 | if (isset($_SESSION['sess_user_id'])) { |
---|
17 | $core->adminurl->redirect('admin.home'); |
---|
18 | } |
---|
19 | |
---|
20 | # Loading locales for detected language |
---|
21 | # That's a tricky hack but it works ;) |
---|
22 | $dlang = http::getAcceptLanguage(); |
---|
23 | $dlang = ($dlang == '' ? 'en' : $dlang); |
---|
24 | if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $dlang)) { |
---|
25 | l10n::lang($dlang); |
---|
26 | l10n::set(dirname(__FILE__) . '/../locales/' . $dlang . '/main'); |
---|
27 | } |
---|
28 | |
---|
29 | if (defined('DC_ADMIN_URL')) { |
---|
30 | $page_url = DC_ADMIN_URL . $core->adminurl->get('admin.auth'); |
---|
31 | } else { |
---|
32 | $page_url = http::getHost() . $_SERVER['REQUEST_URI']; |
---|
33 | } |
---|
34 | |
---|
35 | $change_pwd = $core->auth->allowPassChange() && isset($_POST['new_pwd']) && isset($_POST['new_pwd_c']) && isset($_POST['login_data']); |
---|
36 | $login_data = !empty($_POST['login_data']) ? html::escapeHTML($_POST['login_data']) : null; |
---|
37 | $recover = $core->auth->allowPassChange() && !empty($_REQUEST['recover']); |
---|
38 | $safe_mode = !empty($_REQUEST['safe_mode']); |
---|
39 | $akey = $core->auth->allowPassChange() && !empty($_GET['akey']) ? $_GET['akey'] : null; |
---|
40 | $user_id = $user_pwd = $user_key = $user_email = null; |
---|
41 | $err = $msg = null; |
---|
42 | |
---|
43 | # Auto upgrade |
---|
44 | if (empty($_GET) && empty($_POST)) { |
---|
45 | require dirname(__FILE__) . '/../inc/dbschema/upgrade.php'; |
---|
46 | try { |
---|
47 | if (($changes = dcUpgrade::dotclearUpgrade($core)) !== false) { |
---|
48 | $msg = __('Dotclear has been upgraded.') . '<!-- ' . $changes . ' -->'; |
---|
49 | } |
---|
50 | } catch (Exception $e) { |
---|
51 | $err = $e->getMessage(); |
---|
52 | } |
---|
53 | } |
---|
54 | |
---|
55 | # If we have POST login informations, go throug auth process |
---|
56 | if (!empty($_POST['user_id']) && !empty($_POST['user_pwd'])) { |
---|
57 | $user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null; |
---|
58 | $user_pwd = !empty($_POST['user_pwd']) ? $_POST['user_pwd'] : null; |
---|
59 | } |
---|
60 | # If we have COOKIE login informations, go throug auth process |
---|
61 | elseif (isset($_COOKIE['dc_admin']) && strlen($_COOKIE['dc_admin']) == 104) { |
---|
62 | # If we have a remember cookie, go through auth process with user_key |
---|
63 | $user_id = substr($_COOKIE['dc_admin'], 40); |
---|
64 | $user_id = @unpack('a32', @pack('H*', $user_id)); |
---|
65 | if (is_array($user_id)) { |
---|
66 | $user_id = trim($user_id[1]); |
---|
67 | $user_key = substr($_COOKIE['dc_admin'], 0, 40); |
---|
68 | $user_pwd = null; |
---|
69 | } else { |
---|
70 | $user_id = null; |
---|
71 | } |
---|
72 | } |
---|
73 | |
---|
74 | # Recover password |
---|
75 | if ($recover && !empty($_POST['user_id']) && !empty($_POST['user_email'])) { |
---|
76 | $user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null; |
---|
77 | $user_email = !empty($_POST['user_email']) ? html::escapeHTML($_POST['user_email']) : ''; |
---|
78 | try |
---|
79 | { |
---|
80 | $recover_key = $core->auth->setRecoverKey($user_id, $user_email); |
---|
81 | |
---|
82 | $subject = mail::B64Header('Dotclear ' . __('Password reset')); |
---|
83 | $message = |
---|
84 | __('Someone has requested to reset the password for the following site and username.') . "\n\n" . |
---|
85 | $page_url . "\n" . __('Username:') . ' ' . $user_id . "\n\n" . |
---|
86 | __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\n" . |
---|
87 | $page_url . '?akey=' . $recover_key; |
---|
88 | |
---|
89 | $headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local'); |
---|
90 | $headers[] = 'Content-Type: text/plain; charset=UTF-8;'; |
---|
91 | |
---|
92 | mail::sendMail($user_email, $subject, $message, $headers); |
---|
93 | $msg = sprintf(__('The e-mail was sent successfully to %s.'), $user_email); |
---|
94 | } catch (Exception $e) { |
---|
95 | $err = $e->getMessage(); |
---|
96 | } |
---|
97 | } |
---|
98 | # Send new password |
---|
99 | elseif ($akey) { |
---|
100 | try |
---|
101 | { |
---|
102 | $recover_res = $core->auth->recoverUserPassword($akey); |
---|
103 | |
---|
104 | $subject = mb_encode_mimeheader('Dotclear ' . __('Your new password'), 'UTF-8', 'B'); |
---|
105 | $message = |
---|
106 | __('Username:') . ' ' . $recover_res['user_id'] . "\n" . |
---|
107 | __('Password:') . ' ' . $recover_res['new_pass'] . "\n\n" . |
---|
108 | preg_replace('/\?(.*)$/', '', $page_url); |
---|
109 | |
---|
110 | $headers[] = 'From: ' . (defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local'); |
---|
111 | $headers[] = 'Content-Type: text/plain; charset=UTF-8;'; |
---|
112 | |
---|
113 | mail::sendMail($recover_res['user_email'], $subject, $message, $headers); |
---|
114 | $msg = __('Your new password is in your mailbox.'); |
---|
115 | } catch (Exception $e) { |
---|
116 | $err = $e->getMessage(); |
---|
117 | } |
---|
118 | } |
---|
119 | # Change password and retry to log |
---|
120 | elseif ($change_pwd) { |
---|
121 | try |
---|
122 | { |
---|
123 | $tmp_data = explode('/', $_POST['login_data']); |
---|
124 | if (count($tmp_data) != 3) { |
---|
125 | throw new Exception(); |
---|
126 | } |
---|
127 | $data = array( |
---|
128 | 'user_id' => base64_decode($tmp_data[0]), |
---|
129 | 'cookie_admin' => $tmp_data[1], |
---|
130 | 'user_remember' => $tmp_data[2] == '1' |
---|
131 | ); |
---|
132 | if ($data['user_id'] === false) { |
---|
133 | throw new Exception(); |
---|
134 | } |
---|
135 | |
---|
136 | # Check login informations |
---|
137 | $check_user = false; |
---|
138 | if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104) { |
---|
139 | $user_id = substr($data['cookie_admin'], 40); |
---|
140 | $user_id = @unpack('a32', @pack('H*', $user_id)); |
---|
141 | if (is_array($user_id)) { |
---|
142 | $user_id = trim($data['user_id']); |
---|
143 | $user_key = substr($data['cookie_admin'], 0, 40); |
---|
144 | $check_user = $core->auth->checkUser($user_id, null, $user_key) === true; |
---|
145 | } else { |
---|
146 | $user_id = trim($user_id); |
---|
147 | } |
---|
148 | } |
---|
149 | |
---|
150 | if (!$core->auth->allowPassChange() || !$check_user) { |
---|
151 | $change_pwd = false; |
---|
152 | throw new Exception(); |
---|
153 | } |
---|
154 | |
---|
155 | if ($_POST['new_pwd'] != $_POST['new_pwd_c']) { |
---|
156 | throw new Exception(__("Passwords don't match")); |
---|
157 | } |
---|
158 | |
---|
159 | if ($core->auth->checkUser($user_id, $_POST['new_pwd']) === true) { |
---|
160 | throw new Exception(__("You didn't change your password.")); |
---|
161 | } |
---|
162 | |
---|
163 | $cur = $core->con->openCursor($core->prefix . 'user'); |
---|
164 | $cur->user_change_pwd = 0; |
---|
165 | $cur->user_pwd = $_POST['new_pwd']; |
---|
166 | $core->updUser($core->auth->userID(), $cur); |
---|
167 | |
---|
168 | $core->session->start(); |
---|
169 | $_SESSION['sess_user_id'] = $user_id; |
---|
170 | $_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY); |
---|
171 | |
---|
172 | if ($data['user_remember']) { |
---|
173 | setcookie('dc_admin', $data['cookie_admin'], strtotime('+15 days'), '', '', DC_ADMIN_SSL); |
---|
174 | } |
---|
175 | |
---|
176 | $core->adminurl->redirect('admin.home'); |
---|
177 | } catch (Exception $e) { |
---|
178 | $err = $e->getMessage(); |
---|
179 | } |
---|
180 | } |
---|
181 | # Try to log |
---|
182 | elseif ($user_id !== null && ($user_pwd !== null || $user_key !== null)) { |
---|
183 | # We check the user |
---|
184 | $check_user = $core->auth->checkUser($user_id, $user_pwd, $user_key, false) === true; |
---|
185 | if ($check_user) { |
---|
186 | $check_perms = $core->auth->findUserBlog() !== false; |
---|
187 | } else { |
---|
188 | $check_perms = false; |
---|
189 | } |
---|
190 | |
---|
191 | $cookie_admin = http::browserUID(DC_MASTER_KEY . $user_id . |
---|
192 | $core->auth->cryptLegacy($user_id)) . bin2hex(pack('a32', $user_id)); |
---|
193 | |
---|
194 | if ($check_perms && $core->auth->mustChangePassword()) { |
---|
195 | $login_data = join('/', array( |
---|
196 | base64_encode($user_id), |
---|
197 | $cookie_admin, |
---|
198 | empty($_POST['user_remember']) ? '0' : '1' |
---|
199 | )); |
---|
200 | |
---|
201 | if (!$core->auth->allowPassChange()) { |
---|
202 | $err = __('You have to change your password before you can login.'); |
---|
203 | } else { |
---|
204 | $err = __('In order to login, you have to change your password now.'); |
---|
205 | $change_pwd = true; |
---|
206 | } |
---|
207 | } elseif ($check_perms && !empty($_POST['safe_mode']) && !$core->auth->isSuperAdmin()) { |
---|
208 | $err = __('Safe Mode can only be used for super administrators.'); |
---|
209 | } elseif ($check_perms) { |
---|
210 | $core->session->start(); |
---|
211 | $_SESSION['sess_user_id'] = $user_id; |
---|
212 | $_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY); |
---|
213 | |
---|
214 | if (!empty($_POST['blog'])) { |
---|
215 | $_SESSION['sess_blog_id'] = $_POST['blog']; |
---|
216 | } |
---|
217 | |
---|
218 | if (!empty($_POST['safe_mode']) && $core->auth->isSuperAdmin()) { |
---|
219 | $_SESSION['sess_safe_mode'] = true; |
---|
220 | } |
---|
221 | |
---|
222 | if (!empty($_POST['user_remember'])) { |
---|
223 | setcookie('dc_admin', $cookie_admin, strtotime('+15 days'), '', '', DC_ADMIN_SSL); |
---|
224 | } |
---|
225 | |
---|
226 | $core->adminurl->redirect('admin.home'); |
---|
227 | } else { |
---|
228 | if (isset($_COOKIE['dc_admin'])) { |
---|
229 | unset($_COOKIE['dc_admin']); |
---|
230 | setcookie('dc_admin', false, -600, '', '', DC_ADMIN_SSL); |
---|
231 | } |
---|
232 | if ($check_user) { |
---|
233 | $err = __('Insufficient permissions'); |
---|
234 | } else { |
---|
235 | $err = __('Wrong username or password'); |
---|
236 | } |
---|
237 | } |
---|
238 | } |
---|
239 | |
---|
240 | if (isset($_GET['user'])) { |
---|
241 | $user_id = $_GET['user']; |
---|
242 | } |
---|
243 | |
---|
244 | header('Content-Type: text/html; charset=UTF-8'); |
---|
245 | |
---|
246 | // Prevents Clickjacking as far as possible |
---|
247 | header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+ |
---|
248 | |
---|
249 | ?> |
---|
250 | <!DOCTYPE html> |
---|
251 | <html lang="<?php echo $dlang; ?>"> |
---|
252 | <head> |
---|
253 | <meta charset="UTF-8" /> |
---|
254 | <meta http-equiv="Content-Script-Type" content="text/javascript" /> |
---|
255 | <meta http-equiv="Content-Style-Type" content="text/css" /> |
---|
256 | <meta http-equiv="Content-Language" content="<?php echo $dlang; ?>" /> |
---|
257 | <meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" /> |
---|
258 | <meta name="GOOGLEBOT" content="NOSNIPPET" /> |
---|
259 | <meta name="viewport" content="width=device-width, initial-scale=1.0" /> |
---|
260 | <title><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></title> |
---|
261 | <link rel="icon" type="image/png" href="images/favicon96-logout.png" /> |
---|
262 | <link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" /> |
---|
263 | |
---|
264 | |
---|
265 | <?php |
---|
266 | echo dcPage::jsCommon(); |
---|
267 | ?> |
---|
268 | |
---|
269 | <link rel="stylesheet" href="style/default.css" type="text/css" media="screen" /> |
---|
270 | |
---|
271 | <?php |
---|
272 | # --BEHAVIOR-- loginPageHTMLHead |
---|
273 | $core->callBehavior('loginPageHTMLHead'); |
---|
274 | ?> |
---|
275 | |
---|
276 | <script type="text/javascript"> |
---|
277 | $(window).load(function() { |
---|
278 | var uid = $('input[name=user_id]'); |
---|
279 | var upw = $('input[name=user_pwd]'); |
---|
280 | uid.focus(); |
---|
281 | |
---|
282 | if (upw.length == 0) { return; } |
---|
283 | |
---|
284 | uid.keypress(processKey); |
---|
285 | |
---|
286 | function processKey(evt) { |
---|
287 | if (evt.which == 13 && upw.val() == '') { |
---|
288 | upw.focus(); |
---|
289 | return false; |
---|
290 | } |
---|
291 | return true; |
---|
292 | }; |
---|
293 | $.cookie('dc_admin_test_cookie',true); |
---|
294 | if ($.cookie('dc_admin_test_cookie')) { |
---|
295 | $('#cookie_help').hide(); |
---|
296 | $.cookie('dc_admin_test_cookie', '', {'expires': -1}); |
---|
297 | } else { |
---|
298 | $('#cookie_help').show(); |
---|
299 | } |
---|
300 | $('#issue #more').toggleWithLegend($('#issue').children().not('#more')); |
---|
301 | }); |
---|
302 | </script> |
---|
303 | </head> |
---|
304 | |
---|
305 | <body id="dotclear-admin" class="auth"> |
---|
306 | |
---|
307 | <form action="<?php echo $core->adminurl->get('admin.auth'); ?>" method="post" id="login-screen"> |
---|
308 | <h1 role="banner"><?php echo html::escapeHTML(DC_VENDOR_NAME); ?></h1> |
---|
309 | |
---|
310 | <?php |
---|
311 | if ($err) { |
---|
312 | echo '<div class="error" role="alert">' . $err . '</div>'; |
---|
313 | } |
---|
314 | if ($msg) { |
---|
315 | echo '<p class="success" role="alert">' . $msg . '</p>'; |
---|
316 | } |
---|
317 | |
---|
318 | if ($akey) { |
---|
319 | echo '<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>'; |
---|
320 | } elseif ($recover) { |
---|
321 | echo |
---|
322 | '<div class="fieldset" role="main"><h2>' . __('Request a new password') . '</h2>' . |
---|
323 | '<p><label for="user_id">' . __('Username:') . '</label> ' . |
---|
324 | form::field(array('user_id', 'user_id'), 20, 32, html::escapeHTML($user_id)) . '</p>' . |
---|
325 | |
---|
326 | '<p><label for="user_email">' . __('Email:') . '</label> ' . |
---|
327 | form::field(array('user_email', 'user_email'), 20, 255, html::escapeHTML($user_email)) . '</p>' . |
---|
328 | |
---|
329 | '<p><input type="submit" value="' . __('recover') . '" />' . |
---|
330 | form::hidden(array('recover'), 1) . '</p>' . |
---|
331 | '</div>' . |
---|
332 | |
---|
333 | '<div id="issue">' . |
---|
334 | '<p><a href="' . $core->adminurl->get('admin.auth') . '">' . __('Back to login screen') . '</a></p>' . |
---|
335 | '</div>'; |
---|
336 | } elseif ($change_pwd) { |
---|
337 | echo |
---|
338 | '<div class="fieldset"><h2>' . __('Change your password') . '</h2>' . |
---|
339 | '<p><label for="new_pwd">' . __('New password:') . '</label> ' . |
---|
340 | form::password(array('new_pwd', 'new_pwd'), 20, 255, array('autocomplete' => 'new-password')) . '</p>' . |
---|
341 | |
---|
342 | '<p><label for="new_pwd_c">' . __('Confirm password:') . '</label> ' . |
---|
343 | form::password(array('new_pwd_c', 'new_pwd_c'), 20, 255, array('autocomplete' => 'new-password')) . '</p>' . |
---|
344 | '</div>' . |
---|
345 | |
---|
346 | '<p><input type="submit" value="' . __('change') . '" />' . |
---|
347 | form::hidden('login_data', $login_data) . '</p>'; |
---|
348 | } else { |
---|
349 | if (is_callable(array($core->auth, 'authForm'))) { |
---|
350 | echo $core->auth->authForm($user_id); |
---|
351 | } else { |
---|
352 | if ($safe_mode) { |
---|
353 | echo '<div class="fieldset" role="main">'; |
---|
354 | echo '<h2>' . __('Safe mode login') . '</h2>'; |
---|
355 | echo |
---|
356 | '<p class="form-note">' . |
---|
357 | __('This mode allows you to login without activating any of your plugins. This may be useful to solve compatibility problems') . ' </p>' . |
---|
358 | '<p class="form-note">' . __('Disable or delete any plugin suspected to cause trouble, then log out and log back in normally.') . |
---|
359 | '</p>'; |
---|
360 | } else { |
---|
361 | echo '<div class="fieldset" role="main">'; |
---|
362 | } |
---|
363 | |
---|
364 | echo |
---|
365 | '<p><label for="user_id">' . __('Username:') . '</label> ' . |
---|
366 | form::field(array('user_id', 'user_id'), 20, 32, html::escapeHTML($user_id)) . '</p>' . |
---|
367 | |
---|
368 | '<p><label for="user_pwd">' . __('Password:') . '</label> ' . |
---|
369 | form::password(array('user_pwd', 'user_pwd'), 20, 255, array('autocomplete' => 'current-password')) . '</p>' . |
---|
370 | |
---|
371 | '<p>' . |
---|
372 | form::checkbox(array('user_remember', 'user_remember'), 1) . |
---|
373 | '<label for="user_remember" class="classic">' . |
---|
374 | __('Remember my ID on this device') . '</label></p>' . |
---|
375 | |
---|
376 | '<p><input type="submit" value="' . __('log in') . '" class="login" /></p>'; |
---|
377 | |
---|
378 | if (!empty($_REQUEST['blog'])) { |
---|
379 | echo form::hidden('blog', html::escapeHTML($_REQUEST['blog'])); |
---|
380 | } |
---|
381 | if ($safe_mode) { |
---|
382 | echo |
---|
383 | form::hidden('safe_mode', 1) . |
---|
384 | '</div>'; |
---|
385 | } else { |
---|
386 | echo '</div>'; |
---|
387 | } |
---|
388 | echo |
---|
389 | '<p id="cookie_help" class="error">' . __('You must accept cookies in order to use the private area.') . '</p>'; |
---|
390 | |
---|
391 | echo '<div id="issue">'; |
---|
392 | |
---|
393 | if ($safe_mode) { |
---|
394 | echo |
---|
395 | '<p><a href="' . $core->adminurl->get('admin.auth') . '" id="normal_mode_link">' . __('Get back to normal authentication') . '</a></p>'; |
---|
396 | } else { |
---|
397 | echo '<p id="more"><strong>' . __('Connection issue?') . '</strong></p>'; |
---|
398 | if ($core->auth->allowPassChange()) { |
---|
399 | echo '<p><a href="' . $core->adminurl->get('admin.auth', array('recover' => 1)) . '">' . __('I forgot my password') . '</a></p>'; |
---|
400 | } |
---|
401 | echo '<p><a href="' . $core->adminurl->get('admin.auth', array('safe_mode' => 1)) . '" id="safe_mode_link">' . __('I want to log in in safe mode') . '</a></p>'; |
---|
402 | } |
---|
403 | |
---|
404 | echo '</div>'; |
---|
405 | } |
---|
406 | } |
---|
407 | ?> |
---|
408 | </form> |
---|
409 | </body> |
---|
410 | </html> |
---|