1
+ − 1 <?php
+ − 2
+ − 3 /*
+ − 4 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 5 * Copyright (C) 2006-2009 Dan Fuhry
1
+ − 6 * sessions.php - everything related to security and user management
+ − 7 *
+ − 8 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
+ − 9 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+ − 10 *
+ − 11 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ − 12 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
+ − 13 */
+ − 14
+ − 15 /**
+ − 16 * Anything and everything related to security and user management. This includes AES encryption, which is illegal in some countries.
+ − 17 * Documenting the API was not easy - I hope you folks enjoy it.
+ − 18 * @package Enano
+ − 19 * @subpackage Session manager
+ − 20 * @category security, user management, logins, etc.
+ − 21 */
+ − 22
+ − 23 class sessionManager {
+ − 24
+ − 25 # Variables
+ − 26
+ − 27 /**
+ − 28 * Whether we're logged in or not
+ − 29 * @var bool
+ − 30 */
+ − 31
+ − 32 var $user_logged_in = false;
+ − 33
+ − 34 /**
+ − 35 * Our current low-privilege session key
+ − 36 * @var string
+ − 37 */
+ − 38
+ − 39 var $sid;
+ − 40
+ − 41 /**
+ − 42 * Username of currently logged-in user, or IP address if not logged in
+ − 43 * @var string
+ − 44 */
+ − 45
+ − 46 var $username;
+ − 47
+ − 48 /**
436
+ − 49 * User ID of currently logged-in user, or 1 if not logged in
1
+ − 50 * @var int
+ − 51 */
+ − 52
436
+ − 53 var $user_id = 1;
1
+ − 54
+ − 55 /**
+ − 56 * Real name of currently logged-in user, or blank if not logged in
+ − 57 * @var string
+ − 58 */
+ − 59
+ − 60 var $real_name;
+ − 61
+ − 62 /**
+ − 63 * E-mail address of currently logged-in user, or blank if not logged in
+ − 64 * @var string
+ − 65 */
+ − 66
+ − 67 var $email;
+ − 68
+ − 69 /**
31
+ − 70 * List of "extra" user information fields (IM handles, etc.)
+ − 71 * @var array (associative)
+ − 72 */
+ − 73
+ − 74 var $user_extra;
+ − 75
+ − 76 /**
1
+ − 77 * User level of current user
+ − 78 * USER_LEVEL_GUEST: guest
+ − 79 * USER_LEVEL_MEMBER: regular user
+ − 80 * USER_LEVEL_CHPREF: default - pseudo-level that allows changing password and e-mail address (requires re-authentication)
+ − 81 * USER_LEVEL_MOD: moderator
+ − 82 * USER_LEVEL_ADMIN: administrator
+ − 83 * @var int
+ − 84 */
+ − 85
+ − 86 var $user_level;
+ − 87
+ − 88 /**
+ − 89 * High-privilege session key
+ − 90 * @var string or false if not running on high-level authentication
+ − 91 */
+ − 92
+ − 93 var $sid_super;
+ − 94
+ − 95 /**
+ − 96 * The user's theme preference, defaults to $template->default_theme
+ − 97 * @var string
+ − 98 */
+ − 99
+ − 100 var $theme;
+ − 101
+ − 102 /**
+ − 103 * The user's style preference, or style auto-detected based on theme if not logged in
+ − 104 * @var string
+ − 105 */
+ − 106
+ − 107 var $style;
+ − 108
+ − 109 /**
+ − 110 * Signature of current user - appended to comments, etc.
+ − 111 * @var string
+ − 112 */
+ − 113
+ − 114 var $signature;
+ − 115
+ − 116 /**
+ − 117 * UNIX timestamp of when we were registered, or 0 if not logged in
+ − 118 * @var int
+ − 119 */
+ − 120
+ − 121 var $reg_time;
+ − 122
+ − 123 /**
+ − 124 * The number of unread private messages this user has.
+ − 125 * @var int
+ − 126 */
+ − 127
+ − 128 var $unread_pms = 0;
+ − 129
+ − 130 /**
591
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 131 * AES key used to encrypt passwords and session key info.
1
+ − 132 * @var string
591
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 133 * @access private
1
+ − 134 */
+ − 135
591
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 136 protected $private_key;
1
+ − 137
+ − 138 /**
+ − 139 * Regex that defines a valid username, minus the ^ and $, these are added later
+ − 140 * @var string
+ − 141 */
+ − 142
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 143 var $valid_username = '([^<>&\?\'"%\n\r\t\a\/]+)';
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 144
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 145 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 146 * The current user's user title. Defaults to NULL.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 147 * @var string
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 148 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 149
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 150 var $user_title = null;
1
+ − 151
+ − 152 /**
+ − 153 * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
+ − 154 * @var string
+ − 155 */
+ − 156
436
+ − 157 var $auth_level = 1;
1
+ − 158
+ − 159 /**
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 160 * Preference for date formatting
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 161 * @var string
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 162 */
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 163
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 164 var $date_format = DATE_4;
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 165
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 166 /**
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 167 * Preference for time formatting
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 168 * @var string
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 169 */
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 170
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 171 var $time_format = TIME_24_NS;
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 172
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 173 /**
1
+ − 174 * State variable to track if a session timed out
+ − 175 * @var bool
+ − 176 */
+ − 177
+ − 178 var $sw_timed_out = false;
+ − 179
+ − 180 /**
554
+ − 181 * Token appended to some important forms to prevent CSRF.
+ − 182 * @var string
+ − 183 */
+ − 184
+ − 185 var $csrf_token = false;
+ − 186
+ − 187 /**
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 188 * Password change disabled, for auth plugins
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 189 * @var bool
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 190 */
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 191
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 192 var $password_change_disabled = false;
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 193
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 194 /**
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 195 * Password change page URL + title, for auth plugins
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 196 * @var array
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 197 */
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 198
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 199 var $password_change_dest = array('url' => '', 'title' => '');
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 200
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 201 /**
1
+ − 202 * Switch to track if we're started or not.
+ − 203 * @access private
+ − 204 * @var bool
+ − 205 */
+ − 206
+ − 207 var $started = false;
+ − 208
+ − 209 /**
+ − 210 * Switch to control compatibility mode (for older Enano websites being upgraded)
+ − 211 * @access private
+ − 212 * @var bool
+ − 213 */
+ − 214
+ − 215 var $compat = false;
+ − 216
+ − 217 /**
+ − 218 * Our list of permission types.
+ − 219 * @access private
+ − 220 * @var array
+ − 221 */
+ − 222
+ − 223 var $acl_types = Array();
+ − 224
+ − 225 /**
+ − 226 * The list of descriptions for the permission types
+ − 227 * @var array
+ − 228 */
+ − 229
+ − 230 var $acl_descs = Array();
+ − 231
+ − 232 /**
+ − 233 * A list of dependencies for ACL types.
+ − 234 * @var array
+ − 235 */
+ − 236
+ − 237 var $acl_deps = Array();
+ − 238
+ − 239 /**
246
+ − 240 * Our tell-all list of permissions. Do not even try to change this.
+ − 241 * @access private
1
+ − 242 * @var array
+ − 243 */
+ − 244
+ − 245 var $perms = Array();
+ − 246
+ − 247 /**
+ − 248 * A cache variable - saved after sitewide permissions are checked but before page-specific permissions.
+ − 249 * @var array
+ − 250 * @access private
+ − 251 */
+ − 252
+ − 253 var $acl_base_cache = Array();
+ − 254
+ − 255 /**
+ − 256 * Stores the scope information for ACL types.
+ − 257 * @var array
+ − 258 * @access private
+ − 259 */
+ − 260
+ − 261 var $acl_scope = Array();
+ − 262
+ − 263 /**
+ − 264 * Array to track which default permissions are being used
+ − 265 * @var array
+ − 266 * @access private
+ − 267 */
+ − 268
+ − 269 var $acl_defaults_used = Array();
+ − 270
+ − 271 /**
+ − 272 * Array to track group membership.
+ − 273 * @var array
+ − 274 */
+ − 275
+ − 276 var $groups = Array();
+ − 277
+ − 278 /**
+ − 279 * Associative array to track group modship.
+ − 280 * @var array
+ − 281 */
+ − 282
+ − 283 var $group_mod = Array();
+ − 284
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 285 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 286 * A constant array of user-level-to-rank default associations.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 287 * @var array
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 288 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 289
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 290 var $level_rank_table = array(
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 291 USER_LEVEL_ADMIN => RANK_ID_ADMIN,
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 292 USER_LEVEL_MOD => RANK_ID_MOD,
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 293 USER_LEVEL_MEMBER => RANK_ID_MEMBER,
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 294 USER_LEVEL_CHPREF => RANK_ID_MEMBER,
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 295 USER_LEVEL_GUEST => RANK_ID_GUEST
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 296 );
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 297
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 298 /**
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 299 * A constant array that maps precedence constants to language strings
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 300 * @var array
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 301 */
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 302
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 303 var $acl_inherit_lang_table = array(
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 304 ACL_INHERIT_ENANO_DEFAULT => 'acl_inherit_enano_default',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 305 ACL_INHERIT_GLOBAL_EVERYONE => 'acl_inherit_global_everyone',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 306 ACL_INHERIT_GLOBAL_GROUP => 'acl_inherit_global_group',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 307 ACL_INHERIT_GLOBAL_USER => 'acl_inherit_global_user',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 308 ACL_INHERIT_PG_EVERYONE => 'acl_inherit_pg_everyone',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 309 ACL_INHERIT_PG_GROUP => 'acl_inherit_pg_group',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 310 ACL_INHERIT_PG_USER => 'acl_inherit_pg_user',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 311 ACL_INHERIT_LOCAL_EVERYONE => 'acl_inherit_local_everyone',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 312 ACL_INHERIT_LOCAL_GROUP => 'acl_inherit_local_group',
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 313 ACL_INHERIT_LOCAL_USER => 'acl_inherit_local_user'
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 314 );
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 315
1
+ − 316 # Basic functions
+ − 317
+ − 318 /**
+ − 319 * Constructor.
+ − 320 */
+ − 321
+ − 322 function __construct()
+ − 323 {
+ − 324 global $db, $session, $paths, $template, $plugins; // Common objects
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 325
289
2b60c89dc27f
Fixed a few major bugs with the upgrade script and the config file not getting loaded properly due to IN_ENANO_INSTALL
Dan
diff
changeset
+ − 326 if ( defined('IN_ENANO_INSTALL') && !defined('IN_ENANO_UPGRADE') )
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 327 {
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 328 @include(ENANO_ROOT.'/config.new.php');
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 329 }
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 330 else
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 331 {
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 332 @include(ENANO_ROOT.'/config.php');
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 333 }
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 334
1
+ − 335 unset($dbhost, $dbname, $dbuser, $dbpasswd);
+ − 336 if(isset($crypto_key))
+ − 337 {
+ − 338 $this->private_key = $crypto_key;
+ − 339 $this->private_key = hexdecode($this->private_key);
+ − 340 }
+ − 341 else
+ − 342 {
+ − 343 if(is_writable(ENANO_ROOT.'/config.php'))
+ − 344 {
+ − 345 // Generate and stash a private key
+ − 346 // This should only happen during an automated silent gradual migration to the new encryption platform.
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 347 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 348 $this->private_key = $aes->gen_readymade_key();
+ − 349
+ − 350 $config = file_get_contents(ENANO_ROOT.'/config.php');
+ − 351 if(!$config)
+ − 352 {
+ − 353 die('$session->__construct(): can\'t get the contents of config.php');
+ − 354 }
+ − 355
+ − 356 $config = str_replace("?>", "\$crypto_key = '{$this->private_key}';\n?>", $config);
+ − 357 // And while we're at it...
+ − 358 $config = str_replace('MIDGET_INSTALLED', 'ENANO_INSTALLED', $config);
+ − 359 $fh = @fopen(ENANO_ROOT.'/config.php', 'w');
+ − 360 if ( !$fh )
+ − 361 {
+ − 362 die('$session->__construct(): Couldn\'t open config file for writing to store the private key, I tried to avoid something like this...');
+ − 363 }
+ − 364
+ − 365 fwrite($fh, $config);
+ − 366 fclose($fh);
+ − 367 }
+ − 368 else
+ − 369 {
+ − 370 die_semicritical('Crypto error', '<p>No private key was found in the config file, and we can\'t generate one because we don\'t have write access to the config file. Please CHMOD config.php to 666 or 777 and reload this page.</p>');
+ − 371 }
+ − 372 }
+ − 373 // Check for compatibility mode
+ − 374 if(defined('IN_ENANO_INSTALL'))
+ − 375 {
+ − 376 $q = $db->sql_query('SELECT old_encryption FROM '.table_prefix.'users LIMIT 1;');
+ − 377 if(!$q)
+ − 378 {
+ − 379 $error = mysql_error();
+ − 380 if(strstr($error, "Unknown column 'old_encryption'"))
+ − 381 $this->compat = true;
+ − 382 else
+ − 383 $db->_die('This should never happen and is a bug - the only error that was supposed to happen here didn\'t happen. (sessions.php in constructor, during compat mode check)');
+ − 384 }
+ − 385 $db->free_result();
+ − 386 }
+ − 387 }
+ − 388
+ − 389 /**
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 390 * PHP 4 compatible constructor. Deprecated in 1.1.x.
1
+ − 391 */
+ − 392
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 393 /*
1
+ − 394 function sessionManager()
+ − 395 {
+ − 396 $this->__construct();
+ − 397 }
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 398 */
1
+ − 399
+ − 400 /**
+ − 401 * Wrapper function to sanitize strings for MySQL and HTML
+ − 402 * @param string $text The text to sanitize
+ − 403 * @return string
+ − 404 */
+ − 405
+ − 406 function prepare_text($text)
+ − 407 {
+ − 408 global $db;
+ − 409 return $db->escape(htmlspecialchars($text));
+ − 410 }
+ − 411
+ − 412 /**
+ − 413 * Makes a SQL query and handles error checking
+ − 414 * @param string $query The SQL query to make
+ − 415 * @return resource
+ − 416 */
+ − 417
+ − 418 function sql($query)
+ − 419 {
+ − 420 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 421 $result = $db->sql_query($query);
+ − 422 if(!$result)
+ − 423 {
+ − 424 $db->_die('The error seems to have occurred somewhere in the session management code.');
+ − 425 }
+ − 426 return $result;
+ − 427 }
+ − 428
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 429 /**
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 430 * Returns true if we're currently on a page that shouldn't be blocked even if we have an inactive or banned account
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 431 * @param bool strict - if true, whitelist of pages is even stricter (Login, Logout and CSS only). if false (default), admin access is allowed, assuming other factors allow it
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 432 * @return bool
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 433 */
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 434
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 435 function on_critical_page($strict = false)
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 436 {
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 437 global $title;
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 438 list($page_id, $namespace) = RenderMan::strToPageID($title);
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 439 list($page_id) = explode('/', $page_id);
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 440
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 441 if ( $strict )
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 442 {
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 443 return $namespace == 'Special' && in_array($page_id, array('CSS', 'Login', 'Logout'));
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 444 }
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 445 else
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 446 {
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 447 return $namespace == 'Admin' || ($namespace == 'Special' && in_array($page_id, array('CSS', 'Login', 'Logout', 'Administration')));
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 448 }
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 449 }
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 450
1
+ − 451 # Session restoration and permissions
+ − 452
+ − 453 /**
+ − 454 * Initializes the basic state of things, including most user prefs, login data, cookie stuff
+ − 455 */
+ − 456
+ − 457 function start()
+ − 458 {
+ − 459 global $db, $session, $paths, $template, $plugins; // Common objects
209
+ − 460 global $lang;
406
+ − 461 global $timezone;
1
+ − 462 if($this->started) return;
+ − 463 $this->started = true;
+ − 464 $user = false;
590
03a60844c7c5
Several optimization changes including getting rid of a few eval()s. Added placeholder functions for the theme manager, which should be working now
Dan
diff
changeset
+ − 465 if ( isset($_COOKIE['sid']) )
1
+ − 466 {
590
03a60844c7c5
Several optimization changes including getting rid of a few eval()s. Added placeholder functions for the theme manager, which should be working now
Dan
diff
changeset
+ − 467 if ( $this->compat )
1
+ − 468 {
+ − 469 $userdata = $this->compat_validate_session($_COOKIE['sid']);
+ − 470 }
+ − 471 else
+ − 472 {
+ − 473 $userdata = $this->validate_session($_COOKIE['sid']);
+ − 474 }
590
03a60844c7c5
Several optimization changes including getting rid of a few eval()s. Added placeholder functions for the theme manager, which should be working now
Dan
diff
changeset
+ − 475 if ( is_array($userdata) )
1
+ − 476 {
+ − 477 $this->sid = $_COOKIE['sid'];
+ − 478 $this->user_logged_in = true;
+ − 479 $this->user_id = intval($userdata['user_id']);
+ − 480 $this->username = $userdata['username'];
+ − 481 $this->user_level = intval($userdata['user_level']);
+ − 482 $this->real_name = $userdata['real_name'];
+ − 483 $this->email = $userdata['email'];
+ − 484 $this->unread_pms = $userdata['num_pms'];
568
+ − 485 $this->user_title = ( isset($userdata['user_title']) ) ? $userdata['user_title'] : null;
1
+ − 486 if(!$this->compat)
+ − 487 {
+ − 488 $this->theme = $userdata['theme'];
+ − 489 $this->style = $userdata['style'];
+ − 490 $this->signature = $userdata['signature'];
+ − 491 $this->reg_time = $userdata['reg_time'];
+ − 492 }
436
+ − 493 $this->auth_level = USER_LEVEL_MEMBER;
554
+ − 494 // generate an anti-CSRF token
+ − 495 $this->csrf_token = sha1($this->username . $this->sid . $this->user_id);
1
+ − 496 if(!isset($template->named_theme_list[$this->theme]))
+ − 497 {
+ − 498 if($this->compat || !is_object($template))
+ − 499 {
+ − 500 $this->theme = 'oxygen';
+ − 501 $this->style = 'bleu';
+ − 502 }
+ − 503 else
+ − 504 {
+ − 505 $this->theme = $template->default_theme;
+ − 506 $this->style = $template->default_style;
+ − 507 }
+ − 508 }
+ − 509 $user = true;
711
+ − 510
+ − 511 // set timezone params
406
+ − 512 $GLOBALS['timezone'] = $userdata['user_timezone'];
711
+ − 513 $GLOBALS['dst_params'] = explode(';', $userdata['user_dst']);
+ − 514 foreach ( $GLOBALS['dst_params'] as &$parm )
+ − 515 {
+ − 516 if ( substr($parm, -1) != 'd' )
+ − 517 $parm = intval($parm);
+ − 518 }
1
+ − 519
209
+ − 520 // Set language
+ − 521 if ( !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ − 522 {
+ − 523 $lang_id = intval($userdata['user_lang']);
+ − 524 $lang = new Language($lang_id);
406
+ − 525 @setlocale(LC_ALL, $lang->lang_code);
209
+ − 526 }
1
+ − 527
+ − 528 if(isset($_REQUEST['auth']) && !$this->sid_super)
+ − 529 {
+ − 530 // Now he thinks he's a moderator. Or maybe even an administrator. Let's find out if he's telling the truth.
+ − 531 if($this->compat)
+ − 532 {
+ − 533 $key = $_REQUEST['auth'];
+ − 534 $super = $this->compat_validate_session($key);
+ − 535 }
+ − 536 else
+ − 537 {
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 538 $key = $_REQUEST['auth'];
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 539 if ( !empty($key) && ( strlen($key) / 2 ) % 4 == 0 )
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 540 {
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 541 $super = $this->validate_session($key);
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 542 }
1
+ − 543 }
518
+ − 544 if(is_array(@$super))
1
+ − 545 {
+ − 546 $this->auth_level = intval($super['auth_level']);
+ − 547 $this->sid_super = $_REQUEST['auth'];
+ − 548 }
+ − 549 }
+ − 550 }
+ − 551 }
+ − 552 if(!$user)
+ − 553 {
+ − 554 //exit;
+ − 555 $this->register_guest_session();
+ − 556 }
+ − 557 if(!$this->compat)
+ − 558 {
+ − 559 // init groups
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 560 $q = $this->sql('SELECT g.group_name,g.group_id,m.is_mod FROM '.table_prefix.'groups AS g' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 561 . ' LEFT JOIN '.table_prefix.'group_members AS m' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 562 . ' ON g.group_id=m.group_id' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 563 . ' WHERE ( m.user_id='.$this->user_id.'' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 564 . ' OR g.group_name=\'Everyone\')' . "\n"
592
+ − 565 . ' ' . ( /* quick hack for upgrade compatibility reasons */ enano_version() == '1.0RC1' ? '' : 'AND ( m.pending != 1 OR m.pending IS NULL )' ) . '' . "\n"
+ − 566 . ' ORDER BY group_id ASC;'); // The ORDER BY is to make sure "Everyone" comes first so the permissions can be overridden
1
+ − 567 if($row = $db->fetchrow())
+ − 568 {
+ − 569 do {
+ − 570 $this->groups[$row['group_id']] = $row['group_name'];
+ − 571 $this->group_mod[$row['group_id']] = ( intval($row['is_mod']) == 1 );
+ − 572 } while($row = $db->fetchrow());
+ − 573 }
+ − 574 else
+ − 575 {
+ − 576 die('No group info');
+ − 577 }
590
03a60844c7c5
Several optimization changes including getting rid of a few eval()s. Added placeholder functions for the theme manager, which should be working now
Dan
diff
changeset
+ − 578 profiler_log('Fetched group memberships');
1
+ − 579 }
471
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 580
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 581 // make sure we aren't banned
1
+ − 582 $this->check_banlist();
+ − 583
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 584 // make sure the account is active
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 585 if ( !$this->compat && $this->user_logged_in && $userdata['account_active'] != 1 && !$this->on_critical_page() )
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 586 {
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 587 $this->show_inactive_error($userdata);
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 588 }
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 589
471
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 590 // Printable page view? Probably the wrong place to control
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 591 // it but $template is pretty dumb, it will just about always
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 592 // do what you ask it to do, which isn't always what we want
1
+ − 593 if ( isset ( $_GET['printable'] ) )
+ − 594 {
+ − 595 $this->theme = 'printable';
+ − 596 $this->style = 'default';
+ − 597 }
+ − 598
471
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 599 // setup theme ACLs
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 600 $template->process_theme_acls();
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 601
590
03a60844c7c5
Several optimization changes including getting rid of a few eval()s. Added placeholder functions for the theme manager, which should be working now
Dan
diff
changeset
+ − 602 profiler_log('Sessions started. Banlist and theme ACLs initialized');
1
+ − 603 }
+ − 604
+ − 605 # Logins
+ − 606
+ − 607 /**
+ − 608 * Attempts to perform a login using crypto functions
+ − 609 * @param string $username The username
+ − 610 * @param string $aes_data The encrypted password, hex-encoded
+ − 611 * @param string $aes_key The MD5 hash of the encryption key, hex-encoded
+ − 612 * @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt
+ − 613 * @param int $level The privilege level we're authenticating for, defaults to 0
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 614 * @param string $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code.
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 615 * @param string $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered.
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 616 * @param bool $remember Optional. If true, remembers the session for X days. Otherwise, assigns a short session. Defaults to false.
436
+ − 617 * @param bool $lookup_key Optional. If true (default) this queries the database for the "real" encryption key. Else, uses what is given.
1
+ − 618 * @return string 'success' on success, or error string on failure
+ − 619 */
+ − 620
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 621 function login_with_crypto($username, $aes_data, $aes_key_id, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false, $remember = false, $lookup_key = true)
1
+ − 622 {
+ − 623 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 624
+ − 625 // Instanciate the Rijndael encryption object
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 626 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 627
+ − 628 // Fetch our decryption key
+ − 629
436
+ − 630 if ( $lookup_key )
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 631 {
436
+ − 632 $aes_key = $this->fetch_public_key($aes_key_id);
+ − 633 if ( !$aes_key )
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 634 {
436
+ − 635 // It could be that our key cache is full. If it seems larger than 65KB, clear it
+ − 636 if ( strlen(getConfig('login_key_cache')) > 65000 )
+ − 637 {
+ − 638 setConfig('login_key_cache', '');
+ − 639 return array(
+ − 640 'success' => false,
+ − 641 'error' => 'key_not_found_cleared',
+ − 642 );
+ − 643 }
304
+ − 644 return array(
+ − 645 'success' => false,
436
+ − 646 'error' => 'key_not_found'
304
+ − 647 );
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 648 }
436
+ − 649 }
+ − 650 else
+ − 651 {
+ − 652 $aes_key =& $aes_key_id;
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 653 }
1
+ − 654
+ − 655 // Convert the key to a binary string
+ − 656 $bin_key = hexdecode($aes_key);
+ − 657
+ − 658 if(strlen($bin_key) != AES_BITS / 8)
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 659 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 660 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 661 'error' => 'key_wrong_length'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 662 );
1
+ − 663
+ − 664 // Decrypt our password
+ − 665 $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX);
+ − 666
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 667 // Let the LoginAPI do the rest.
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 668 return $this->login_without_crypto($username, $password, false, $level, $captcha_hash, $captcha_code, $remember);
1
+ − 669 }
+ − 670
+ − 671 /**
+ − 672 * Attempts to login without using crypto stuff, mainly for use when the other side doesn't like Javascript
+ − 673 * This method of authentication is inherently insecure, there's really nothing we can do about it except hope and pray that everyone moves to Firefox
+ − 674 * Technically it still uses crypto, but it only decrypts the password already stored, which is (obviously) required for authentication
+ − 675 * @param string $username The username
+ − 676 * @param string $password The password -OR- the MD5 hash of the password if $already_md5ed is true
+ − 677 * @param bool $already_md5ed This should be set to true if $password is an MD5 hash, and should be false if it's plaintext. Defaults to false.
+ − 678 * @param int $level The privilege level we're authenticating for, defaults to 0
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 679 * @param string $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code.
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 680 * @param string $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered.
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 681 * @param bool $remember Optional. If true, remembers the session for X days. Otherwise, assigns a short session. Defaults to false.
1
+ − 682 */
+ − 683
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 684 function login_without_crypto($username, $password, $already_md5ed = false, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false, $remember = false)
1
+ − 685 {
+ − 686 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 687
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 688 if ( $already_md5ed )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 689 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 690 // No longer supported
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 691 return array(
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 692 'mode' => 'error',
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 693 'error' => '$already_md5ed is no longer supported (set this parameter to false and make sure the password you send to $session->login_without_crypto() is not hashed)'
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 694 );
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 695 }
1
+ − 696
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 697 // Replace underscores with spaces in username
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 698 // (Added in 1.0.2)
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 699 $username = str_replace('_', ' ', $username);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 700
1
+ − 701 // Perhaps we're upgrading Enano?
+ − 702 if($this->compat)
+ − 703 {
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 704 return $this->login_compat($username, md5($password), $level);
1
+ − 705 }
+ − 706
1065
+ − 707 // Lockout check
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 708 if ( !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 709 {
1032
+ − 710 $lockout_data = $this->get_lockout_info($lockout_data);
436
+ − 711
+ − 712 $captcha_good = false;
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 713 if ( $lockout_data['lockout_policy'] == 'captcha' && $captcha_hash && $captcha_code )
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 714 {
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 715 // policy is captcha -- check if it's correct, and if so, bypass lockout check
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 716 $real_code = $this->get_captcha($captcha_hash);
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 717 if ( strtolower($real_code) === strtolower($captcha_code) )
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 718 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 719 $captcha_good = true;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 720 }
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 721 }
953
323c4cd1aa37
Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
Dan
diff
changeset
+ − 722 if ( $lockout_data['lockout_policy'] != 'disable' && !$captcha_good )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 723 {
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 724 if ( $lockout_data['lockout_fails'] >= $lockout_data['lockout_threshold'] )
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 725 {
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 726 // ooh boy, somebody's in trouble ;-)
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 727 return array(
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 728 'success' => false,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 729 'error' => 'locked_out',
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 730 'lockout_threshold' => $lockout_data['lockout_threshold'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 731 'lockout_duration' => ( $lockout_data['lockout_duration'] ),
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 732 'lockout_fails' => $lockout_data['lockout_fails'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 733 'lockout_policy' => $lockout_data['lockout_policy'],
1065
+ − 734 'time_rem' => $lockout_data['time_rem'],
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 735 'lockout_last_time' => $lockout_data['lockout_last_time']
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 736 );
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 737 }
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 738 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 739 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 740
1
+ − 741 // Instanciate the Rijndael encryption object
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 742 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 743
+ − 744 // Initialize our success switch
+ − 745 $success = false;
+ − 746
+ − 747 // Retrieve the real password from the database
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 748 $username_db = $db->escape(strtolower($username));
1063
+ − 749 $username_db_upper = $db->escape($username);
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 750 if ( !$db->sql_query('SELECT password,password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n"
1063
+ − 751 . " WHERE ( " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db' OR username = '$username_db_upper' );") )
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 752 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 753 $this->sql('SELECT password,\'\' AS password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n"
1063
+ − 754 . " WHERE ( " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db' OR username = '$username_db_upper' );");
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 755 }
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 756 if ( $db->numrows() < 1 )
188
+ − 757 {
+ − 758 // This wasn't logged in <1.0.2, dunno how it slipped through
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 759 if ( $level > USER_LEVEL_MEMBER )
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 760 $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 761 . ' (\'security\', \'admin_auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', '
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 762 . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
188
+ − 763 else
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 764 $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary) VALUES\n"
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 765 . ' (\'security\', \'auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', '
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 766 . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 767
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 768 // Do we also need to increment the lockout countdown?
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 769 if ( @$lockout_data['lockout_policy'] != 'disable' && !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 770 {
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 771 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 772 // increment fail count
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 773 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', ' . time() . ', \'credential\');');
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 774 $lockout_data['lockout_fails']++;
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 775 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 776 'success' => false,
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 777 'error' => ( $lockout_data['lockout_fails'] >= $lockout_data['lockout_threshold'] ) ? 'locked_out' : 'invalid_credentials',
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 778 'lockout_threshold' => $lockout_data['lockout_threshold'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 779 'lockout_duration' => ( $lockout_data['lockout_duration'] ),
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 780 'lockout_fails' => $lockout_data['lockout_fails'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 781 'lockout_policy' => $lockout_data['lockout_policy']
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 782 );
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 783 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 784
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 785 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 786 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 787 'error' => 'invalid_credentials'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 788 );
188
+ − 789 }
1
+ − 790 $row = $db->fetchrow();
+ − 791
+ − 792 // Check to see if we're logging in using a temporary password
+ − 793
+ − 794 if((intval($row['temp_password_time']) + 3600*24) > time() )
+ − 795 {
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 796 $temp_pass = hmac_sha1($password, $row['password_salt']);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 797 if( $temp_pass === $row['temp_password'] )
1
+ − 798 {
+ − 799 $code = $plugins->setHook('login_password_reset');
+ − 800 foreach ( $code as $cmd )
+ − 801 {
+ − 802 eval($cmd);
+ − 803 }
+ − 804
521
d264784355e5
Implemented the password-reset redirect _properly_ instead of the hackish direct header() call in sessions.php
Dan
diff
changeset
+ − 805 return array(
d264784355e5
Implemented the password-reset redirect _properly_ instead of the hackish direct header() call in sessions.php
Dan
diff
changeset
+ − 806 'success' => false,
d264784355e5
Implemented the password-reset redirect _properly_ instead of the hackish direct header() call in sessions.php
Dan
diff
changeset
+ − 807 'error' => 'valid_reset',
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 808 'redirect_url' => makeUrlComplete('Special', 'PasswordReset/stage2/' . $row['user_id'] . '/' . $this->pk_encrypt($password))
521
d264784355e5
Implemented the password-reset redirect _properly_ instead of the hackish direct header() call in sessions.php
Dan
diff
changeset
+ − 809 );
1
+ − 810 }
+ − 811 }
+ − 812
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 813 if ( $row['old_encryption'] == 1 )
1
+ − 814 {
+ − 815 // The user's password is stored using the obsolete and insecure MD5 algorithm - we'll update the field with the new password
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 816 if(md5($password) === $row['password'])
1
+ − 817 {
802
+ − 818 if ( !defined('IN_ENANO_UPGRADE') )
+ − 819 {
+ − 820 $hmac_secret = hexencode(AESCrypt::randkey(20), '', '');
+ − 821 $password_hmac = hmac_sha1($password, $hmac_secret);
+ − 822 $this->sql('UPDATE '.table_prefix."users SET password = '$password_hmac', password_salt = '$hmac_secret', old_encryption = 0 WHERE user_id={$row['user_id']};");
+ − 823 }
1
+ − 824 $success = true;
+ − 825 }
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 826 }
941
+ − 827 else if ( $row['old_encryption'] == 2 || ( defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) && strlen($row['password']) != 40 )
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 828 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 829 // Our password field uses the 1.0RC1-1.1.5 encryption format
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 830 $real_pass = $aes->decrypt($row['password'], $this->private_key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 831 if($password === $real_pass)
1
+ − 832 {
802
+ − 833 if ( !defined('IN_ENANO_UPGRADE') )
+ − 834 {
+ − 835 $hmac_secret = hexencode(AESCrypt::randkey(20), '', '');
+ − 836 $password_hmac = hmac_sha1($password, $hmac_secret);
+ − 837 $this->sql('UPDATE '.table_prefix."users SET password = '$password_hmac', password_salt = '$hmac_secret', old_encryption = 0 WHERE user_id={$row['user_id']};");
+ − 838 }
1
+ − 839 $success = true;
+ − 840 }
+ − 841 }
+ − 842 else
+ − 843 {
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 844 // Password uses HMAC-SHA1
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 845 $user_challenge = hmac_sha1($password, $row['password_salt']);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 846 $password_hmac =& $row['password'];
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 847 if ( $user_challenge === $password_hmac )
1
+ − 848 {
+ − 849 $success = true;
+ − 850 }
+ − 851 }
+ − 852 if($success)
+ − 853 {
+ − 854 if((int)$level > (int)$row['user_level'])
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 855 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 856 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 857 'error' => 'too_big_for_britches'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 858 );
1089
+ − 859
+ − 860 // grant session
802
+ − 861 $sess = $this->register_session($row['user_id'], $username, ( isset($password_hmac) ? $password_hmac : $password ), $level, $remember);
1089
+ − 862
1
+ − 863 if($sess)
+ − 864 {
+ − 865 if($level > USER_LEVEL_MEMBER)
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 866 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
1
+ − 867 else
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 868 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
1
+ − 869
+ − 870 $code = $plugins->setHook('login_success');
+ − 871 foreach ( $code as $cmd )
+ − 872 {
+ − 873 eval($cmd);
+ − 874 }
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 875
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 876 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 877 'success' => true
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 878 );
1
+ − 879 }
+ − 880 else
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 881 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 882 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 883 'error' => 'backend_fail'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 884 );
1
+ − 885 }
+ − 886 else
+ − 887 {
+ − 888 if($level > USER_LEVEL_MEMBER)
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 889 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
1
+ − 890 else
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 891 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
1
+ − 892
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 893 // Do we also need to increment the lockout countdown?
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 894 if ( !defined('IN_ENANO_INSTALL') && $lockout_data['lockout_policy'] != 'disable' )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 895 {
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 896 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 897 // increment fail count
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 898 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', ' . time() . ', \'credential\');');
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 899 $lockout_data['lockout_fails']++;
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 900 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 901 'success' => false,
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 902 'error' => ( $lockout_data['lockout_fails'] >= $lockout_data['lockout_threshold'] ) ? 'locked_out' : 'invalid_credentials',
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 903 'lockout_threshold' => $lockout_data['lockout_threshold'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 904 'lockout_duration' => ( $lockout_data['lockout_duration'] ),
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 905 'lockout_fails' => $lockout_data['lockout_fails'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 906 'lockout_policy' => $lockout_data['lockout_policy']
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 907 );
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 908 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 909
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 910 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 911 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 912 'error' => 'invalid_credentials'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 913 );
1
+ − 914 }
+ − 915 }
+ − 916
+ − 917 /**
554
+ − 918 * Attempts to log in using the old table structure and algorithm. This is for upgrades from old 1.0.x releases.
1
+ − 919 * @param string $username
+ − 920 * @param string $password This should be an MD5 hash
+ − 921 * @return string 'success' if successful, or error message on failure
+ − 922 */
+ − 923
+ − 924 function login_compat($username, $password, $level = 0)
+ − 925 {
+ − 926 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 927 $pass_hashed =& $password;
+ − 928 $this->sql('SELECT password,user_id,user_level FROM '.table_prefix.'users WHERE username=\''.$this->prepare_text($username).'\';');
+ − 929 if($db->numrows() < 1)
+ − 930 return 'The username and/or password is incorrect.';
+ − 931 $row = $db->fetchrow();
+ − 932 if($row['password'] == $password)
+ − 933 {
+ − 934 if((int)$level > (int)$row['user_level'])
+ − 935 return 'You are not authorized for this level of access.';
+ − 936 $sess = $this->register_session_compat(intval($row['user_id']), $username, $password, $level);
+ − 937 if($sess)
+ − 938 return 'success';
+ − 939 else
+ − 940 return 'Your login credentials were correct, but an internal error occured while registering the session key in the database.';
+ − 941 }
+ − 942 else
+ − 943 {
+ − 944 return 'The username and/or password is incorrect.';
+ − 945 }
+ − 946 }
+ − 947
+ − 948 /**
+ − 949 * Registers a session key in the database. This function *ASSUMES* that the username and password have already been validated!
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 950 * Basically the session key is a hex-encoded cookie (encrypted with the site's private key) that says "u=[username];p=[sha1 of password];s=[unique key id]"
1
+ − 951 * @param int $user_id
+ − 952 * @param string $username
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 953 * @param string $password_hmac The HMAC of the user's password, right from the database
1
+ − 954 * @param int $level The level of access to grant, defaults to USER_LEVEL_MEMBER
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 955 * @param bool $remember Whether the session should be long-term (true) or not (false). Defaults to short-term.
1
+ − 956 * @return bool
+ − 957 */
+ − 958
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 959 function register_session($user_id, $username, $password_hmac, $level = USER_LEVEL_MEMBER, $remember = false)
1
+ − 960 {
697
+ − 961 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 962
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 963 // Random key identifier
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 964 $salt = '';
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 965 for ( $i = 0; $i < 32; $i++ )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 966 {
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 967 $salt .= chr(mt_rand(32, 126));
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 968 }
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 969
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 970 // Session key
802
+ − 971 if ( defined('ENANO_UPGRADE_USE_AES_PASSWORDS') )
+ − 972 {
+ − 973 $session_key = $this->pk_encrypt("u=$username;p=" . sha1($password_hmac) . ";s=$salt");
+ − 974 }
+ − 975 else
+ − 976 {
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 977 $key_pieces = array($password_hmac);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 978 $sk_mode = 'generate';
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 979 $code = $plugins->setHook('session_key_calc');
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 980 foreach ( $code as $cmd )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 981 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 982 eval($cmd);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 983 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 984 $key_pieces = implode("\xFF", $key_pieces);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 985
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 986 $session_key = hmac_sha1($key_pieces, $salt);
802
+ − 987 }
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 988
1001
+ − 989 // Minimum level
+ − 990 $level = max(array($level, USER_LEVEL_MEMBER));
+ − 991
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 992 // Type of key
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 993 $key_type = ( $level > USER_LEVEL_MEMBER ) ? SK_ELEV : ( $remember ? SK_LONG : SK_SHORT );
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 994
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 995 // If we're registering an elevated-privilege key, it needs to be on GET
1
+ − 996 if($level > USER_LEVEL_MEMBER)
+ − 997 {
802
+ − 998 $this->sid_super = $session_key;
+ − 999 $_GET['auth'] = $session_key;
1
+ − 1000 }
+ − 1001 else
+ − 1002 {
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1003 // Stash it in a cookie
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1004 // For now, make the cookie last forever, we can change this in 1.1.x
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 1005 setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, $GLOBALS['is_https']);
1
+ − 1006 $_COOKIE['sid'] = $session_key;
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1007 $this->sid = $session_key;
1
+ − 1008 }
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1009 // $keyhash is stored in the database, this is for compatibility with the older DB structure
1
+ − 1010 $keyhash = md5($session_key);
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1011 // Record the user's IP
466
+ − 1012 $ip = $_SERVER['REMOTE_ADDR'];
+ − 1013 if(!is_valid_ip($ip))
1
+ − 1014 die('$session->register_session: Remote-Addr was spoofed');
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1015 // The time needs to be stashed to enforce the 15-minute limit on elevated session keys
1
+ − 1016 $time = time();
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1017
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1018 // Sanity check
1
+ − 1019 if(!is_int($user_id))
+ − 1020 die('Somehow an SQL injection attempt crawled into our session registrar! (1)');
+ − 1021 if(!is_int($level))
+ − 1022 die('Somehow an SQL injection attempt crawled into our session registrar! (2)');
+ − 1023
1001
+ − 1024 // Update RAM
+ − 1025 $this->user_id = $user_id;
+ − 1026 $this->user_level = max(array($this->user_level, $level));
+ − 1027
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1028 // All done!
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1029 $query = $db->sql_query('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time, key_type) VALUES(\''.$keyhash.'\', \''.$db->escape($salt).'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.', ' . $key_type . ');');
697
+ − 1030 if ( !$query && defined('IN_ENANO_UPGRADE') )
+ − 1031 // we're trying to upgrade so the key_type column is probably missing - try it again without specifying the key type
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1032 $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$keyhash.'\', \''.$db->escape($salt).'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');');
697
+ − 1033
1
+ − 1034 return true;
+ − 1035 }
+ − 1036
+ − 1037 /**
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1038 * Identical to register_session in nature, but uses the old login/table structure. DO NOT use this except in the upgrade script under very controlled circumstances.
1
+ − 1039 * @see sessionManager::register_session()
+ − 1040 * @access private
+ − 1041 */
+ − 1042
+ − 1043 function register_session_compat($user_id, $username, $password, $level = 0)
+ − 1044 {
+ − 1045 $salt = md5(microtime() . mt_rand());
+ − 1046 $thekey = md5($password . $salt);
+ − 1047 if($level > 0)
+ − 1048 {
+ − 1049 $this->sid_super = $thekey;
+ − 1050 }
+ − 1051 else
+ − 1052 {
+ − 1053 setcookie( 'sid', $thekey, time()+315360000, scriptPath.'/' );
+ − 1054 $_COOKIE['sid'] = $thekey;
+ − 1055 }
+ − 1056 $ip = ip2hex($_SERVER['REMOTE_ADDR']);
+ − 1057 if(!$ip)
+ − 1058 die('$session->register_session: Remote-Addr was spoofed');
+ − 1059 $time = time();
+ − 1060 if(!is_int($user_id))
+ − 1061 die('Somehow an SQL injection attempt crawled into our session registrar! (1)');
+ − 1062 if(!is_int($level))
+ − 1063 die('Somehow an SQL injection attempt crawled into our session registrar! (2)');
+ − 1064 $query = $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$thekey.'\', \''.$salt.'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');');
+ − 1065 return true;
+ − 1066 }
+ − 1067
+ − 1068 /**
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1069 * Tells us if we're locked out from logging in or not.
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1070 * @param reference will be filled with information regarding in-progress lockout
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1071 * @return bool True if locked out, false otherwise
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1072 */
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1073
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1074 function get_lockout_info(&$lockdata)
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1075 {
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1076 global $db;
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1077
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1078 // this has to be initialized to hide warnings
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1079 $lockdata = null;
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1080
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1081 // Query database for lockout info
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1082 $locked_out = false;
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1083 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1084 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
1065
+ − 1085 // convert to seconds
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1086 $duration = $duration * 60;
1065
+ − 1087 // decide on policy
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1088 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1089 if ( $policy != 'disable' )
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1090 {
1065
+ − 1091 // enabled; make decision
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1092 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1093 $timestamp_cutoff = time() - $duration;
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1094 $q = $this->sql('SELECT timestamp FROM ' . table_prefix . 'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
1032
+ − 1095 $fails = $db->numrows($q);
+ − 1096 $row = $db->fetchrow($q);
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1097 $locked_out = ( $fails >= $threshold );
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1098 $lockdata = array(
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1099 'locked_out' => $locked_out,
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1100 'lockout_threshold' => $threshold,
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1101 'lockout_duration' => ( $duration / 60 ),
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1102 'lockout_fails' => $fails,
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1103 'lockout_policy' => $policy,
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1104 'lockout_last_time' => $row['timestamp'],
1065
+ − 1105 'time_rem' => $locked_out ? ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ) : 0,
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1106 'captcha' => ''
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1107 );
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1108 $db->free_result();
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1109 }
1032
+ − 1110 else
+ − 1111 {
1065
+ − 1112 // disabled; send back default dataset
1032
+ − 1113 $lockdata = array(
+ − 1114 'locked_out' => false,
+ − 1115 'lockout_threshold' => $threshold,
+ − 1116 'lockout_duration' => ( $duration / 60 ),
+ − 1117 'lockout_fails' => 0,
+ − 1118 'lockout_policy' => $policy,
+ − 1119 'lockout_last_time' => 0,
+ − 1120 'time_rem' => 0,
+ − 1121 'captcha' => ''
+ − 1122 );
+ − 1123 }
+ − 1124 return $lockdata;
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1125 }
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1126
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1127 /**
1
+ − 1128 * Creates/restores a guest session
+ − 1129 * @todo implement real session management for guests
+ − 1130 */
+ − 1131
+ − 1132 function register_guest_session()
+ − 1133 {
+ − 1134 global $db, $session, $paths, $template, $plugins; // Common objects
209
+ − 1135 global $lang;
1
+ − 1136 $this->username = $_SERVER['REMOTE_ADDR'];
+ − 1137 $this->user_level = USER_LEVEL_GUEST;
+ − 1138 if($this->compat || defined('IN_ENANO_INSTALL'))
+ − 1139 {
+ − 1140 $this->theme = 'oxygen';
+ − 1141 $this->style = 'bleu';
+ − 1142 }
+ − 1143 else
+ − 1144 {
+ − 1145 $this->theme = ( isset($_GET['theme']) && isset($template->named_theme_list[$_GET['theme']])) ? $_GET['theme'] : $template->default_theme;
466
+ − 1146 $this->style = ( isset($_GET['style']) && file_exists(ENANO_ROOT.'/themes/'.$this->theme . '/css/'.$_GET['style'].'.css' )) ? $_GET['style'] : preg_replace('/\.css$/', '', $template->named_theme_list[$this->theme]['default_style']);
1
+ − 1147 }
+ − 1148 $this->user_id = 1;
377
bb3e6c3bd4f4
Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
Dan
diff
changeset
+ − 1149 // This is a VERY special case we are allowing. It lets the installer create languages using the Enano API.
209
+ − 1150 if ( !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ − 1151 {
782
+ − 1152 $language = ( isset($_GET['lang']) && preg_match('/^[a-z0-9-_]+$/', @$_GET['lang']) ) ? $_GET['lang'] : intval(getConfig('default_language'));
209
+ − 1153 $lang = new Language($language);
406
+ − 1154 @setlocale(LC_ALL, $lang->lang_code);
209
+ − 1155 }
557
26479224936a
Modified $template->init_vars() to pivot to local page metadata and permissions from a PageProcessor object instead of global data from $paths and permissions from $session to allow redirects to affect on-page controls as well as the actual content (only partially complete, protection and several other elements still need to be localized)
Dan
diff
changeset
+ − 1156 // make a CSRF token
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 1157 $this->csrf_token = hmac_sha1($_SERVER['REMOTE_ADDR'], sha1($this->private_key));
1
+ − 1158 }
+ − 1159
+ − 1160 /**
+ − 1161 * Validates a session key, and returns the userdata associated with the key or false
+ − 1162 * @param string $key The session key to validate
+ − 1163 * @return array Keys are 'user_id', 'username', 'email', 'real_name', 'user_level', 'theme', 'style', 'signature', 'reg_time', 'account_active', 'activation_key', and 'auth_level' or bool false if validation failed. The key 'auth_level' is the maximum authorization level that this key provides.
+ − 1164 */
+ − 1165
+ − 1166 function validate_session($key)
+ − 1167 {
+ − 1168 global $db, $session, $paths, $template, $plugins; // Common objects
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1169 profiler_log("SessionManager: checking session: " . sha1($key));
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1170
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1171 if ( strlen($key) > 48 )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1172 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1173 return $this->validate_aes_session($key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1174 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1175
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1176 profiler_log("SessionManager: checking session: " . $key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1177
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1178 return $this->validate_session_shared($key, '');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1179 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1180
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1181 /**
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1182 * Validates an old-format AES session key. DO NOT USE THIS. Will return false if called outside of an upgrade.
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1183 * @param string Session key
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1184 * @return array
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1185 */
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1186
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1187 protected function validate_aes_session($key)
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1188 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1189 global $db, $session, $paths, $template, $plugins; // Common objects
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1190
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1191 // No valid use except during upgrades
802
+ − 1192 if ( !preg_match('/^upg-/', enano_version()) && !defined('IN_ENANO_UPGRADE') )
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1193 return false;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1194
802
+ − 1195 $decrypted_key = $this->pk_decrypt($key);
1
+ − 1196 if ( !$decrypted_key )
+ − 1197 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1198 // die_semicritical('AES encryption error', '<p>Something went wrong during the AES decryption process.</p><pre>'.print_r($decrypted_key, true).'</pre>');
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1199 return false;
1
+ − 1200 }
+ − 1201
802
+ − 1202 $n = preg_match('/^u='.$this->valid_username.';p=([A-Fa-f0-9]+?);s=(.{32})$/', $decrypted_key, $keydata);
1
+ − 1203 if($n < 1)
+ − 1204 {
802
+ − 1205 echo '(debug) $session->validate_session: Key does not match regex<br />Decrypted key: '.$decrypted_key;
1
+ − 1206 return false;
+ − 1207 }
+ − 1208 $keyhash = md5($key);
+ − 1209 $salt = $db->escape($keydata[3]);
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1210
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1211 return $this->validate_session_shared($keyhash, $salt, true);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1212 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1213
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1214 /**
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1215 * Shared portion of session validation. Do not try to call this.
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1216 * @return array
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1217 * @access private
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1218 */
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1219
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1220 protected function validate_session_shared($key, $salt, $loose_call = false)
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1221 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1222 global $db, $session, $paths, $template, $plugins; // Common objects
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1223
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1224 // using a normal call to $db->sql_query to avoid failing on errors here
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1225 $columns_select = "u.user_id AS uid, u.username, u.password, u.password_salt, u.email, u.real_name, u.user_level, u.theme,\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1226 . " u.style,u.signature, u.reg_time, u.account_active, u.activation_key, u.user_lang, u.user_title, k.salt, k.source_ip,\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1227 . " k.time, k.auth_level, k.key_type, COUNT(p.message_id) AS num_pms, u.user_timezone, u.user_dst, x.*";
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1228
857
f3a5a276208c
Added support for alternate port numbers on database servers. Also in install-cli, merged in new sysreqs functionality.
Dan
diff
changeset
+ − 1229 $columns_groupby = "u.user_id, u.username, u.password, u.password_salt, u.email, u.real_name, u.user_level, u.theme, u.style, u.signature,\n"
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1230 . " u.reg_time, u.account_active, u.activation_key, u.user_lang, u.user_timezone, u.user_title, u.user_dst,\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1231 . " k.salt, k.source_ip, k.time, k.auth_level, k.key_type, x.user_id, x.user_aim, x.user_yahoo, x.user_msn,\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1232 . " x.user_xmpp, x.user_homepage, x.user_location, x.user_job, x.user_hobbies, x.email_public,\n"
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1233 . " x.disable_js_fx, x.date_format, x.time_format";
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1234
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1235 $joins = " LEFT JOIN " . table_prefix . "users AS u\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1236 . " ON ( u.user_id=k.user_id )\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1237 . " LEFT JOIN " . table_prefix . "users_extra AS x\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1238 . " ON ( u.user_id=x.user_id OR x.user_id IS NULL )\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1239 . " LEFT JOIN " . table_prefix . "privmsgs AS p\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1240 . " ON ( p.message_to=u.username AND p.message_read=0 )\n";
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1241 if ( !$loose_call )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1242 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1243 $key_md5 = md5($key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1244 $query = $db->sql_query("SELECT $columns_select\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1245 . "FROM " . table_prefix . "session_keys AS k\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1246 . $joins
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1247 . " WHERE k.session_key='$key_md5'\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1248 . " GROUP BY $columns_groupby;");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1249 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1250 else
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1251 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1252 $query = $db->sql_query("SELECT $columns_select\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1253 . "FROM " . table_prefix . "session_keys AS k\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1254 . $joins
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1255 . " WHERE k.session_key='$key'\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1256 . " AND k.salt='$salt'\n"
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1257 . " GROUP BY $columns_groupby;");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1258 }
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1259
603
+ − 1260 if ( !$query && ( defined('IN_ENANO_INSTALL') or defined('IN_ENANO_UPGRADE') ) )
18
+ − 1261 {
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1262 $key_md5 = $loose_call ? $key : md5($key);
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1263 $query = $this->sql('SELECT u.user_id AS uid,u.username,u.password,\'\' AS password_salt,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms, 1440 AS user_timezone, \'0;0;0;0;60\' AS user_dst, ' . SK_SHORT . ' AS key_type, k.salt FROM '.table_prefix.'session_keys AS k
18
+ − 1264 LEFT JOIN '.table_prefix.'users AS u
+ − 1265 ON ( u.user_id=k.user_id )
+ − 1266 LEFT JOIN '.table_prefix.'privmsgs AS p
+ − 1267 ON ( p.message_to=u.username AND p.message_read=0 )
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1268 WHERE k.session_key=\''.$key_md5.'\'
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1269 GROUP BY u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,k.salt;');
18
+ − 1270 }
603
+ − 1271 else if ( !$query )
+ − 1272 {
+ − 1273 $db->_die();
+ − 1274 }
1
+ − 1275 if($db->numrows() < 1)
+ − 1276 {
1084
+ − 1277 // echo '(debug) $session->validate_session: Key was not found in database: ' . $key_md5 . '<br />';
1
+ − 1278 return false;
+ − 1279 }
+ − 1280 $row = $db->fetchrow();
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1281 profiler_log("SessionManager: session check: selected and fetched results");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1282
1
+ − 1283 $row['user_id'] =& $row['uid'];
466
+ − 1284 $ip = $_SERVER['REMOTE_ADDR'];
1
+ − 1285 if($row['auth_level'] > $row['user_level'])
+ − 1286 {
+ − 1287 // Failed authorization check
+ − 1288 // echo '(debug) $session->validate_session: access to this auth level denied<br />';
+ − 1289 return false;
+ − 1290 }
+ − 1291 if($ip != $row['source_ip'])
+ − 1292 {
484
+ − 1293 // Special exception for 1.1.x upgrade - the 1.1.3 upgrade changes the size of the column and this is what validate_session
+ − 1294 // expects, but if the column size hasn't changed yet just check the first 10 digits of the IP.
+ − 1295 $fail = true;
+ − 1296 if ( defined('IN_ENANO_UPGRADE') )
+ − 1297 {
568
+ − 1298 if ( substr($ip, 0, 10) == substr($row['source_ip'], 0, 10) )
484
+ − 1299 $fail = false;
+ − 1300 }
1
+ − 1301 // Failed IP address check
+ − 1302 // echo '(debug) $session->validate_session: IP address mismatch<br />';
484
+ − 1303 if ( $fail )
+ − 1304 return false;
1
+ − 1305 }
+ − 1306
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1307 // $loose_call is turned on only from validate_aes_session
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1308 if ( !$loose_call )
1
+ − 1309 {
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1310 $key_pieces = array($row['password']);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1311 $user_id =& $row['uid'];
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1312 $sk_mode = 'validate';
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1313 $code = $plugins->setHook('session_key_calc');
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1314 foreach ( $code as $cmd )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1315 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1316 eval($cmd);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1317 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1318 $key_pieces = implode("\xFF", $key_pieces);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1319 $correct_key = hexdecode(hmac_sha1($key_pieces, $row['salt']));
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1320 $user_key = hexdecode($key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1321 if ( $correct_key !== $user_key || !is_string($user_key) )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1322 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1323 return false;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1324 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1325 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1326 else
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1327 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1328 // if this is a "loose call", this only works once (during the final upgrade stage). Destroy the contents of session_keys.
802
+ − 1329 if ( $row['auth_level'] == USER_LEVEL_ADMIN && preg_match('/^upg-/', enano_version()) )
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1330 $this->sql('DELETE FROM ' . table_prefix . "session_keys;");
1
+ − 1331 }
+ − 1332
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1333 // timestamp check
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1334 switch ( $row['key_type'] )
1
+ − 1335 {
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1336 case SK_SHORT:
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1337 $time_now = time();
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1338 $time_key = $row['time'] + ( 60 * intval(getConfig('session_short', '720')) );
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1339 if ( $time_now > $time_key )
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1340 {
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1341 // Session timed out
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1342 return false;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1343 }
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1344 break;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1345 case SK_LONG:
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1346 if ( intval(getConfig('session_remember_time', '0')) === 0 )
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1347 {
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1348 // sessions last infinitely, timestamp validation is therefore successful
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1349 break;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1350 }
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1351 $time_now = time();
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1352 $time_key = $row['time'] + ( 86400 * intval(getConfig('session_remember_time', '30')) );
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1353 if ( $time_now > $time_key )
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1354 {
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1355 // Session timed out
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1356 return false;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1357 }
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1358 break;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1359 case SK_ELEV:
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1360 $time_now = time();
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1361 $time_key = $row['time'] + 900;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1362 if($time_now > $time_key && $row['auth_level'] > USER_LEVEL_MEMBER)
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1363 {
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1364 // Session timed out
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1365 // echo '(debug) $session->validate_session: super session timed out<br />';
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1366 $this->sw_timed_out = true;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1367 return false;
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1368 }
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1369 break;
1
+ − 1370 }
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1371
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1372 // If this is an elevated-access or short-term session key, update the time
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 1373 if( $row['key_type'] == SK_ELEV || $row['key_type'] == SK_SHORT )
1
+ − 1374 {
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1375 $this->sql('UPDATE '.table_prefix.'session_keys SET time='.time().' WHERE session_key=\''.md5($key).'\';');
1
+ − 1376 }
+ − 1377
31
+ − 1378 $user_extra = array();
555
ac4c6a7f01d8
Added user preference for disabling visual effects in Javascript applets; added re-import button to installed plugins
Dan
diff
changeset
+ − 1379 foreach ( array('user_aim', 'user_yahoo', 'user_msn', 'user_xmpp', 'user_homepage', 'user_location', 'user_job', 'user_hobbies', 'email_public', 'disable_js_fx') as $column )
31
+ − 1380 {
375
8d0e3a5a6990
[minor] Trying to be a little more careful with values from users_extra in validate_session()
Dan
diff
changeset
+ − 1381 if ( isset($row[$column]) )
8d0e3a5a6990
[minor] Trying to be a little more careful with values from users_extra in validate_session()
Dan
diff
changeset
+ − 1382 $user_extra[$column] = $row[$column];
985
+ − 1383 else
+ − 1384 $user_extra[$column] = '';
31
+ − 1385 }
+ − 1386
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1387 if ( isset($row['date_format']) )
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1388 $this->date_format = $row['date_format'];
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1389 if ( isset($row['time_format']) )
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1390 $this->time_format = $row['time_format'];
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 1391
31
+ − 1392 $this->user_extra = $user_extra;
+ − 1393 // Leave the rest to PHP's automatic garbage collector ;-)
+ − 1394
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1395 $row['password'] = '';
406
+ − 1396 $row['user_timezone'] = intval($row['user_timezone']) - 1440;
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1397
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1398 profiler_log("SessionManager: finished session check");
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1399
1
+ − 1400 return $row;
+ − 1401 }
+ − 1402
+ − 1403 /**
+ − 1404 * Validates a session key, and returns the userdata associated with the key or false. Optimized for compatibility with the old MD5-based auth system.
+ − 1405 * @param string $key The session key to validate
+ − 1406 * @return array Keys are 'user_id', 'username', 'email', 'real_name', 'user_level', 'theme', 'style', 'signature', 'reg_time', 'account_active', 'activation_key', and 'auth_level' or bool false if validation failed. The key 'auth_level' is the maximum authorization level that this key provides.
+ − 1407 */
+ − 1408
+ − 1409 function compat_validate_session($key)
+ − 1410 {
+ − 1411 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1412 $key = $db->escape($key);
+ − 1413
406
+ − 1414 $query = $this->sql('SELECT u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,k.source_ip,k.salt,k.time,k.auth_level,1440 AS user_timezone FROM '.table_prefix.'session_keys AS k
1
+ − 1415 LEFT JOIN '.table_prefix.'users AS u
+ − 1416 ON u.user_id=k.user_id
+ − 1417 WHERE k.session_key=\''.$key.'\';');
+ − 1418 if($db->numrows() < 1)
+ − 1419 {
+ − 1420 // echo '(debug) $session->validate_session: Key '.$key.' was not found in database<br />';
+ − 1421 return false;
+ − 1422 }
+ − 1423 $row = $db->fetchrow();
+ − 1424 $ip = ip2hex($_SERVER['REMOTE_ADDR']);
+ − 1425 if($row['auth_level'] > $row['user_level'])
+ − 1426 {
+ − 1427 // Failed authorization check
+ − 1428 // echo '(debug) $session->validate_session: user not authorized for this access level';
+ − 1429 return false;
+ − 1430 }
+ − 1431 if($ip != $row['source_ip'])
+ − 1432 {
+ − 1433 // Failed IP address check
+ − 1434 // echo '(debug) $session->validate_session: IP address mismatch; IP in table: '.$row['source_ip'].'; reported IP: '.$ip.'';
+ − 1435 return false;
+ − 1436 }
+ − 1437
+ − 1438 // Do the password validation
+ − 1439 $real_key = md5($row['password'] . $row['salt']);
+ − 1440
+ − 1441 //die('<pre>'.print_r($keydata, true).'</pre>');
+ − 1442 if($real_key != $key)
+ − 1443 {
+ − 1444 // Failed password check
+ − 1445 // echo '(debug) $session->validate_session: supplied password is wrong<br />Real key: '.$real_key.'<br />User key: '.$key;
+ − 1446 return false;
+ − 1447 }
+ − 1448
+ − 1449 $time_now = time();
+ − 1450 $time_key = $row['time'] + 900;
+ − 1451 if($time_now > $time_key && $row['auth_level'] >= 1)
+ − 1452 {
+ − 1453 $this->sw_timed_out = true;
+ − 1454 // Session timed out
+ − 1455 // echo '(debug) $session->validate_session: super session timed out<br />';
+ − 1456 return false;
+ − 1457 }
+ − 1458
406
+ − 1459 $row['user_timezone'] = intval($row['user_timezone']) - 1440;
+ − 1460
1
+ − 1461 return $row;
+ − 1462 }
+ − 1463
+ − 1464 /**
+ − 1465 * Demotes us to one less than the specified auth level. AKA destroys elevated authentication and/or logs out the user, depending on $level
+ − 1466 * @param int $level How low we should go - USER_LEVEL_MEMBER means demote to USER_LEVEL_GUEST, and anything more powerful than USER_LEVEL_MEMBER means demote to USER_LEVEL_MEMBER
+ − 1467 * @return string 'success' if successful, or error on failure
+ − 1468 */
+ − 1469
+ − 1470 function logout($level = USER_LEVEL_MEMBER)
+ − 1471 {
+ − 1472 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1473 $ou = $this->username;
+ − 1474 $oid = $this->user_id;
1071
f374801eb775
Sessions: fixed logout() destroying normal session (instead of elevated) if $level = USER_LEVEL_CHPREF. Possible very minor security concern: elevated sessions were not fully destroyed, so if a normal session is opened from the same IP, the elevated one may be reusable for 15 minutes.
Dan
diff
changeset
+ − 1475 if($level > USER_LEVEL_MEMBER)
1
+ − 1476 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1477 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1478 if(!$this->user_logged_in || $this->auth_level < ( USER_LEVEL_MEMBER + 1))
221
+ − 1479 {
+ − 1480 return 'success';
+ − 1481 }
1
+ − 1482 // Destroy elevated privileges
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 1483 $keyhash = md5($this->sid_super);
1
+ − 1484 $this->sql('DELETE FROM '.table_prefix.'session_keys WHERE session_key=\''.$keyhash.'\' AND user_id=\'' . $this->user_id . '\';');
+ − 1485 $this->sid_super = false;
+ − 1486 $this->auth_level = USER_LEVEL_MEMBER;
+ − 1487 }
+ − 1488 else
+ − 1489 {
+ − 1490 if($this->user_logged_in)
+ − 1491 {
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1492 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1493 // Completely destroy our session
1071
f374801eb775
Sessions: fixed logout() destroying normal session (instead of elevated) if $level = USER_LEVEL_CHPREF. Possible very minor security concern: elevated sessions were not fully destroyed, so if a normal session is opened from the same IP, the elevated one may be reusable for 15 minutes.
Dan
diff
changeset
+ − 1494 if($this->auth_level > USER_LEVEL_MEMBER)
1
+ − 1495 {
+ − 1496 $this->logout(USER_LEVEL_ADMIN);
+ − 1497 }
+ − 1498 $this->sql('DELETE FROM '.table_prefix.'session_keys WHERE session_key=\''.md5($this->sid).'\';');
+ − 1499 setcookie( 'sid', '', time()-(3600*24), scriptPath.'/' );
+ − 1500 }
+ − 1501 }
+ − 1502 $code = $plugins->setHook('logout_success'); // , Array('level'=>$level,'old_username'=>$ou,'old_user_id'=>$oid));
+ − 1503 foreach ( $code as $cmd )
+ − 1504 {
+ − 1505 eval($cmd);
+ − 1506 }
+ − 1507 return 'success';
+ − 1508 }
+ − 1509
+ − 1510 # Miscellaneous stuff
+ − 1511
+ − 1512 /**
603
+ − 1513 * Alerts the user that their account is inactive, and tells them appropriate steps to remedy the situation. Halts execution.
+ − 1514 * @param array Return from validate_session()
+ − 1515 */
+ − 1516
+ − 1517 function show_inactive_error($userdata)
+ − 1518 {
+ − 1519 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1520 global $lang;
+ − 1521
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1522 global $title;
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1523 $paths->init($title);
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1524
603
+ − 1525 $language = intval(getConfig('default_language'));
+ − 1526 $lang = new Language($language);
+ − 1527 @setlocale(LC_ALL, $lang->lang_code);
+ − 1528
+ − 1529 $a = getConfig('account_activation');
+ − 1530 switch($a)
+ − 1531 {
+ − 1532 case 'none':
+ − 1533 default:
+ − 1534 $solution = $lang->get('user_login_noact_solution_none');
+ − 1535 break;
+ − 1536 case 'user':
+ − 1537 $solution = $lang->get('user_login_noact_solution_user');
+ − 1538 break;
+ − 1539 case 'admin':
+ − 1540 $solution = $lang->get('user_login_noact_solution_admin');
+ − 1541 break;
+ − 1542 }
+ − 1543
+ − 1544 // admin activation request opportunity
+ − 1545 $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'logs WHERE log_type=\'admin\' AND action=\'activ_req\' AND edit_summary=\'' . $db->escape($userdata['username']) . '\';');
+ − 1546 if ( !$q )
+ − 1547 $db->_die();
+ − 1548
+ − 1549 $can_request = ( $db->numrows() < 1 );
+ − 1550 $db->free_result();
+ − 1551
+ − 1552 if ( isset($_POST['logout']) )
+ − 1553 {
+ − 1554 $this->sid = $_COOKIE['sid'];
+ − 1555 $this->user_logged_in = true;
+ − 1556 $this->user_id = intval($userdata['user_id']);
+ − 1557 $this->username = $userdata['username'];
+ − 1558 $this->auth_level = USER_LEVEL_MEMBER;
+ − 1559 $this->user_level = USER_LEVEL_MEMBER;
+ − 1560 $this->logout();
+ − 1561 redirect(scriptPath . '/', $lang->get('user_login_noact_msg_logout_success_title'), $lang->get('user_login_noact_msg_logout_success_body'), 5);
+ − 1562 }
+ − 1563
+ − 1564 if ( $can_request && !isset($_POST['activation_request']) )
+ − 1565 {
+ − 1566 $form = '<p>' . $lang->get('user_login_noact_msg_ask_admins') . '</p>
+ − 1567 <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">
+ − 1568 <p><input type="submit" name="activation_request" value="' . $lang->get('user_login_noact_btn_request_activation') . '" /> <input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
+ − 1569 </form>';
+ − 1570 }
+ − 1571 else
+ − 1572 {
+ − 1573 if ( $can_request && isset($_POST['activation_request']) )
+ − 1574 {
+ − 1575 $this->admin_activation_request($userdata['username']);
+ − 1576 $form = '<p>' . $lang->get('user_login_noact_msg_admins_just_asked') . '</p>
+ − 1577 <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">
+ − 1578 <p><input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
+ − 1579 </form>';
+ − 1580 }
+ − 1581 else
+ − 1582 {
+ − 1583 $form = '<p>' . $lang->get('user_login_noact_msg_admins_asked') . '</p>
+ − 1584 <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">
+ − 1585 <p><input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
+ − 1586 </form>';
+ − 1587 }
+ − 1588 }
+ − 1589
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1590 global $output;
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1591 $output = new Output_HTML();
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1592 $output->set_title($lang->get('user_login_noact_title'));
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1593 die_friendly($lang->get('user_login_noact_title'), '<p>' . $lang->get('user_login_noact_msg_intro') . ' '.$solution.'</p>' . $form);
603
+ − 1594 }
+ − 1595
+ − 1596 /**
1
+ − 1597 * Appends the high-privilege session key to the URL if we are authorized to do high-privilege stuff
+ − 1598 * @param string $url The URL to add session data to
+ − 1599 * @return string
+ − 1600 */
+ − 1601
+ − 1602 function append_sid($url)
+ − 1603 {
+ − 1604 $sep = ( strstr($url, '?') ) ? '&' : '?';
+ − 1605 if ( $this->sid_super )
+ − 1606 {
+ − 1607 $url = $url . $sep . 'auth=' . urlencode($this->sid_super);
+ − 1608 // echo($this->sid_super.'<br/>');
+ − 1609 }
+ − 1610 return $url;
+ − 1611 }
+ − 1612
+ − 1613 /**
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1614 * Prevent the user from changing their password. Authentication plugins may call this to enforce single sign-on.
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1615 * @param string URL to page where the user may change their password
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1616 * @param string Title of the page where the user may change their password
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1617 * @return null
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1618 */
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1619
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1620 function disable_password_change($change_url = false, $change_title = false)
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1621 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1622 if ( $this->password_change_disabled )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1623 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1624 // don't allow calling twice. if we have two plugins doing this, somebody is bad at configuring websites.
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1625 return false;
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1626 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1627
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1628 if ( is_string($change_url) && is_string($change_title) )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1629 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1630 $this->password_change_dest = array(
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1631 'url' => $change_url,
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1632 'title' => $change_title
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1633 );
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1634 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1635 else
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1636 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1637 $this->password_change_dest = array(
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1638 'url' => false,
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1639 'title' => false
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1640 );
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1641 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1642
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1643 $this->password_change_disabled = true;
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1644 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1645
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1646 /**
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1647 * Grabs the user's password MD5 - NOW DEPRECATED AND DISABLED.
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 1648 * @return bool false
1
+ − 1649 */
+ − 1650
+ − 1651 function grab_password_hash()
+ − 1652 {
815
+ − 1653 return false;
1
+ − 1654 }
+ − 1655
+ − 1656 /**
+ − 1657 * Destroys the user's password MD5 in memory
+ − 1658 */
+ − 1659
+ − 1660 function disallow_password_grab()
+ − 1661 {
+ − 1662 $this->password_hash = false;
+ − 1663 return false;
+ − 1664 }
+ − 1665
+ − 1666 /**
+ − 1667 * Generates an AES key and stashes it in the database
+ − 1668 * @return string Hex-encoded AES key
+ − 1669 */
+ − 1670
+ − 1671 function rijndael_genkey()
+ − 1672 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1673 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1674 $key = $aes->gen_readymade_key();
+ − 1675 $keys = getConfig('login_key_cache');
+ − 1676 if(is_string($keys))
+ − 1677 $keys .= $key;
+ − 1678 else
+ − 1679 $keys = $key;
+ − 1680 setConfig('login_key_cache', $keys);
+ − 1681 return $key;
+ − 1682 }
+ − 1683
+ − 1684 /**
+ − 1685 * Generate a totally random 128-bit value for MD5 challenges
+ − 1686 * @return string
+ − 1687 */
+ − 1688
+ − 1689 function dss_rand()
+ − 1690 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1691 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1692 $random = $aes->randkey(128);
+ − 1693 unset($aes);
+ − 1694 return md5(microtime() . $random);
+ − 1695 }
+ − 1696
+ − 1697 /**
+ − 1698 * Fetch a cached login public key using the MD5sum as an identifier. Each key can only be fetched once before it is destroyed.
+ − 1699 * @param string $md5 The MD5 sum of the key
+ − 1700 * @return string, or bool false on failure
+ − 1701 */
+ − 1702
+ − 1703 function fetch_public_key($md5)
+ − 1704 {
+ − 1705 $keys = getConfig('login_key_cache');
+ − 1706 $keys = enano_str_split($keys, AES_BITS / 4);
+ − 1707
+ − 1708 foreach($keys as $i => $k)
+ − 1709 {
+ − 1710 if(md5($k) == $md5)
+ − 1711 {
+ − 1712 unset($keys[$i]);
+ − 1713 if(count($keys) > 0)
+ − 1714 {
+ − 1715 if ( strlen(getConfig('login_key_cache') ) > 64000 )
+ − 1716 {
+ − 1717 // This should only need to be done once every month or so for an average-size site
+ − 1718 setConfig('login_key_cache', '');
+ − 1719 }
+ − 1720 else
+ − 1721 {
+ − 1722 $keys = implode('', array_values($keys));
+ − 1723 setConfig('login_key_cache', $keys);
+ − 1724 }
+ − 1725 }
+ − 1726 else
+ − 1727 {
+ − 1728 setConfig('login_key_cache', '');
+ − 1729 }
+ − 1730 return $k;
+ − 1731 }
+ − 1732 }
+ − 1733 // Couldn't find the key...
+ − 1734 return false;
+ − 1735 }
+ − 1736
+ − 1737 /**
+ − 1738 * Adds a user to a group.
+ − 1739 * @param int User ID
+ − 1740 * @param int Group ID
+ − 1741 * @param bool Group moderator - defaults to false
+ − 1742 * @return bool True on success, false on failure
+ − 1743 */
+ − 1744
+ − 1745 function add_user_to_group($user_id, $group_id, $is_mod = false)
+ − 1746 {
+ − 1747 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1748
+ − 1749 // Validation
+ − 1750 if ( !is_int($user_id) || !is_int($group_id) || !is_bool($is_mod) )
+ − 1751 return false;
+ − 1752 if ( $user_id < 1 || $group_id < 1 )
+ − 1753 return false;
+ − 1754
+ − 1755 $mod_switch = ( $is_mod ) ? '1' : '0';
+ − 1756 $q = $this->sql('SELECT member_id,is_mod FROM '.table_prefix.'group_members WHERE user_id=' . $user_id . ' AND group_id=' . $group_id . ';');
+ − 1757 if ( !$q )
+ − 1758 $db->_die();
+ − 1759 if ( $db->numrows() < 1 )
+ − 1760 {
+ − 1761 // User is not in group
+ − 1762 $this->sql('INSERT INTO '.table_prefix.'group_members(user_id,group_id,is_mod) VALUES(' . $user_id . ', ' . $group_id . ', ' . $mod_switch . ');');
+ − 1763 return true;
+ − 1764 }
+ − 1765 else
+ − 1766 {
+ − 1767 $row = $db->fetchrow();
+ − 1768 // Update modship status
+ − 1769 if ( strval($row['is_mod']) == $mod_switch )
+ − 1770 {
+ − 1771 // Modship unchanged
+ − 1772 return true;
+ − 1773 }
+ − 1774 else
+ − 1775 {
+ − 1776 // Modship changed
+ − 1777 $this->sql('UPDATE '.table_prefix.'group_members SET is_mod=' . $mod_switch . ' WHERE member_id=' . $row['member_id'] . ';');
+ − 1778 return true;
+ − 1779 }
+ − 1780 }
+ − 1781 return false;
+ − 1782 }
+ − 1783
+ − 1784 /**
+ − 1785 * Removes a user from a group.
+ − 1786 * @param int User ID
+ − 1787 * @param int Group ID
+ − 1788 * @return bool True on success, false on failure
+ − 1789 * @todo put a little more error checking in...
+ − 1790 */
+ − 1791
+ − 1792 function remove_user_from_group($user_id, $group_id)
+ − 1793 {
+ − 1794 if ( !is_int($user_id) || !is_int($group_id) )
+ − 1795 return false;
+ − 1796 $this->sql('DELETE FROM '.table_prefix."group_members WHERE user_id=$user_id AND group_id=$group_id;");
+ − 1797 return true;
+ − 1798 }
+ − 1799
+ − 1800 /**
+ − 1801 * Checks the banlist to ensure that we're an allowed user. Doesn't return anything because it dies if the user is banned.
+ − 1802 */
+ − 1803
+ − 1804 function check_banlist()
+ − 1805 {
+ − 1806 global $db, $session, $paths, $template, $plugins; // Common objects
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1807 global $lang;
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1808
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1809 $col_reason = ( $this->compat ) ? '\'No reason available (session manager is in compatibility mode)\' AS reason' : 'reason';
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1810 $remote_addr = ( strstr($_SERVER['REMOTE_ADDR'], ':') ) ? expand_ipv6_address($_SERVER['REMOTE_ADDR']) : $_SERVER['REMOTE_ADDR'];
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1811
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1812 $banned = false;
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1813 if ( $this->user_logged_in )
1
+ − 1814 {
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1815 // check by IP, email, and username
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1816 if ( ENANO_DBLAYER == 'MYSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1817 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1818 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1819 . " ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1820 . " ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' REGEXP ban_value ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1821 . " ( ban_type = " . BAN_USER . " AND is_regex = 0 AND ban_value = '{$this->username}' ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1822 . " ( ban_type = " . BAN_USER . " AND is_regex = 1 AND '{$this->username}' REGEXP ban_value ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1823 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 0 AND ban_value = '{$this->email}' ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1824 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 1 AND '{$this->email}' REGEXP ban_value ) \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1825 . " ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1826 }
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1827 else if ( ENANO_DBLAYER == 'PGSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1828 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1829 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1830 . " ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR \n"
322
+ − 1831 . " ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' ~ ban_value ) OR \n"
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1832 . " ( ban_type = " . BAN_USER . " AND is_regex = 0 AND ban_value = '{$this->username}' ) OR \n"
322
+ − 1833 . " ( ban_type = " . BAN_USER . " AND is_regex = 1 AND '{$this->username}' ~ ban_value ) OR \n"
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1834 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 0 AND ban_value = '{$this->email}' ) OR \n"
322
+ − 1835 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 1 AND '{$this->email}' ~ ban_value ) \n"
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1836 . " ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1837 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1838 $q = $this->sql($sql);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1839 if ( $db->numrows() > 0 )
1
+ − 1840 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1841 while ( list($reason_temp, $ban_value, $ban_type, $is_regex) = $db->fetchrow_num() )
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1842 {
425
+ − 1843 if ( $ban_type == BAN_IP && $is_regex != 1 )
1
+ − 1844 {
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1845 // check range
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1846 $regexp = parse_ip_range_regex($ban_value);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1847 if ( !$regexp )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1848 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1849 continue;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1850 }
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1851 if ( preg_match("/$regexp/", $remote_addr) )
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1852 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1853 $reason = $reason_temp;
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1854 $banned = true;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1855 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1856 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1857 else
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1858 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1859 // User is banned
1
+ − 1860 $banned = true;
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1861 $reason = $reason_temp;
1
+ − 1862 }
+ − 1863 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1864 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1865 $db->free_result();
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1866 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1867 else
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1868 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1869 // check by IP only
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1870 if ( ENANO_DBLAYER == 'MYSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1871 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1872 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1873 ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1874 ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' REGEXP ban_value )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1875 ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1876 }
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1877 else if ( ENANO_DBLAYER == 'PGSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1878 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1879 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1880 ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR
322
+ − 1881 ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' ~ ban_value )
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1882 ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1883 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1884 $q = $this->sql($sql);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1885 if ( $db->numrows() > 0 )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1886 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1887 while ( list($reason_temp, $ban_value, $ban_type, $is_regex) = $db->fetchrow_num() )
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1888 {
495
+ − 1889 if ( $ban_type == BAN_IP && $is_regex != 1 )
1
+ − 1890 {
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1891 // check range
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1892 $regexp = parse_ip_range_regex($ban_value);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1893 if ( !$regexp )
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1894 {
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1895 die("bad regexp for $ban_value");
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1896 continue;
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1897 }
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1898 if ( preg_match("/$regexp/", $remote_addr) )
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1899 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1900 $reason = $reason_temp;
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1901 $banned = true;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1902 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1903 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1904 else
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1905 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1906 // User is banned
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1907 $reason = $reason_temp;
1
+ − 1908 $banned = true;
+ − 1909 }
+ − 1910 }
+ − 1911 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1912 $db->free_result();
1
+ − 1913 }
1101
30d8bb88572d
Sessions: Improved inactive account UX; shuffled around a bit of code so that whitelist checks are shared; fixed a bunch of bugs related to ban code and IPv6 addresses
Dan
diff
changeset
+ − 1914 if ( $banned && !$this->on_critical_page(true) )
1
+ − 1915 {
+ − 1916 // This guy is banned - kill the session, kill the database connection, bail out, and be pretty about it
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1917 die_semicritical($lang->get('user_ban_msg_title'), '<p>' . $lang->get('user_ban_msg_body') . '</p><div class="error-box"><b>' . $lang->get('user_ban_lbl_reason') . '</b><br />' . $reason . '</div>');
1
+ − 1918 exit;
+ − 1919 }
+ − 1920 }
+ − 1921
+ − 1922 # Registration
+ − 1923
+ − 1924 /**
+ − 1925 * Registers a user. This does not perform any type of login.
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1926 * @param string New user's username
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1927 * @param string This should be unencrypted.
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1928 * @param string E-mail address.
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1929 * @param string Optional, defaults to ''.
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1930 * @param bool Optional. If true, the account is not activated initially and an admin activation request is sent. The caller is responsible for sending the address info and notice.
1
+ − 1931 */
+ − 1932
30
+ − 1933 function create_user($username, $password, $email, $real_name = '', $coppa = false)
13
fdd6b9dd42c3
Installer actually works now on dev servers; minor language change in template.php; code cleanliness fix in sessions.php
Dan
diff
changeset
+ − 1934 {
1
+ − 1935 global $db, $session, $paths, $template, $plugins; // Common objects
370
+ − 1936 global $lang;
1
+ − 1937
+ − 1938 // Initialize AES
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1939 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1940
359
+ − 1941 // Since we're recording IP addresses, make sure the user's IP is safe.
+ − 1942 $ip =& $_SERVER['REMOTE_ADDR'];
+ − 1943 if ( !is_valid_ip($ip) )
+ − 1944 return 'Invalid IP';
+ − 1945
+ − 1946 if ( !preg_match('#^'.$this->valid_username.'$#', $username) )
370
+ − 1947 return $lang->get('user_reg_err_username_banned_chars');
359
+ − 1948
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1949 $username = str_replace('_', ' ', $username);
135
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1950 $user_orig = $username;
1
+ − 1951 $username = $this->prepare_text($username);
+ − 1952 $email = $this->prepare_text($email);
+ − 1953 $real_name = $this->prepare_text($real_name);
+ − 1954
+ − 1955 $nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1956 $q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1957 if($db->numrows() > 0)
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1958 {
1
+ − 1959 $row = $db->fetchrow();
370
+ − 1960 $str = 'user_reg_err_dupe';
+ − 1961
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1962 if ( $row['username'] == $username )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1963 {
370
+ − 1964 $str .= '_username';
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1965 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1966 if ( $row['email'] == $email )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1967 {
370
+ − 1968 $str .= '_email';
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1969 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1970 if ( $row['real_name'] == $real_name && $real_name != '' )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1971 {
370
+ − 1972 $str .= '_realname';
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1973 }
370
+ − 1974
371
dc6026376919
Improved compatibility with PostgreSQL and fixed a number of installer bugs; fixed missing "meta" category declaration in language files
Dan
diff
changeset
+ − 1975 return $lang->get($str);
1
+ − 1976 }
+ − 1977
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1978 // Is the password strong enough?
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1979 if ( getConfig('pw_strength_enable') )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1980 {
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1981 $min_score = intval( getConfig('pw_strength_minimum') );
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1982 $pass_score = password_score($password);
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1983 if ( $pass_score < $min_score )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1984 {
370
+ − 1985 return $lang->get('user_reg_err_password_too_weak');
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1986 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1987 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1988
1
+ − 1989 // Require the account to be activated?
+ − 1990 switch(getConfig('account_activation'))
+ − 1991 {
+ − 1992 case 'none':
+ − 1993 default:
+ − 1994 $active = '1';
+ − 1995 break;
+ − 1996 case 'user':
+ − 1997 $active = '0';
+ − 1998 break;
+ − 1999 case 'admin':
+ − 2000 $active = '0';
+ − 2001 break;
+ − 2002 }
30
+ − 2003 if ( $coppa )
+ − 2004 $active = '0';
+ − 2005
+ − 2006 $coppa_col = ( $coppa ) ? '1' : '0';
1
+ − 2007
+ − 2008 // Generate a totally random activation key
+ − 2009 $actkey = sha1 ( microtime() . mt_rand() );
+ − 2010
30
+ − 2011 // We good, create the user
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2012 $this->sql('INSERT INTO '.table_prefix.'users ( username, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );');
1
+ − 2013
31
+ − 2014 // Get user ID and create users_extra entry
+ − 2015 $q = $this->sql('SELECT user_id FROM '.table_prefix."users WHERE username='$username';");
+ − 2016 if ( $db->numrows() > 0 )
+ − 2017 {
359
+ − 2018 list($user_id) = $db->fetchrow_num();
31
+ − 2019 $db->free_result();
+ − 2020
42
45ebe475ff75
I dunno how many times I'm gonna have to fix the "problem seems to be the hex conversion" bug, but this is at least the fourth try.
Dan
diff
changeset
+ − 2021 $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');');
31
+ − 2022 }
+ − 2023
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2024 // Set the password
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2025 $this->set_password($user_id, $password);
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2026
731
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2027 // Config option added, 1.1.5
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2028 if ( getConfig('userpage_grant_acl', '1') == '1' )
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2029 {
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2030 // Grant edit and very limited mod access to the userpage
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2031 $acl_data = array(
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2032 'read' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2033 'view_source' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2034 'edit_page' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2035 'post_comments' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2036 'edit_comments' => AUTH_ALLOW, // only allows editing own comments
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2037 'history_view' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2038 'history_rollback' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2039 'rename' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2040 'delete_page' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2041 'tag_create' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2042 'tag_delete_own' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2043 'tag_delete_other' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2044 'edit_cat' => AUTH_ALLOW,
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2045 'create_page' => AUTH_ALLOW
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2046 );
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2047 $acl_data = $db->escape($this->perm_to_string($acl_data));
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2048 $userpage = $db->escape(sanitize_page_id($user_orig));
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2049 $cols = "target_type, target_id, page_id, namespace, rules";
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2050 $vals = ACL_TYPE_USER . ", $user_id, '$userpage', 'User', '$acl_data'";
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2051 $q = "INSERT INTO ".table_prefix."acl($cols) VALUES($vals);";
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2052 $this->sql($q);
8e6dbf6882c2
Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
Dan
diff
changeset
+ − 2053 }
135
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 2054
1
+ − 2055 // Require the account to be activated?
30
+ − 2056 if ( $coppa )
+ − 2057 {
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2058 $this->admin_activation_request($user_orig);
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2059 $this->send_coppa_mail($user_orig, $email);
30
+ − 2060 }
+ − 2061 else
1
+ − 2062 {
30
+ − 2063 switch(getConfig('account_activation'))
+ − 2064 {
+ − 2065 case 'none':
+ − 2066 default:
+ − 2067 break;
+ − 2068 case 'user':
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2069 $a = $this->send_activation_mail($user_orig);
30
+ − 2070 if(!$a)
+ − 2071 {
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2072 $this->admin_activation_request($user_orig);
370
+ − 2073 return $lang->get('user_reg_err_actmail_failed') . ' ' . $a;
30
+ − 2074 }
+ − 2075 break;
+ − 2076 case 'admin':
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2077 $this->admin_activation_request($user_orig);
30
+ − 2078 break;
+ − 2079 }
1
+ − 2080 }
+ − 2081
+ − 2082 // Leave some data behind for the hook
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2083 $code = $plugins->setHook('user_registered');
1
+ − 2084 foreach ( $code as $cmd )
+ − 2085 {
+ − 2086 eval($cmd);
+ − 2087 }
+ − 2088
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2089 // Uncomment to automatically log the user in (WARNING: commented out for a reason - doesn't consider activation and other things)
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2090 // $this->register_session($user_orig, $password);
1
+ − 2091 return 'success';
+ − 2092 }
+ − 2093
+ − 2094 /**
+ − 2095 * Attempts to send an e-mail to the specified user with activation instructions.
+ − 2096 * @param string $u The usernamd of the user requesting activation
+ − 2097 * @return bool true on success, false on failure
+ − 2098 */
+ − 2099
+ − 2100 function send_activation_mail($u, $actkey = false)
+ − 2101 {
+ − 2102 global $db, $session, $paths, $template, $plugins; // Common objects
370
+ − 2103 global $lang;
1
+ − 2104 $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';');
+ − 2105 $r = $db->fetchrow();
+ − 2106 if ( empty($r['email']) )
+ − 2107 $db->_die('BUG: $session->send_activation_mail(): no e-mail address in row');
+ − 2108
370
+ − 2109 $aklink = makeUrlComplete('Special', 'ActivateAccount/'.str_replace(' ', '_', $u).'/'. ( ( is_string($actkey) ) ? $actkey : $r['activation_key'] ) );
+ − 2110 $message = $lang->get('user_reg_activation_email', array(
+ − 2111 'activation_link' => $aklink,
+ − 2112 'username' => $u
+ − 2113 ));
+ − 2114
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2115 if ( getConfig('smtp_enabled') == '1' )
1
+ − 2116 {
370
+ − 2117 $result = smtp_send_email($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email'));
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2118 if ( $result == 'success' )
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2119 {
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2120 $result = true;
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2121 }
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2122 else
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2123 {
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2124 echo $result;
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2125 $result = false;
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2126 }
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2127 }
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2128 else
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 2129 {
370
+ − 2130 $result = mail($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email'));
1
+ − 2131 }
+ − 2132 return $result;
+ − 2133 }
+ − 2134
+ − 2135 /**
30
+ − 2136 * Attempts to send an e-mail to the specified user's e-mail address on file intended for the parents
+ − 2137 * @param string $u The usernamd of the user requesting activation
+ − 2138 * @return bool true on success, false on failure
+ − 2139 */
+ − 2140
+ − 2141 function send_coppa_mail($u, $actkey = false)
+ − 2142 {
+ − 2143 global $db, $session, $paths, $template, $plugins; // Common objects
370
+ − 2144 global $lang;
30
+ − 2145
+ − 2146 $q = $this->sql('SELECT username,email FROM '.table_prefix.'users WHERE user_id=2 OR user_level=' . USER_LEVEL_ADMIN . ' ORDER BY user_id ASC;');
+ − 2147 $un = $db->fetchrow();
+ − 2148 $admin_user = $un['username'];
+ − 2149
+ − 2150 $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';');
+ − 2151 $r = $db->fetchrow();
+ − 2152 if ( empty($r['email']) )
+ − 2153 $db->_die('BUG: $session->send_activation_mail(): no e-mail address in row');
+ − 2154
+ − 2155 if(isset($_SERVER['HTTPS'])) $prot = 'https';
+ − 2156 else $prot = 'http';
+ − 2157 if($_SERVER['SERVER_PORT'] == '80') $p = '';
+ − 2158 else $p = ':'.$_SERVER['SERVER_PORT'];
+ − 2159 $sidbak = false;
+ − 2160 if($this->sid_super)
+ − 2161 $sidbak = $this->sid_super;
+ − 2162 $this->sid_super = false;
+ − 2163 if($sidbak)
+ − 2164 $this->sid_super = $sidbak;
+ − 2165 unset($sidbak);
+ − 2166 $link = "$prot://".$_SERVER['HTTP_HOST'].scriptPath;
+ − 2167
370
+ − 2168 $message = $lang->get(
+ − 2169 'user_reg_activation_email_coppa',
+ − 2170 array(
+ − 2171 'username' => $u,
+ − 2172 'admin_user' => $admin_user,
+ − 2173 'site_link' => $link
+ − 2174 )
+ − 2175 );
30
+ − 2176
+ − 2177
+ − 2178 if(getConfig('smtp_enabled') == '1')
+ − 2179 {
+ − 2180 $result = smtp_send_email($r['email'], getConfig('site_name').' website account activation', preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email'));
+ − 2181 if($result == 'success')
+ − 2182 {
+ − 2183 $result = true;
+ − 2184 }
+ − 2185 else
+ − 2186 {
+ − 2187 echo $result;
+ − 2188 $result = false;
+ − 2189 }
+ − 2190 }
+ − 2191 else
+ − 2192 {
+ − 2193 $result = mail($r['email'], getConfig('site_name').' website account activation', preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email'));
+ − 2194 }
+ − 2195 return $result;
+ − 2196 }
+ − 2197
+ − 2198 /**
1
+ − 2199 * Sends an e-mail to a user so they can reset their password.
+ − 2200 * @param int $user The user ID, or username if it's a string
+ − 2201 * @return bool true on success, false on failure
+ − 2202 */
+ − 2203
+ − 2204 function mail_password_reset($user)
+ − 2205 {
+ − 2206 global $db, $session, $paths, $template, $plugins; // Common objects
335
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2207 global $lang;
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2208
1
+ − 2209 if(is_int($user))
+ − 2210 {
+ − 2211 $q = $this->sql('SELECT user_id,username,email FROM '.table_prefix.'users WHERE user_id='.$user.';'); // This is SAFE! This is only called if $user is an integer
+ − 2212 }
+ − 2213 elseif(is_string($user))
+ − 2214 {
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 2215 $q = $this->sql('SELECT user_id,username,email FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=' . ENANO_SQLFUNC_LOWERCASE . '(\''.$db->escape($user).'\');');
1
+ − 2216 }
+ − 2217 else
+ − 2218 {
+ − 2219 return false;
+ − 2220 }
+ − 2221
+ − 2222 $row = $db->fetchrow();
+ − 2223 $temp_pass = $this->random_pass();
+ − 2224
+ − 2225 $this->register_temp_password($row['user_id'], $temp_pass);
+ − 2226
+ − 2227 $site_name = getConfig('site_name');
335
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2228
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2229 $message = $lang->get('userfuncs_passreset_email', array(
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2230 'username' => $row['username'],
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2231 'site_name' => $site_name,
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2232 'remote_addr' => $_SERVER['REMOTE_ADDR'],
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2233 'temp_pass' => $temp_pass
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2234 ));
1
+ − 2235
+ − 2236 if(getConfig('smtp_enabled') == '1')
+ − 2237 {
+ − 2238 $result = smtp_send_email($row['email'], getConfig('site_name').' password reset', preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email'));
+ − 2239 if($result == 'success')
+ − 2240 {
+ − 2241 $result = true;
+ − 2242 }
+ − 2243 else
+ − 2244 {
+ − 2245 echo '<p>'.$result.'</p>';
+ − 2246 $result = false;
+ − 2247 }
+ − 2248 } else {
+ − 2249 $result = mail($row['email'], getConfig('site_name').' password reset', preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email'));
+ − 2250 }
+ − 2251 return $result;
+ − 2252 }
+ − 2253
+ − 2254 /**
+ − 2255 * Sets the temporary password for the specified user to whatever is specified.
+ − 2256 * @param int $user_id
+ − 2257 * @param string $password
+ − 2258 * @return bool
+ − 2259 */
+ − 2260
+ − 2261 function register_temp_password($user_id, $password)
+ − 2262 {
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2263 global $db;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2264 if ( !is_int($user_id) )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2265 return false;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2266
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2267 $this->sql('SELECT password_salt FROM ' . table_prefix . "users WHERE user_id = $user_id;");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2268 if ( $db->numrows() < 1 )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2269 return false;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2270
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2271 list($salt) = $db->fetchrow_num();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2272 $db->free_result();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2273
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2274 $temp_pass = hmac_sha1($password, $salt);
1
+ − 2275 $this->sql('UPDATE '.table_prefix.'users SET temp_password=\'' . $temp_pass . '\',temp_password_time='.time().' WHERE user_id='.intval($user_id).';');
+ − 2276 }
+ − 2277
+ − 2278 /**
+ − 2279 * Sends a request to the admin panel to have the username $u activated.
+ − 2280 * @param string $u The username of the user requesting activation
+ − 2281 */
+ − 2282
+ − 2283 function admin_activation_request($u)
+ − 2284 {
+ − 2285 global $db;
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 2286 $this->sql('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, author, edit_summary) VALUES(\'admin\', \'activ_req\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$this->username.'\', \''.$db->escape($u).'\');');
1
+ − 2287 }
+ − 2288
+ − 2289 /**
+ − 2290 * Activates a user account. If the action fails, a report is sent to the admin.
+ − 2291 * @param string $user The username of the user requesting activation
+ − 2292 * @param string $key The activation key
+ − 2293 */
+ − 2294
+ − 2295 function activate_account($user, $key)
+ − 2296 {
+ − 2297 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2298 $this->sql('UPDATE '.table_prefix.'users SET account_active=1 WHERE username=\''.$db->escape($user).'\' AND activation_key=\''.$db->escape($key).'\';');
+ − 2299 $r = mysql_affected_rows();
+ − 2300 if ( $r > 0 )
+ − 2301 {
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 2302 $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_good\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
1
+ − 2303 }
+ − 2304 else
+ − 2305 {
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 2306 $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
1
+ − 2307 }
+ − 2308 return $r;
+ − 2309 }
+ − 2310
+ − 2311 /**
+ − 2312 * For a given user level identifier (USER_LEVEL_*), returns a string describing that user level.
+ − 2313 * @param int User level
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2314 * @param bool If true, returns a shorter string. Optional.
1
+ − 2315 * @return string
+ − 2316 */
+ − 2317
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2318 function userlevel_to_string($user_level, $short = false)
1
+ − 2319 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2320 global $lang;
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2321
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2322 static $levels = array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2323 'short' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2324 USER_LEVEL_GUEST => 'Guest',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2325 USER_LEVEL_MEMBER => 'Member',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2326 USER_LEVEL_CHPREF => 'Sensitive preferences changeable',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2327 USER_LEVEL_MOD => 'Moderator',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2328 USER_LEVEL_ADMIN => 'Administrative'
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2329 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2330 'long' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2331 USER_LEVEL_GUEST => 'Low - guest privileges',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2332 USER_LEVEL_MEMBER => 'Standard - normal member level',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2333 USER_LEVEL_CHPREF => 'Medium - user can change his/her own e-mail address and password',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2334 USER_LEVEL_MOD => 'High - moderator privileges',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2335 USER_LEVEL_ADMIN => 'Highest - administrative privileges'
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2336 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2337 'l10n' => false
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2338 );
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2339
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2340 if ( is_object($lang) && !$levels['l10n'] )
1
+ − 2341 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2342 $levels = array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2343 'short' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2344 USER_LEVEL_GUEST => $lang->get('user_level_short_guest'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2345 USER_LEVEL_MEMBER => $lang->get('user_level_short_member'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2346 USER_LEVEL_CHPREF => $lang->get('user_level_short_chpref'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2347 USER_LEVEL_MOD => $lang->get('user_level_short_mod'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2348 USER_LEVEL_ADMIN => $lang->get('user_level_short_admin')
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2349 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2350 'long' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2351 USER_LEVEL_GUEST => $lang->get('user_level_long_guest'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2352 USER_LEVEL_MEMBER => $lang->get('user_level_long_member'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2353 USER_LEVEL_CHPREF => $lang->get('user_level_long_chpref'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2354 USER_LEVEL_MOD => $lang->get('user_level_long_mod'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2355 USER_LEVEL_ADMIN => $lang->get('user_level_long_admin')
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2356 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2357 'l10n' => true
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2358 );
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2359 }
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2360
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2361 $key = ( $short ) ? 'short' : 'long';
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2362 if ( isset($levels[$key][$user_level]) )
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2363 {
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2364 return $levels[$key][$user_level];
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2365 }
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2366 else
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2367 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2368 if ( $short )
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2369 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2370 return ( is_object($lang) ) ? $lang->get('user_level_short_unknown', array('user_level' => $user_level)) : "Unknown - $user_level";
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2371 }
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2372 else
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2373 {
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2374 return ( is_object($lang) ) ? $lang->get('user_level_long_unknown', array('user_level' => $user_level)) : "Unknown level ($user_level)";
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2375 }
1
+ − 2376 }
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2377
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2378 return 'Linux rocks!';
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2379
1
+ − 2380 }
+ − 2381
+ − 2382 /**
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2383 * Change a user's e-mail address.
1
+ − 2384 * @param int $user_id The user ID of the user to update - this cannot be changed
+ − 2385 * @param string $email The new e-mail address
+ − 2386 * @return string 'success' if successful, or array of error strings on failure
+ − 2387 */
+ − 2388
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2389 function change_email($user_id, $email)
1
+ − 2390 {
+ − 2391 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2392
+ − 2393 // Create some arrays
+ − 2394
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2395 $errors = array(); // Used to hold error strings
1
+ − 2396
+ − 2397 // Scan the user ID for problems
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2398 if ( intval($user_id) < 1 )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2399 $errors[] = 'SQL injection attempt';
1
+ − 2400
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2401 $user_id = intval($user_id);
1
+ − 2402
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2403 // Verify e-mail address
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2404 if ( !check_email_address($email) )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2405 $errors[] = 'user_err_email_not_valid';
1
+ − 2406
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2407 if ( count($errors) > 0 )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2408 return $errors;
1
+ − 2409
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2410 // Make query
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2411 $email = $db->escape($email);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2412 $q = $db->sql_query('UPDATE ' . table_prefix . "users SET email = '$email' WHERE user_id = $user_id;");
1
+ − 2413
+ − 2414 // We also need to trigger re-activation.
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2415 switch(getConfig('account_activation', 'none'))
1
+ − 2416 {
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2417 case 'user':
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2418 case 'admin':
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2419
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2420 // Note: even with admin activation, activation e-mails are sent when an e-mail is changed.
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2421
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2422 if ( $session->user_level >= USER_LEVEL_MOD && getConfig('account_activation') == 'admin' )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2423 // Trust admins and moderators
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2424 break;
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2425
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2426 // retrieve username
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2427 if ( !$username )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2428 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2429 $q = $this->sql('SELECT username FROM ' . table_prefix . "users WHERE user_id = $user_id;");
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2430 if($db->numrows() < 1)
1
+ − 2431 {
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2432 $errors[] = 'The username could not be selected.';
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2433 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2434 else
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2435 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2436 $row = $db->fetchrow();
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2437 $username = $row['username'];
1
+ − 2438 }
1079
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2439 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2440 if ( !$username )
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2441 return $errors;
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2442
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2443 // Generate an activation key
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2444 $actkey = sha1 ( microtime() . mt_rand() );
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2445 $a = $this->send_activation_mail($username, $actkey);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2446 if(!$a)
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2447 {
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2448 $this->admin_activation_request($username);
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2449 }
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2450 // Deactivate the account until e-mail is confirmed
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2451 $q = $db->sql_query('UPDATE ' . table_prefix . "users SET account_active = 0, activation_key = '$actkey' WHERE user_id = $user_id;");
fcc42560afe6
Added ability for authentication plugins to modify session keys (to allow invalidation when their own authentication data is changed) as well as the ability to disable the built-in password change facility
Dan
diff
changeset
+ − 2452 break;
1
+ − 2453 }
+ − 2454
+ − 2455 // Yay! We're done
+ − 2456 return 'success';
+ − 2457 }
+ − 2458
591
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2459 /**
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2460 * Sets a user's password.
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2461 * @param int|string User ID or username
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2462 * @param string New password
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2463 */
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2464
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2465 function set_password($user, $password)
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2466 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2467 // Generate new password and salt
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2468 $hmac_secret = hexencode(AESCrypt::randkey(20), '', '');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2469 $password_hmac = hmac_sha1($password, $hmac_secret);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2470
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2471 // Figure out how we want to specify the user
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2472 $uidcol = is_int($user) ? "user_id = $user" : ENANO_SQLFUNC_LOWERCASE . "(username) = '" . strtolower($this->prepare_text($user)) . "'";
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2473
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2474 // Perform update
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2475 $this->sql('UPDATE ' . table_prefix . "users SET old_encryption = 0, password = '$password_hmac', password_salt = '$hmac_secret' WHERE $uidcol;");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2476
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2477 return true;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2478 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2479
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 2480 /**
591
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2481 * Encrypts a string using the site's private key.
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2482 * @param string
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2483 * @param int Return type - one of ENC_BINARY, ENC_HEX, ENC_BASE64
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2484 * @return string
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2485 */
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2486
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2487 function pk_encrypt($string, $return_type = ENC_HEX)
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2488 {
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2489 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2490 return $aes->encrypt($string, $this->private_key, $return_type);
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2491 }
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2492
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2493 /**
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2494 * Encrypts a string using the site's private key.
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2495 * @param string
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2496 * @param int Input type - one of ENC_BINARY, ENC_HEX, ENC_BASE64
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2497 * @return string
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2498 */
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2499
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2500 function pk_decrypt($string, $input_type = ENC_HEX)
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2501 {
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2502 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2503 return $aes->decrypt($string, $this->private_key, $input_type);
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2504 }
2529833a7731
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
Dan
diff
changeset
+ − 2505
1
+ − 2506 #
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2507 # USER RANKS
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2508 #
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2509
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2510 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2511 * SYNOPSIS OF THE RANK SYSTEM
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2512 * Enano's rank logic calculates a user's rank based on a precedence scale. The way things are checked is:
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2513 * 1. Check to see if the user has a specific rank assigned. Use that if possible.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2514 * 2. Check the user's primary group to see if it specifies a rank. Use that if possible.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2515 * 3. Check the other groups a user is in. If one that has a custom rank is encountered, use that rank.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2516 * 4. See if the user's user level has a specific rank hard-coded to be associated with it. (Always overrideable as can be seen above)
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2517 * 5. Use the "member" rank
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2518 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2519
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2520 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2521 * Generates a textual SQL query for fetching rank data to be sent to calculate_user_rank().
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2522 * @param string Text to append, possibly a WHERE clause or so
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2523 * @return string
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2524 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2525
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2526 function generate_rank_sql($append = '')
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2527 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2528 // Generate level-to-rank associations
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2529 $assoc = array();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2530 foreach ( $this->level_rank_table as $level => $rank )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2531 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2532 $assoc[] = " ( u.user_level = $level AND rl.rank_id = $rank )";
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2533 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2534 $assoc = implode(" OR\n", $assoc) . "\n";
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2535
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2536 $gid_col = ( ENANO_DBLAYER == 'PGSQL' ) ?
618
+ − 2537 'array_to_string(' . table_prefix . 'array_accum(m.group_id), \',\') AS group_list' :
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2538 'GROUP_CONCAT(m.group_id) AS group_list';
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2539
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2540 // The actual query
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2541 $sql = "SELECT u.user_id, u.username, u.user_level, u.user_group, u.user_rank, u.user_title, g.group_rank,\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2542 . " COALESCE(ru.rank_id, rg.rank_id, rl.rank_id, rd.rank_id ) AS rank_id,\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2543 . " COALESCE(ru.rank_title, rg.rank_title, rl.rank_title, rd.rank_title) AS rank_title,\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2544 . " COALESCE(ru.rank_style, rg.rank_style, rl.rank_style, rd.rank_style) AS rank_style,\n"
770
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2545 . " rg.rank_id AS group_rank_id,\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2546 . " ( ru.rank_id IS NULL AND rg.rank_id IS NULL ) AS using_default,\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2547 . " ( ru.rank_id IS NULL AND rg.rank_id IS NOT NULL ) AS using_group,\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2548 . " ( ru.rank_id IS NOT NULL ) AS using_user,\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2549 . " u.user_rank_userset,\n"
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2550 . " $gid_col\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2551 . " FROM " . table_prefix . "users AS u\n"
584
+ − 2552 . " LEFT JOIN " . table_prefix . "groups AS g\n"
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2553 . " ON ( g.group_id = u.user_group )\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2554 . " LEFT JOIN " . table_prefix . "group_members AS m\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2555 . " ON ( u.user_id = m.user_id )\n"
584
+ − 2556 . " LEFT JOIN " . table_prefix . "ranks AS ru\n"
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2557 . " ON ( u.user_rank = ru.rank_id )\n"
584
+ − 2558 . " LEFT JOIN " . table_prefix . "ranks AS rg\n"
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2559 . " ON ( g.group_rank = rg.rank_id )\n"
584
+ − 2560 . " LEFT JOIN " . table_prefix . "ranks AS rl\n"
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2561 . " ON (\n"
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2562 . $assoc
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2563 . " )\n"
584
+ − 2564 . " LEFT JOIN " . table_prefix . "ranks AS rd\n"
580
+ − 2565 . " ON ( rd.rank_id = 1 )$append\n"
776
+ − 2566 . " GROUP BY u.user_id, u.username, u.user_level, u.user_group, u.user_rank, u.user_title, u.user_rank_userset, g.group_rank,\n"
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2567 . " ru.rank_id, ru.rank_title, ru.rank_style,rg.rank_id, rg.rank_title, rg.rank_style,\n"
580
+ − 2568 . " rl.rank_id, rl.rank_title, rl.rank_style,rd.rank_id, rd.rank_title, rd.rank_style;";
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2569
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2570 return $sql;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2571 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2572
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2573 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2574 * Returns an associative array with a user's rank information.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2575 * The array will contain the following values:
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2576 * username: string The user's username
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2577 * user_id: integer Numerical user ID
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2578 * rank_id: integer Numerical rank ID
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2579 * rank: string The user's current rank
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2580 * title: string The user's custom user title if applicable; should be displayed one line below the rank
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2581 * style: string CSS for the username
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2582 * @param int|string Username *or* user ID
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2583 * @return array or false on failure
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2584 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2585
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2586 function get_user_rank($id)
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2587 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2588 global $db, $session, $paths, $template, $plugins; // Common objects
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2589 global $lang;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2590 global $user_ranks;
770
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2591 // cache info in RAM if possible
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2592 static $_cache = array();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2593
593
4f9bec0d65c1
More optimization work. Moved special page init functions to common instead of common_post hook. Allowed paths to cache page metadata on filesystem. Phased out the redundancy in $paths->pages that paired a number with every urlname as foreach loops are allowed now (and have been for some time). Fixed missing includes for several functions. Rewrote str_replace_once to be a lot more efficient.
Dan
diff
changeset
+ − 2594 if ( is_int($id) && $id == 0 )
4f9bec0d65c1
More optimization work. Moved special page init functions to common instead of common_post hook. Allowed paths to cache page metadata on filesystem. Phased out the redundancy in $paths->pages that paired a number with every urlname as foreach loops are allowed now (and have been for some time). Fixed missing includes for several functions. Rewrote str_replace_once to be a lot more efficient.
Dan
diff
changeset
+ − 2595 $id = 1;
4f9bec0d65c1
More optimization work. Moved special page init functions to common instead of common_post hook. Allowed paths to cache page metadata on filesystem. Phased out the redundancy in $paths->pages that paired a number with every urlname as foreach loops are allowed now (and have been for some time). Fixed missing includes for several functions. Rewrote str_replace_once to be a lot more efficient.
Dan
diff
changeset
+ − 2596
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2597 if ( is_int($id) )
593
4f9bec0d65c1
More optimization work. Moved special page init functions to common instead of common_post hook. Allowed paths to cache page metadata on filesystem. Phased out the redundancy in $paths->pages that paired a number with every urlname as foreach loops are allowed now (and have been for some time). Fixed missing includes for several functions. Rewrote str_replace_once to be a lot more efficient.
Dan
diff
changeset
+ − 2598 $col = "u.user_id = $id";
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2599 else if ( is_string($id) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2600 $col = ENANO_SQLFUNC_LOWERCASE . "(username) = " . ENANO_SQLFUNC_LOWERCASE . "('" . $db->escape($id) . "')";
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2601 else
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2602 // invalid parameter
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2603 return false;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2604
770
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2605 // check the RAM cache
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2606 if ( isset($_cache[$id]) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2607 return $_cache[$id];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2608
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2609 // check the disk cache
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2610 if ( is_int($id) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2611 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2612 if ( isset($user_ranks[$id]) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2613 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2614 $_cache[$id] =& $user_ranks[$id];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2615 return $user_ranks[$id];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2616 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2617 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2618 else if ( is_string($id) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2619 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2620 foreach ( $user_ranks as $key => $valarray )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2621 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2622 if ( is_string($key) && strtolower($key) == strtolower($id) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2623 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2624 $_cache[$id] = $valarray;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2625 return $valarray;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2626 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2627 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2628 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2629
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2630 $sql = $this->generate_rank_sql("\n WHERE $col");
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2631
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2632 $q = $this->sql($sql);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2633 // any results?
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2634 if ( $db->numrows() < 1 )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2635 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2636 // nuttin'.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2637 $db->free_result();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2638 $_cache[$id] = false;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2639 return false;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2640 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2641
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2642 // Found something.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2643 $row = $db->fetchrow();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2644 $db->free_result();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2645
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2646 $row = $this->calculate_user_rank($row);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2647
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2648 $_cache[$id] = $row;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2649 return $row;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2650 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2651
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2652 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2653 * Performs the actual rank calculation based on the contents of a row.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2654 * @param array
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2655 * @return array
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2656 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2657
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2658 function calculate_user_rank($row)
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2659 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2660 global $db, $session, $paths, $template, $plugins; // Common objects
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2661 global $lang;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2662
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2663 static $rank_cache = array();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2664 static $group_ranks = array();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2665
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2666 // try to cache that rank info
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2667 if ( !isset($rank_cache[ intval($row['rank_id']) ]) && $row['rank_id'] )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2668 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2669 $rank_cache[ intval($row['rank_id']) ] = array(
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2670 'rank_id' => intval($row['rank_id']),
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2671 'rank_title' => intval($row['rank_title']),
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2672 'rank_style' => intval($row['rank_style'])
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2673 );
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2674 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2675 // cache group info (if appropriate)
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2676 if ( $row['using_group'] && !isset($group_ranks[ intval($row['user_group']) ]) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2677 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2678 $group_ranks[ intval($row['user_group']) ] = intval($row['group_rank_id']);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2679 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2680
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2681 // sanitize and process the as-of-yet rank data
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2682 $row['rank_id'] = intval($row["rank_id"]);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2683 $row['rank_title'] = $row["rank_title"];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2684
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2685 // if we're falling back to some default, then see if we can use one of the user's other groups
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2686 if ( $row['using_default'] && !empty($row['group_list']) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2687 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2688 $group_list = explode(',', $row['group_list']);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2689 if ( array_walk($group_list, 'intval') )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2690 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2691 // go through the group list and see if any of them has a rank assigned
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2692 foreach ( $group_list as $group_id )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2693 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2694 // cached in RAM? Preferably use that.
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2695 if ( !isset($group_ranks[$group_id]) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2696 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2697 // Not cached - grab it
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2698 $q = $this->sql('SELECT group_rank FROM ' . table_prefix . "groups WHERE group_id = $group_id;");
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2699 if ( $db->numrows() < 1 )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2700 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2701 $db->free_result();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2702 continue;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2703 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2704 list($result) = $db->fetchrow_num();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2705 $db->free_result();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2706
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2707 if ( $result === null || $result < 1 )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2708 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2709 $group_ranks[$group_id] = false;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2710 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2711 else
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2712 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2713 $group_ranks[$group_id] = intval($result);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2714 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2715 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2716 // we've got it now
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2717 if ( $group_ranks[$group_id] )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2718 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2719 // found a group with a rank assigned
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2720 // so get the rank info
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2721 $rank_id =& $group_ranks[$group_id];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2722 if ( !isset($rank_cache[$rank_id]) )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2723 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2724 $q = $this->sql('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2725 if ( $db->numrows() < 1 )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2726 {
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2727 $db->free_result();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2728 continue;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2729 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2730 $rank_cache[$rank_id] = $db->fetchrow();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2731 $db->free_result();
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2732 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2733 // set the final rank parameters
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2734 // die("found member-of-group exception with uid {$row['user_id']} gid $group_id rid $rank_id rt {$rank_cache[$rank_id]['rank_title']}");
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2735 $row['rank_id'] = $rank_id;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2736 $row['rank_title'] = $rank_cache[$rank_id]['rank_title'];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2737 $row['rank_style'] = $rank_cache[$rank_id]['rank_style'];
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2738 break;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2739 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2740 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2741 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2742 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2743
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2744 if ( $row['user_title'] === NULL )
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2745 $row['user_title'] = false;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2746
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2747 $row['user_id'] = intval($row['user_id']);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2748 $row['user_level'] = intval($row['user_level']);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2749 $row['user_group'] = intval($row['user_group']);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2750
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2751 unset($row['user_rank'], $row['group_rank'], $row['group_list'], $row['using_default'], $row['using_group'], $row['user_level'], $row['user_group'], $row['username']);
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2752 return $row;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2753 }
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2754
770
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2755 /**
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2756 * Get the list of ranks that a user is allowed to use. Returns false if they cannot change it.
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2757 * @param string|int User ID or username
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2758 * @return array Associative by rank ID
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2759 */
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2760
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2761 function get_user_possible_ranks($id)
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2762 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2763 global $db, $session, $paths, $template, $plugins; // Common objects
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2764
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2765 // cache info in RAM if possible
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2766 static $_cache = array();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2767
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2768 if ( is_int($id) && $id == 0 )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2769 $id = 1;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2770
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2771 if ( is_int($id) )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2772 $col = "u.user_id = $id";
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2773 else if ( is_string($id) )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2774 $col = ENANO_SQLFUNC_LOWERCASE . "(username) = " . ENANO_SQLFUNC_LOWERCASE . "('" . $db->escape($id) . "')";
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2775 else
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2776 // invalid parameter
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2777 return false;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2778
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2779 // check the RAM cache
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2780 if ( isset($_cache[$id]) )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2781 return $_cache[$id];
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2782
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2783 $sql = $this->generate_rank_sql("\n WHERE $col");
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2784
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2785 $q = $this->sql($sql);
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2786 // any results?
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2787 if ( $db->numrows() < 1 )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2788 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2789 // nuttin'.
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2790 $db->free_result();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2791 $_cache[$id] = false;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2792 return false;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2793 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2794
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2795 // Found something.
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2796 $row = $db->fetchrow();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2797 $db->free_result();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2798
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2799 if ( $row['using_user'] && !$row['user_rank_userset'] )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2800 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2801 // The user's rank was set manually by an admin.
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2802 $result = array(
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2803 array(
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2804 'rank_id' => $row['rank_id'],
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2805 'rank_title' => $row['rank_title'],
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2806 'rank_style' => $row['rank_style'],
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2807 'rank_type' => 'user'
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2808 )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2809 );
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2810 $_cache[$id] = $result;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2811 return $result;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2812 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2813
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2814 // copy the result to a more permanent array so we can reference this later
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2815 $current_settings = $row;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2816 unset($row);
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2817
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2818 $result = array();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2819
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2820 // first rank available to us will be the one set by the user's user level
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2821 if ( isset($this->level_rank_table[$current_settings['user_level']]) )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2822 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2823 $q = $this->sql('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = {$this->level_rank_table[$this->user_level]};");
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2824 if ( $db->numrows() > 0 )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2825 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2826 $row = $db->fetchrow();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2827 $row['rank_type'] = 'ulevel';
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2828
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2829 $result[] = $row;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2830 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2831 $db->free_result();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2832 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2833
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2834 // for each group the user is in, figure out if it has a rank associated with it
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2835 $group_list = explode(',', $current_settings['group_list']);
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2836 foreach ( $group_list as $group_id )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2837 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2838 $group_id = intval($group_id);
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2839 $q = $this->sql('SELECT r.rank_id, r.rank_title, r.rank_style FROM ' . table_prefix . "groups AS g\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2840 . " LEFT JOIN " . table_prefix . "ranks AS r\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2841 . " ON ( g.group_rank = r.rank_id )\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2842 . " WHERE g.group_id = $group_id\n"
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2843 . " AND r.rank_id IS NOT NULL;");
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2844 if ( $db->numrows() > 0 )
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2845 {
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2846 $row = $db->fetchrow();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2847 $row['rank_type'] = 'group';
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2848
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2849 $result[] = $row;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2850 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2851 $db->free_result();
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2852 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2853
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2854 $_cache[$id] = $result;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2855 return $result;
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2856 }
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 2857
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 2858 #
1
+ − 2859 # Access Control Lists
+ − 2860 #
+ − 2861
+ − 2862 /**
+ − 2863 * Creates a new permission field in memory. If the permissions are set in the database, they are used. Otherwise, $default_perm is used.
+ − 2864 * @param string $acl_type An identifier for this field
+ − 2865 * @param int $default_perm Whether permission should be granted or not if it's not specified in the ACLs.
+ − 2866 * @param string $desc A human readable name for the permission type
+ − 2867 * @param array $deps The list of dependencies - this should be an array of ACL types
+ − 2868 * @param string $scope Which namespaces this field should apply to. This should be either a pipe-delimited list of namespace IDs or just "All".
+ − 2869 */
+ − 2870
+ − 2871 function register_acl_type($acl_type, $default_perm = AUTH_DISALLOW, $desc = false, $deps = Array(), $scope = 'All')
+ − 2872 {
+ − 2873 if(isset($this->acl_types[$acl_type]))
+ − 2874 return false;
+ − 2875 else
+ − 2876 {
+ − 2877 if(!$desc)
+ − 2878 {
+ − 2879 $desc = capitalize_first_letter(str_replace('_', ' ', $acl_type));
+ − 2880 }
+ − 2881 $this->acl_types[$acl_type] = $default_perm;
+ − 2882 $this->acl_descs[$acl_type] = $desc;
+ − 2883 $this->acl_deps[$acl_type] = $deps;
+ − 2884 $this->acl_scope[$acl_type] = explode('|', $scope);
+ − 2885 }
+ − 2886 return true;
+ − 2887 }
+ − 2888
+ − 2889 /**
+ − 2890 * Tells us whether permission $type is allowed or not based on the current rules.
+ − 2891 * @param string $type The permission identifier ($acl_type passed to sessionManager::register_acl_type())
+ − 2892 * @param bool $no_deps If true, disables dependency checking
+ − 2893 * @return bool True if allowed, false if denied or if an error occured
+ − 2894 */
+ − 2895
+ − 2896 function get_permissions($type, $no_deps = false)
+ − 2897 {
+ − 2898 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2899 if ( isset( $this->perms[$type] ) )
+ − 2900 {
+ − 2901 if ( $this->perms[$type] == AUTH_DENY )
+ − 2902 $ret = false;
+ − 2903 else if ( $this->perms[$type] == AUTH_WIKIMODE && $paths->wiki_mode )
+ − 2904 $ret = true;
+ − 2905 else if ( $this->perms[$type] == AUTH_WIKIMODE && !$paths->wiki_mode )
+ − 2906 $ret = false;
+ − 2907 else if ( $this->perms[$type] == AUTH_ALLOW )
+ − 2908 $ret = true;
+ − 2909 else if ( $this->perms[$type] == AUTH_DISALLOW )
+ − 2910 $ret = false;
+ − 2911 }
+ − 2912 else if(isset($this->acl_types[$type]))
+ − 2913 {
+ − 2914 if ( $this->acl_types[$type] == AUTH_DENY )
+ − 2915 $ret = false;
+ − 2916 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && $paths->wiki_mode )
+ − 2917 $ret = true;
+ − 2918 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && !$paths->wiki_mode )
+ − 2919 $ret = false;
+ − 2920 else if ( $this->acl_types[$type] == AUTH_ALLOW )
+ − 2921 $ret = true;
+ − 2922 else if ( $this->acl_types[$type] == AUTH_DISALLOW )
+ − 2923 $ret = false;
+ − 2924 }
+ − 2925 else
+ − 2926 {
+ − 2927 // ACL type is undefined
+ − 2928 trigger_error('Unknown access type "' . $type . '"', E_USER_WARNING);
+ − 2929 return false; // Be on the safe side and deny access
+ − 2930 }
+ − 2931 if ( !$no_deps )
+ − 2932 {
+ − 2933 if ( !$this->acl_check_deps($type) )
+ − 2934 return false;
+ − 2935 }
+ − 2936 return $ret;
+ − 2937 }
+ − 2938
+ − 2939 /**
+ − 2940 * Fetch the permissions that apply to the current user for the page specified. The object you get will have the get_permissions method
+ − 2941 * and several other abilities.
+ − 2942 * @param string $page_id
+ − 2943 * @param string $namespace
+ − 2944 * @return object
+ − 2945 */
+ − 2946
+ − 2947 function fetch_page_acl($page_id, $namespace)
+ − 2948 {
+ − 2949 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2950
+ − 2951 if ( count ( $this->acl_base_cache ) < 1 )
+ − 2952 {
+ − 2953 // Permissions table not yet initialized
+ − 2954 return false;
+ − 2955 }
+ − 2956
156
+ − 2957 // cache of permission objects (to save RAM and SQL queries)
+ − 2958 static $objcache = array();
+ − 2959
+ − 2960 if ( count($objcache) == 0 )
+ − 2961 {
+ − 2962 foreach ( $paths->nslist as $key => $_ )
+ − 2963 {
+ − 2964 $objcache[$key] = array();
+ − 2965 }
+ − 2966 }
+ − 2967
+ − 2968 if ( isset($objcache[$namespace][$page_id]) )
+ − 2969 {
+ − 2970 return $objcache[$namespace][$page_id];
+ − 2971 }
+ − 2972
+ − 2973 $objcache[$namespace][$page_id] = new Session_ACLPageInfo( $page_id, $namespace, $this->acl_types, $this->acl_descs, $this->acl_deps, $this->acl_base_cache );
+ − 2974 $object =& $objcache[$namespace][$page_id];
1
+ − 2975
592
+ − 2976 profiler_log("session: fetched ACLs for page {$namespace}:{$page_id}");
+ − 2977
1
+ − 2978 return $object;
554
+ − 2979 }
+ − 2980
+ − 2981 /**
+ − 2982 * Fetch the permissions that apply to an arbitrary user for the page specified. The object you get will have the get_permissions method
+ − 2983 * and several other abilities.
+ − 2984 * @param int|string $user_id_or_name; user ID *or* username of the user
+ − 2985 * @param string $page_id; if null, will be default effective permissions.
+ − 2986 * @param string $namespace; if null, will be default effective permissions.
+ − 2987 * @return object
+ − 2988 */
+ − 2989
+ − 2990 function fetch_page_acl_user($user_id_or_name, $page_id, $namespace)
+ − 2991 {
+ − 2992 global $db, $session, $paths, $template, $plugins; // Common objects
1
+ − 2993
554
+ − 2994 // cache user info
+ − 2995 static $user_info_cache = null;
+ − 2996
+ − 2997 if ( isset($user_info_cache[$user_id_or_name]) )
+ − 2998 {
+ − 2999 $user_id =& $user_info_cache[$user_id_or_name]['user_id'];
+ − 3000 $groups =& $user_info_cache[$user_id_or_name]['groups'];
+ − 3001 }
+ − 3002 else
+ − 3003 {
+ − 3004 $uid_column = ( is_int($user_id_or_name) ) ? "user_id = $user_id_or_name" : "username = '" . $db->escape($user_id_or_name) . "'";
+ − 3005 $q = $db->sql_query('SELECT u.user_id, m.group_id, g.group_name FROM ' . table_prefix . "users AS u\n"
+ − 3006 . " LEFT JOIN " . table_prefix . "group_members AS m\n"
+ − 3007 . " ON ( ( u.user_id = m.user_id AND m.pending = 0 ) OR m.member_id IS NULL )\n"
+ − 3008 . " LEFT JOIN " . table_prefix . "groups AS g\n"
+ − 3009 . " ON ( g.group_id = m.group_id )\n"
+ − 3010 . " WHERE $uid_column;");
+ − 3011 if ( !$q )
+ − 3012 $db->_die();
+ − 3013
711
+ − 3014 // The l10n engine takes care of this later.
+ − 3015 $groups = array(1 => 'Everyone');
554
+ − 3016
+ − 3017 if ( $row = $db->fetchrow() )
+ − 3018 {
+ − 3019 $user_id = intval($row['user_id']);
+ − 3020 if ( $row['group_id'] )
+ − 3021 {
+ − 3022 do
+ − 3023 {
+ − 3024 $groups[ intval($row['group_id'] ) ] = $row['group_name'];
+ − 3025 }
+ − 3026 while ( $row = $db->fetchrow() );
+ − 3027 }
+ − 3028 $db->free_result();
+ − 3029 }
+ − 3030 else
+ − 3031 {
+ − 3032 $db->free_result();
+ − 3033 throw new Exception('Unknown user ID or username');
+ − 3034 }
+ − 3035
+ − 3036 $user_info_cache[$user_id_or_name] = array(
+ − 3037 'user_id' => $user_id,
+ − 3038 'groups' => $groups
+ − 3039 );
+ − 3040 }
+ − 3041
+ − 3042 // cache base permissions
+ − 3043 static $base_cache = array();
+ − 3044 if ( !isset($base_cache[$user_id_or_name]) )
+ − 3045 {
+ − 3046 $base_cache[$user_id_or_name] = $this->acl_types;
+ − 3047 $current_perms =& $base_cache[$user_id_or_name];
+ − 3048 $current_perms['__resolve_table'] = array();
+ − 3049
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3050 $bs = 'SELECT rules, target_type, target_id, rule_id, page_id, namespace, g.group_name FROM '.table_prefix."acl AS a\n"
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3051 . " LEFT JOIN " . table_prefix . "groups AS g\n"
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3052 . " ON ( ( a.target_type = " . ACL_TYPE_GROUP . " AND a.target_id = g.group_id ) OR ( a.target_type != " . ACL_TYPE_GROUP . " ) )\n"
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3053 . ' WHERE page_id IS NULL AND namespace IS NULL AND' . "\n"
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3054 . ' ( ';
554
+ − 3055
+ − 3056 $q = Array();
+ − 3057 $q[] = '( target_type='.ACL_TYPE_USER.' AND target_id= ' . $user_id . ' )';
+ − 3058 if(count($groups) > 0)
+ − 3059 {
+ − 3060 foreach($groups as $g_id => $g_name)
+ − 3061 {
+ − 3062 $q[] = '( target_type='.ACL_TYPE_GROUP.' AND target_id='.intval($g_id).' )';
+ − 3063 }
+ − 3064 }
+ − 3065 $bs .= implode(" OR \n ", $q) . " ) \n ORDER BY target_type ASC, target_id ASC;";
+ − 3066 $q = $this->sql($bs);
+ − 3067 foreach ( $this->acl_types as $perm_type => $_ )
+ − 3068 {
+ − 3069 // init the resolver table with blanks
+ − 3070 $current_perms['__resolve_table'][$perm_type] = array(
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3071 'src' => ACL_INHERIT_ENANO_DEFAULT,
554
+ − 3072 'rule_id' => -1
+ − 3073 );
+ − 3074 }
+ − 3075 if ( $row = $db->fetchrow() )
+ − 3076 {
+ − 3077 do {
+ − 3078 $rules = $this->string_to_perm($row['rules']);
+ − 3079 $is_everyone = ( $row['target_type'] == ACL_TYPE_GROUP && $row['target_id'] == 1 );
+ − 3080 // track where these rulings are coming from
+ − 3081 $src = ( $is_everyone ) ? ACL_INHERIT_GLOBAL_EVERYONE : ( $row['target_type'] == ACL_TYPE_GROUP ? ACL_INHERIT_GLOBAL_GROUP : ACL_INHERIT_GLOBAL_USER );
+ − 3082 foreach ( $rules as $perm_type => $_ )
+ − 3083 {
+ − 3084 $current_perms['__resolve_table'][$perm_type] = array(
+ − 3085 'src' => $src,
+ − 3086 'rule_id' => $row['rule_id']
+ − 3087 );
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3088 if ( $row['group_name'] )
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3089 {
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3090 $current_perms['__resolve_table'][$perm_type]['group_name'] = $row['group_name'];
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 3091 }
554
+ − 3092 }
+ − 3093 // merge it in
+ − 3094 $current_perms = $this->acl_merge($current_perms, $rules, $is_everyone, $_defaults_used);
+ − 3095 } while ( $row = $db->fetchrow() );
+ − 3096 }
+ − 3097 }
+ − 3098
+ − 3099 // cache of permission objects (to save RAM and SQL queries)
+ − 3100 static $objcache = array();
+ − 3101
+ − 3102 if ( count($objcache) == 0 )
+ − 3103 {
+ − 3104 foreach ( $paths->nslist as $key => $_ )
+ − 3105 {
+ − 3106 $objcache[$key] = array();
+ − 3107 }
+ − 3108 }
+ − 3109
+ − 3110 if ( !isset($objcache[$namespace][$page_id]) )
+ − 3111 {
+ − 3112 $objcache[$namespace][$page_id] = array();
+ − 3113 }
+ − 3114
+ − 3115 if ( isset($objcache[$namespace][$page_id][$user_id_or_name]) )
+ − 3116 {
+ − 3117 return $objcache[$namespace][$page_id][$user_id_or_name];
+ − 3118 }
+ − 3119
+ − 3120 //if ( !isset( $paths->pages[$paths->nslist[$namespace] . $page_id] ) )
+ − 3121 //{
+ − 3122 // // Page does not exist
+ − 3123 // return false;
+ − 3124 //}
+ − 3125
+ − 3126 $objcache[$namespace][$page_id][$user_id_or_name] = new Session_ACLPageInfo(
+ − 3127 $page_id, // $page_id,
+ − 3128 $namespace, // $namespace,
+ − 3129 $this->acl_types, // $acl_types,
+ − 3130 $this->acl_descs, // $acl_descs,
+ − 3131 $this->acl_deps, // $acl_deps,
+ − 3132 $base_cache[$user_id_or_name], // $base,
+ − 3133 $user_info_cache[$user_id_or_name]['user_id'], // $user_id = null,
+ − 3134 $user_info_cache[$user_id_or_name]['groups'], // $groups = null,
+ − 3135 $base_cache[$user_id_or_name]['__resolve_table'] // $resolve_table = array()
+ − 3136 );
+ − 3137 $object =& $objcache[$namespace][$page_id][$user_id_or_name];
+ − 3138
+ − 3139 return $object;
1
+ − 3140 }
+ − 3141
+ − 3142 /**
571
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3143 * Checks if the given ACL rule type applies to a namespace.
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3144 * @param string ACL rule type
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3145 * @param string Namespace
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3146 * @return bool
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3147 */
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3148
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3149 function check_acl_scope($acl_rule, $namespace)
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3150 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3151 if ( !isset($this->acl_scope[$acl_rule]) )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3152 return false;
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3153 if ( $this->acl_scope[$acl_rule] === array('All') )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3154 return true;
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3155 return ( in_array($namespace, $this->acl_scope[$acl_rule]) ) ? true : false;
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3156 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3157
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3158 /**
1
+ − 3159 * Read all of our permissions from the database and process/apply them. This should be called after the page is determined.
+ − 3160 * @access private
+ − 3161 */
+ − 3162
+ − 3163 function init_permissions()
+ − 3164 {
+ − 3165 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 3166 // Initialize the permissions list with some defaults
+ − 3167 $this->perms = $this->acl_types;
+ − 3168 $this->acl_defaults_used = $this->perms;
+ − 3169
+ − 3170 // Fetch sitewide defaults from the permissions table
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 3171 $bs = 'SELECT rules, target_type, target_id FROM '.table_prefix.'acl' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 3172 . ' WHERE page_id IS NULL AND namespace IS NULL AND' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 3173 . ' ( ';
1
+ − 3174
+ − 3175 $q = Array();
+ − 3176 $q[] = '( target_type='.ACL_TYPE_USER.' AND target_id='.$this->user_id.' )';
+ − 3177 if(count($this->groups) > 0)
+ − 3178 {
+ − 3179 foreach($this->groups as $g_id => $g_name)
+ − 3180 {
+ − 3181 $q[] = '( target_type='.ACL_TYPE_GROUP.' AND target_id='.intval($g_id).' )';
+ − 3182 }
+ − 3183 }
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 3184 $bs .= implode(" OR \n ", $q) . " ) \n ORDER BY target_type ASC, target_id ASC;";
1
+ − 3185 $q = $this->sql($bs);
+ − 3186 if ( $row = $db->fetchrow() )
+ − 3187 {
+ − 3188 do {
+ − 3189 $rules = $this->string_to_perm($row['rules']);
+ − 3190 $is_everyone = ( $row['target_type'] == ACL_TYPE_GROUP && $row['target_id'] == 1 );
+ − 3191 $this->acl_merge_with_current($rules, $is_everyone);
+ − 3192 } while ( $row = $db->fetchrow() );
+ − 3193 }
+ − 3194
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3195 // Cache the sitewide permissions for later use
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3196 $this->acl_base_cache = $this->perms;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3197
592
+ − 3198 profiler_log('session: base ACL set calculated');
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3199
592
+ − 3200 // Load and calculate permissions for the current page
+ − 3201 $page_acl = $this->fetch_page_acl($paths->page_id, $paths->namespace);
+ − 3202 $this->perms = $page_acl->perms;
+ − 3203 $this->acl_defaults_used = $page_acl->acl_defaults_used;
1
+ − 3204 }
+ − 3205
+ − 3206 /**
+ − 3207 * Extends the scope of a permission type.
+ − 3208 * @param string The name of the permission type
+ − 3209 * @param string The namespace(s) that should be covered. This can be either one namespace ID or a pipe-delimited list.
+ − 3210 * @param object Optional - the current $paths object, in case we're doing this from the acl_rule_init hook
+ − 3211 */
+ − 3212
+ − 3213 function acl_extend_scope($perm_type, $namespaces, &$p_in)
+ − 3214 {
+ − 3215 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 3216 $p_obj = ( is_object($p_in) ) ? $p_in : $paths;
+ − 3217 $nslist = explode('|', $namespaces);
+ − 3218 foreach ( $nslist as $i => $ns )
+ − 3219 {
+ − 3220 if ( !isset($p_obj->nslist[$ns]) )
+ − 3221 {
+ − 3222 unset($nslist[$i]);
+ − 3223 }
+ − 3224 else
+ − 3225 {
571
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3226 if ( $this->acl_scope[$perm_type] !== array('All') )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 3227 $this->acl_scope[$perm_type][] = $ns;
1
+ − 3228 if ( isset($this->acl_types[$perm_type]) && !isset($this->perms[$perm_type]) )
+ − 3229 {
+ − 3230 $this->perms[$perm_type] = $this->acl_types[$perm_type];
+ − 3231 }
+ − 3232 }
+ − 3233 }
+ − 3234 }
+ − 3235
+ − 3236 /**
+ − 3237 * Converts a permissions field into a string for database insertion. Similar in spirit to serialize().
+ − 3238 * @param array $perms An associative array with only integers as values
+ − 3239 * @return string
+ − 3240 */
+ − 3241
+ − 3242 function perm_to_string($perms)
+ − 3243 {
+ − 3244 $s = '';
+ − 3245 foreach($perms as $perm => $ac)
+ − 3246 {
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3247 if ( $ac == 'i' )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3248 continue;
1
+ − 3249 $s .= "$perm=$ac;";
+ − 3250 }
+ − 3251 return $s;
+ − 3252 }
+ − 3253
+ − 3254 /**
+ − 3255 * Converts a permissions string back to an array.
+ − 3256 * @param string $perms The result from sessionManager::perm_to_string()
+ − 3257 * @return array
+ − 3258 */
+ − 3259
+ − 3260 function string_to_perm($perms)
+ − 3261 {
+ − 3262 $ret = Array();
+ − 3263 preg_match_all('#([a-z0-9_-]+)=([0-9]+);#i', $perms, $matches);
+ − 3264 foreach($matches[1] as $i => $t)
+ − 3265 {
+ − 3266 $ret[$t] = intval($matches[2][$i]);
+ − 3267 }
+ − 3268 return $ret;
+ − 3269 }
+ − 3270
+ − 3271 /**
+ − 3272 * Merges two ACL arrays. Both parameters should be permission list arrays. The second group takes precedence over the first, but AUTH_DENY always prevails.
+ − 3273 * @param array $perm1 The first set of permissions
+ − 3274 * @param array $perm2 The second set of permissions
554
+ − 3275 * @param bool $is_everyone If true, applies exceptions for "Everyone" group
+ − 3276 * @param array|reference $defaults_used Array that will be filled with default usage data
1
+ − 3277 * @return array
+ − 3278 */
+ − 3279
570
+ − 3280 function acl_merge($perm1, $perm2, $is_everyone = false, &$defaults_used = array())
1
+ − 3281 {
+ − 3282 $ret = $perm1;
554
+ − 3283 if ( !is_array(@$defaults_used) )
+ − 3284 {
+ − 3285 $defaults_used = array();
+ − 3286 }
+ − 3287 foreach ( $perm1 as $i => $p )
1
+ − 3288 {
554
+ − 3289 if ( isset($perm2[$i]) )
1
+ − 3290 {
711
+ − 3291 if ( $is_everyone && isset($defaults_used[$i]) && $defaults_used[$i] === false )
554
+ − 3292 continue;
+ − 3293 // Decide precedence
+ − 3294 if ( isset($defaults_used[$i]) )
+ − 3295 {
+ − 3296 // echo "$i: default in use, overriding to: {$perm2[$i]}<br />";
+ − 3297 // Defaults are in use, override
+ − 3298
+ − 3299 // CHANGED - 1.1.4:
+ − 3300 // For some time this has been intentionally relaxed so that the following
+ − 3301 // exception is available to Deny permissions:
+ − 3302 // If the rule applies to the group "Everyone" on the entire site,
+ − 3303 // Deny settings could be overriden.
+ − 3304 // This is documented at: http://docs.enanocms.org/Help:4.2
+ − 3305 if ( $perm1[$i] != AUTH_DENY )
+ − 3306 {
+ − 3307 $perm1[$i] = $perm2[$i];
+ − 3308 $defaults_used[$i] = ( $is_everyone );
+ − 3309 }
+ − 3310 }
+ − 3311 else
+ − 3312 {
+ − 3313 // echo "$i: default NOT in use";
+ − 3314 // Defaults are not in use, merge as normal
+ − 3315 if ( $perm1[$i] != AUTH_DENY )
+ − 3316 {
+ − 3317 // echo ", but overriding";
+ − 3318 $perm1[$i] = $perm2[$i];
+ − 3319 }
+ − 3320 // echo "<br />";
+ − 3321 }
1
+ − 3322 }
+ − 3323 }
554
+ − 3324 return $perm1;
1
+ − 3325 }
+ − 3326
+ − 3327 /**
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3328 * Merges two ACL arrays, but instead of calculating inheritance for missing permission types, just returns 'i' for that type. Useful
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3329 * for explicitly requiring inheritance in ACL editing interfaces
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3330 * @param array $perm1 The first set of permissions
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3331 * @param array $perm2 The second, authoritative set of permissions
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3332 */
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3333
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3334 function acl_merge_inherit($perm1, $perm2)
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3335 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3336 foreach ( $perm1 as $type => $level )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3337 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3338 $perm1[$type][$level] = 'i';
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3339 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3340 $ret = $perm1;
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3341 foreach ( $perm2 as $type => $level )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3342 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3343 if ( isset( $ret[$type] ) )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3344 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3345 if ( $ret[$type] != AUTH_DENY )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3346 $ret[$type] = $level;
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3347 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3348 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3349 return $ret;
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3350 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3351
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 3352 /**
1
+ − 3353 * Merges the ACL array sent with the current permissions table, deciding precedence based on whether defaults are in effect or not.
+ − 3354 * @param array The array to merge into the master ACL list
+ − 3355 * @param bool If true, $perm is treated as the "new default"
+ − 3356 * @param int 1 if this is a site-wide ACL, 2 if page-specific. Defaults to 2.
+ − 3357 */
+ − 3358
+ − 3359 function acl_merge_with_current($perm, $is_everyone = false, $scope = 2)
+ − 3360 {
554
+ − 3361 $this->perms = $this->acl_merge($this->perms, $perm, $is_everyone, $this->acl_defaults_used);
1
+ − 3362 }
+ − 3363
+ − 3364 /**
+ − 3365 * Merges two ACL arrays. Both parameters should be permission list arrays. The second group takes precedence
+ − 3366 * over the first, without exceptions. This is used to merge the hardcoded defaults with admin-specified
+ − 3367 * defaults, which take precedence.
+ − 3368 * @param array $perm1 The first set of permissions
+ − 3369 * @param array $perm2 The second set of permissions
+ − 3370 * @return array
+ − 3371 */
+ − 3372
+ − 3373 function acl_merge_complete($perm1, $perm2)
+ − 3374 {
+ − 3375 $ret = $perm1;
+ − 3376 foreach ( $perm2 as $type => $level )
+ − 3377 {
+ − 3378 $ret[$type] = $level;
+ − 3379 }
+ − 3380 return $ret;
+ − 3381 }
+ − 3382
+ − 3383 /**
+ − 3384 * Tell us if the dependencies for a given permission are met.
+ − 3385 * @param string The ACL permission ID
+ − 3386 * @return bool
+ − 3387 */
+ − 3388
749
+ − 3389 function acl_check_deps($type, $debug = false)
1
+ − 3390 {
749
+ − 3391 // This will only happen if the permissions table is hacked or improperly accessed
+ − 3392 if(!isset($this->acl_deps[$type]))
1
+ − 3393 return true;
749
+ − 3394 // Permission has no dependencies?
1
+ − 3395 if(sizeof($this->acl_deps[$type]) < 1)
+ − 3396 return true;
749
+ − 3397 // go through them all and build a flat list of dependencies
1
+ − 3398 $deps = $this->acl_deps[$type];
+ − 3399 while(true)
+ − 3400 {
+ − 3401 $j = sizeof($deps);
+ − 3402 for ( $i = 0; $i < $j; $i++ )
+ − 3403 {
+ − 3404 $b = $deps;
+ − 3405 $deps = array_merge($deps, $this->acl_deps[$deps[$i]]);
+ − 3406 if( $b == $deps )
+ − 3407 {
+ − 3408 break 2;
+ − 3409 }
+ − 3410 $j = sizeof($deps);
+ − 3411 }
+ − 3412 }
749
+ − 3413 $debugdata = array();
1
+ − 3414 foreach($deps as $d)
+ − 3415 {
749
+ − 3416 // Our dependencies are fully resolved, so tell get_permissions() to not recursively call this function
+ − 3417 if ( !$this->get_permissions($d, true) )
1
+ − 3418 {
749
+ − 3419 if ( $debug )
+ − 3420 {
+ − 3421 $debugdata[] = $d;
+ − 3422 }
+ − 3423 else
+ − 3424 {
+ − 3425 return false;
+ − 3426 }
1
+ − 3427 }
+ − 3428 }
749
+ − 3429 return $debug ? $debugdata : true;
1
+ − 3430 }
+ − 3431
+ − 3432 /**
+ − 3433 * Makes a CAPTCHA code and caches the code in the database
+ − 3434 * @param int $len The length of the code, in bytes
402
+ − 3435 * @param string Optional, the hash to reuse
1
+ − 3436 * @return string A unique identifier assigned to the code. This hash should be passed to sessionManager::getCaptcha() to retrieve the code.
+ − 3437 */
+ − 3438
402
+ − 3439 function make_captcha($len = 7, $hash = '')
1
+ − 3440 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3441 global $db, $session, $paths, $template, $plugins; // Common objects
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3442 $code = $this->generate_captcha_code($len);
402
+ − 3443 if ( !preg_match('/^[a-f0-9]{32}([a-z0-9]{8})?$/', $hash) )
+ − 3444 $hash = md5(microtime() . mt_rand());
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3445 $session_data = $db->escape(serialize(array()));
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3446
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3447 // sanity check
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3448 if ( !is_valid_ip(@$_SERVER['REMOTE_ADDR']) || !is_int($this->user_id) )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3449 return false;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3450
402
+ − 3451 $this->sql('DELETE FROM ' . table_prefix . "captcha WHERE session_id = '$hash';");
+ − 3452 $this->sql('INSERT INTO ' . table_prefix . 'captcha(session_id, code, session_data, source_ip, user_id)' . " VALUES('$hash', '$code', '$session_data', '{$_SERVER['REMOTE_ADDR']}', {$this->user_id});");
1
+ − 3453 return $hash;
+ − 3454 }
+ − 3455
+ − 3456 /**
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3457 * Generates a "pronouncable" or "human-friendly" word using various phonics rules
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3458 * @param int Optional. The length of the word.
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3459 * @return string
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3460 */
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3461
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3462 function generate_captcha_code($len = 7)
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3463 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3464 // don't use k and x, they get mixed up a lot
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3465 $consonants = 'bcdfghmnpqrsvwyz';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3466 $vowels = 'aeiou';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3467 $prev = 'vowel';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3468 $prev_l = '';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3469 $word = '';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3470 $allow_next_vowel = true;
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3471 for ( $i = 0; $i < $len; $i++ )
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3472 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3473 if ( $prev == 'vowel' )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3474 {
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3475 $allow_next_vowel = false;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3476 if ( $prev_l == 'o' && mt_rand(0, 3) == 3 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3477 $word .= 'i';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3478 else if ( $prev_l == 'q' && mt_rand(0, 3) != 1 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3479 $word .= 'u';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3480 else if ( $prev_l == 'o' && mt_rand(0, 3) == 2 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3481 $word .= 'u';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3482 else if ( $prev_l == 'a' && mt_rand(0, 3) == 3 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3483 $word .= 'i';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3484 else if ( $prev_l == 'a' && mt_rand(0, 10) == 7 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3485 $word .= 'o';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3486 else if ( $prev_l == 'a' && mt_rand(0, 7) == 2 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3487 $word .= 'u';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3488 else
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3489 {
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3490 $allow_next_vowel = true;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3491 $word .= $consonants{mt_rand(0, (strlen($consonants)-1))};
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3492 }
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3493 }
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3494 else if ( $prev == 'consonant' )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3495 {
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3496 if ( $prev_l == 'p' && mt_rand(0, 7) == 4 )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3497 $word .= 't';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3498 else if ( $prev_l == 'p' && mt_rand(0, 5) == 1 )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3499 $word .= 'h';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3500 else
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3501 $word .= $vowels{mt_rand(0, (strlen($vowels)-1))};
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3502 }
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3503 $prev_l = substr($word, -1);
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3504 $l = ( mt_rand(0, 1) == 1 ) ? strtoupper($prev_l) : strtolower($prev_l);
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3505 $word = substr($word, 0, -1) . $l;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3506 if ( strstr('aeiou', $prev_l) )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3507 $prev = 'vowel';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3508 else
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3509 $prev = 'consonant';
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3510 }
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3511 return $word;
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3512 }
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3513
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3514 /**
1
+ − 3515 * For the given code ID, returns the correct CAPTCHA code, or false on failure
+ − 3516 * @param string $hash The unique ID assigned to the code
+ − 3517 * @return string The correct confirmation code
+ − 3518 */
+ − 3519
+ − 3520 function get_captcha($hash)
+ − 3521 {
+ − 3522 global $db, $session, $paths, $template, $plugins; // Common objects
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3523
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3524 if ( !preg_match('/^[a-f0-9]{32}([a-z0-9]{8})?$/', $hash) )
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3525 {
436
+ − 3526 die("session manager: bad captcha_hash $hash");
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3527 return false;
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3528 }
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3529
402
+ − 3530 // sanity check
436
+ − 3531 if ( !is_valid_ip(@$_SERVER['REMOTE_ADDR']) )
+ − 3532 {
+ − 3533 die("session manager insanity: bad REMOTE_ADDR or invalid UID");
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3534 return false;
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3535 }
402
+ − 3536
436
+ − 3537 $q = $this->sql('SELECT code_id, code FROM ' . table_prefix . "captcha WHERE session_id = '$hash' AND source_ip = '{$_SERVER['REMOTE_ADDR']}';");
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3538 if ( $db->numrows() < 1 )
436
+ − 3539 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3540 return false;
436
+ − 3541 }
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3542
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3543 list($code_id, $code) = $db->fetchrow_num();
436
+ − 3544
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3545 $db->free_result();
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3546 $this->sql('DELETE FROM ' . table_prefix . "captcha WHERE code_id = $code_id;");
436
+ − 3547
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 3548 return $code;
1
+ − 3549 }
+ − 3550
+ − 3551 /**
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3552 * (AS OF 1.0.2: Deprecated. Captcha codes are now killed on first fetch for security.) Deletes all CAPTCHA codes cached in the DB for this user.
1
+ − 3553 */
+ − 3554
+ − 3555 function kill_captcha()
+ − 3556 {
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 3557 return true;
1
+ − 3558 }
+ − 3559
+ − 3560 /**
+ − 3561 * Generates a random password.
+ − 3562 * @param int $length Optional - length of password
+ − 3563 * @return string
+ − 3564 */
+ − 3565
+ − 3566 function random_pass($length = 10)
+ − 3567 {
+ − 3568 $valid_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_+@#%&<>';
+ − 3569 $valid_chars = enano_str_split($valid_chars);
+ − 3570 $ret = '';
+ − 3571 for ( $i = 0; $i < $length; $i++ )
+ − 3572 {
+ − 3573 $ret .= $valid_chars[mt_rand(0, count($valid_chars)-1)];
+ − 3574 }
+ − 3575 return $ret;
+ − 3576 }
+ − 3577
+ − 3578 /**
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3579 * Generates some Javascript that calls the AES encryption library. Put this after your </form>.
1
+ − 3580 * @param string The name of the form
+ − 3581 * @param string The name of the password field
+ − 3582 * @param string The name of the field that switches encryption on or off
+ − 3583 * @param string The name of the field that contains the encryption key
+ − 3584 * @param string The name of the field that will contain the encrypted password
+ − 3585 * @param string The name of the field that handles MD5 challenge data
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3586 * @param string The name of the field that tells if the server supports DiffieHellman
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3587 * @param string The name of the field with the DiffieHellman public key
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3588 * @param string The name of the field that the client should populate with its public key
1
+ − 3589 * @return string
+ − 3590 */
+ − 3591
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3592 function aes_javascript($form_name, $pw_field, $use_crypt = 'use_crypt', $crypt_key = 'crypt_key', $crypt_data = 'crypt_data', $challenge = 'challenge_data', $dh_supported = 'dh_supported', $dh_pubkey = 'dh_public_key', $dh_client_pubkey = 'dh_client_public_key')
1
+ − 3593 {
+ − 3594 $code = '
+ − 3595 <script type="text/javascript">
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3596
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3597 function runEncryption(nowhiteout)
1
+ − 3598 {
691
+ − 3599 var frm = document.forms.'.$form_name.';
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3600 if ( !nowhiteout )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3601 whiteOutForm(frm);
691
+ − 3602
586
234ddd896555
Made encryption work in form-based logon again; modified load_component() to fetch compressed versions when possible
Dan
diff
changeset
+ − 3603 load_component(\'crypto\');
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3604 var testpassed = ' . ( ( isset($_GET['use_crypt']) && $_GET['use_crypt']=='0') ? 'false; // CRYPTO-AUTH DISABLED ON USER REQUEST // ' : '' ) . '( aes_self_test() && md5_vm_test() );
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3605 var use_diffiehellman = false;' . "\n";
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3606 if ( $dh_supported && $dh_pubkey )
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3607 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3608 $code .= <<<EOF
542
5841df0ab575
Added ETag support and increased caching settings to try and speed the system up. Result of a YSlow audit.
Dan
diff
changeset
+ − 3609 if ( frm.$dh_supported.value == 'true' && !is_iPhone )
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3610 use_diffiehellman = true;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3611 EOF;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3612 }
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3613 $code .= '
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3614
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3615 if ( frm[\'' . $dh_supported . '\'] )
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3616 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3617 frm[\'' . $dh_supported . '\'].value = ( use_diffiehellman ) ? "true" : "false";
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3618 }
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3619
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3620 if ( frm["' . $pw_field . '_confirm"] )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3621 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3622 pass1 = frm.' . $pw_field . '.value;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3623 pass2 = frm.' . $pw_field . '_confirm.value;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3624 if ( pass1 != pass2 )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3625 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3626 load_component("l10n");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3627 alert($lang.get("userfuncs_passreset_err_no_match"));
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3628 return false;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3629 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3630 if ( pass1.length < 6 )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3631 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3632 load_component("l10n");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3633 alert($lang.get("userfuncs_passreset_err_too_short"));
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3634 return false;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3635 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3636 frm.' . $pw_field . '_confirm.value = "";
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3637 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3638
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3639 if ( testpassed && use_diffiehellman )
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3640 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3641 // try to blank out the table to prevent double submits and what have you
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3642 var el = frm.' . $pw_field . ';
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3643 while ( el.tagName != "BODY" && el.tagName != "TABLE" )
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3644 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3645 el = el.parentNode;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3646 }
691
+ − 3647 /*
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3648 if ( el.tagName == "TABLE" )
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3649 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3650 whiteOutElement(el);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3651 }
691
+ − 3652 */
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3653
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3654 frm.'.$use_crypt.'.value = \'yes_dh\';
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3655
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3656 // Perform Diffie Hellman stuff
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3657 // console.info("DiffieHellman: started keygen process");
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3658 var dh_priv = dh_gen_private();
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3659 var dh_pub = dh_gen_public(dh_priv);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3660 var secret = dh_gen_shared_secret(dh_priv, frm.' . $dh_pubkey . '.value);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3661 // console.info("DiffieHellman: finished keygen process");
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3662
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3663 // secret_hash is used to verify that the server guesses the correct secret
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3664 var secret_hash = hex_sha1(secret);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3665
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3666 // give the server our values
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3667 frm.' . $crypt_key . '.value = secret_hash;
629
+ − 3668 ' . ( $dh_supported ? 'frm.' . $dh_client_pubkey . '.value = dh_pub;' : '' ) . '
507
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3669
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3670 // console.info("DiffieHellman: set public values");
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3671
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3672 // crypt_key is the actual AES key
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3673 var crypt_key = (hex_sha256(secret)).substr(0, (keySizeInBits / 4));
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3674
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3675 // Perform encryption
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3676 crypt_key = hexToByteArray(crypt_key);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3677 var pass = frm.'.$pw_field.'.value;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3678 pass = stringToByteArray(pass);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3679 var cryptstring = rijndaelEncrypt(pass, crypt_key, \'ECB\');
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3680 if(!cryptstring)
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3681 {
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3682 return false;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3683 }
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3684 cryptstring = byteArrayToHex(cryptstring);
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3685 // console.info("DiffieHellman: finished AES");
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3686 frm.'.$crypt_data.'.value = cryptstring;
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3687 frm.'.$pw_field.'.value = \'\';
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3688 // console.info("DiffieHellman: ready to submit");
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3689 }
586fd7d3202d
Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
Dan
diff
changeset
+ − 3690 else if ( testpassed && !use_diffiehellman )
1
+ − 3691 {
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3692 frm.'.$use_crypt.'.value = \'yes\';
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3693 var cryptkey = frm.'.$crypt_key.'.value;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3694 frm.'.$crypt_key.'.value = hex_md5(cryptkey);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3695 cryptkey = hexToByteArray(cryptkey);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3696 if(!cryptkey || ( ( typeof cryptkey == \'string\' || typeof cryptkey == \'object\' ) ) && cryptkey.length != keySizeInBits / 8 )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3697 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3698 if ( frm._login ) frm._login.disabled = true;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3699 len = ( typeof cryptkey == \'string\' || typeof cryptkey == \'object\' ) ? \'\\nLen: \'+cryptkey.length : \'\';
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3700 alert(\'The key is messed up\\nType: \'+typeof(cryptkey)+len);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3701 }
1
+ − 3702 pass = frm.'.$pw_field.'.value;
+ − 3703 chal = frm.'.$challenge.'.value;
+ − 3704 challenge = hex_md5(pass + chal) + chal;
+ − 3705 frm.'.$challenge.'.value = challenge;
+ − 3706 pass = stringToByteArray(pass);
+ − 3707 cryptstring = rijndaelEncrypt(pass, cryptkey, \'ECB\');
+ − 3708 if(!cryptstring)
+ − 3709 {
+ − 3710 return false;
+ − 3711 }
+ − 3712 cryptstring = byteArrayToHex(cryptstring);
+ − 3713 frm.'.$crypt_data.'.value = cryptstring;
+ − 3714 frm.'.$pw_field.'.value = \'\';
+ − 3715 }
+ − 3716 }
+ − 3717 </script>
+ − 3718 ';
+ − 3719 return $code;
+ − 3720 }
+ − 3721
436
+ − 3722 /**
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3723 * Generates the HTML form elements required for an encrypted logon experience.
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3724 * @return string
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3725 */
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3726
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3727 function generate_aes_form()
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3728 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3729 $return = '<input type="hidden" name="use_crypt" value="no" />';
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3730 $return .= '<input type="hidden" name="crypt_key" value="' . $this->rijndael_genkey() . '" />';
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3731 $return .= '<input type="hidden" name="crypt_data" value="" />';
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3732 $return .= '<input type="hidden" name="challenge_data" value="' . $this->dss_rand() . '" />';
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3733
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3734 require_once(ENANO_ROOT . '/includes/math.php');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3735 require_once(ENANO_ROOT . '/includes/diffiehellman.php');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3736
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3737 global $dh_supported, $_math;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3738 if ( $dh_supported )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3739 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3740 $dh_key_priv = dh_gen_private();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3741 $dh_key_pub = dh_gen_public($dh_key_priv);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3742 $dh_key_priv = $_math->str($dh_key_priv);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3743 $dh_key_pub = $_math->str($dh_key_pub);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3744 // store the keys in the DB
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3745 $this->sql('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3746
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3747 $return .= "<input type=\"hidden\" name=\"dh_supported\" value=\"true\" />
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3748 <input type=\"hidden\" name=\"dh_public_key\" value=\"$dh_key_pub\" />
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3749 <input type=\"hidden\" name=\"dh_client_public_key\" value=\"\" />";
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3750 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3751 else
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3752 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3753 $return .= "<input type=\"hidden\" name=\"dh_supported\" value=\"false\" />";
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3754 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3755 return $return;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3756 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3757
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3758 /**
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3759 * If you used all the same form fields as the normal login interface, this will take care of DiffieHellman for you and return the key.
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3760 * @param string Password field name (defaults to "password")
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3761 * @return string
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3762 */
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3763
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3764 function get_aes_post($fieldname = 'password')
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3765 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3766 global $db, $session, $paths, $template, $plugins; // Common objects
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3767
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3768 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3769 if ( $_POST['use_crypt'] == 'yes' )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3770 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3771 $crypt_key = $this->fetch_public_key($_POST['crypt_key']);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3772 if ( !$crypt_key )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3773 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3774 throw new Exception($lang->get('user_err_key_not_found'));
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3775 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3776 $crypt_key = hexdecode($crypt_key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3777 $data = $aes->decrypt($_POST['crypt_data'], $crypt_key, ENC_HEX);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3778 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3779 else if ( $_POST['use_crypt'] == 'yes_dh' )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3780 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3781 require_once(ENANO_ROOT . '/includes/math.php');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3782 require_once(ENANO_ROOT . '/includes/diffiehellman.php');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3783
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3784 global $dh_supported, $_math;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3785
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3786 if ( !$dh_supported )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3787 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3788 throw new Exception('Server does not support DiffieHellman, denying request');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3789 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3790
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3791 // Fetch private key
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3792 $dh_public = $_POST['dh_public_key'];
826
+ − 3793 if ( !ctype_digit($dh_public) )
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3794 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3795 throw new Exception('ERR_DH_KEY_NOT_INTEGER');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3796 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3797 $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$dh_public';");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3798 if ( !$q )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3799 $db->die_json();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3800
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3801 if ( $db->numrows() < 1 )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3802 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3803 throw new Exception('ERR_DH_KEY_NOT_FOUND');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3804 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3805
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3806 list($dh_private, $dh_key_id) = $db->fetchrow_num();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3807 $db->free_result();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3808
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3809 // We have the private key, now delete the key pair, we no longer need it
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3810 $q = $db->sql_query('DELETE FROM ' . table_prefix . "diffiehellman WHERE key_id = $dh_key_id;");
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3811 if ( !$q )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3812 $db->die_json();
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3813
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3814 // Generate the shared secret
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3815 $dh_secret = dh_gen_shared_secret($dh_private, $_POST['dh_client_public_key']);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3816 $dh_secret = $_math->str($dh_secret);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3817
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3818 // Did we get all our math right?
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3819 $dh_secret_check = sha1($dh_secret);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3820 $dh_hash = $_POST['crypt_key'];
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3821 if ( $dh_secret_check !== $dh_hash )
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3822 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3823 throw new Exception('ERR_DH_HASH_NO_MATCH');
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3824 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3825
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3826 // All good! Generate the AES key
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3827 $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 ));
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3828
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3829 // decrypt user info
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3830 $aes_key = hexdecode($aes_key);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3831 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3832 $data = $aes->decrypt($_POST['crypt_data'], $aes_key, ENC_HEX);
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3833 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3834 else
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3835 {
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3836 $data = $_POST[$fieldname];
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3837 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3838 return $data;
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3839 }
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3840
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 3841 /**
436
+ − 3842 * Backend code for the JSON login interface. Basically a frontend to the session API that takes all parameters in one huge array.
+ − 3843 * @param array LoginAPI request
+ − 3844 * @return array LoginAPI response
+ − 3845 */
+ − 3846
725
+ − 3847 function process_login_request($req, $_dbgtmp = false)
436
+ − 3848 {
+ − 3849 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 3850
+ − 3851 // Setup EnanoMath and Diffie-Hellman
+ − 3852 global $dh_supported;
725
+ − 3853 if ( !function_exists('dh_gen_private') )
436
+ − 3854 {
725
+ − 3855 require_once(ENANO_ROOT.'/includes/math.php');
+ − 3856
+ − 3857 $dh_supported = true;
+ − 3858 try
+ − 3859 {
+ − 3860 require_once(ENANO_ROOT . '/includes/diffiehellman.php');
+ − 3861 }
+ − 3862 catch ( Exception $e )
+ − 3863 {
+ − 3864 $dh_supported = false;
+ − 3865 }
436
+ − 3866 }
+ − 3867 global $_math;
+ − 3868
+ − 3869 // Check for the mode
+ − 3870 if ( !isset($req['mode']) )
+ − 3871 {
+ − 3872 return array(
+ − 3873 'mode' => 'error',
+ − 3874 'error' => 'ERR_JSON_NO_MODE'
+ − 3875 );
+ − 3876 }
+ − 3877
+ − 3878 // Main processing switch
+ − 3879 switch ( $req['mode'] )
+ − 3880 {
+ − 3881 default:
+ − 3882 return array(
+ − 3883 'mode' => 'error',
+ − 3884 'error' => 'ERR_JSON_INVALID_MODE'
+ − 3885 );
+ − 3886 break;
+ − 3887 case 'getkey':
+ − 3888
+ − 3889 $this->start();
+ − 3890
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 3891 $locked_out = $this->get_lockout_info($lockdata);
436
+ − 3892
+ − 3893 $response = array('mode' => 'build_box');
+ − 3894 $response['allow_diffiehellman'] = $dh_supported;
+ − 3895
+ − 3896 $response['username'] = ( $this->user_logged_in ) ? $this->username : false;
+ − 3897 $response['aes_key'] = $this->rijndael_genkey();
+ − 3898
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 3899 $response['extended_time'] = intval(getConfig('session_remember_time', '30'));
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 3900
436
+ − 3901 // Lockout info
+ − 3902 $response['locked_out'] = $locked_out;
+ − 3903
+ − 3904 $response['lockout_info'] = $lockdata;
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 3905 if ( $lockdata['lockout_policy'] == 'captcha' && $locked_out )
436
+ − 3906 {
+ − 3907 $response['lockout_info']['captcha'] = $this->make_captcha();
+ − 3908 }
+ − 3909
+ − 3910 // Can we do Diffie-Hellman? If so, generate and stash a public/private key pair.
+ − 3911 if ( $dh_supported )
+ − 3912 {
+ − 3913 $dh_key_priv = dh_gen_private();
+ − 3914 $dh_key_pub = dh_gen_public($dh_key_priv);
+ − 3915 $dh_key_priv = $_math->str($dh_key_priv);
+ − 3916 $dh_key_pub = $_math->str($dh_key_pub);
+ − 3917 $response['dh_public_key'] = $dh_key_pub;
+ − 3918 // store the keys in the DB
+ − 3919 $q = $db->sql_query('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );");
+ − 3920 if ( !$q )
+ − 3921 $db->die_json();
+ − 3922 }
+ − 3923
+ − 3924 return $response;
+ − 3925 break;
+ − 3926 case 'login_dh':
+ − 3927 // User is requesting a login and has sent Diffie-Hellman data.
+ − 3928
+ − 3929 //
+ − 3930 // KEY RECONSTRUCTION
+ − 3931 //
+ − 3932
+ − 3933 $userinfo_crypt = $req['userinfo'];
+ − 3934 $dh_public = $req['dh_public_key'];
+ − 3935 $dh_hash = $req['dh_secret_hash'];
+ − 3936
+ − 3937 // Check the key
826
+ − 3938 if ( !ctype_digit($dh_public) || !ctype_digit($req['dh_client_key']) )
436
+ − 3939 {
+ − 3940 return array(
+ − 3941 'mode' => 'error',
+ − 3942 'error' => 'ERR_DH_KEY_NOT_NUMERIC'
+ − 3943 );
+ − 3944 }
+ − 3945
+ − 3946 // Fetch private key
+ − 3947 $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$dh_public';");
+ − 3948 if ( !$q )
+ − 3949 $db->die_json();
+ − 3950
+ − 3951 if ( $db->numrows() < 1 )
+ − 3952 {
+ − 3953 return array(
+ − 3954 'mode' => 'error',
+ − 3955 'error' => 'ERR_DH_KEY_NOT_FOUND'
+ − 3956 );
+ − 3957 }
+ − 3958
+ − 3959 list($dh_private, $dh_key_id) = $db->fetchrow_num();
+ − 3960 $db->free_result();
+ − 3961
+ − 3962 // We have the private key, now delete the key pair, we no longer need it
+ − 3963 $q = $db->sql_query('DELETE FROM ' . table_prefix . "diffiehellman WHERE key_id = $dh_key_id;");
+ − 3964 if ( !$q )
+ − 3965 $db->die_json();
+ − 3966
+ − 3967 // Generate the shared secret
+ − 3968 $dh_secret = dh_gen_shared_secret($dh_private, $req['dh_client_key']);
+ − 3969 $dh_secret = $_math->str($dh_secret);
+ − 3970
+ − 3971 // Did we get all our math right?
+ − 3972 $dh_secret_check = sha1($dh_secret);
+ − 3973 if ( $dh_secret_check !== $dh_hash )
+ − 3974 {
+ − 3975 return array(
+ − 3976 'mode' => 'error',
770
62fed244fa1c
Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
Dan
diff
changeset
+ − 3977 'error' => 'ERR_DH_HASH_NO_MATCH',
436
+ − 3978 );
+ − 3979 }
+ − 3980
+ − 3981 // All good! Generate the AES key
+ − 3982 $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 ));
+ − 3983 case 'login_aes':
+ − 3984 if ( $req['mode'] == 'login_aes' )
+ − 3985 {
+ − 3986 // login_aes-specific code
+ − 3987 $aes_key = $this->fetch_public_key($req['key_aes']);
+ − 3988 if ( !$aes_key )
+ − 3989 {
+ − 3990 return array(
+ − 3991 'mode' => 'error',
+ − 3992 'error' => 'ERR_AES_LOOKUP_FAILED'
+ − 3993 );
+ − 3994 }
+ − 3995 $userinfo_crypt = $req['userinfo'];
+ − 3996 }
+ − 3997 // shared between the two systems from here on out
+ − 3998
+ − 3999 // decrypt user info
+ − 4000 $aes_key = hexdecode($aes_key);
+ − 4001 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
518
+ − 4002 // using "true" here disables caching of the decrypted login info (which includes the password)
+ − 4003 $userinfo_json = $aes->decrypt($userinfo_crypt, $aes_key, ENC_HEX, true);
436
+ − 4004 if ( !$userinfo_json )
+ − 4005 {
+ − 4006 return array(
+ − 4007 'mode' => 'error',
+ − 4008 'error' => 'ERR_AES_DECRYPT_FAILED'
+ − 4009 );
+ − 4010 }
+ − 4011 // de-JSON user info
+ − 4012 try
+ − 4013 {
+ − 4014 $userinfo = enano_json_decode($userinfo_json);
+ − 4015 }
+ − 4016 catch ( Exception $e )
+ − 4017 {
+ − 4018 return array(
+ − 4019 'mode' => 'error',
+ − 4020 'error' => 'ERR_USERINFO_DECODE_FAILED'
+ − 4021 );
+ − 4022 }
+ − 4023
+ − 4024 if ( !isset($userinfo['username']) || !isset($userinfo['password']) )
+ − 4025 {
+ − 4026 return array(
+ − 4027 'mode' => 'error',
+ − 4028 'error' => 'ERR_USERINFO_MISSING_VALUES'
+ − 4029 );
+ − 4030 }
+ − 4031
+ − 4032 $username =& $userinfo['username'];
+ − 4033 $password =& $userinfo['password'];
+ − 4034
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4035 // At this point if any extra info was injected into the login data packet, we need to let plugins process it
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4036 /**
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4037 * Called upon processing an incoming login request. If you added anything to the userinfo object during the jshook
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4038 * login_build_userinfo, that will be in the $userinfo array here. Expected return values are: true if your plugin has
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4039 * not only succeeded but ALSO issued a session key (bypass the whole Enano builtin login process) and an associative array
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4040 * with "mode" set to "error" and an error string in "error" to send an error back to the client. Any return value other
1001
+ − 4041 * than these will be treated as a pass-through, and the user's password will be validated through Enano's standard process.
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4042 * @hook login_process_userdata_json
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4043 */
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4044
897
f31c252c52c1
session: login_process_userdata_json hook should work with more than one installed auth plugin now
Dan
diff
changeset
+ − 4045 $code = $plugins->setHook('login_process_userdata_json', true);
1065
+ − 4046
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4047 foreach ( $code as $cmd )
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4048 {
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4049 $result = eval($cmd);
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4050 if ( $result === true )
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4051 {
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4052 return array(
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4053 'mode' => 'login_success',
1001
+ − 4054 'key' => ( $this->sid_super ) ? $this->sid_super : false,
+ − 4055 'user_id' => $this->user_id,
+ − 4056 'user_level' => $this->user_level
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4057 );
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4058 }
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4059 else if ( is_array($result) )
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4060 {
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4061 if ( isset($result['mode']) && $result['mode'] === 'error' && isset($result['error']) )
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4062 {
895
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4063 // Pass back any additional information from the error response
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4064 $append = $result;
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4065 unset($append['mode'], $append['error']);
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4066
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4067 $return = array(
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4068 'mode' => 'login_failure',
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4069 'error_code' => $result['error'],
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4070 // Use this to provide a way to respawn the login box
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4071 'respawn_info' => $this->process_login_request(array('mode' => 'getkey'))
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4072 );
895
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4073
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4074 $return = array_merge($append, $return);
d6b095673a47
Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
Dan
diff
changeset
+ − 4075 return $return;
843
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4076 }
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4077 }
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4078 }
4415e50e4e84
Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
Dan
diff
changeset
+ − 4079
472
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4080 // If we're logging in with a temp password, attach to the login_password_reset hook to send our JSON response
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4081 // A bit hackish since it just dies with the response :-(
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 4082 $plugins->attachHook('login_password_reset', '$this->process_login_request(array(\'mode\' => \'respond_password_reset\', \'user_id\' => $row[\'user_id\'], \'temp_password\' => $this->pk_encrypt($password)));');
472
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4083
436
+ − 4084 // attempt the login
+ − 4085 // function login_without_crypto($username, $password, $already_md5ed = false, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
688
f2a824ce5f18
Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
Dan
diff
changeset
+ − 4086 $login_result = $this->login_without_crypto($username, $password, false, intval($req['level']), @$req['captcha_hash'], @$req['captcha_code'], @$req['remember']);
436
+ − 4087
+ − 4088 if ( $login_result['success'] )
+ − 4089 {
+ − 4090 return array(
+ − 4091 'mode' => 'login_success',
1001
+ − 4092 'key' => ( $this->sid_super ) ? $this->sid_super : false,
1026
f0431eb8161e
AJAX login: fixed improper run of login_submit_early; fixed failure to redirect if main_page_members == current page
Dan
diff
changeset
+ − 4093 'user_id' => $this->user_id,
f0431eb8161e
AJAX login: fixed improper run of login_submit_early; fixed failure to redirect if main_page_members == current page
Dan
diff
changeset
+ − 4094 'user_level' => $this->user_level
436
+ − 4095 );
+ − 4096 }
+ − 4097 else
+ − 4098 {
+ − 4099 return array(
+ − 4100 'mode' => 'login_failure',
+ − 4101 'error_code' => $login_result['error'],
+ − 4102 // Use this to provide a way to respawn the login box
+ − 4103 'respawn_info' => $this->process_login_request(array('mode' => 'getkey'))
+ − 4104 );
+ − 4105 }
+ − 4106
+ − 4107 break;
471
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4108 case 'clean_key':
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4109 // Clean out a key, since it won't be used.
472
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4110 // This is called when the user clicks Cancel in the AJAX login interface.
471
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4111 if ( !empty($req['key_aes']) )
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4112 {
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4113 $this->fetch_public_key($req['key_aes']);
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4114 }
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4115 if ( !empty($req['key_dh']) )
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4116 {
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4117 $pk = $db->escape($req['key_dh']);
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4118 $q = $db->sql_query('DELETE FROM ' . table_prefix . "diffiehellman WHERE public_key = '$pk';");
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4119 if ( !$q )
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4120 $db->die_json();
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4121 }
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4122 return array(
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4123 'mode' => 'noop'
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4124 );
7906fb190fc1
Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
Dan
diff
changeset
+ − 4125 break;
472
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4126 case 'respond_password_reset':
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4127 die(enano_json_encode(array(
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4128 'mode' => 'login_success_reset',
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4129 'user_id' => $req['user_id'],
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4130 'temp_password' => $req['temp_password'],
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4131 'respawn_info' => $this->process_login_request(array('mode' => 'getkey'))
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4132 )));
bc4b58034f4d
Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
diff
changeset
+ − 4133 break;
811
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4134 case 'logout':
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4135 if ( !$this->started )
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4136 $this->start();
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4137 if ( !isset($req['csrf_token']) )
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4138 return array(
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4139 'mode' => 'error',
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4140 'error' => 'Invalid CSRF token'
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4141 );
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4142
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4143 if ( $req['csrf_token'] !== $this->csrf_token )
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4144 return array(
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4145 'mode' => 'error',
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4146 'error' => 'Invalid CSRF token'
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4147 );
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4148 $level = isset($req['level']) && is_int($req['level']) ? $req['level'] : USER_LEVEL_MEMBER;
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4149 if ( ($result = $this->logout($level)) === 'success' )
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4150 {
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4151 return array(
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4152 'mode' => 'logout_success'
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4153 );
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4154 }
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4155 else
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4156 {
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4157 return array(
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4158 'mode' => 'error',
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4159 'error' => $result
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4160 );
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4161 }
5c807fe77020
Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
Dan
diff
changeset
+ − 4162 break;
436
+ − 4163 }
+ − 4164
+ − 4165 }
+ − 4166
1
+ − 4167 }
+ − 4168
+ − 4169 /**
+ − 4170 * Class used to fetch permissions for a specific page. Used internally by SessionManager.
+ − 4171 * @package Enano
+ − 4172 * @subpackage Session manager
+ − 4173 * @license http://www.gnu.org/copyleft/gpl.html
+ − 4174 * @access private
+ − 4175 */
+ − 4176
+ − 4177 class Session_ACLPageInfo {
+ − 4178
+ − 4179 /**
+ − 4180 * The page ID of this ACL info package
+ − 4181 * @var string
+ − 4182 */
+ − 4183
+ − 4184 var $page_id;
+ − 4185
+ − 4186 /**
+ − 4187 * The namespace of the page being checked
+ − 4188 * @var string
+ − 4189 */
+ − 4190
+ − 4191 var $namespace;
+ − 4192
+ − 4193 /**
+ − 4194 * Our list of permission types.
+ − 4195 * @access private
+ − 4196 * @var array
+ − 4197 */
+ − 4198
+ − 4199 var $acl_types = Array();
+ − 4200
+ − 4201 /**
+ − 4202 * The list of descriptions for the permission types
+ − 4203 * @var array
+ − 4204 */
+ − 4205
+ − 4206 var $acl_descs = Array();
+ − 4207
+ − 4208 /**
+ − 4209 * A list of dependencies for ACL types.
+ − 4210 * @var array
+ − 4211 */
+ − 4212
+ − 4213 var $acl_deps = Array();
+ − 4214
+ − 4215 /**
246
+ − 4216 * Our tell-all list of permissions. Do not even try to change this.
+ − 4217 * @access private
1
+ − 4218 * @var array
+ − 4219 */
+ − 4220
+ − 4221 var $perms = Array();
+ − 4222
+ − 4223 /**
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4224 * Array to track which default permissions are being used
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4225 * @var array
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4226 * @access private
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4227 */
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4228
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4229 var $acl_defaults_used = Array();
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4230
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4231 /**
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4232 * Tracks whether Wiki Mode is on for the page we're operating on.
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4233 * @var bool
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4234 */
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4235
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4236 var $wiki_mode = false;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4237
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4238 /**
554
+ − 4239 * Tracks where permissions were calculated using the ACL_INHERIT_* constants. Layout:
+ − 4240 * array(
+ − 4241 * [permission_name] => array(
+ − 4242 * [src] => ACL_INHERIT_*
+ − 4243 * [rule_id] => integer
+ − 4244 * ),
+ − 4245 * ...
+ − 4246 * )
+ − 4247 *
+ − 4248 * @var array
+ − 4249 */
+ − 4250
+ − 4251 var $perm_resolve_table = array();
+ − 4252
+ − 4253 #
+ − 4254 # USER PARAMETERS
+ − 4255 #
+ − 4256
+ − 4257 /**
+ − 4258 * User ID
+ − 4259 * @var int
+ − 4260 */
+ − 4261
+ − 4262 var $user_id = 1;
+ − 4263
+ − 4264 /**
+ − 4265 * Group membership associative array (group_id => group_name)
+ − 4266 * @var array
+ − 4267 */
+ − 4268
+ − 4269 var $groups = array();
+ − 4270
+ − 4271 /**
1
+ − 4272 * Constructor.
+ − 4273 * @param string $page_id The ID of the page to check
+ − 4274 * @param string $namespace The namespace of the page to check.
+ − 4275 * @param array $acl_types List of ACL types
+ − 4276 * @param array $acl_descs List of human-readable descriptions for permissions (associative)
+ − 4277 * @param array $acl_deps List of dependencies for permissions. For example, viewing history/diffs depends on the ability to read the page.
+ − 4278 * @param array $base What to start with - this is an attempt to reduce the number of SQL queries.
554
+ − 4279 * @param int|string $user_id_or_name Username or ID to search for, defaults to current user
+ − 4280 * @param array $resolve_table Debugging info for tracking where rules came from, defaults to a blank array.
1
+ − 4281 */
+ − 4282
554
+ − 4283 function __construct($page_id, $namespace, $acl_types, $acl_descs, $acl_deps, $base, $user_id = null, $groups = null, $resolve_table = array())
1
+ − 4284 {
+ − 4285 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 4286
554
+ − 4287 // hack
+ − 4288 if ( isset($base['__resolve_table']) )
+ − 4289 {
+ − 4290 unset($base['__resolve_table']);
+ − 4291 }
+ − 4292
571
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4293 foreach ( $acl_types as $perm_type => $_ )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4294 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4295 if ( !$session->check_acl_scope($perm_type, $namespace) )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4296 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4297 unset($acl_types[$perm_type]);
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4298 unset($acl_deps[$perm_type]);
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4299 unset($acl_descs[$perm_type]);
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4300 unset($base[$perm_type]);
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4301 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4302 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4303
1
+ − 4304 $this->acl_deps = $acl_deps;
+ − 4305 $this->acl_types = $acl_types;
+ − 4306 $this->acl_descs = $acl_descs;
+ − 4307
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4308 $this->perms = $acl_types;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4309 $this->perms = $session->acl_merge_complete($this->perms, $base);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4310
554
+ − 4311 $this->perm_resolve_table = array();
+ − 4312 if ( is_array($resolve_table) )
+ − 4313 $this->perm_resolve_table = $resolve_table;
+ − 4314
+ − 4315 if ( is_int($user_id) && is_array($groups) )
+ − 4316 {
+ − 4317 $this->user_id = $user_id;
+ − 4318 $this->groups = $groups;
+ − 4319 }
+ − 4320 else
+ − 4321 {
+ − 4322 $this->user_id = $session->user_id;
+ − 4323 $this->groups = $session->groups;
+ − 4324 }
+ − 4325
+ − 4326 $this->page_id = $page_id;
+ − 4327 $this->namespace = $namespace;
+ − 4328
+ − 4329 $this->__calculate();
+ − 4330 }
+ − 4331
+ − 4332 /**
+ − 4333 * Performs the actual permission calculation.
+ − 4334 * @access private
+ − 4335 */
+ − 4336
+ − 4337 private function __calculate()
+ − 4338 {
+ − 4339 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 4340
+ − 4341 $page_id =& $this->page_id;
+ − 4342 $namespace =& $this->namespace;
+ − 4343
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4344 // PAGE group info
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4345 $pg_list = $paths->get_page_groups($page_id, $namespace);
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4346 $pg_info = '';
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4347 foreach ( $pg_list as $g_id )
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4348 {
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4349 $pg_info .= ' ( page_id=\'' . $g_id . '\' AND namespace=\'__PageGroup\' ) OR';
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4350 }
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 4351
1
+ − 4352 // Build a query to grab ACL info
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4353 $bs = 'SELECT rules,target_type,target_id,page_id,namespace,rule_id,pg.pg_name,g.group_name FROM '.table_prefix."acl AS a\n"
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4354 . " LEFT JOIN " . table_prefix . "page_groups AS pg\n"
618
+ − 4355 . " ON ( ( a.page_id = CAST(pg.pg_id AS char) AND a.namespace = '__PageGroup' ) OR ( a.namespace != '__PageGroup' ) )\n"
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4356 . " LEFT JOIN " . table_prefix . "groups AS g\n"
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4357 . " ON ( ( a.target_type = " . ACL_TYPE_GROUP . " AND a.target_id = g.group_id ) OR ( a.target_type != " . ACL_TYPE_GROUP . " ) )\n";
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4358
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4359 $bs .= ' WHERE ' . "\n"
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 4360 . ' ( ';
1
+ − 4361 $q = Array();
554
+ − 4362 $q[] = '( target_type='.ACL_TYPE_USER.' AND target_id='.$this->user_id.' )';
+ − 4363 if(count($this->groups) > 0)
1
+ − 4364 {
554
+ − 4365 foreach($this->groups as $g_id => $g_name)
1
+ − 4366 {
+ − 4367 $q[] = '( target_type='.ACL_TYPE_GROUP.' AND target_id='.intval($g_id).' )';
+ − 4368 }
+ − 4369 }
+ − 4370 // The reason we're using an ORDER BY statement here is because ACL_TYPE_GROUP is less than ACL_TYPE_USER, causing the user's individual
+ − 4371 // permissions to override group permissions.
554
+ − 4372 $bs .= implode(" OR\n ", $q) . ' ) AND (' . $pg_info . ' ( page_id=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\' ) )
1
+ − 4373 ORDER BY target_type ASC, page_id ASC, namespace ASC;';
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4374
1
+ − 4375 $q = $session->sql($bs);
+ − 4376 if ( $row = $db->fetchrow() )
+ − 4377 {
+ − 4378 do {
+ − 4379 $rules = $session->string_to_perm($row['rules']);
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4380 $is_everyone = ( $row['target_type'] == ACL_TYPE_GROUP && $row['target_id'] == 1 );
554
+ − 4381 // log where this comes from
+ − 4382 if ( $row['namespace'] == '__PageGroup' )
+ − 4383 {
+ − 4384 $src = ( $is_everyone ) ? ACL_INHERIT_PG_EVERYONE : ( $row['target_type'] == ACL_TYPE_GROUP ? ACL_INHERIT_PG_GROUP : ACL_INHERIT_PG_USER );
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4385 $pg_name = $row['pg_name'];
554
+ − 4386 }
+ − 4387 else
+ − 4388 {
+ − 4389 $src = ( $is_everyone ) ? ACL_INHERIT_LOCAL_EVERYONE : ( $row['target_type'] == ACL_TYPE_GROUP ? ACL_INHERIT_LOCAL_GROUP : ACL_INHERIT_LOCAL_USER );
+ − 4390 }
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4391 if ( $row['group_name'] )
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4392 {
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4393 $group_name = $row['group_name'];
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4394 }
554
+ − 4395 foreach ( $rules as $perm_type => $perm_value )
+ − 4396 {
576
+ − 4397 if ( !isset($this->perms[$perm_type]) )
+ − 4398 continue;
+ − 4399
554
+ − 4400 if ( $this->perms[$perm_type] == AUTH_DENY )
+ − 4401 continue;
+ − 4402
571
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4403 if ( !$session->check_acl_scope($perm_type, $this->namespace) )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4404 continue;
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4405
554
+ − 4406 $this->perm_resolve_table[$perm_type] = array(
+ − 4407 'src' => $src,
+ − 4408 'rule_id' => $row['rule_id']
+ − 4409 );
556
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4410 if ( isset($pg_name) )
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4411 {
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4412 $this->perm_resolve_table[$perm_type]['pg_name'] = $pg_name;
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4413 }
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4414 if ( isset($group_name) )
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4415 {
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4416 $this->perm_resolve_table[$perm_type]['group_name'] = $group_name;
63e131c38876
More work done on effective permissions API, namely reporting of page group and usergroup names
Dan
diff
changeset
+ − 4417 }
554
+ − 4418 }
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4419 $this->acl_merge_with_current($rules, $is_everyone);
1
+ − 4420 } while ( $row = $db->fetchrow() );
+ − 4421 }
+ − 4422
+ − 4423 $this->page_id = $page_id;
+ − 4424 $this->namespace = $namespace;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4425
749
+ − 4426 $pathskey = $paths->nslist[$this->namespace].sanitize_page_id($this->page_id);
953
323c4cd1aa37
Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
Dan
diff
changeset
+ − 4427 $ns = namespace_factory($this->page_id, $this->namespace);
323c4cd1aa37
Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
Dan
diff
changeset
+ − 4428 $cdata = $ns->get_cdata();
323c4cd1aa37
Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
Dan
diff
changeset
+ − 4429 $ppwm = $cdata['wiki_mode'];
323c4cd1aa37
Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
Dan
diff
changeset
+ − 4430 unset($ns, $cdata);
323c4cd1aa37
Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
Dan
diff
changeset
+ − 4431
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4432 if ( $ppwm == 1 && ( $session->user_logged_in || getConfig('wiki_mode_require_login') != '1' ) )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4433 $this->wiki_mode = true;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4434 else if ( $ppwm == 1 && !$session->user_logged_in && getConfig('wiki_mode_require_login') == '1' )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4435 $this->wiki_mode = true;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4436 else if ( $ppwm == 0 )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4437 $this->wiki_mode = false;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4438 else if ( $ppwm == 2 )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4439 {
749
+ − 4440 if ( $this->user_id > 1 )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4441 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4442 $this->wiki_mode = ( getConfig('wiki_mode') == '1' );
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4443 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4444 else
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4445 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4446 $this->wiki_mode = ( getConfig('wiki_mode') == '1' && getConfig('wiki_mode_require_login') != '1' );
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4447 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4448 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4449 else
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4450 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4451 // Ech. Internal logic failure, this should never happen.
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4452 return false;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4453 }
1
+ − 4454 }
+ − 4455
+ − 4456 /**
+ − 4457 * Tells us whether permission $type is allowed or not based on the current rules.
+ − 4458 * @param string $type The permission identifier ($acl_type passed to sessionManager::register_acl_type())
+ − 4459 * @param bool $no_deps If true, disables dependency checking
+ − 4460 * @return bool True if allowed, false if denied or if an error occured
+ − 4461 */
+ − 4462
+ − 4463 function get_permissions($type, $no_deps = false)
+ − 4464 {
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4465 // echo '<pre>' . print_r($this->perms, true) . '</pre>';
1
+ − 4466 global $db, $session, $paths, $template, $plugins; // Common objects
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4467
1
+ − 4468 if ( isset( $this->perms[$type] ) )
+ − 4469 {
+ − 4470 if ( $this->perms[$type] == AUTH_DENY )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4471 {
1
+ − 4472 $ret = false;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4473 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4474 else if ( $this->perms[$type] == AUTH_WIKIMODE && $this->wiki_mode )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4475 {
1
+ − 4476 $ret = true;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4477 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4478 else if ( $this->perms[$type] == AUTH_WIKIMODE && !$this->wiki_mode )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4479 {
1
+ − 4480 $ret = false;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4481 }
1
+ − 4482 else if ( $this->perms[$type] == AUTH_ALLOW )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4483 {
1
+ − 4484 $ret = true;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4485 }
1
+ − 4486 else if ( $this->perms[$type] == AUTH_DISALLOW )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4487 {
1
+ − 4488 $ret = false;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 4489 }
1
+ − 4490 }
+ − 4491 else if(isset($this->acl_types[$type]))
+ − 4492 {
+ − 4493 if ( $this->acl_types[$type] == AUTH_DENY )
+ − 4494 $ret = false;
+ − 4495 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && $paths->wiki_mode )
+ − 4496 $ret = true;
+ − 4497 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && !$paths->wiki_mode )
+ − 4498 $ret = false;
+ − 4499 else if ( $this->acl_types[$type] == AUTH_ALLOW )
+ − 4500 $ret = true;
+ − 4501 else if ( $this->acl_types[$type] == AUTH_DISALLOW )
+ − 4502 $ret = false;
+ − 4503 }
+ − 4504 else
+ − 4505 {
+ − 4506 // ACL type is undefined
571
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4507 $caller = 'unknown';
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4508 if ( function_exists('debug_backtrace') )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4509 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4510 if ( $bt = @debug_backtrace() )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4511 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4512 foreach ( $bt as $trace )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4513 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4514 $file = basename($trace['file']);
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4515 if ( $file != 'sessions.php' )
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4516 {
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4517 $caller = $file . ':' . $trace['line'];
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4518 break;
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4519 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4520 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4521 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4522 }
66e14e61613e
Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
Dan
diff
changeset
+ − 4523 trigger_error('Unknown access type "' . $type . '", called from ' . $caller . '', E_USER_WARNING);
1
+ − 4524 return false; // Be on the safe side and deny access
+ − 4525 }
+ − 4526 if ( !$no_deps )
+ − 4527 {
+ − 4528 if ( !$this->acl_check_deps($type) )
+ − 4529 return false;
+ − 4530 }
+ − 4531 return $ret;
+ − 4532 }
+ − 4533
+ − 4534 /**
+ − 4535 * Tell us if the dependencies for a given permission are met.
+ − 4536 * @param string The ACL permission ID
749
+ − 4537 * @param bool If true, does not return a boolean value, but instead returns array of dependencies that fail
1
+ − 4538 * @return bool
+ − 4539 */
+ − 4540
749
+ − 4541 function acl_check_deps($type, $debug = false)
1
+ − 4542 {
749
+ − 4543 // This will only happen if the permissions table is hacked or improperly accessed
+ − 4544 if(!isset($this->acl_deps[$type]))
+ − 4545 return $debug ? array() : true;
+ − 4546 // Permission has no dependencies?
1
+ − 4547 if(sizeof($this->acl_deps[$type]) < 1)
749
+ − 4548 return $debug ? array() : true;
+ − 4549 // go through them all and build a flat list of dependencies
1
+ − 4550 $deps = $this->acl_deps[$type];
+ − 4551 while(true)
+ − 4552 {
+ − 4553 $j = sizeof($deps);
+ − 4554 for ( $i = 0; $i < $j; $i++ )
+ − 4555 {
+ − 4556 $b = $deps;
+ − 4557 $deps = array_merge($deps, $this->acl_deps[$deps[$i]]);
+ − 4558 if( $b == $deps )
+ − 4559 {
+ − 4560 break 2;
+ − 4561 }
+ − 4562 $j = sizeof($deps);
+ − 4563 }
+ − 4564 }
749
+ − 4565 $debugdata = array();
1
+ − 4566 foreach($deps as $d)
+ − 4567 {
749
+ − 4568 // Our dependencies are fully resolved, so tell get_permissions() to not recursively call this function
+ − 4569 if ( !$this->get_permissions($d, true) )
1
+ − 4570 {
749
+ − 4571 if ( $debug )
+ − 4572 {
+ − 4573 $debugdata[] = $d;
+ − 4574 }
+ − 4575 else
+ − 4576 {
+ − 4577 return false;
+ − 4578 }
1
+ − 4579 }
+ − 4580 }
749
+ − 4581 return $debug ? $debugdata : true;
1
+ − 4582 }
+ − 4583
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4584 /**
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4585 * Merges the ACL array sent with the current permissions table, deciding precedence based on whether defaults are in effect or not.
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4586 * @param array The array to merge into the master ACL list
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4587 * @param bool If true, $perm is treated as the "new default"
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4588 * @param int 1 if this is a site-wide ACL, 2 if page-specific. Defaults to 2.
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4589 */
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4590
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4591 function acl_merge_with_current($perm, $is_everyone = false, $scope = 2)
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4592 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4593 foreach ( $this->perms as $i => $p )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4594 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4595 if ( isset($perm[$i]) )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4596 {
377
bb3e6c3bd4f4
Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
Dan
diff
changeset
+ − 4597 if ( $is_everyone && !@$this->acl_defaults_used[$i] )
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4598 continue;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4599 // Decide precedence
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4600 if ( isset($this->acl_defaults_used[$i]) )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4601 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4602 //echo "$i: default in use, overriding to: {$perm[$i]}<br />";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4603 // Defaults are in use, override
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4604 $this->perms[$i] = $perm[$i];
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4605 $this->acl_defaults_used[$i] = ( $is_everyone );
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4606 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4607 else
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4608 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4609 //echo "$i: default NOT in use";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4610 // Defaults are not in use, merge as normal
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4611 if ( $this->perms[$i] != AUTH_DENY )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4612 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4613 //echo ", but overriding";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4614 $this->perms[$i] = $perm[$i];
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4615 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4616 //echo "<br />";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4617 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4618 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4619 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4620 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 4621
1
+ − 4622 }
+ − 4623
466
+ − 4624 /**
+ − 4625 * Cron task - clears out the database of Diffie-Hellman keys
+ − 4626 */
+ − 4627
+ − 4628 function cron_clean_login_cache()
+ − 4629 {
+ − 4630 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 4631
+ − 4632 if ( !$db->sql_query('DELETE FROM ' . table_prefix . 'diffiehellman;') )
+ − 4633 $db->_die();
+ − 4634
+ − 4635 setConfig('login_key_cache', '');
+ − 4636 }
+ − 4637
+ − 4638 register_cron_task('cron_clean_login_cache', 72);
+ − 4639
480
+ − 4640 /**
+ − 4641 * Cron task - clears out outdated high-auth session keys
+ − 4642 */
+ − 4643
+ − 4644 function cron_clean_old_admin_keys()
+ − 4645 {
+ − 4646 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 4647
+ − 4648 $threshold = time() - ( 15 * 60 );
+ − 4649 $ul_member = USER_LEVEL_MEMBER;
+ − 4650 if ( !$db->sql_query('DELETE FROM ' . table_prefix . "session_keys WHERE time < $threshold AND auth_level > $ul_member;") )
+ − 4651 $db->_die();
+ − 4652 }
+ − 4653
+ − 4654 // Once a week
+ − 4655 register_cron_task('cron_clean_old_admin_keys', 168);
+ − 4656
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 4657 /**
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 4658 * Cron task - regenerate cached user rank information
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 4659 */
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 4660
573
43e7254afdb4
Renamed some functions (that were new in this release anyway) due to compatibility broken with PunBB bridge
Dan
diff
changeset
+ − 4661 register_cron_task('generate_cache_userranks', 0.25);
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 4662
1
+ − 4663 ?>