1
+ − 1 <?php
+ − 2
+ − 3 /*
+ − 4 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
411
+ − 5 * Version 1.1.2 (Caoineag alpha 2)
1
+ − 6 * Copyright (C) 2006-2007 Dan Fuhry
+ − 7 * sessions.php - everything related to security and user management
+ − 8 *
+ − 9 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
+ − 10 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+ − 11 *
+ − 12 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ − 13 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
+ − 14 */
+ − 15
+ − 16 /**
+ − 17 * Anything and everything related to security and user management. This includes AES encryption, which is illegal in some countries.
+ − 18 * Documenting the API was not easy - I hope you folks enjoy it.
+ − 19 * @package Enano
+ − 20 * @subpackage Session manager
+ − 21 * @category security, user management, logins, etc.
+ − 22 */
+ − 23
+ − 24 class sessionManager {
+ − 25
+ − 26 # Variables
+ − 27
+ − 28 /**
+ − 29 * Whether we're logged in or not
+ − 30 * @var bool
+ − 31 */
+ − 32
+ − 33 var $user_logged_in = false;
+ − 34
+ − 35 /**
+ − 36 * Our current low-privilege session key
+ − 37 * @var string
+ − 38 */
+ − 39
+ − 40 var $sid;
+ − 41
+ − 42 /**
+ − 43 * Username of currently logged-in user, or IP address if not logged in
+ − 44 * @var string
+ − 45 */
+ − 46
+ − 47 var $username;
+ − 48
+ − 49 /**
436
+ − 50 * User ID of currently logged-in user, or 1 if not logged in
1
+ − 51 * @var int
+ − 52 */
+ − 53
436
+ − 54 var $user_id = 1;
1
+ − 55
+ − 56 /**
+ − 57 * Real name of currently logged-in user, or blank if not logged in
+ − 58 * @var string
+ − 59 */
+ − 60
+ − 61 var $real_name;
+ − 62
+ − 63 /**
+ − 64 * E-mail address of currently logged-in user, or blank if not logged in
+ − 65 * @var string
+ − 66 */
+ − 67
+ − 68 var $email;
+ − 69
+ − 70 /**
31
+ − 71 * List of "extra" user information fields (IM handles, etc.)
+ − 72 * @var array (associative)
+ − 73 */
+ − 74
+ − 75 var $user_extra;
+ − 76
+ − 77 /**
1
+ − 78 * User level of current user
+ − 79 * USER_LEVEL_GUEST: guest
+ − 80 * USER_LEVEL_MEMBER: regular user
+ − 81 * USER_LEVEL_CHPREF: default - pseudo-level that allows changing password and e-mail address (requires re-authentication)
+ − 82 * USER_LEVEL_MOD: moderator
+ − 83 * USER_LEVEL_ADMIN: administrator
+ − 84 * @var int
+ − 85 */
+ − 86
+ − 87 var $user_level;
+ − 88
+ − 89 /**
+ − 90 * High-privilege session key
+ − 91 * @var string or false if not running on high-level authentication
+ − 92 */
+ − 93
+ − 94 var $sid_super;
+ − 95
+ − 96 /**
+ − 97 * The user's theme preference, defaults to $template->default_theme
+ − 98 * @var string
+ − 99 */
+ − 100
+ − 101 var $theme;
+ − 102
+ − 103 /**
+ − 104 * The user's style preference, or style auto-detected based on theme if not logged in
+ − 105 * @var string
+ − 106 */
+ − 107
+ − 108 var $style;
+ − 109
+ − 110 /**
+ − 111 * Signature of current user - appended to comments, etc.
+ − 112 * @var string
+ − 113 */
+ − 114
+ − 115 var $signature;
+ − 116
+ − 117 /**
+ − 118 * UNIX timestamp of when we were registered, or 0 if not logged in
+ − 119 * @var int
+ − 120 */
+ − 121
+ − 122 var $reg_time;
+ − 123
+ − 124 /**
+ − 125 * MD5 hash of the current user's password, if applicable
+ − 126 * @var string OR bool false
+ − 127 */
+ − 128
+ − 129 var $password_hash;
+ − 130
+ − 131 /**
+ − 132 * The number of unread private messages this user has.
+ − 133 * @var int
+ − 134 */
+ − 135
+ − 136 var $unread_pms = 0;
+ − 137
+ − 138 /**
+ − 139 * AES key used to encrypt passwords and session key info - irreversibly destroyed when disallow_password_grab() is called
+ − 140 * @var string
+ − 141 */
+ − 142
+ − 143 var $private_key;
+ − 144
+ − 145 /**
+ − 146 * Regex that defines a valid username, minus the ^ and $, these are added later
+ − 147 * @var string
+ − 148 */
+ − 149
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 150 var $valid_username = '([^<>&\?\'"%\n\r\t\a\/]+)';
1
+ − 151
+ − 152 /**
+ − 153 * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
+ − 154 * @var string
+ − 155 */
+ − 156
436
+ − 157 var $auth_level = 1;
1
+ − 158
+ − 159 /**
+ − 160 * State variable to track if a session timed out
+ − 161 * @var bool
+ − 162 */
+ − 163
+ − 164 var $sw_timed_out = false;
+ − 165
+ − 166 /**
+ − 167 * Switch to track if we're started or not.
+ − 168 * @access private
+ − 169 * @var bool
+ − 170 */
+ − 171
+ − 172 var $started = false;
+ − 173
+ − 174 /**
+ − 175 * Switch to control compatibility mode (for older Enano websites being upgraded)
+ − 176 * @access private
+ − 177 * @var bool
+ − 178 */
+ − 179
+ − 180 var $compat = false;
+ − 181
+ − 182 /**
+ − 183 * Our list of permission types.
+ − 184 * @access private
+ − 185 * @var array
+ − 186 */
+ − 187
+ − 188 var $acl_types = Array();
+ − 189
+ − 190 /**
+ − 191 * The list of descriptions for the permission types
+ − 192 * @var array
+ − 193 */
+ − 194
+ − 195 var $acl_descs = Array();
+ − 196
+ − 197 /**
+ − 198 * A list of dependencies for ACL types.
+ − 199 * @var array
+ − 200 */
+ − 201
+ − 202 var $acl_deps = Array();
+ − 203
+ − 204 /**
246
+ − 205 * Our tell-all list of permissions. Do not even try to change this.
+ − 206 * @access private
1
+ − 207 * @var array
+ − 208 */
+ − 209
+ − 210 var $perms = Array();
+ − 211
+ − 212 /**
+ − 213 * A cache variable - saved after sitewide permissions are checked but before page-specific permissions.
+ − 214 * @var array
+ − 215 * @access private
+ − 216 */
+ − 217
+ − 218 var $acl_base_cache = Array();
+ − 219
+ − 220 /**
+ − 221 * Stores the scope information for ACL types.
+ − 222 * @var array
+ − 223 * @access private
+ − 224 */
+ − 225
+ − 226 var $acl_scope = Array();
+ − 227
+ − 228 /**
+ − 229 * Array to track which default permissions are being used
+ − 230 * @var array
+ − 231 * @access private
+ − 232 */
+ − 233
+ − 234 var $acl_defaults_used = Array();
+ − 235
+ − 236 /**
+ − 237 * Array to track group membership.
+ − 238 * @var array
+ − 239 */
+ − 240
+ − 241 var $groups = Array();
+ − 242
+ − 243 /**
+ − 244 * Associative array to track group modship.
+ − 245 * @var array
+ − 246 */
+ − 247
+ − 248 var $group_mod = Array();
+ − 249
+ − 250 # Basic functions
+ − 251
+ − 252 /**
+ − 253 * Constructor.
+ − 254 */
+ − 255
+ − 256 function __construct()
+ − 257 {
+ − 258 global $db, $session, $paths, $template, $plugins; // Common objects
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 259
289
2b60c89dc27f
Fixed a few major bugs with the upgrade script and the config file not getting loaded properly due to IN_ENANO_INSTALL
Dan
diff
changeset
+ − 260 if ( defined('IN_ENANO_INSTALL') && !defined('IN_ENANO_UPGRADE') )
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 261 {
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 262 @include(ENANO_ROOT.'/config.new.php');
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 263 }
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 264 else
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 265 {
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 266 @include(ENANO_ROOT.'/config.php');
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 267 }
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
diff
changeset
+ − 268
1
+ − 269 unset($dbhost, $dbname, $dbuser, $dbpasswd);
+ − 270 if(isset($crypto_key))
+ − 271 {
+ − 272 $this->private_key = $crypto_key;
+ − 273 $this->private_key = hexdecode($this->private_key);
+ − 274 }
+ − 275 else
+ − 276 {
+ − 277 if(is_writable(ENANO_ROOT.'/config.php'))
+ − 278 {
+ − 279 // Generate and stash a private key
+ − 280 // This should only happen during an automated silent gradual migration to the new encryption platform.
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 281 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 282 $this->private_key = $aes->gen_readymade_key();
+ − 283
+ − 284 $config = file_get_contents(ENANO_ROOT.'/config.php');
+ − 285 if(!$config)
+ − 286 {
+ − 287 die('$session->__construct(): can\'t get the contents of config.php');
+ − 288 }
+ − 289
+ − 290 $config = str_replace("?>", "\$crypto_key = '{$this->private_key}';\n?>", $config);
+ − 291 // And while we're at it...
+ − 292 $config = str_replace('MIDGET_INSTALLED', 'ENANO_INSTALLED', $config);
+ − 293 $fh = @fopen(ENANO_ROOT.'/config.php', 'w');
+ − 294 if ( !$fh )
+ − 295 {
+ − 296 die('$session->__construct(): Couldn\'t open config file for writing to store the private key, I tried to avoid something like this...');
+ − 297 }
+ − 298
+ − 299 fwrite($fh, $config);
+ − 300 fclose($fh);
+ − 301 }
+ − 302 else
+ − 303 {
+ − 304 die_semicritical('Crypto error', '<p>No private key was found in the config file, and we can\'t generate one because we don\'t have write access to the config file. Please CHMOD config.php to 666 or 777 and reload this page.</p>');
+ − 305 }
+ − 306 }
+ − 307 // Check for compatibility mode
+ − 308 if(defined('IN_ENANO_INSTALL'))
+ − 309 {
+ − 310 $q = $db->sql_query('SELECT old_encryption FROM '.table_prefix.'users LIMIT 1;');
+ − 311 if(!$q)
+ − 312 {
+ − 313 $error = mysql_error();
+ − 314 if(strstr($error, "Unknown column 'old_encryption'"))
+ − 315 $this->compat = true;
+ − 316 else
+ − 317 $db->_die('This should never happen and is a bug - the only error that was supposed to happen here didn\'t happen. (sessions.php in constructor, during compat mode check)');
+ − 318 }
+ − 319 $db->free_result();
+ − 320 }
+ − 321 }
+ − 322
+ − 323 /**
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 324 * PHP 4 compatible constructor. Deprecated in 1.1.x.
1
+ − 325 */
+ − 326
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 327 /*
1
+ − 328 function sessionManager()
+ − 329 {
+ − 330 $this->__construct();
+ − 331 }
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 332 */
1
+ − 333
+ − 334 /**
+ − 335 * Wrapper function to sanitize strings for MySQL and HTML
+ − 336 * @param string $text The text to sanitize
+ − 337 * @return string
+ − 338 */
+ − 339
+ − 340 function prepare_text($text)
+ − 341 {
+ − 342 global $db;
+ − 343 return $db->escape(htmlspecialchars($text));
+ − 344 }
+ − 345
+ − 346 /**
+ − 347 * Makes a SQL query and handles error checking
+ − 348 * @param string $query The SQL query to make
+ − 349 * @return resource
+ − 350 */
+ − 351
+ − 352 function sql($query)
+ − 353 {
+ − 354 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 355 $result = $db->sql_query($query);
+ − 356 if(!$result)
+ − 357 {
+ − 358 $db->_die('The error seems to have occurred somewhere in the session management code.');
+ − 359 }
+ − 360 return $result;
+ − 361 }
+ − 362
+ − 363 # Session restoration and permissions
+ − 364
+ − 365 /**
+ − 366 * Initializes the basic state of things, including most user prefs, login data, cookie stuff
+ − 367 */
+ − 368
+ − 369 function start()
+ − 370 {
+ − 371 global $db, $session, $paths, $template, $plugins; // Common objects
209
+ − 372 global $lang;
406
+ − 373 global $timezone;
1
+ − 374 if($this->started) return;
+ − 375 $this->started = true;
+ − 376 $user = false;
+ − 377 if(isset($_COOKIE['sid']))
+ − 378 {
+ − 379 if($this->compat)
+ − 380 {
+ − 381 $userdata = $this->compat_validate_session($_COOKIE['sid']);
+ − 382 }
+ − 383 else
+ − 384 {
+ − 385 $userdata = $this->validate_session($_COOKIE['sid']);
+ − 386 }
+ − 387 if(is_array($userdata))
+ − 388 {
+ − 389 $data = RenderMan::strToPageID($paths->get_pageid_from_url());
+ − 390
+ − 391 if(!$this->compat && $userdata['account_active'] != 1 && $data[1] != 'Special' && $data[1] != 'Admin')
+ − 392 {
209
+ − 393 $language = intval(getConfig('default_language'));
+ − 394 $lang = new Language($language);
406
+ − 395 @setlocale(LC_ALL, $lang->lang_code);
209
+ − 396
1
+ − 397 $this->logout();
+ − 398 $a = getConfig('account_activation');
+ − 399 switch($a)
+ − 400 {
+ − 401 case 'none':
+ − 402 default:
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 403 $solution = $lang->get('user_login_noact_solution_none');
1
+ − 404 break;
+ − 405 case 'user':
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 406 $solution = $lang->get('user_login_noact_solution_user');
1
+ − 407 break;
+ − 408 case 'admin':
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 409 $solution = $lang->get('user_login_noact_solution_admin');
1
+ − 410 break;
+ − 411 }
127
+ − 412
+ − 413 // admin activation request opportunity
+ − 414 $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'logs WHERE log_type=\'admin\' AND action=\'activ_req\' AND edit_summary=\'' . $db->escape($userdata['username']) . '\';');
+ − 415 if ( !$q )
+ − 416 $db->_die();
+ − 417
+ − 418 $can_request = ( $db->numrows() < 1 );
+ − 419 $db->free_result();
+ − 420
+ − 421 if ( isset($_POST['logout']) )
+ − 422 {
+ − 423 $this->sid = $_COOKIE['sid'];
+ − 424 $this->user_logged_in = true;
+ − 425 $this->user_id = intval($userdata['user_id']);
+ − 426 $this->username = $userdata['username'];
+ − 427 $this->auth_level = USER_LEVEL_MEMBER;
+ − 428 $this->user_level = USER_LEVEL_MEMBER;
+ − 429 $this->logout();
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 430 redirect(scriptPath . '/', $lang->get('user_login_noact_msg_logout_success_title'), $lang->get('user_login_noact_msg_logout_success_body'), 5);
127
+ − 431 }
+ − 432
+ − 433 if ( $can_request && !isset($_POST['activation_request']) )
+ − 434 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 435 $form = '<p>' . $lang->get('user_login_noact_msg_ask_admins') . '</p>
127
+ − 436 <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 437 <p><input type="submit" name="activation_request" value="' . $lang->get('user_login_noact_btn_request_activation') . '" /> <input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
127
+ − 438 </form>';
+ − 439 }
+ − 440 else
+ − 441 {
+ − 442 if ( $can_request && isset($_POST['activation_request']) )
+ − 443 {
+ − 444 $this->admin_activation_request($userdata['username']);
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 445 $form = '<p>' . $lang->get('user_login_noact_msg_admins_just_asked') . '</p>
127
+ − 446 <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 447 <p><input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
127
+ − 448 </form>';
+ − 449 }
+ − 450 else
+ − 451 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 452 $form = '<p>' . $lang->get('user_login_noact_msg_admins_asked') . '</p>
127
+ − 453 <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 454 <p><input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
127
+ − 455 </form>';
+ − 456 }
+ − 457 }
+ − 458
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 459 die_semicritical($lang->get('user_login_noact_title'), '<p>' . $lang->get('user_login_noact_msg_intro') . ' '.$solution.'</p>' . $form);
1
+ − 460 }
+ − 461
+ − 462 $this->sid = $_COOKIE['sid'];
+ − 463 $this->user_logged_in = true;
+ − 464 $this->user_id = intval($userdata['user_id']);
+ − 465 $this->username = $userdata['username'];
+ − 466 $this->password_hash = $userdata['password'];
+ − 467 $this->user_level = intval($userdata['user_level']);
+ − 468 $this->real_name = $userdata['real_name'];
+ − 469 $this->email = $userdata['email'];
+ − 470 $this->unread_pms = $userdata['num_pms'];
+ − 471 if(!$this->compat)
+ − 472 {
+ − 473 $this->theme = $userdata['theme'];
+ − 474 $this->style = $userdata['style'];
+ − 475 $this->signature = $userdata['signature'];
+ − 476 $this->reg_time = $userdata['reg_time'];
+ − 477 }
436
+ − 478 $this->auth_level = USER_LEVEL_MEMBER;
1
+ − 479 if(!isset($template->named_theme_list[$this->theme]))
+ − 480 {
+ − 481 if($this->compat || !is_object($template))
+ − 482 {
+ − 483 $this->theme = 'oxygen';
+ − 484 $this->style = 'bleu';
+ − 485 }
+ − 486 else
+ − 487 {
+ − 488 $this->theme = $template->default_theme;
+ − 489 $this->style = $template->default_style;
+ − 490 }
+ − 491 }
+ − 492 $user = true;
406
+ − 493 $GLOBALS['timezone'] = $userdata['user_timezone'];
1
+ − 494
209
+ − 495 // Set language
+ − 496 if ( !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ − 497 {
+ − 498 $lang_id = intval($userdata['user_lang']);
+ − 499 $lang = new Language($lang_id);
406
+ − 500 @setlocale(LC_ALL, $lang->lang_code);
209
+ − 501 }
1
+ − 502
+ − 503 if(isset($_REQUEST['auth']) && !$this->sid_super)
+ − 504 {
+ − 505 // Now he thinks he's a moderator. Or maybe even an administrator. Let's find out if he's telling the truth.
+ − 506 if($this->compat)
+ − 507 {
+ − 508 $key = $_REQUEST['auth'];
+ − 509 $super = $this->compat_validate_session($key);
+ − 510 }
+ − 511 else
+ − 512 {
+ − 513 $key = strrev($_REQUEST['auth']);
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 514 if ( !empty($key) && ( strlen($key) / 2 ) % 4 == 0 )
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 515 {
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 516 $super = $this->validate_session($key);
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 517 }
1
+ − 518 }
+ − 519 if(is_array($super))
+ − 520 {
+ − 521 $this->auth_level = intval($super['auth_level']);
+ − 522 $this->sid_super = $_REQUEST['auth'];
+ − 523 }
+ − 524 }
+ − 525 }
+ − 526 }
+ − 527 if(!$user)
+ − 528 {
+ − 529 //exit;
+ − 530 $this->register_guest_session();
+ − 531 }
+ − 532 if(!$this->compat)
+ − 533 {
+ − 534 // init groups
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 535 $q = $this->sql('SELECT g.group_name,g.group_id,m.is_mod FROM '.table_prefix.'groups AS g' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 536 . ' LEFT JOIN '.table_prefix.'group_members AS m' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 537 . ' ON g.group_id=m.group_id' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 538 . ' WHERE ( m.user_id='.$this->user_id.'' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 539 . ' OR g.group_name=\'Everyone\')' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 540 . ' ' . ( enano_version() == '1.0RC1' ? '' : 'AND ( m.pending != 1 OR m.pending IS NULL )' ) . '' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 541 . ' ORDER BY group_id ASC;'); // Make sure "Everyone" comes first so the permissions can be overridden
1
+ − 542 if($row = $db->fetchrow())
+ − 543 {
+ − 544 do {
+ − 545 $this->groups[$row['group_id']] = $row['group_name'];
+ − 546 $this->group_mod[$row['group_id']] = ( intval($row['is_mod']) == 1 );
+ − 547 } while($row = $db->fetchrow());
+ − 548 }
+ − 549 else
+ − 550 {
+ − 551 die('No group info');
+ − 552 }
+ − 553 }
+ − 554 $this->check_banlist();
+ − 555
+ − 556 if ( isset ( $_GET['printable'] ) )
+ − 557 {
+ − 558 $this->theme = 'printable';
+ − 559 $this->style = 'default';
+ − 560 }
+ − 561
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 562 profiler_log('Sessions started');
1
+ − 563 }
+ − 564
+ − 565 # Logins
+ − 566
+ − 567 /**
+ − 568 * Attempts to perform a login using crypto functions
+ − 569 * @param string $username The username
+ − 570 * @param string $aes_data The encrypted password, hex-encoded
+ − 571 * @param string $aes_key The MD5 hash of the encryption key, hex-encoded
+ − 572 * @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt
+ − 573 * @param int $level The privilege level we're authenticating for, defaults to 0
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 574 * @param array $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code.
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 575 * @param array $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered.
436
+ − 576 * @param bool $lookup_key Optional. If true (default) this queries the database for the "real" encryption key. Else, uses what is given.
1
+ − 577 * @return string 'success' on success, or error string on failure
+ − 578 */
+ − 579
436
+ − 580 function login_with_crypto($username, $aes_data, $aes_key_id, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false, $lookup_key = true)
1
+ − 581 {
+ − 582 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 583
+ − 584 $privcache = $this->private_key;
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 585
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 586 if ( !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 587 {
436
+ − 588 $timestamp_cutoff = time() - $duration;
+ − 589 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ − 590 $fails = $db->numrows();
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 591 // Lockout stuff
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 592 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 593 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 594 // convert to minutes
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 595 $duration = $duration * 60;
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 596 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 597 if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 598 {
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 599 // policy is captcha -- check if it's correct, and if so, bypass lockout check
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 600 $real_code = $this->get_captcha($captcha_hash);
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 601 }
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 602 if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && strtolower($real_code) == strtolower($captcha_code) ) )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 603 {
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 604 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
182
c69730750be3
Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threashold) and patched up some...erm... math issues
Dan
diff
changeset
+ − 605 if ( $fails >= $threshold )
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 606 {
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 607 // ooh boy, somebody's in trouble ;-)
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 608 $row = $db->fetchrow();
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 609 $db->free_result();
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 610 return array(
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 611 'success' => false,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 612 'error' => 'locked_out',
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 613 'lockout_threshold' => $threshold,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 614 'lockout_duration' => ( $duration / 60 ),
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 615 'lockout_fails' => $fails,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 616 'lockout_policy' => $policy,
182
c69730750be3
Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threashold) and patched up some...erm... math issues
Dan
diff
changeset
+ − 617 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 618 'lockout_last_time' => $row['timestamp']
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 619 );
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 620 }
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 621 }
436
+ − 622 $db->free_result();
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 623 }
1
+ − 624
+ − 625 // Instanciate the Rijndael encryption object
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 626 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 627
+ − 628 // Fetch our decryption key
+ − 629
436
+ − 630 if ( $lookup_key )
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 631 {
436
+ − 632 $aes_key = $this->fetch_public_key($aes_key_id);
+ − 633 if ( !$aes_key )
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 634 {
436
+ − 635 // It could be that our key cache is full. If it seems larger than 65KB, clear it
+ − 636 if ( strlen(getConfig('login_key_cache')) > 65000 )
+ − 637 {
+ − 638 setConfig('login_key_cache', '');
+ − 639 return array(
+ − 640 'success' => false,
+ − 641 'error' => 'key_not_found_cleared',
+ − 642 );
+ − 643 }
304
+ − 644 return array(
+ − 645 'success' => false,
436
+ − 646 'error' => 'key_not_found'
304
+ − 647 );
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 648 }
436
+ − 649 }
+ − 650 else
+ − 651 {
+ − 652 $aes_key =& $aes_key_id;
292
b3cfaf0a505c
Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
Dan
diff
changeset
+ − 653 }
1
+ − 654
+ − 655 // Convert the key to a binary string
+ − 656 $bin_key = hexdecode($aes_key);
+ − 657
+ − 658 if(strlen($bin_key) != AES_BITS / 8)
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 659 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 660 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 661 'error' => 'key_wrong_length'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 662 );
1
+ − 663
+ − 664 // Decrypt our password
+ − 665 $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX);
+ − 666
+ − 667 // Initialize our success switch
+ − 668 $success = false;
+ − 669
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 670 // Escaped username
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 671 $username = str_replace('_', ' ', $username);
135
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 672 $db_username_lower = $this->prepare_text(strtolower($username));
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 673 $db_username = $this->prepare_text($username);
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 674
1
+ − 675 // Select the user data from the table, and decrypt that so we can verify the password
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 676 $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
1
+ − 677 if($db->numrows() < 1)
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 678 {
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 679 // This wasn't logged in <1.0.2, dunno how it slipped through
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 680 if($level > USER_LEVEL_MEMBER)
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 681 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 682 else
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 683 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 684
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 685 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 686 {
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 687 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 688 // increment fail count
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 689 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', ' . time() . ', \'credential\');');
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 690 $fails++;
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 691 // ooh boy, somebody's in trouble ;-)
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 692 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 693 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 694 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 695 'lockout_threshold' => $threshold,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 696 'lockout_duration' => ( $duration / 60 ),
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 697 'lockout_fails' => $fails,
182
c69730750be3
Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threashold) and patched up some...erm... math issues
Dan
diff
changeset
+ − 698 'time_rem' => ( $duration / 60 ),
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 699 'lockout_policy' => $policy
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 700 );
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 701 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 702
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 703 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 704 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 705 'error' => 'invalid_credentials'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 706 );
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 707 }
1
+ − 708 $row = $db->fetchrow();
+ − 709
+ − 710 // Check to see if we're logging in using a temporary password
+ − 711
+ − 712 if((intval($row['temp_password_time']) + 3600*24) > time() )
+ − 713 {
+ − 714 $temp_pass = $aes->decrypt( $row['temp_password'], $this->private_key, ENC_HEX );
+ − 715 if( $temp_pass == $password )
+ − 716 {
+ − 717 $url = makeUrlComplete('Special', 'PasswordReset/stage2/' . $row['user_id'] . '/' . $row['temp_password']);
+ − 718
+ − 719 $code = $plugins->setHook('login_password_reset');
+ − 720 foreach ( $code as $cmd )
+ − 721 {
+ − 722 eval($cmd);
+ − 723 }
+ − 724
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 725 redirect($url, '', '', 0);
1
+ − 726 exit;
+ − 727 }
+ − 728 }
+ − 729
+ − 730 if($row['old_encryption'] == 1)
+ − 731 {
+ − 732 // The user's password is stored using the obsolete and insecure MD5 algorithm, so we'll update the field with the new password
+ − 733 if(md5($password) == $row['password'])
+ − 734 {
+ − 735 $pass_stashed = $aes->encrypt($password, $this->private_key, ENC_HEX);
+ − 736 $this->sql('UPDATE '.table_prefix.'users SET password=\''.$pass_stashed.'\',old_encryption=0 WHERE user_id='.$row['user_id'].';');
+ − 737 $success = true;
+ − 738 }
+ − 739 }
+ − 740 else
+ − 741 {
+ − 742 // Our password field is up-to-date with the >=1.0RC1 encryption standards, so decrypt the password in the table and see if we have a match; if so then do challenge authentication
+ − 743 $real_pass = $aes->decrypt(hexdecode($row['password']), $this->private_key, ENC_BINARY);
436
+ − 744 if($password === $real_pass && is_string($password))
1
+ − 745 {
436
+ − 746 // Yay! We passed AES authentication. Previously an MD5 challenge was done here, this was deemed redundant in 1.1.3.
+ − 747 // It didn't seem to provide any additional security...
+ − 748 $success = true;
1
+ − 749 }
+ − 750 }
+ − 751 if($success)
+ − 752 {
+ − 753 if($level > $row['user_level'])
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 754 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 755 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 756 'error' => 'too_big_for_britches'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 757 );
436
+ − 758
+ − 759 /*
+ − 760 return array(
+ − 761 'success' => false,
+ − 762 'error' => 'Successful authentication, but session manager is in debug mode - remove the "return array(...);" in includes/sessions.php:' . ( __LINE__ - 2 )
+ − 763 );
+ − 764 */
1
+ − 765
+ − 766 $sess = $this->register_session(intval($row['user_id']), $username, $password, $level);
+ − 767 if($sess)
+ − 768 {
+ − 769 $this->username = $username;
+ − 770 $this->user_id = intval($row['user_id']);
+ − 771 $this->theme = $row['theme'];
+ − 772 $this->style = $row['style'];
+ − 773
+ − 774 if($level > USER_LEVEL_MEMBER)
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 775 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
1
+ − 776 else
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 777 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
1
+ − 778
+ − 779 $code = $plugins->setHook('login_success');
+ − 780 foreach ( $code as $cmd )
+ − 781 {
+ − 782 eval($cmd);
+ − 783 }
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 784 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 785 'success' => true
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 786 );
1
+ − 787 }
+ − 788 else
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 789 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 790 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 791 'error' => 'backend_fail'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 792 );
1
+ − 793 }
+ − 794 else
+ − 795 {
+ − 796 if($level > USER_LEVEL_MEMBER)
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 797 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
1
+ − 798 else
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 799 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
1
+ − 800
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 801 // Do we also need to increment the lockout countdown?
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 802 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 803 {
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 804 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 805 // increment fail count
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 806 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', ' . time() . ', \'credential\');');
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 807 $fails++;
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 808 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 809 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 810 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 811 'lockout_threshold' => $threshold,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 812 'lockout_duration' => ( $duration / 60 ),
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 813 'lockout_fails' => $fails,
182
c69730750be3
Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threashold) and patched up some...erm... math issues
Dan
diff
changeset
+ − 814 'time_rem' => ( $duration / 60 ),
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 815 'lockout_policy' => $policy
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 816 );
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 817 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 818
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 819 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 820 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 821 'error' => 'invalid_credentials'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 822 );
1
+ − 823 }
+ − 824 }
+ − 825
+ − 826 /**
+ − 827 * Attempts to login without using crypto stuff, mainly for use when the other side doesn't like Javascript
+ − 828 * This method of authentication is inherently insecure, there's really nothing we can do about it except hope and pray that everyone moves to Firefox
+ − 829 * Technically it still uses crypto, but it only decrypts the password already stored, which is (obviously) required for authentication
+ − 830 * @param string $username The username
+ − 831 * @param string $password The password -OR- the MD5 hash of the password if $already_md5ed is true
+ − 832 * @param bool $already_md5ed This should be set to true if $password is an MD5 hash, and should be false if it's plaintext. Defaults to false.
+ − 833 * @param int $level The privilege level we're authenticating for, defaults to 0
+ − 834 */
+ − 835
436
+ − 836 function login_without_crypto($username, $password, $already_md5ed = false, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
1
+ − 837 {
+ − 838 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 839
+ − 840 $pass_hashed = ( $already_md5ed ) ? $password : md5($password);
+ − 841
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 842 // Replace underscores with spaces in username
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 843 // (Added in 1.0.2)
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 844 $username = str_replace('_', ' ', $username);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 845
1
+ − 846 // Perhaps we're upgrading Enano?
+ − 847 if($this->compat)
+ − 848 {
+ − 849 return $this->login_compat($username, $pass_hashed, $level);
+ − 850 }
+ − 851
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 852 if ( !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 853 {
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 854 // Lockout stuff
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 855 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 856 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 857 // convert to minutes
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 858 $duration = $duration * 60;
436
+ − 859
+ − 860 // get the lockout status
+ − 861 $timestamp_cutoff = time() - $duration;
+ − 862 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ − 863 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ − 864 $fails = $db->numrows();
+ − 865
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 866 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
436
+ − 867 $captcha_good = false;
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 868 if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 869 {
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 870 // policy is captcha -- check if it's correct, and if so, bypass lockout check
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 871 $real_code = $this->get_captcha($captcha_hash);
436
+ − 872 $captcha_good = ( strtolower($real_code) === strtolower($captcha_code) );
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 873 }
436
+ − 874 if ( $policy != 'disable' && !$captcha_good )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 875 {
436
+ − 876 if ( $fails >= $threshold )
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 877 {
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 878 // ooh boy, somebody's in trouble ;-)
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 879 $row = $db->fetchrow();
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 880 $db->free_result();
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 881 return array(
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 882 'success' => false,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 883 'error' => 'locked_out',
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 884 'lockout_threshold' => $threshold,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 885 'lockout_duration' => ( $duration / 60 ),
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 886 'lockout_fails' => $fails,
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 887 'lockout_policy' => $policy,
436
+ − 888 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 889 'lockout_last_time' => $row['timestamp']
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 890 );
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 891 }
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 892 }
436
+ − 893 $db->free_result();
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 894 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 895
1
+ − 896 // Instanciate the Rijndael encryption object
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 897 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 898
+ − 899 // Initialize our success switch
+ − 900 $success = false;
+ − 901
+ − 902 // Retrieve the real password from the database
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 903 $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.$this->prepare_text(strtolower($username)).'\';');
1
+ − 904 if($db->numrows() < 1)
188
+ − 905 {
+ − 906 // This wasn't logged in <1.0.2, dunno how it slipped through
+ − 907 if($level > USER_LEVEL_MEMBER)
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 908 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
188
+ − 909 else
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 910 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 911
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 912 // Do we also need to increment the lockout countdown?
377
bb3e6c3bd4f4
Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
Dan
diff
changeset
+ − 913 if ( @$policy != 'disable' && !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 914 {
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 915 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 916 // increment fail count
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 917 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', ' . time() . ', \'credential\');');
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 918 $fails++;
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 919 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 920 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 921 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 922 'lockout_threshold' => $threshold,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 923 'lockout_duration' => ( $duration / 60 ),
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 924 'lockout_fails' => $fails,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 925 'lockout_policy' => $policy
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 926 );
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 927 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 928
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 929 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 930 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 931 'error' => 'invalid_credentials'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 932 );
188
+ − 933 }
1
+ − 934 $row = $db->fetchrow();
+ − 935
+ − 936 // Check to see if we're logging in using a temporary password
+ − 937
+ − 938 if((intval($row['temp_password_time']) + 3600*24) > time() )
+ − 939 {
+ − 940 $temp_pass = $aes->decrypt( $row['temp_password'], $this->private_key, ENC_HEX );
+ − 941 if( md5($temp_pass) == $pass_hashed )
+ − 942 {
+ − 943 $code = $plugins->setHook('login_password_reset');
+ − 944 foreach ( $code as $cmd )
+ − 945 {
+ − 946 eval($cmd);
+ − 947 }
+ − 948
+ − 949 header('Location: ' . makeUrlComplete('Special', 'PasswordReset/stage2/' . $row['user_id'] . '/' . $row['temp_password']) );
+ − 950
+ − 951 exit;
+ − 952 }
+ − 953 }
+ − 954
+ − 955 if($row['old_encryption'] == 1)
+ − 956 {
+ − 957 // The user's password is stored using the obsolete and insecure MD5 algorithm - we'll update the field with the new password
+ − 958 if($pass_hashed == $row['password'] && !$already_md5ed)
+ − 959 {
+ − 960 $pass_stashed = $aes->encrypt($password, $this->private_key, ENC_HEX);
+ − 961 $this->sql('UPDATE '.table_prefix.'users SET password=\''.$pass_stashed.'\',old_encryption=0 WHERE user_id='.$row['user_id'].';');
+ − 962 $success = true;
+ − 963 }
+ − 964 elseif($pass_hashed == $row['password'] && $already_md5ed)
+ − 965 {
+ − 966 // We don't have the real password so don't bother with encrypting it, just call it success and get out of here
+ − 967 $success = true;
+ − 968 }
+ − 969 }
+ − 970 else
+ − 971 {
+ − 972 // Our password field is up-to-date with the >=1.0RC1 encryption standards, so decrypt the password in the table and see if we have a match
+ − 973 $real_pass = $aes->decrypt($row['password'], $this->private_key);
+ − 974 if($pass_hashed == md5($real_pass))
+ − 975 {
+ − 976 $success = true;
+ − 977 }
+ − 978 }
+ − 979 if($success)
+ − 980 {
+ − 981 if((int)$level > (int)$row['user_level'])
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 982 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 983 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 984 'error' => 'too_big_for_britches'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 985 );
1
+ − 986 $sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level);
+ − 987 if($sess)
+ − 988 {
+ − 989 if($level > USER_LEVEL_MEMBER)
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 990 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
1
+ − 991 else
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 992 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
1
+ − 993
+ − 994 $code = $plugins->setHook('login_success');
+ − 995 foreach ( $code as $cmd )
+ − 996 {
+ − 997 eval($cmd);
+ − 998 }
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 999
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1000 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1001 'success' => true
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1002 );
1
+ − 1003 }
+ − 1004 else
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1005 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1006 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1007 'error' => 'backend_fail'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1008 );
1
+ − 1009 }
+ − 1010 else
+ − 1011 {
+ − 1012 if($level > USER_LEVEL_MEMBER)
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 1013 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
1
+ − 1014 else
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 1015 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
1
+ − 1016
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1017 // Do we also need to increment the lockout countdown?
181
06bdbdfec160
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
Dan
diff
changeset
+ − 1018 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1019 {
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1020 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1021 // increment fail count
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 1022 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', ' . time() . ', \'credential\');');
179
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1023 $fails++;
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1024 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1025 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1026 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1027 'lockout_threshold' => $threshold,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1028 'lockout_duration' => ( $duration / 60 ),
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1029 'lockout_fails' => $fails,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1030 'lockout_policy' => $policy
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1031 );
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1032 }
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1033
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1034 return array(
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1035 'success' => false,
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1036 'error' => 'invalid_credentials'
36b287f1d85c
[F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
Dan
diff
changeset
+ − 1037 );
1
+ − 1038 }
+ − 1039 }
+ − 1040
+ − 1041 /**
+ − 1042 * Attempts to log in using the old table structure and algorithm.
+ − 1043 * @param string $username
+ − 1044 * @param string $password This should be an MD5 hash
+ − 1045 * @return string 'success' if successful, or error message on failure
+ − 1046 */
+ − 1047
+ − 1048 function login_compat($username, $password, $level = 0)
+ − 1049 {
+ − 1050 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1051 $pass_hashed =& $password;
+ − 1052 $this->sql('SELECT password,user_id,user_level FROM '.table_prefix.'users WHERE username=\''.$this->prepare_text($username).'\';');
+ − 1053 if($db->numrows() < 1)
+ − 1054 return 'The username and/or password is incorrect.';
+ − 1055 $row = $db->fetchrow();
+ − 1056 if($row['password'] == $password)
+ − 1057 {
+ − 1058 if((int)$level > (int)$row['user_level'])
+ − 1059 return 'You are not authorized for this level of access.';
+ − 1060 $sess = $this->register_session_compat(intval($row['user_id']), $username, $password, $level);
+ − 1061 if($sess)
+ − 1062 return 'success';
+ − 1063 else
+ − 1064 return 'Your login credentials were correct, but an internal error occured while registering the session key in the database.';
+ − 1065 }
+ − 1066 else
+ − 1067 {
+ − 1068 return 'The username and/or password is incorrect.';
+ − 1069 }
+ − 1070 }
+ − 1071
+ − 1072 /**
+ − 1073 * Registers a session key in the database. This function *ASSUMES* that the username and password have already been validated!
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1074 * Basically the session key is a hex-encoded cookie (encrypted with the site's private key) that says "u=[username];p=[sha1 of password];s=[unique key id]"
1
+ − 1075 * @param int $user_id
+ − 1076 * @param string $username
+ − 1077 * @param string $password
+ − 1078 * @param int $level The level of access to grant, defaults to USER_LEVEL_MEMBER
+ − 1079 * @return bool
+ − 1080 */
+ − 1081
+ − 1082 function register_session($user_id, $username, $password, $level = USER_LEVEL_MEMBER)
+ − 1083 {
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1084 // Random key identifier
1
+ − 1085 $salt = md5(microtime() . mt_rand());
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1086
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1087 // SHA1 hash of password, stored in the key
1
+ − 1088 $passha1 = sha1($password);
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1089
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1090 // Unencrypted session key
1
+ − 1091 $session_key = "u=$username;p=$passha1;s=$salt";
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1092
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1093 // Encrypt the key
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1094 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1095 $session_key = $aes->encrypt($session_key, $this->private_key, ENC_HEX);
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1096
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1097 // If we're registering an elevated-privilege key, it needs to be on GET
1
+ − 1098 if($level > USER_LEVEL_MEMBER)
+ − 1099 {
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1100 // Reverse it - cosmetic only ;-)
1
+ − 1101 $hexkey = strrev($session_key);
+ − 1102 $this->sid_super = $hexkey;
+ − 1103 $_GET['auth'] = $hexkey;
+ − 1104 }
+ − 1105 else
+ − 1106 {
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1107 // Stash it in a cookie
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1108 // For now, make the cookie last forever, we can change this in 1.1.x
259
+ − 1109 setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/', null, ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ) );
1
+ − 1110 $_COOKIE['sid'] = $session_key;
+ − 1111 }
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1112 // $keyhash is stored in the database, this is for compatibility with the older DB structure
1
+ − 1113 $keyhash = md5($session_key);
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1114 // Record the user's IP
1
+ − 1115 $ip = ip2hex($_SERVER['REMOTE_ADDR']);
+ − 1116 if(!$ip)
+ − 1117 die('$session->register_session: Remote-Addr was spoofed');
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1118 // The time needs to be stashed to enforce the 15-minute limit on elevated session keys
1
+ − 1119 $time = time();
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1120
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1121 // Sanity check
1
+ − 1122 if(!is_int($user_id))
+ − 1123 die('Somehow an SQL injection attempt crawled into our session registrar! (1)');
+ − 1124 if(!is_int($level))
+ − 1125 die('Somehow an SQL injection attempt crawled into our session registrar! (2)');
+ − 1126
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 1127 // All done!
1
+ − 1128 $query = $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$keyhash.'\', \''.$salt.'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');');
+ − 1129 return true;
+ − 1130 }
+ − 1131
+ − 1132 /**
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1133 * Identical to register_session in nature, but uses the old login/table structure. DO NOT use this except in the upgrade script under very controlled circumstances.
1
+ − 1134 * @see sessionManager::register_session()
+ − 1135 * @access private
+ − 1136 */
+ − 1137
+ − 1138 function register_session_compat($user_id, $username, $password, $level = 0)
+ − 1139 {
+ − 1140 $salt = md5(microtime() . mt_rand());
+ − 1141 $thekey = md5($password . $salt);
+ − 1142 if($level > 0)
+ − 1143 {
+ − 1144 $this->sid_super = $thekey;
+ − 1145 }
+ − 1146 else
+ − 1147 {
+ − 1148 setcookie( 'sid', $thekey, time()+315360000, scriptPath.'/' );
+ − 1149 $_COOKIE['sid'] = $thekey;
+ − 1150 }
+ − 1151 $ip = ip2hex($_SERVER['REMOTE_ADDR']);
+ − 1152 if(!$ip)
+ − 1153 die('$session->register_session: Remote-Addr was spoofed');
+ − 1154 $time = time();
+ − 1155 if(!is_int($user_id))
+ − 1156 die('Somehow an SQL injection attempt crawled into our session registrar! (1)');
+ − 1157 if(!is_int($level))
+ − 1158 die('Somehow an SQL injection attempt crawled into our session registrar! (2)');
+ − 1159 $query = $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$thekey.'\', \''.$salt.'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');');
+ − 1160 return true;
+ − 1161 }
+ − 1162
+ − 1163 /**
+ − 1164 * Creates/restores a guest session
+ − 1165 * @todo implement real session management for guests
+ − 1166 */
+ − 1167
+ − 1168 function register_guest_session()
+ − 1169 {
+ − 1170 global $db, $session, $paths, $template, $plugins; // Common objects
209
+ − 1171 global $lang;
1
+ − 1172 $this->username = $_SERVER['REMOTE_ADDR'];
+ − 1173 $this->user_level = USER_LEVEL_GUEST;
+ − 1174 if($this->compat || defined('IN_ENANO_INSTALL'))
+ − 1175 {
+ − 1176 $this->theme = 'oxygen';
+ − 1177 $this->style = 'bleu';
+ − 1178 }
+ − 1179 else
+ − 1180 {
+ − 1181 $this->theme = ( isset($_GET['theme']) && isset($template->named_theme_list[$_GET['theme']])) ? $_GET['theme'] : $template->default_theme;
+ − 1182 $this->style = ( isset($_GET['style']) && file_exists(ENANO_ROOT.'/themes/'.$this->theme . '/css/'.$_GET['style'].'.css' )) ? $_GET['style'] : substr($template->named_theme_list[$this->theme]['default_style'], 0, strlen($template->named_theme_list[$this->theme]['default_style'])-4);
+ − 1183 }
+ − 1184 $this->user_id = 1;
377
bb3e6c3bd4f4
Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
Dan
diff
changeset
+ − 1185 // This is a VERY special case we are allowing. It lets the installer create languages using the Enano API.
209
+ − 1186 if ( !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ − 1187 {
377
bb3e6c3bd4f4
Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
Dan
diff
changeset
+ − 1188 $language = ( isset($_GET['lang']) && preg_match('/^[a-z0-9_]+$/', @$_GET['lang']) ) ? $_GET['lang'] : intval(getConfig('default_language'));
209
+ − 1189 $lang = new Language($language);
406
+ − 1190 @setlocale(LC_ALL, $lang->lang_code);
209
+ − 1191 }
1
+ − 1192 }
+ − 1193
+ − 1194 /**
+ − 1195 * Validates a session key, and returns the userdata associated with the key or false
+ − 1196 * @param string $key The session key to validate
+ − 1197 * @return array Keys are 'user_id', 'username', 'email', 'real_name', 'user_level', 'theme', 'style', 'signature', 'reg_time', 'account_active', 'activation_key', and 'auth_level' or bool false if validation failed. The key 'auth_level' is the maximum authorization level that this key provides.
+ − 1198 */
+ − 1199
+ − 1200 function validate_session($key)
+ − 1201 {
+ − 1202 global $db, $session, $paths, $template, $plugins; // Common objects
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1203 profiler_log("SessionManager: checking session: " . sha1($key));
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1204 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1205 $decrypted_key = $aes->decrypt($key, $this->private_key, ENC_HEX);
+ − 1206
+ − 1207 if ( !$decrypted_key )
+ − 1208 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1209 // die_semicritical('AES encryption error', '<p>Something went wrong during the AES decryption process.</p><pre>'.print_r($decrypted_key, true).'</pre>');
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1210 return false;
1
+ − 1211 }
+ − 1212
+ − 1213 $n = preg_match('/^u='.$this->valid_username.';p=([A-Fa-f0-9]+?);s=([A-Fa-f0-9]+?)$/', $decrypted_key, $keydata);
+ − 1214 if($n < 1)
+ − 1215 {
+ − 1216 // echo '(debug) $session->validate_session: Key does not match regex<br />Decrypted key: '.$decrypted_key;
+ − 1217 return false;
+ − 1218 }
+ − 1219 $keyhash = md5($key);
+ − 1220 $salt = $db->escape($keydata[3]);
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1221 // using a normal call to $db->sql_query to avoid failing on errors here
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1222 $query = $db->sql_query('SELECT u.user_id AS uid,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,' . "\n"
371
dc6026376919
Improved compatibility with PostgreSQL and fixed a number of installer bugs; fixed missing "meta" category declaration in language files
Dan
diff
changeset
+ − 1223 . ' u.reg_time,u.account_active,u.activation_key,u.user_lang,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms,' . "\n"
406
+ − 1224 . ' u.user_timezone, x.* FROM '.table_prefix.'session_keys AS k' . "\n"
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1225 . ' LEFT JOIN '.table_prefix.'users AS u' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1226 . ' ON ( u.user_id=k.user_id )' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1227 . ' LEFT JOIN '.table_prefix.'users_extra AS x' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1228 . ' ON ( u.user_id=x.user_id OR x.user_id IS NULL )' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1229 . ' LEFT JOIN '.table_prefix.'privmsgs AS p' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1230 . ' ON ( p.message_to=u.username AND p.message_read=0 )' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1231 . ' WHERE k.session_key=\''.$keyhash.'\'' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1232 . ' AND k.salt=\''.$salt.'\'' . "\n"
371
dc6026376919
Improved compatibility with PostgreSQL and fixed a number of installer bugs; fixed missing "meta" category declaration in language files
Dan
diff
changeset
+ − 1233 . ' GROUP BY u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,u.user_lang,k.source_ip,k.time,k.auth_level,x.user_id, x.user_aim, x.user_yahoo, x.user_msn, x.user_xmpp, x.user_homepage, x.user_location, x.user_job, x.user_hobbies, x.email_public;');
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1234
18
+ − 1235 if ( !$query )
+ − 1236 {
406
+ − 1237 $query = $this->sql('SELECT u.user_id AS uid,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms, 1440 AS user_timezone FROM '.table_prefix.'session_keys AS k
18
+ − 1238 LEFT JOIN '.table_prefix.'users AS u
+ − 1239 ON ( u.user_id=k.user_id )
+ − 1240 LEFT JOIN '.table_prefix.'privmsgs AS p
+ − 1241 ON ( p.message_to=u.username AND p.message_read=0 )
+ − 1242 WHERE k.session_key=\''.$keyhash.'\'
+ − 1243 AND k.salt=\''.$salt.'\'
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1244 GROUP BY u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level;');
18
+ − 1245 }
1
+ − 1246 if($db->numrows() < 1)
+ − 1247 {
+ − 1248 // echo '(debug) $session->validate_session: Key was not found in database<br />';
+ − 1249 return false;
+ − 1250 }
+ − 1251 $row = $db->fetchrow();
+ − 1252 $row['user_id'] =& $row['uid'];
+ − 1253 $ip = ip2hex($_SERVER['REMOTE_ADDR']);
+ − 1254 if($row['auth_level'] > $row['user_level'])
+ − 1255 {
+ − 1256 // Failed authorization check
+ − 1257 // echo '(debug) $session->validate_session: access to this auth level denied<br />';
+ − 1258 return false;
+ − 1259 }
+ − 1260 if($ip != $row['source_ip'])
+ − 1261 {
+ − 1262 // Failed IP address check
+ − 1263 // echo '(debug) $session->validate_session: IP address mismatch<br />';
+ − 1264 return false;
+ − 1265 }
+ − 1266
+ − 1267 // Do the password validation
+ − 1268 $real_pass = $aes->decrypt($row['password'], $this->private_key, ENC_HEX);
+ − 1269
+ − 1270 //die('<pre>'.print_r($keydata, true).'</pre>');
+ − 1271 if(sha1($real_pass) != $keydata[2])
+ − 1272 {
+ − 1273 // Failed password check
+ − 1274 // echo '(debug) $session->validate_session: encrypted password is wrong<br />Real password: '.$real_pass.'<br />Real hash: '.sha1($real_pass).'<br />User hash: '.$keydata[2];
+ − 1275 return false;
+ − 1276 }
+ − 1277
+ − 1278 $time_now = time();
+ − 1279 $time_key = $row['time'] + 900;
+ − 1280 if($time_now > $time_key && $row['auth_level'] > USER_LEVEL_MEMBER)
+ − 1281 {
+ − 1282 // Session timed out
+ − 1283 // echo '(debug) $session->validate_session: super session timed out<br />';
+ − 1284 $this->sw_timed_out = true;
+ − 1285 return false;
+ − 1286 }
+ − 1287
+ − 1288 // If this is an elevated-access session key, update the time
+ − 1289 if( $row['auth_level'] > USER_LEVEL_MEMBER )
+ − 1290 {
+ − 1291 $this->sql('UPDATE '.table_prefix.'session_keys SET time='.time().' WHERE session_key=\''.$keyhash.'\';');
+ − 1292 }
+ − 1293
31
+ − 1294 $user_extra = array();
+ − 1295 foreach ( array('user_aim', 'user_yahoo', 'user_msn', 'user_xmpp', 'user_homepage', 'user_location', 'user_job', 'user_hobbies', 'email_public') as $column )
+ − 1296 {
375
8d0e3a5a6990
[minor] Trying to be a little more careful with values from users_extra in validate_session()
Dan
diff
changeset
+ − 1297 if ( isset($row[$column]) )
8d0e3a5a6990
[minor] Trying to be a little more careful with values from users_extra in validate_session()
Dan
diff
changeset
+ − 1298 $user_extra[$column] = $row[$column];
31
+ − 1299 }
+ − 1300
+ − 1301 $this->user_extra = $user_extra;
+ − 1302 // Leave the rest to PHP's automatic garbage collector ;-)
+ − 1303
1
+ − 1304 $row['password'] = md5($real_pass);
406
+ − 1305 $row['user_timezone'] = intval($row['user_timezone']) - 1440;
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1306
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1307 profiler_log("SessionManager: finished session check");
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1308
1
+ − 1309 return $row;
+ − 1310 }
+ − 1311
+ − 1312 /**
+ − 1313 * Validates a session key, and returns the userdata associated with the key or false. Optimized for compatibility with the old MD5-based auth system.
+ − 1314 * @param string $key The session key to validate
+ − 1315 * @return array Keys are 'user_id', 'username', 'email', 'real_name', 'user_level', 'theme', 'style', 'signature', 'reg_time', 'account_active', 'activation_key', and 'auth_level' or bool false if validation failed. The key 'auth_level' is the maximum authorization level that this key provides.
+ − 1316 */
+ − 1317
+ − 1318 function compat_validate_session($key)
+ − 1319 {
+ − 1320 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1321 $key = $db->escape($key);
+ − 1322
406
+ − 1323 $query = $this->sql('SELECT u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,k.source_ip,k.salt,k.time,k.auth_level,1440 AS user_timezone FROM '.table_prefix.'session_keys AS k
1
+ − 1324 LEFT JOIN '.table_prefix.'users AS u
+ − 1325 ON u.user_id=k.user_id
+ − 1326 WHERE k.session_key=\''.$key.'\';');
+ − 1327 if($db->numrows() < 1)
+ − 1328 {
+ − 1329 // echo '(debug) $session->validate_session: Key '.$key.' was not found in database<br />';
+ − 1330 return false;
+ − 1331 }
+ − 1332 $row = $db->fetchrow();
+ − 1333 $ip = ip2hex($_SERVER['REMOTE_ADDR']);
+ − 1334 if($row['auth_level'] > $row['user_level'])
+ − 1335 {
+ − 1336 // Failed authorization check
+ − 1337 // echo '(debug) $session->validate_session: user not authorized for this access level';
+ − 1338 return false;
+ − 1339 }
+ − 1340 if($ip != $row['source_ip'])
+ − 1341 {
+ − 1342 // Failed IP address check
+ − 1343 // echo '(debug) $session->validate_session: IP address mismatch; IP in table: '.$row['source_ip'].'; reported IP: '.$ip.'';
+ − 1344 return false;
+ − 1345 }
+ − 1346
+ − 1347 // Do the password validation
+ − 1348 $real_key = md5($row['password'] . $row['salt']);
+ − 1349
+ − 1350 //die('<pre>'.print_r($keydata, true).'</pre>');
+ − 1351 if($real_key != $key)
+ − 1352 {
+ − 1353 // Failed password check
+ − 1354 // echo '(debug) $session->validate_session: supplied password is wrong<br />Real key: '.$real_key.'<br />User key: '.$key;
+ − 1355 return false;
+ − 1356 }
+ − 1357
+ − 1358 $time_now = time();
+ − 1359 $time_key = $row['time'] + 900;
+ − 1360 if($time_now > $time_key && $row['auth_level'] >= 1)
+ − 1361 {
+ − 1362 $this->sw_timed_out = true;
+ − 1363 // Session timed out
+ − 1364 // echo '(debug) $session->validate_session: super session timed out<br />';
+ − 1365 return false;
+ − 1366 }
+ − 1367
406
+ − 1368 $row['user_timezone'] = intval($row['user_timezone']) - 1440;
+ − 1369
1
+ − 1370 return $row;
+ − 1371 }
+ − 1372
+ − 1373 /**
+ − 1374 * Demotes us to one less than the specified auth level. AKA destroys elevated authentication and/or logs out the user, depending on $level
+ − 1375 * @param int $level How low we should go - USER_LEVEL_MEMBER means demote to USER_LEVEL_GUEST, and anything more powerful than USER_LEVEL_MEMBER means demote to USER_LEVEL_MEMBER
+ − 1376 * @return string 'success' if successful, or error on failure
+ − 1377 */
+ − 1378
+ − 1379 function logout($level = USER_LEVEL_MEMBER)
+ − 1380 {
+ − 1381 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1382 $ou = $this->username;
+ − 1383 $oid = $this->user_id;
+ − 1384 if($level > USER_LEVEL_CHPREF)
+ − 1385 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1386 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1387 if(!$this->user_logged_in || $this->auth_level < ( USER_LEVEL_MEMBER + 1))
221
+ − 1388 {
+ − 1389 return 'success';
+ − 1390 }
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1391 // See if we can get rid of the cached decrypted session key
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1392 $key_bin = $aes->hextostring(strrev($this->sid_super));
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1393 $key_hash = sha1($key_bin . '::' . $this->private_key);
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1394 aes_decrypt_cache_destroy($key_hash);
1
+ − 1395 // Destroy elevated privileges
+ − 1396 $keyhash = md5(strrev($this->sid_super));
+ − 1397 $this->sql('DELETE FROM '.table_prefix.'session_keys WHERE session_key=\''.$keyhash.'\' AND user_id=\'' . $this->user_id . '\';');
+ − 1398 $this->sid_super = false;
+ − 1399 $this->auth_level = USER_LEVEL_MEMBER;
+ − 1400 }
+ − 1401 else
+ − 1402 {
+ − 1403 if($this->user_logged_in)
+ − 1404 {
378
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1405 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1406 // See if we can get rid of the cached decrypted session key
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1407 $key_bin = $aes->hextostring($this->sid);
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1408 $key_hash = sha1($key_bin . '::' . $this->private_key);
c1c7fa6b329f
Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
diff
changeset
+ − 1409 aes_decrypt_cache_destroy($key_hash);
1
+ − 1410 // Completely destroy our session
+ − 1411 if($this->auth_level > USER_LEVEL_CHPREF)
+ − 1412 {
+ − 1413 $this->logout(USER_LEVEL_ADMIN);
+ − 1414 }
+ − 1415 $this->sql('DELETE FROM '.table_prefix.'session_keys WHERE session_key=\''.md5($this->sid).'\';');
+ − 1416 setcookie( 'sid', '', time()-(3600*24), scriptPath.'/' );
+ − 1417 }
+ − 1418 }
+ − 1419 $code = $plugins->setHook('logout_success'); // , Array('level'=>$level,'old_username'=>$ou,'old_user_id'=>$oid));
+ − 1420 foreach ( $code as $cmd )
+ − 1421 {
+ − 1422 eval($cmd);
+ − 1423 }
+ − 1424 return 'success';
+ − 1425 }
+ − 1426
+ − 1427 # Miscellaneous stuff
+ − 1428
+ − 1429 /**
+ − 1430 * Appends the high-privilege session key to the URL if we are authorized to do high-privilege stuff
+ − 1431 * @param string $url The URL to add session data to
+ − 1432 * @return string
+ − 1433 */
+ − 1434
+ − 1435 function append_sid($url)
+ − 1436 {
+ − 1437 $sep = ( strstr($url, '?') ) ? '&' : '?';
+ − 1438 if ( $this->sid_super )
+ − 1439 {
+ − 1440 $url = $url . $sep . 'auth=' . urlencode($this->sid_super);
+ − 1441 // echo($this->sid_super.'<br/>');
+ − 1442 }
+ − 1443 return $url;
+ − 1444 }
+ − 1445
+ − 1446 /**
+ − 1447 * Grabs the user's password MD5
+ − 1448 * @return string, or bool false if access denied
+ − 1449 */
+ − 1450
+ − 1451 function grab_password_hash()
+ − 1452 {
+ − 1453 if(!$this->password_hash) return false;
+ − 1454 return $this->password_hash;
+ − 1455 }
+ − 1456
+ − 1457 /**
+ − 1458 * Destroys the user's password MD5 in memory
+ − 1459 */
+ − 1460
+ − 1461 function disallow_password_grab()
+ − 1462 {
+ − 1463 $this->password_hash = false;
+ − 1464 return false;
+ − 1465 }
+ − 1466
+ − 1467 /**
+ − 1468 * Generates an AES key and stashes it in the database
+ − 1469 * @return string Hex-encoded AES key
+ − 1470 */
+ − 1471
+ − 1472 function rijndael_genkey()
+ − 1473 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1474 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1475 $key = $aes->gen_readymade_key();
+ − 1476 $keys = getConfig('login_key_cache');
+ − 1477 if(is_string($keys))
+ − 1478 $keys .= $key;
+ − 1479 else
+ − 1480 $keys = $key;
+ − 1481 setConfig('login_key_cache', $keys);
+ − 1482 return $key;
+ − 1483 }
+ − 1484
+ − 1485 /**
+ − 1486 * Generate a totally random 128-bit value for MD5 challenges
+ − 1487 * @return string
+ − 1488 */
+ − 1489
+ − 1490 function dss_rand()
+ − 1491 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1492 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1493 $random = $aes->randkey(128);
+ − 1494 unset($aes);
+ − 1495 return md5(microtime() . $random);
+ − 1496 }
+ − 1497
+ − 1498 /**
+ − 1499 * Fetch a cached login public key using the MD5sum as an identifier. Each key can only be fetched once before it is destroyed.
+ − 1500 * @param string $md5 The MD5 sum of the key
+ − 1501 * @return string, or bool false on failure
+ − 1502 */
+ − 1503
+ − 1504 function fetch_public_key($md5)
+ − 1505 {
+ − 1506 $keys = getConfig('login_key_cache');
+ − 1507 $keys = enano_str_split($keys, AES_BITS / 4);
+ − 1508
+ − 1509 foreach($keys as $i => $k)
+ − 1510 {
+ − 1511 if(md5($k) == $md5)
+ − 1512 {
+ − 1513 unset($keys[$i]);
+ − 1514 if(count($keys) > 0)
+ − 1515 {
+ − 1516 if ( strlen(getConfig('login_key_cache') ) > 64000 )
+ − 1517 {
+ − 1518 // This should only need to be done once every month or so for an average-size site
+ − 1519 setConfig('login_key_cache', '');
+ − 1520 }
+ − 1521 else
+ − 1522 {
+ − 1523 $keys = implode('', array_values($keys));
+ − 1524 setConfig('login_key_cache', $keys);
+ − 1525 }
+ − 1526 }
+ − 1527 else
+ − 1528 {
+ − 1529 setConfig('login_key_cache', '');
+ − 1530 }
+ − 1531 return $k;
+ − 1532 }
+ − 1533 }
+ − 1534 // Couldn't find the key...
+ − 1535 return false;
+ − 1536 }
+ − 1537
+ − 1538 /**
+ − 1539 * Adds a user to a group.
+ − 1540 * @param int User ID
+ − 1541 * @param int Group ID
+ − 1542 * @param bool Group moderator - defaults to false
+ − 1543 * @return bool True on success, false on failure
+ − 1544 */
+ − 1545
+ − 1546 function add_user_to_group($user_id, $group_id, $is_mod = false)
+ − 1547 {
+ − 1548 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 1549
+ − 1550 // Validation
+ − 1551 if ( !is_int($user_id) || !is_int($group_id) || !is_bool($is_mod) )
+ − 1552 return false;
+ − 1553 if ( $user_id < 1 || $group_id < 1 )
+ − 1554 return false;
+ − 1555
+ − 1556 $mod_switch = ( $is_mod ) ? '1' : '0';
+ − 1557 $q = $this->sql('SELECT member_id,is_mod FROM '.table_prefix.'group_members WHERE user_id=' . $user_id . ' AND group_id=' . $group_id . ';');
+ − 1558 if ( !$q )
+ − 1559 $db->_die();
+ − 1560 if ( $db->numrows() < 1 )
+ − 1561 {
+ − 1562 // User is not in group
+ − 1563 $this->sql('INSERT INTO '.table_prefix.'group_members(user_id,group_id,is_mod) VALUES(' . $user_id . ', ' . $group_id . ', ' . $mod_switch . ');');
+ − 1564 return true;
+ − 1565 }
+ − 1566 else
+ − 1567 {
+ − 1568 $row = $db->fetchrow();
+ − 1569 // Update modship status
+ − 1570 if ( strval($row['is_mod']) == $mod_switch )
+ − 1571 {
+ − 1572 // Modship unchanged
+ − 1573 return true;
+ − 1574 }
+ − 1575 else
+ − 1576 {
+ − 1577 // Modship changed
+ − 1578 $this->sql('UPDATE '.table_prefix.'group_members SET is_mod=' . $mod_switch . ' WHERE member_id=' . $row['member_id'] . ';');
+ − 1579 return true;
+ − 1580 }
+ − 1581 }
+ − 1582 return false;
+ − 1583 }
+ − 1584
+ − 1585 /**
+ − 1586 * Removes a user from a group.
+ − 1587 * @param int User ID
+ − 1588 * @param int Group ID
+ − 1589 * @return bool True on success, false on failure
+ − 1590 * @todo put a little more error checking in...
+ − 1591 */
+ − 1592
+ − 1593 function remove_user_from_group($user_id, $group_id)
+ − 1594 {
+ − 1595 if ( !is_int($user_id) || !is_int($group_id) )
+ − 1596 return false;
+ − 1597 $this->sql('DELETE FROM '.table_prefix."group_members WHERE user_id=$user_id AND group_id=$group_id;");
+ − 1598 return true;
+ − 1599 }
+ − 1600
+ − 1601 /**
+ − 1602 * Checks the banlist to ensure that we're an allowed user. Doesn't return anything because it dies if the user is banned.
+ − 1603 */
+ − 1604
+ − 1605 function check_banlist()
+ − 1606 {
+ − 1607 global $db, $session, $paths, $template, $plugins; // Common objects
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1608 global $lang;
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1609
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1610 $col_reason = ( $this->compat ) ? '"No reason entered (session manager is in compatibility mode)" AS reason' : 'reason';
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1611 $banned = false;
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1612 if ( $this->user_logged_in )
1
+ − 1613 {
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1614 // check by IP, email, and username
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1615 if ( ENANO_DBLAYER == 'MYSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1616 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1617 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1618 . " ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1619 . " ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' REGEXP ban_value ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1620 . " ( ban_type = " . BAN_USER . " AND is_regex = 0 AND ban_value = '{$this->username}' ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1621 . " ( ban_type = " . BAN_USER . " AND is_regex = 1 AND '{$this->username}' REGEXP ban_value ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1622 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 0 AND ban_value = '{$this->email}' ) OR \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1623 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 1 AND '{$this->email}' REGEXP ban_value ) \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1624 . " ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1625 }
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1626 else if ( ENANO_DBLAYER == 'PGSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1627 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1628 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE \n"
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1629 . " ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR \n"
322
+ − 1630 . " ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' ~ ban_value ) OR \n"
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1631 . " ( ban_type = " . BAN_USER . " AND is_regex = 0 AND ban_value = '{$this->username}' ) OR \n"
322
+ − 1632 . " ( ban_type = " . BAN_USER . " AND is_regex = 1 AND '{$this->username}' ~ ban_value ) OR \n"
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1633 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 0 AND ban_value = '{$this->email}' ) OR \n"
322
+ − 1634 . " ( ban_type = " . BAN_EMAIL . " AND is_regex = 1 AND '{$this->email}' ~ ban_value ) \n"
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1635 . " ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1636 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1637 $q = $this->sql($sql);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1638 if ( $db->numrows() > 0 )
1
+ − 1639 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1640 while ( list($reason_temp, $ban_value, $ban_type, $is_regex) = $db->fetchrow_num() )
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1641 {
425
+ − 1642 if ( $ban_type == BAN_IP && $is_regex != 1 )
1
+ − 1643 {
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1644 // check range
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1645 $regexp = parse_ip_range_regex($ban_value);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1646 if ( !$regexp )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1647 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1648 continue;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1649 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1650 if ( preg_match("/$regexp/", $_SERVER['REMOTE_ADDR']) )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1651 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1652 $reason = $reason_temp;
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1653 $banned = true;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1654 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1655 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1656 else
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1657 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1658 // User is banned
1
+ − 1659 $banned = true;
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1660 $reason = $reason_temp;
1
+ − 1661 }
+ − 1662 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1663 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1664 $db->free_result();
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1665 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1666 else
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1667 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1668 // check by IP only
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1669 if ( ENANO_DBLAYER == 'MYSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1670 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1671 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1672 ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1673 ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' REGEXP ban_value )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1674 ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1675 }
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1676 else if ( ENANO_DBLAYER == 'PGSQL' )
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1677 {
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1678 $sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1679 ( ban_type = " . BAN_IP . " AND is_regex = 0 ) OR
322
+ − 1680 ( ban_type = " . BAN_IP . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' ~ ban_value )
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1681 ORDER BY ban_type ASC;";
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1682 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1683 $q = $this->sql($sql);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1684 if ( $db->numrows() > 0 )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1685 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1686 while ( list($reason_temp, $ban_value, $ban_type, $is_regex) = $db->fetchrow_num() )
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1687 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1688 if ( $ban_type == BAN_IP && $row['is_regex'] != 1 )
1
+ − 1689 {
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1690 // check range
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1691 $regexp = parse_ip_range_regex($ban_value);
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1692 if ( !$regexp )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1693 continue;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1694 if ( preg_match("/$regexp/", $_SERVER['REMOTE_ADDR']) )
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1695 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1696 $reason = $reason_temp;
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1697 $banned = true;
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1698 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1699 }
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1700 else
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1701 {
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1702 // User is banned
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1703 $reason = $reason_temp;
1
+ − 1704 $banned = true;
+ − 1705 }
+ − 1706 }
+ − 1707 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1708 $db->free_result();
1
+ − 1709 }
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1710 if ( $banned && $paths->get_pageid_from_url() != $paths->nslist['Special'].'CSS' )
1
+ − 1711 {
+ − 1712 // This guy is banned - kill the session, kill the database connection, bail out, and be pretty about it
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 1713 die_semicritical($lang->get('user_ban_msg_title'), '<p>' . $lang->get('user_ban_msg_body') . '</p><div class="error-box"><b>' . $lang->get('user_ban_lbl_reason') . '</b><br />' . $reason . '</div>');
1
+ − 1714 exit;
+ − 1715 }
+ − 1716 }
+ − 1717
+ − 1718 # Registration
+ − 1719
+ − 1720 /**
+ − 1721 * Registers a user. This does not perform any type of login.
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1722 * @param string New user's username
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1723 * @param string This should be unencrypted.
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1724 * @param string E-mail address.
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1725 * @param string Optional, defaults to ''.
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1726 * @param bool Optional. If true, the account is not activated initially and an admin activation request is sent. The caller is responsible for sending the address info and notice.
1
+ − 1727 */
+ − 1728
30
+ − 1729 function create_user($username, $password, $email, $real_name = '', $coppa = false)
13
fdd6b9dd42c3
Installer actually works now on dev servers; minor language change in template.php; code cleanliness fix in sessions.php
Dan
diff
changeset
+ − 1730 {
1
+ − 1731 global $db, $session, $paths, $template, $plugins; // Common objects
370
+ − 1732 global $lang;
1
+ − 1733
+ − 1734 // Initialize AES
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 1735 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 1736
359
+ − 1737 // Since we're recording IP addresses, make sure the user's IP is safe.
+ − 1738 $ip =& $_SERVER['REMOTE_ADDR'];
+ − 1739 if ( !is_valid_ip($ip) )
+ − 1740 return 'Invalid IP';
+ − 1741
+ − 1742 if ( !preg_match('#^'.$this->valid_username.'$#', $username) )
370
+ − 1743 return $lang->get('user_reg_err_username_banned_chars');
359
+ − 1744
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
diff
changeset
+ − 1745 $username = str_replace('_', ' ', $username);
135
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1746 $user_orig = $username;
1
+ − 1747 $username = $this->prepare_text($username);
+ − 1748 $email = $this->prepare_text($email);
+ − 1749 $real_name = $this->prepare_text($real_name);
+ − 1750
+ − 1751 $nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 1752 $q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1753 if($db->numrows() > 0)
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1754 {
1
+ − 1755 $row = $db->fetchrow();
370
+ − 1756 $str = 'user_reg_err_dupe';
+ − 1757
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1758 if ( $row['username'] == $username )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1759 {
370
+ − 1760 $str .= '_username';
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1761 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1762 if ( $row['email'] == $email )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1763 {
370
+ − 1764 $str .= '_email';
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1765 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1766 if ( $row['real_name'] == $real_name && $real_name != '' )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1767 {
370
+ − 1768 $str .= '_realname';
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1769 }
370
+ − 1770
371
dc6026376919
Improved compatibility with PostgreSQL and fixed a number of installer bugs; fixed missing "meta" category declaration in language files
Dan
diff
changeset
+ − 1771 return $lang->get($str);
1
+ − 1772 }
+ − 1773
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1774 // Is the password strong enough?
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1775 if ( getConfig('pw_strength_enable') )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1776 {
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1777 $min_score = intval( getConfig('pw_strength_minimum') );
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1778 $pass_score = password_score($password);
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1779 if ( $pass_score < $min_score )
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1780 {
370
+ − 1781 return $lang->get('user_reg_err_password_too_weak');
133
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1782 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1783 }
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1784
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1785 $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
af0f6ec48de3
Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
Dan
diff
changeset
+ − 1786
1
+ − 1787 // Require the account to be activated?
+ − 1788 switch(getConfig('account_activation'))
+ − 1789 {
+ − 1790 case 'none':
+ − 1791 default:
+ − 1792 $active = '1';
+ − 1793 break;
+ − 1794 case 'user':
+ − 1795 $active = '0';
+ − 1796 break;
+ − 1797 case 'admin':
+ − 1798 $active = '0';
+ − 1799 break;
+ − 1800 }
30
+ − 1801 if ( $coppa )
+ − 1802 $active = '0';
+ − 1803
+ − 1804 $coppa_col = ( $coppa ) ? '1' : '0';
1
+ − 1805
+ − 1806 // Generate a totally random activation key
+ − 1807 $actkey = sha1 ( microtime() . mt_rand() );
+ − 1808
30
+ − 1809 // We good, create the user
359
+ − 1810 $this->sql('INSERT INTO '.table_prefix.'users ( username, password, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$password.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );');
1
+ − 1811
31
+ − 1812 // Get user ID and create users_extra entry
+ − 1813 $q = $this->sql('SELECT user_id FROM '.table_prefix."users WHERE username='$username';");
+ − 1814 if ( $db->numrows() > 0 )
+ − 1815 {
359
+ − 1816 list($user_id) = $db->fetchrow_num();
31
+ − 1817 $db->free_result();
+ − 1818
42
45ebe475ff75
I dunno how many times I'm gonna have to fix the "problem seems to be the hex conversion" bug, but this is at least the fourth try.
Dan
diff
changeset
+ − 1819 $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');');
31
+ − 1820 }
+ − 1821
135
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1822 // Grant edit and very limited mod access to the userpage
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1823 $acl_data = array(
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1824 'read' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1825 'view_source' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1826 'edit_page' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1827 'post_comments' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1828 'edit_comments' => AUTH_ALLOW, // only allows editing own comments
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1829 'history_view' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1830 'history_rollback' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1831 'rename' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1832 'delete_page' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1833 'tag_create' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1834 'tag_delete_own' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1835 'tag_delete_other' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1836 'edit_cat' => AUTH_ALLOW,
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1837 'create_page' => AUTH_ALLOW
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1838 );
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1839 $acl_data = $db->escape($this->perm_to_string($acl_data));
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1840 $userpage = $db->escape(sanitize_page_id($user_orig));
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1841 $cols = "target_type, target_id, page_id, namespace, rules";
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1842 $vals = ACL_TYPE_USER . ", $user_id, '$userpage', 'User', '$acl_data'";
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1843 $q = "INSERT INTO ".table_prefix."acl($cols) VALUES($vals);";
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1844 $this->sql($q);
c5dbad7ec2d0
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
Dan
diff
changeset
+ − 1845
1
+ − 1846 // Require the account to be activated?
30
+ − 1847 if ( $coppa )
+ − 1848 {
+ − 1849 $this->admin_activation_request($username);
+ − 1850 $this->send_coppa_mail($username,$email);
+ − 1851 }
+ − 1852 else
1
+ − 1853 {
30
+ − 1854 switch(getConfig('account_activation'))
+ − 1855 {
+ − 1856 case 'none':
+ − 1857 default:
+ − 1858 break;
+ − 1859 case 'user':
+ − 1860 $a = $this->send_activation_mail($username);
+ − 1861 if(!$a)
+ − 1862 {
+ − 1863 $this->admin_activation_request($username);
370
+ − 1864 return $lang->get('user_reg_err_actmail_failed') . ' ' . $a;
30
+ − 1865 }
+ − 1866 break;
+ − 1867 case 'admin':
1
+ − 1868 $this->admin_activation_request($username);
30
+ − 1869 break;
+ − 1870 }
1
+ − 1871 }
+ − 1872
+ − 1873 // Leave some data behind for the hook
+ − 1874 $code = $plugins->setHook('user_registered'); // , Array('username'=>$username));
+ − 1875 foreach ( $code as $cmd )
+ − 1876 {
+ − 1877 eval($cmd);
+ − 1878 }
+ − 1879
+ − 1880 // $this->register_session($username, $password);
+ − 1881 return 'success';
+ − 1882 }
+ − 1883
+ − 1884 /**
+ − 1885 * Attempts to send an e-mail to the specified user with activation instructions.
+ − 1886 * @param string $u The usernamd of the user requesting activation
+ − 1887 * @return bool true on success, false on failure
+ − 1888 */
+ − 1889
+ − 1890 function send_activation_mail($u, $actkey = false)
+ − 1891 {
+ − 1892 global $db, $session, $paths, $template, $plugins; // Common objects
370
+ − 1893 global $lang;
131
+ − 1894 $q = $this->sql('SELECT username,email FROM '.table_prefix.'users WHERE user_id=2 OR user_level=' . USER_LEVEL_ADMIN . ' ORDER BY user_id ASC;');
1
+ − 1895 $un = $db->fetchrow();
+ − 1896 $admin_user = $un['username'];
+ − 1897 $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';');
+ − 1898 $r = $db->fetchrow();
+ − 1899 if ( empty($r['email']) )
+ − 1900 $db->_die('BUG: $session->send_activation_mail(): no e-mail address in row');
+ − 1901
370
+ − 1902 $aklink = makeUrlComplete('Special', 'ActivateAccount/'.str_replace(' ', '_', $u).'/'. ( ( is_string($actkey) ) ? $actkey : $r['activation_key'] ) );
+ − 1903 $message = $lang->get('user_reg_activation_email', array(
+ − 1904 'activation_link' => $aklink,
+ − 1905 'admin_user' => $admin_user,
+ − 1906 'username' => $u
+ − 1907 ));
+ − 1908
1
+ − 1909 if(getConfig('smtp_enabled') == '1')
+ − 1910 {
370
+ − 1911 $result = smtp_send_email($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email'));
1
+ − 1912 if($result == 'success') $result = true;
+ − 1913 else { echo $result; $result = false; }
+ − 1914 } else {
370
+ − 1915 $result = mail($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email'));
1
+ − 1916 }
+ − 1917 return $result;
+ − 1918 }
+ − 1919
+ − 1920 /**
30
+ − 1921 * Attempts to send an e-mail to the specified user's e-mail address on file intended for the parents
+ − 1922 * @param string $u The usernamd of the user requesting activation
+ − 1923 * @return bool true on success, false on failure
+ − 1924 */
+ − 1925
+ − 1926 function send_coppa_mail($u, $actkey = false)
+ − 1927 {
+ − 1928 global $db, $session, $paths, $template, $plugins; // Common objects
370
+ − 1929 global $lang;
30
+ − 1930
+ − 1931 $q = $this->sql('SELECT username,email FROM '.table_prefix.'users WHERE user_id=2 OR user_level=' . USER_LEVEL_ADMIN . ' ORDER BY user_id ASC;');
+ − 1932 $un = $db->fetchrow();
+ − 1933 $admin_user = $un['username'];
+ − 1934
+ − 1935 $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';');
+ − 1936 $r = $db->fetchrow();
+ − 1937 if ( empty($r['email']) )
+ − 1938 $db->_die('BUG: $session->send_activation_mail(): no e-mail address in row');
+ − 1939
+ − 1940 if(isset($_SERVER['HTTPS'])) $prot = 'https';
+ − 1941 else $prot = 'http';
+ − 1942 if($_SERVER['SERVER_PORT'] == '80') $p = '';
+ − 1943 else $p = ':'.$_SERVER['SERVER_PORT'];
+ − 1944 $sidbak = false;
+ − 1945 if($this->sid_super)
+ − 1946 $sidbak = $this->sid_super;
+ − 1947 $this->sid_super = false;
+ − 1948 if($sidbak)
+ − 1949 $this->sid_super = $sidbak;
+ − 1950 unset($sidbak);
+ − 1951 $link = "$prot://".$_SERVER['HTTP_HOST'].scriptPath;
+ − 1952
370
+ − 1953 $message = $lang->get(
+ − 1954 'user_reg_activation_email_coppa',
+ − 1955 array(
+ − 1956 'username' => $u,
+ − 1957 'admin_user' => $admin_user,
+ − 1958 'site_link' => $link
+ − 1959 )
+ − 1960 );
30
+ − 1961
+ − 1962
+ − 1963 if(getConfig('smtp_enabled') == '1')
+ − 1964 {
+ − 1965 $result = smtp_send_email($r['email'], getConfig('site_name').' website account activation', preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email'));
+ − 1966 if($result == 'success')
+ − 1967 {
+ − 1968 $result = true;
+ − 1969 }
+ − 1970 else
+ − 1971 {
+ − 1972 echo $result;
+ − 1973 $result = false;
+ − 1974 }
+ − 1975 }
+ − 1976 else
+ − 1977 {
+ − 1978 $result = mail($r['email'], getConfig('site_name').' website account activation', preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email'));
+ − 1979 }
+ − 1980 return $result;
+ − 1981 }
+ − 1982
+ − 1983 /**
1
+ − 1984 * Sends an e-mail to a user so they can reset their password.
+ − 1985 * @param int $user The user ID, or username if it's a string
+ − 1986 * @return bool true on success, false on failure
+ − 1987 */
+ − 1988
+ − 1989 function mail_password_reset($user)
+ − 1990 {
+ − 1991 global $db, $session, $paths, $template, $plugins; // Common objects
335
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 1992 global $lang;
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 1993
1
+ − 1994 if(is_int($user))
+ − 1995 {
+ − 1996 $q = $this->sql('SELECT user_id,username,email FROM '.table_prefix.'users WHERE user_id='.$user.';'); // This is SAFE! This is only called if $user is an integer
+ − 1997 }
+ − 1998 elseif(is_string($user))
+ − 1999 {
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 2000 $q = $this->sql('SELECT user_id,username,email FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=' . ENANO_SQLFUNC_LOWERCASE . '(\''.$db->escape($user).'\');');
1
+ − 2001 }
+ − 2002 else
+ − 2003 {
+ − 2004 return false;
+ − 2005 }
+ − 2006
+ − 2007 $row = $db->fetchrow();
+ − 2008 $temp_pass = $this->random_pass();
+ − 2009
+ − 2010 $this->register_temp_password($row['user_id'], $temp_pass);
+ − 2011
+ − 2012 $site_name = getConfig('site_name');
335
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2013
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2014 $message = $lang->get('userfuncs_passreset_email', array(
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2015 'username' => $row['username'],
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2016 'site_name' => $site_name,
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2017 'remote_addr' => $_SERVER['REMOTE_ADDR'],
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2018 'temp_pass' => $temp_pass
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 2019 ));
1
+ − 2020
+ − 2021 if(getConfig('smtp_enabled') == '1')
+ − 2022 {
+ − 2023 $result = smtp_send_email($row['email'], getConfig('site_name').' password reset', preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email'));
+ − 2024 if($result == 'success')
+ − 2025 {
+ − 2026 $result = true;
+ − 2027 }
+ − 2028 else
+ − 2029 {
+ − 2030 echo '<p>'.$result.'</p>';
+ − 2031 $result = false;
+ − 2032 }
+ − 2033 } else {
+ − 2034 $result = mail($row['email'], getConfig('site_name').' password reset', preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email'));
+ − 2035 }
+ − 2036 return $result;
+ − 2037 }
+ − 2038
+ − 2039 /**
+ − 2040 * Sets the temporary password for the specified user to whatever is specified.
+ − 2041 * @param int $user_id
+ − 2042 * @param string $password
+ − 2043 * @return bool
+ − 2044 */
+ − 2045
+ − 2046 function register_temp_password($user_id, $password)
+ − 2047 {
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 2048 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 2049 $temp_pass = $aes->encrypt($password, $this->private_key, ENC_HEX);
+ − 2050 $this->sql('UPDATE '.table_prefix.'users SET temp_password=\'' . $temp_pass . '\',temp_password_time='.time().' WHERE user_id='.intval($user_id).';');
+ − 2051 }
+ − 2052
+ − 2053 /**
+ − 2054 * Sends a request to the admin panel to have the username $u activated.
+ − 2055 * @param string $u The username of the user requesting activation
+ − 2056 */
+ − 2057
+ − 2058 function admin_activation_request($u)
+ − 2059 {
+ − 2060 global $db;
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2061 $this->sql('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, author, edit_summary) VALUES(\'admin\', \'activ_req\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$this->username.'\', \''.$db->escape($u).'\');');
1
+ − 2062 }
+ − 2063
+ − 2064 /**
+ − 2065 * Activates a user account. If the action fails, a report is sent to the admin.
+ − 2066 * @param string $user The username of the user requesting activation
+ − 2067 * @param string $key The activation key
+ − 2068 */
+ − 2069
+ − 2070 function activate_account($user, $key)
+ − 2071 {
+ − 2072 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2073 $this->sql('UPDATE '.table_prefix.'users SET account_active=1 WHERE username=\''.$db->escape($user).'\' AND activation_key=\''.$db->escape($key).'\';');
+ − 2074 $r = mysql_affected_rows();
+ − 2075 if ( $r > 0 )
+ − 2076 {
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2077 $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
1
+ − 2078 }
+ − 2079 else
+ − 2080 {
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2081 $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
1
+ − 2082 }
+ − 2083 return $r;
+ − 2084 }
+ − 2085
+ − 2086 /**
+ − 2087 * For a given user level identifier (USER_LEVEL_*), returns a string describing that user level.
+ − 2088 * @param int User level
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2089 * @param bool If true, returns a shorter string. Optional.
1
+ − 2090 * @return string
+ − 2091 */
+ − 2092
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2093 function userlevel_to_string($user_level, $short = false)
1
+ − 2094 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2095 global $lang;
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2096
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2097 static $levels = array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2098 'short' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2099 USER_LEVEL_GUEST => 'Guest',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2100 USER_LEVEL_MEMBER => 'Member',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2101 USER_LEVEL_CHPREF => 'Sensitive preferences changeable',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2102 USER_LEVEL_MOD => 'Moderator',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2103 USER_LEVEL_ADMIN => 'Administrative'
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2104 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2105 'long' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2106 USER_LEVEL_GUEST => 'Low - guest privileges',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2107 USER_LEVEL_MEMBER => 'Standard - normal member level',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2108 USER_LEVEL_CHPREF => 'Medium - user can change his/her own e-mail address and password',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2109 USER_LEVEL_MOD => 'High - moderator privileges',
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2110 USER_LEVEL_ADMIN => 'Highest - administrative privileges'
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2111 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2112 'l10n' => false
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2113 );
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2114
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2115 if ( is_object($lang) && !$levels['l10n'] )
1
+ − 2116 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2117 $levels = array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2118 'short' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2119 USER_LEVEL_GUEST => $lang->get('user_level_short_guest'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2120 USER_LEVEL_MEMBER => $lang->get('user_level_short_member'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2121 USER_LEVEL_CHPREF => $lang->get('user_level_short_chpref'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2122 USER_LEVEL_MOD => $lang->get('user_level_short_mod'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2123 USER_LEVEL_ADMIN => $lang->get('user_level_short_admin')
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2124 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2125 'long' => array(
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2126 USER_LEVEL_GUEST => $lang->get('user_level_long_guest'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2127 USER_LEVEL_MEMBER => $lang->get('user_level_long_member'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2128 USER_LEVEL_CHPREF => $lang->get('user_level_long_chpref'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2129 USER_LEVEL_MOD => $lang->get('user_level_long_mod'),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2130 USER_LEVEL_ADMIN => $lang->get('user_level_long_admin')
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2131 ),
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2132 'l10n' => true
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2133 );
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2134 }
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2135
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2136 $key = ( $short ) ? 'short' : 'long';
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2137 if ( isset($levels[$key][$user_level]) )
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2138 {
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2139 return $levels[$key][$user_level];
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2140 }
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2141 else
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2142 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2143 if ( $short )
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2144 {
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2145 return ( is_object($lang) ) ? $lang->get('user_level_short_unknown', array('user_level' => $user_level)) : "Unknown - $user_level";
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2146 }
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2147 else
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2148 {
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2149 return ( is_object($lang) ) ? $lang->get('user_level_long_unknown', array('user_level' => $user_level)) : "Unknown level ($user_level)";
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2150 }
1
+ − 2151 }
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2152
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2153 return 'Linux rocks!';
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2154
1
+ − 2155 }
+ − 2156
+ − 2157 /**
+ − 2158 * Updates a user's information in the database. Note that any of the values except $user_id can be false if you want to preserve the old values.
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
diff
changeset
+ − 2159 * Not localized because this really isn't used a whole lot anymore.
1
+ − 2160 * @param int $user_id The user ID of the user to update - this cannot be changed
+ − 2161 * @param string $username The new username
+ − 2162 * @param string $old_pass The current password - only required if sessionManager::$user_level < USER_LEVEL_ADMIN. This should usually be an UNENCRYPTED string. This can also be an array - if it is, key 0 is treated as data AES-encrypted with key 1
+ − 2163 * @param string $password The new password
+ − 2164 * @param string $email The new e-mail address
+ − 2165 * @param string $realname The new real name
+ − 2166 * @param string $signature The updated forum/comment signature
+ − 2167 * @param int $user_level The updated user level
+ − 2168 * @return string 'success' if successful, or array of error strings on failure
+ − 2169 */
+ − 2170
+ − 2171 function update_user($user_id, $username = false, $old_pass = false, $password = false, $email = false, $realname = false, $signature = false, $user_level = false)
+ − 2172 {
+ − 2173 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2174
+ − 2175 // Create some arrays
+ − 2176
+ − 2177 $errors = Array(); // Used to hold error strings
+ − 2178 $strs = Array(); // Sub-query statements
+ − 2179
+ − 2180 // Scan the user ID for problems
+ − 2181 if(intval($user_id) < 1) $errors[] = 'SQL injection attempt';
+ − 2182
+ − 2183 // Instanciate the AES encryption class
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 2184 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
1
+ − 2185
+ − 2186 // If all of our input vars are false, then we've effectively done our job so get out of here
+ − 2187 if($username === false && $password === false && $email === false && $realname === false && $signature === false && $user_level === false)
+ − 2188 {
+ − 2189 // echo 'debug: $session->update_user(): success (no changes requested)';
+ − 2190 return 'success';
+ − 2191 }
+ − 2192
+ − 2193 // Initialize our authentication check
+ − 2194 $authed = false;
+ − 2195
+ − 2196 // Verify the inputted password
+ − 2197 if(is_string($old_pass))
+ − 2198 {
+ − 2199 $q = $this->sql('SELECT password FROM '.table_prefix.'users WHERE user_id='.$user_id.';');
+ − 2200 if($db->numrows() < 1)
+ − 2201 {
+ − 2202 $errors[] = 'The password data could not be selected for verification.';
+ − 2203 }
+ − 2204 else
+ − 2205 {
+ − 2206 $row = $db->fetchrow();
+ − 2207 $real = $aes->decrypt($row['password'], $this->private_key, ENC_HEX);
+ − 2208 if($real == $old_pass)
+ − 2209 $authed = true;
+ − 2210 }
+ − 2211 }
+ − 2212
+ − 2213 elseif(is_array($old_pass))
+ − 2214 {
+ − 2215 $old_pass = $aes->decrypt($old_pass[0], $old_pass[1]);
+ − 2216 $q = $this->sql('SELECT password FROM '.table_prefix.'users WHERE user_id='.$user_id.';');
+ − 2217 if($db->numrows() < 1)
+ − 2218 {
+ − 2219 $errors[] = 'The password data could not be selected for verification.';
+ − 2220 }
+ − 2221 else
+ − 2222 {
+ − 2223 $row = $db->fetchrow();
+ − 2224 $real = $aes->decrypt($row['password'], $this->private_key, ENC_HEX);
+ − 2225 if($real == $old_pass)
+ − 2226 $authed = true;
+ − 2227 }
+ − 2228 }
+ − 2229
+ − 2230 // Initialize our query
+ − 2231 $q = 'UPDATE '.table_prefix.'users SET ';
+ − 2232
+ − 2233 if($this->auth_level >= USER_LEVEL_ADMIN || $authed) // Need the current password in order to update the e-mail address, change the username, or reset the password
+ − 2234 {
+ − 2235 // Username
+ − 2236 if(is_string($username))
+ − 2237 {
+ − 2238 // Check the username for problems
+ − 2239 if(!preg_match('#^'.$this->valid_username.'$#', $username))
+ − 2240 $errors[] = 'The username you entered contains invalid characters.';
+ − 2241 $strs[] = 'username=\''.$db->escape($username).'\'';
+ − 2242 }
+ − 2243 // Password
+ − 2244 if(is_string($password) && strlen($password) >= 6)
+ − 2245 {
+ − 2246 // Password needs to be encrypted before being stashed
+ − 2247 $encpass = $aes->encrypt($password, $this->private_key, ENC_HEX);
+ − 2248 if(!$encpass)
+ − 2249 $errors[] = 'The password could not be encrypted due to an internal error.';
+ − 2250 $strs[] = 'password=\''.$encpass.'\'';
+ − 2251 }
+ − 2252 // E-mail addy
+ − 2253 if(is_string($email))
+ − 2254 {
+ − 2255 // I didn't write this regex.
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
diff
changeset
+ − 2256 if(!preg_match('/^(?:[\w\d]+\.?)+@((?:(?:[\w\d]\-?)+\.)+\w{2,4}|localhost)$/', $email))
1
+ − 2257 $errors[] = 'The e-mail address you entered is invalid.';
+ − 2258 $strs[] = 'email=\''.$db->escape($email).'\'';
+ − 2259 }
+ − 2260 }
+ − 2261 // Real name
+ − 2262 if(is_string($realname))
+ − 2263 {
+ − 2264 $strs[] = 'real_name=\''.$db->escape($realname).'\'';
+ − 2265 }
+ − 2266 // Forum/comment signature
+ − 2267 if(is_string($signature))
+ − 2268 {
+ − 2269 $strs[] = 'signature=\''.$db->escape($signature).'\'';
+ − 2270 }
+ − 2271 // User level
+ − 2272 if(is_int($user_level))
+ − 2273 {
+ − 2274 $strs[] = 'user_level='.$user_level;
+ − 2275 }
+ − 2276
+ − 2277 // Add our generated query to the query string
+ − 2278 $q .= implode(',', $strs);
+ − 2279
+ − 2280 // One last error check
+ − 2281 if(sizeof($strs) < 1) $errors[] = 'An internal error occured building the SQL query, this is a bug';
+ − 2282 if(sizeof($errors) > 0) return $errors;
+ − 2283
+ − 2284 // Free our temp arrays
+ − 2285 unset($strs, $errors);
+ − 2286
+ − 2287 // Finalize the query and run it
+ − 2288 $q .= ' WHERE user_id='.$user_id.';';
+ − 2289 $this->sql($q);
+ − 2290
+ − 2291 // We also need to trigger re-activation.
+ − 2292 if ( is_string($email) )
+ − 2293 {
+ − 2294 switch(getConfig('account_activation'))
+ − 2295 {
+ − 2296 case 'user':
+ − 2297 case 'admin':
+ − 2298
+ − 2299 if ( $session->user_level >= USER_LEVEL_MOD && getConfig('account_activation') == 'admin' )
+ − 2300 // Don't require re-activation by admins for admins
+ − 2301 break;
+ − 2302
+ − 2303 // retrieve username
+ − 2304 if ( !$username )
+ − 2305 {
+ − 2306 $q = $this->sql('SELECT username FROM '.table_prefix.'users WHERE user_id='.$user_id.';');
+ − 2307 if($db->numrows() < 1)
+ − 2308 {
+ − 2309 $errors[] = 'The username could not be selected.';
+ − 2310 }
+ − 2311 else
+ − 2312 {
+ − 2313 $row = $db->fetchrow();
+ − 2314 $username = $row['username'];
+ − 2315 }
+ − 2316 }
+ − 2317 if ( !$username )
+ − 2318 return $errors;
+ − 2319
+ − 2320 // Generate a totally random activation key
+ − 2321 $actkey = sha1 ( microtime() . mt_rand() );
+ − 2322 $a = $this->send_activation_mail($username, $actkey);
+ − 2323 if(!$a)
+ − 2324 {
+ − 2325 $this->admin_activation_request($username);
+ − 2326 }
+ − 2327 // Deactivate the account until e-mail is confirmed
+ − 2328 $q = $db->sql_query('UPDATE '.table_prefix.'users SET account_active=0,activation_key=\'' . $actkey . '\' WHERE user_id=' . $user_id . ';');
+ − 2329 break;
+ − 2330 }
+ − 2331 }
+ − 2332
+ − 2333 // Yay! We're done
+ − 2334 return 'success';
+ − 2335 }
+ − 2336
+ − 2337 #
+ − 2338 # Access Control Lists
+ − 2339 #
+ − 2340
+ − 2341 /**
+ − 2342 * Creates a new permission field in memory. If the permissions are set in the database, they are used. Otherwise, $default_perm is used.
+ − 2343 * @param string $acl_type An identifier for this field
+ − 2344 * @param int $default_perm Whether permission should be granted or not if it's not specified in the ACLs.
+ − 2345 * @param string $desc A human readable name for the permission type
+ − 2346 * @param array $deps The list of dependencies - this should be an array of ACL types
+ − 2347 * @param string $scope Which namespaces this field should apply to. This should be either a pipe-delimited list of namespace IDs or just "All".
+ − 2348 */
+ − 2349
+ − 2350 function register_acl_type($acl_type, $default_perm = AUTH_DISALLOW, $desc = false, $deps = Array(), $scope = 'All')
+ − 2351 {
+ − 2352 if(isset($this->acl_types[$acl_type]))
+ − 2353 return false;
+ − 2354 else
+ − 2355 {
+ − 2356 if(!$desc)
+ − 2357 {
+ − 2358 $desc = capitalize_first_letter(str_replace('_', ' ', $acl_type));
+ − 2359 }
+ − 2360 $this->acl_types[$acl_type] = $default_perm;
+ − 2361 $this->acl_descs[$acl_type] = $desc;
+ − 2362 $this->acl_deps[$acl_type] = $deps;
+ − 2363 $this->acl_scope[$acl_type] = explode('|', $scope);
+ − 2364 }
+ − 2365 return true;
+ − 2366 }
+ − 2367
+ − 2368 /**
+ − 2369 * Tells us whether permission $type is allowed or not based on the current rules.
+ − 2370 * @param string $type The permission identifier ($acl_type passed to sessionManager::register_acl_type())
+ − 2371 * @param bool $no_deps If true, disables dependency checking
+ − 2372 * @return bool True if allowed, false if denied or if an error occured
+ − 2373 */
+ − 2374
+ − 2375 function get_permissions($type, $no_deps = false)
+ − 2376 {
+ − 2377 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2378 if ( isset( $this->perms[$type] ) )
+ − 2379 {
+ − 2380 if ( $this->perms[$type] == AUTH_DENY )
+ − 2381 $ret = false;
+ − 2382 else if ( $this->perms[$type] == AUTH_WIKIMODE && $paths->wiki_mode )
+ − 2383 $ret = true;
+ − 2384 else if ( $this->perms[$type] == AUTH_WIKIMODE && !$paths->wiki_mode )
+ − 2385 $ret = false;
+ − 2386 else if ( $this->perms[$type] == AUTH_ALLOW )
+ − 2387 $ret = true;
+ − 2388 else if ( $this->perms[$type] == AUTH_DISALLOW )
+ − 2389 $ret = false;
+ − 2390 }
+ − 2391 else if(isset($this->acl_types[$type]))
+ − 2392 {
+ − 2393 if ( $this->acl_types[$type] == AUTH_DENY )
+ − 2394 $ret = false;
+ − 2395 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && $paths->wiki_mode )
+ − 2396 $ret = true;
+ − 2397 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && !$paths->wiki_mode )
+ − 2398 $ret = false;
+ − 2399 else if ( $this->acl_types[$type] == AUTH_ALLOW )
+ − 2400 $ret = true;
+ − 2401 else if ( $this->acl_types[$type] == AUTH_DISALLOW )
+ − 2402 $ret = false;
+ − 2403 }
+ − 2404 else
+ − 2405 {
+ − 2406 // ACL type is undefined
+ − 2407 trigger_error('Unknown access type "' . $type . '"', E_USER_WARNING);
+ − 2408 return false; // Be on the safe side and deny access
+ − 2409 }
+ − 2410 if ( !$no_deps )
+ − 2411 {
+ − 2412 if ( !$this->acl_check_deps($type) )
+ − 2413 return false;
+ − 2414 }
+ − 2415 return $ret;
+ − 2416 }
+ − 2417
+ − 2418 /**
+ − 2419 * Fetch the permissions that apply to the current user for the page specified. The object you get will have the get_permissions method
+ − 2420 * and several other abilities.
+ − 2421 * @param string $page_id
+ − 2422 * @param string $namespace
+ − 2423 * @return object
+ − 2424 */
+ − 2425
+ − 2426 function fetch_page_acl($page_id, $namespace)
+ − 2427 {
+ − 2428 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2429
+ − 2430 if ( count ( $this->acl_base_cache ) < 1 )
+ − 2431 {
+ − 2432 // Permissions table not yet initialized
+ − 2433 return false;
+ − 2434 }
+ − 2435
156
+ − 2436 // cache of permission objects (to save RAM and SQL queries)
+ − 2437 static $objcache = array();
+ − 2438
+ − 2439 if ( count($objcache) == 0 )
+ − 2440 {
+ − 2441 foreach ( $paths->nslist as $key => $_ )
+ − 2442 {
+ − 2443 $objcache[$key] = array();
+ − 2444 }
+ − 2445 }
+ − 2446
+ − 2447 if ( isset($objcache[$namespace][$page_id]) )
+ − 2448 {
+ − 2449 return $objcache[$namespace][$page_id];
+ − 2450 }
+ − 2451
1
+ − 2452 //if ( !isset( $paths->pages[$paths->nslist[$namespace] . $page_id] ) )
+ − 2453 //{
+ − 2454 // // Page does not exist
+ − 2455 // return false;
+ − 2456 //}
+ − 2457
156
+ − 2458 $objcache[$namespace][$page_id] = new Session_ACLPageInfo( $page_id, $namespace, $this->acl_types, $this->acl_descs, $this->acl_deps, $this->acl_base_cache );
+ − 2459 $object =& $objcache[$namespace][$page_id];
1
+ − 2460
+ − 2461 return $object;
+ − 2462
+ − 2463 }
+ − 2464
+ − 2465 /**
+ − 2466 * Read all of our permissions from the database and process/apply them. This should be called after the page is determined.
+ − 2467 * @access private
+ − 2468 */
+ − 2469
+ − 2470 function init_permissions()
+ − 2471 {
+ − 2472 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2473 // Initialize the permissions list with some defaults
+ − 2474 $this->perms = $this->acl_types;
+ − 2475 $this->acl_defaults_used = $this->perms;
+ − 2476
+ − 2477 // Fetch sitewide defaults from the permissions table
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 2478 $bs = 'SELECT rules, target_type, target_id FROM '.table_prefix.'acl' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 2479 . ' WHERE page_id IS NULL AND namespace IS NULL AND' . "\n"
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 2480 . ' ( ';
1
+ − 2481
+ − 2482 $q = Array();
+ − 2483 $q[] = '( target_type='.ACL_TYPE_USER.' AND target_id='.$this->user_id.' )';
+ − 2484 if(count($this->groups) > 0)
+ − 2485 {
+ − 2486 foreach($this->groups as $g_id => $g_name)
+ − 2487 {
+ − 2488 $q[] = '( target_type='.ACL_TYPE_GROUP.' AND target_id='.intval($g_id).' )';
+ − 2489 }
+ − 2490 }
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 2491 $bs .= implode(" OR \n ", $q) . " ) \n ORDER BY target_type ASC, target_id ASC;";
1
+ − 2492 $q = $this->sql($bs);
+ − 2493 if ( $row = $db->fetchrow() )
+ − 2494 {
+ − 2495 do {
+ − 2496 $rules = $this->string_to_perm($row['rules']);
+ − 2497 $is_everyone = ( $row['target_type'] == ACL_TYPE_GROUP && $row['target_id'] == 1 );
+ − 2498 $this->acl_merge_with_current($rules, $is_everyone);
+ − 2499 } while ( $row = $db->fetchrow() );
+ − 2500 }
+ − 2501
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2502 // Cache the sitewide permissions for later use
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2503 $this->acl_base_cache = $this->perms;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2504
1
+ − 2505 // Eliminate types that don't apply to this namespace
+ − 2506 foreach ( $this->perms AS $i => $perm )
+ − 2507 {
+ − 2508 if ( !in_array ( $paths->namespace, $this->acl_scope[$i] ) && !in_array('All', $this->acl_scope[$i]) )
+ − 2509 {
+ − 2510 unset($this->perms[$i]);
+ − 2511 }
+ − 2512 }
+ − 2513
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2514 // PAGE group info
322
+ − 2515 $pg_list = $paths->get_page_groups($paths->page_id, $paths->namespace);
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2516 $pg_info = '';
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2517 foreach ( $pg_list as $g_id )
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2518 {
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2519 $pg_info .= ' ( page_id=\'' . $g_id . '\' AND namespace=\'__PageGroup\' ) OR';
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2520 }
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 2521
1
+ − 2522 // Build a query to grab ACL info
+ − 2523 $bs = 'SELECT rules,target_type,target_id FROM '.table_prefix.'acl WHERE ( ';
+ − 2524 $q = Array();
+ − 2525 $q[] = '( target_type='.ACL_TYPE_USER.' AND target_id='.$this->user_id.' )';
+ − 2526 if(count($this->groups) > 0)
+ − 2527 {
+ − 2528 foreach($this->groups as $g_id => $g_name)
+ − 2529 {
+ − 2530 $q[] = '( target_type='.ACL_TYPE_GROUP.' AND target_id='.intval($g_id).' )';
+ − 2531 }
+ − 2532 }
+ − 2533 // The reason we're using an ORDER BY statement here is because ACL_TYPE_GROUP is less than ACL_TYPE_USER, causing the user's individual
+ − 2534 // permissions to override group permissions.
322
+ − 2535 $bs .= implode(" OR\n ", $q) . " )\n AND (" . $pg_info . ' ( page_id=\''.$db->escape($paths->page_id).'\' AND namespace=\''.$db->escape($paths->namespace).'\' ) )
1
+ − 2536 ORDER BY target_type ASC, page_id ASC, namespace ASC;';
+ − 2537 $q = $this->sql($bs);
+ − 2538 if ( $row = $db->fetchrow() )
+ − 2539 {
+ − 2540 do {
+ − 2541 $rules = $this->string_to_perm($row['rules']);
+ − 2542 $is_everyone = ( $row['target_type'] == ACL_TYPE_GROUP && $row['target_id'] == 1 );
+ − 2543 $this->acl_merge_with_current($rules, $is_everyone);
+ − 2544 } while ( $row = $db->fetchrow() );
+ − 2545 }
+ − 2546
+ − 2547 }
+ − 2548
+ − 2549 /**
+ − 2550 * Extends the scope of a permission type.
+ − 2551 * @param string The name of the permission type
+ − 2552 * @param string The namespace(s) that should be covered. This can be either one namespace ID or a pipe-delimited list.
+ − 2553 * @param object Optional - the current $paths object, in case we're doing this from the acl_rule_init hook
+ − 2554 */
+ − 2555
+ − 2556 function acl_extend_scope($perm_type, $namespaces, &$p_in)
+ − 2557 {
+ − 2558 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2559 $p_obj = ( is_object($p_in) ) ? $p_in : $paths;
+ − 2560 $nslist = explode('|', $namespaces);
+ − 2561 foreach ( $nslist as $i => $ns )
+ − 2562 {
+ − 2563 if ( !isset($p_obj->nslist[$ns]) )
+ − 2564 {
+ − 2565 unset($nslist[$i]);
+ − 2566 }
+ − 2567 else
+ − 2568 {
+ − 2569 $this->acl_scope[$perm_type][] = $ns;
+ − 2570 if ( isset($this->acl_types[$perm_type]) && !isset($this->perms[$perm_type]) )
+ − 2571 {
+ − 2572 $this->perms[$perm_type] = $this->acl_types[$perm_type];
+ − 2573 }
+ − 2574 }
+ − 2575 }
+ − 2576 }
+ − 2577
+ − 2578 /**
+ − 2579 * Converts a permissions field into a string for database insertion. Similar in spirit to serialize().
+ − 2580 * @param array $perms An associative array with only integers as values
+ − 2581 * @return string
+ − 2582 */
+ − 2583
+ − 2584 function perm_to_string($perms)
+ − 2585 {
+ − 2586 $s = '';
+ − 2587 foreach($perms as $perm => $ac)
+ − 2588 {
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2589 if ( $ac == 'i' )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2590 continue;
1
+ − 2591 $s .= "$perm=$ac;";
+ − 2592 }
+ − 2593 return $s;
+ − 2594 }
+ − 2595
+ − 2596 /**
+ − 2597 * Converts a permissions string back to an array.
+ − 2598 * @param string $perms The result from sessionManager::perm_to_string()
+ − 2599 * @return array
+ − 2600 */
+ − 2601
+ − 2602 function string_to_perm($perms)
+ − 2603 {
+ − 2604 $ret = Array();
+ − 2605 preg_match_all('#([a-z0-9_-]+)=([0-9]+);#i', $perms, $matches);
+ − 2606 foreach($matches[1] as $i => $t)
+ − 2607 {
+ − 2608 $ret[$t] = intval($matches[2][$i]);
+ − 2609 }
+ − 2610 return $ret;
+ − 2611 }
+ − 2612
+ − 2613 /**
+ − 2614 * Merges two ACL arrays. Both parameters should be permission list arrays. The second group takes precedence over the first, but AUTH_DENY always prevails.
+ − 2615 * @param array $perm1 The first set of permissions
+ − 2616 * @param array $perm2 The second set of permissions
+ − 2617 * @return array
+ − 2618 */
+ − 2619
+ − 2620 function acl_merge($perm1, $perm2)
+ − 2621 {
+ − 2622 $ret = $perm1;
+ − 2623 foreach ( $perm2 as $type => $level )
+ − 2624 {
+ − 2625 if ( isset( $ret[$type] ) )
+ − 2626 {
+ − 2627 if ( $ret[$type] != AUTH_DENY )
+ − 2628 $ret[$type] = $level;
+ − 2629 }
+ − 2630 // else
+ − 2631 // {
+ − 2632 // $ret[$type] = $level;
+ − 2633 // }
+ − 2634 }
+ − 2635 return $ret;
+ − 2636 }
+ − 2637
+ − 2638 /**
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2639 * Merges two ACL arrays, but instead of calculating inheritance for missing permission types, just returns 'i' for that type. Useful
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2640 * for explicitly requiring inheritance in ACL editing interfaces
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2641 * @param array $perm1 The first set of permissions
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2642 * @param array $perm2 The second, authoritative set of permissions
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2643 */
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2644
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2645 function acl_merge_inherit($perm1, $perm2)
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2646 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2647 foreach ( $perm1 as $type => $level )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2648 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2649 $perm1[$type][$level] = 'i';
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2650 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2651 $ret = $perm1;
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2652 foreach ( $perm2 as $type => $level )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2653 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2654 if ( isset( $ret[$type] ) )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2655 {
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2656 if ( $ret[$type] != AUTH_DENY )
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2657 $ret[$type] = $level;
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2658 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2659 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2660 return $ret;
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2661 }
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2662
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2663 /**
1
+ − 2664 * Merges the ACL array sent with the current permissions table, deciding precedence based on whether defaults are in effect or not.
+ − 2665 * @param array The array to merge into the master ACL list
+ − 2666 * @param bool If true, $perm is treated as the "new default"
+ − 2667 * @param int 1 if this is a site-wide ACL, 2 if page-specific. Defaults to 2.
+ − 2668 */
+ − 2669
+ − 2670 function acl_merge_with_current($perm, $is_everyone = false, $scope = 2)
+ − 2671 {
+ − 2672 foreach ( $this->perms as $i => $p )
+ − 2673 {
+ − 2674 if ( isset($perm[$i]) )
+ − 2675 {
+ − 2676 if ( $is_everyone && !$this->acl_defaults_used[$i] )
+ − 2677 continue;
+ − 2678 // Decide precedence
+ − 2679 if ( isset($this->acl_defaults_used[$i]) )
+ − 2680 {
+ − 2681 //echo "$i: default in use, overriding to: {$perm[$i]}<br />";
+ − 2682 // Defaults are in use, override
+ − 2683 $this->perms[$i] = $perm[$i];
+ − 2684 $this->acl_defaults_used[$i] = ( $is_everyone );
+ − 2685 }
+ − 2686 else
+ − 2687 {
+ − 2688 //echo "$i: default NOT in use";
+ − 2689 // Defaults are not in use, merge as normal
+ − 2690 if ( $this->perms[$i] != AUTH_DENY )
+ − 2691 {
+ − 2692 //echo ", but overriding";
+ − 2693 $this->perms[$i] = $perm[$i];
+ − 2694 }
+ − 2695 //echo "<br />";
+ − 2696 }
+ − 2697 }
+ − 2698 }
+ − 2699 }
+ − 2700
+ − 2701 /**
+ − 2702 * Merges two ACL arrays. Both parameters should be permission list arrays. The second group takes precedence
+ − 2703 * over the first, without exceptions. This is used to merge the hardcoded defaults with admin-specified
+ − 2704 * defaults, which take precedence.
+ − 2705 * @param array $perm1 The first set of permissions
+ − 2706 * @param array $perm2 The second set of permissions
+ − 2707 * @return array
+ − 2708 */
+ − 2709
+ − 2710 function acl_merge_complete($perm1, $perm2)
+ − 2711 {
+ − 2712 $ret = $perm1;
+ − 2713 foreach ( $perm2 as $type => $level )
+ − 2714 {
+ − 2715 $ret[$type] = $level;
+ − 2716 }
+ − 2717 return $ret;
+ − 2718 }
+ − 2719
+ − 2720 /**
+ − 2721 * Tell us if the dependencies for a given permission are met.
+ − 2722 * @param string The ACL permission ID
+ − 2723 * @return bool
+ − 2724 */
+ − 2725
+ − 2726 function acl_check_deps($type)
+ − 2727 {
+ − 2728 if(!isset($this->acl_deps[$type])) // This will only happen if the permissions table is hacked or improperly accessed
+ − 2729 return true;
+ − 2730 if(sizeof($this->acl_deps[$type]) < 1)
+ − 2731 return true;
+ − 2732 $deps = $this->acl_deps[$type];
+ − 2733 while(true)
+ − 2734 {
+ − 2735 $full_resolved = true;
+ − 2736 $j = sizeof($deps);
+ − 2737 for ( $i = 0; $i < $j; $i++ )
+ − 2738 {
+ − 2739 $b = $deps;
+ − 2740 $deps = array_merge($deps, $this->acl_deps[$deps[$i]]);
+ − 2741 if( $b == $deps )
+ − 2742 {
+ − 2743 break 2;
+ − 2744 }
+ − 2745 $j = sizeof($deps);
+ − 2746 }
+ − 2747 }
+ − 2748 //die('<pre>'.print_r($deps, true).'</pre>');
+ − 2749 foreach($deps as $d)
+ − 2750 {
+ − 2751 if ( !$this->get_permissions($d) )
+ − 2752 {
+ − 2753 return false;
+ − 2754 }
+ − 2755 }
+ − 2756 return true;
+ − 2757 }
+ − 2758
+ − 2759 /**
+ − 2760 * Makes a CAPTCHA code and caches the code in the database
+ − 2761 * @param int $len The length of the code, in bytes
402
+ − 2762 * @param string Optional, the hash to reuse
1
+ − 2763 * @return string A unique identifier assigned to the code. This hash should be passed to sessionManager::getCaptcha() to retrieve the code.
+ − 2764 */
+ − 2765
402
+ − 2766 function make_captcha($len = 7, $hash = '')
1
+ − 2767 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2768 global $db, $session, $paths, $template, $plugins; // Common objects
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2769 $code = $this->generate_captcha_code($len);
402
+ − 2770 if ( !preg_match('/^[a-f0-9]{32}([a-z0-9]{8})?$/', $hash) )
+ − 2771 $hash = md5(microtime() . mt_rand());
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2772 $session_data = $db->escape(serialize(array()));
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2773
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2774 // sanity check
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2775 if ( !is_valid_ip(@$_SERVER['REMOTE_ADDR']) || !is_int($this->user_id) )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2776 return false;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2777
402
+ − 2778 $this->sql('DELETE FROM ' . table_prefix . "captcha WHERE session_id = '$hash';");
+ − 2779 $this->sql('INSERT INTO ' . table_prefix . 'captcha(session_id, code, session_data, source_ip, user_id)' . " VALUES('$hash', '$code', '$session_data', '{$_SERVER['REMOTE_ADDR']}', {$this->user_id});");
1
+ − 2780 return $hash;
+ − 2781 }
+ − 2782
+ − 2783 /**
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2784 * Generates a "pronouncable" or "human-friendly" word using various phonics rules
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2785 * @param int Optional. The length of the word.
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2786 * @return string
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2787 */
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2788
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2789 function generate_captcha_code($len = 7)
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2790 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2791 // don't use k and x, they get mixed up a lot
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2792 $consonants = 'bcdfghmnpqrsvwyz';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2793 $vowels = 'aeiou';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2794 $prev = 'vowel';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2795 $prev_l = '';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2796 $word = '';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2797 $allow_next_vowel = true;
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2798 for ( $i = 0; $i < $len; $i++ )
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2799 {
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2800 if ( $prev == 'vowel' )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2801 {
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2802 $allow_next_vowel = false;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2803 if ( $prev_l == 'o' && mt_rand(0, 3) == 3 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2804 $word .= 'i';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2805 else if ( $prev_l == 'q' && mt_rand(0, 3) != 1 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2806 $word .= 'u';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2807 else if ( $prev_l == 'o' && mt_rand(0, 3) == 2 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2808 $word .= 'u';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2809 else if ( $prev_l == 'a' && mt_rand(0, 3) == 3 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2810 $word .= 'i';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2811 else if ( $prev_l == 'a' && mt_rand(0, 10) == 7 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2812 $word .= 'o';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2813 else if ( $prev_l == 'a' && mt_rand(0, 7) == 2 && $allow_next_vowel )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2814 $word .= 'u';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2815 else
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2816 {
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2817 $allow_next_vowel = true;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2818 $word .= $consonants{mt_rand(0, (strlen($consonants)-1))};
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2819 }
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2820 }
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2821 else if ( $prev == 'consonant' )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2822 {
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2823 if ( $prev_l == 'p' && mt_rand(0, 7) == 4 )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2824 $word .= 't';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2825 else if ( $prev_l == 'p' && mt_rand(0, 5) == 1 )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2826 $word .= 'h';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2827 else
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2828 $word .= $vowels{mt_rand(0, (strlen($vowels)-1))};
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2829 }
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2830 $prev_l = substr($word, -1);
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2831 $l = ( mt_rand(0, 1) == 1 ) ? strtoupper($prev_l) : strtolower($prev_l);
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2832 $word = substr($word, 0, -1) . $l;
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2833 if ( strstr('aeiou', $prev_l) )
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2834 $prev = 'vowel';
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2835 else
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2836 $prev = 'consonant';
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2837 }
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2838 return $word;
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2839 }
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2840
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2841 /**
1
+ − 2842 * For the given code ID, returns the correct CAPTCHA code, or false on failure
+ − 2843 * @param string $hash The unique ID assigned to the code
+ − 2844 * @return string The correct confirmation code
+ − 2845 */
+ − 2846
+ − 2847 function get_captcha($hash)
+ − 2848 {
+ − 2849 global $db, $session, $paths, $template, $plugins; // Common objects
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2850
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2851 if ( !preg_match('/^[a-f0-9]{32}([a-z0-9]{8})?$/', $hash) )
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2852 {
436
+ − 2853 die("session manager: bad captcha_hash $hash");
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2854 return false;
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2855 }
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2856
402
+ − 2857 // sanity check
436
+ − 2858 if ( !is_valid_ip(@$_SERVER['REMOTE_ADDR']) )
+ − 2859 {
+ − 2860 die("session manager insanity: bad REMOTE_ADDR or invalid UID");
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2861 return false;
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2862 }
402
+ − 2863
436
+ − 2864 $q = $this->sql('SELECT code_id, code FROM ' . table_prefix . "captcha WHERE session_id = '$hash' AND source_ip = '{$_SERVER['REMOTE_ADDR']}';");
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2865 if ( $db->numrows() < 1 )
436
+ − 2866 {
+ − 2867 die("session manager: no rows for captcha_code $hash");
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2868 return false;
436
+ − 2869 }
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2870
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2871 list($code_id, $code) = $db->fetchrow_num();
436
+ − 2872
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2873 $db->free_result();
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2874 $this->sql('DELETE FROM ' . table_prefix . "captcha WHERE code_id = $code_id;");
436
+ − 2875
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 2876 return $code;
1
+ − 2877 }
+ − 2878
+ − 2879 /**
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2880 * (AS OF 1.0.2: Deprecated. Captcha codes are now killed on first fetch for security.) Deletes all CAPTCHA codes cached in the DB for this user.
1
+ − 2881 */
+ − 2882
+ − 2883 function kill_captcha()
+ − 2884 {
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 2885 return true;
1
+ − 2886 }
+ − 2887
+ − 2888 /**
+ − 2889 * Generates a random password.
+ − 2890 * @param int $length Optional - length of password
+ − 2891 * @return string
+ − 2892 */
+ − 2893
+ − 2894 function random_pass($length = 10)
+ − 2895 {
+ − 2896 $valid_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_+@#%&<>';
+ − 2897 $valid_chars = enano_str_split($valid_chars);
+ − 2898 $ret = '';
+ − 2899 for ( $i = 0; $i < $length; $i++ )
+ − 2900 {
+ − 2901 $ret .= $valid_chars[mt_rand(0, count($valid_chars)-1)];
+ − 2902 }
+ − 2903 return $ret;
+ − 2904 }
+ − 2905
+ − 2906 /**
+ − 2907 * Generates some Javascript that calls the AES encryption library.
+ − 2908 * @param string The name of the form
+ − 2909 * @param string The name of the password field
+ − 2910 * @param string The name of the field that switches encryption on or off
+ − 2911 * @param string The name of the field that contains the encryption key
+ − 2912 * @param string The name of the field that will contain the encrypted password
+ − 2913 * @param string The name of the field that handles MD5 challenge data
+ − 2914 * @return string
+ − 2915 */
+ − 2916
+ − 2917 function aes_javascript($form_name, $pw_field, $use_crypt, $crypt_key, $crypt_data, $challenge)
+ − 2918 {
+ − 2919 $code = '
+ − 2920 <script type="text/javascript">
+ − 2921 disableJSONExts();
+ − 2922 str = \'\';
+ − 2923 for(i=0;i<keySizeInBits/4;i++) str+=\'0\';
+ − 2924 var key = hexToByteArray(str);
+ − 2925 var pt = hexToByteArray(str);
+ − 2926 var ct = rijndaelEncrypt(pt, key, \'ECB\');
+ − 2927 var ct = byteArrayToHex(ct);
+ − 2928 switch(keySizeInBits)
+ − 2929 {
+ − 2930 case 128:
+ − 2931 v = \'66e94bd4ef8a2c3b884cfa59ca342b2e\';
+ − 2932 break;
+ − 2933 case 192:
+ − 2934 v = \'aae06992acbf52a3e8f4a96ec9300bd7aae06992acbf52a3e8f4a96ec9300bd7\';
+ − 2935 break;
+ − 2936 case 256:
+ − 2937 v = \'dc95c078a2408989ad48a21492842087dc95c078a2408989ad48a21492842087\';
+ − 2938 break;
+ − 2939 }
+ − 2940 var testpassed = ' . ( ( isset($_GET['use_crypt']) && $_GET['use_crypt']=='0') ? 'false; // CRYPTO-AUTH DISABLED ON USER REQUEST // ' : '' ) . '( ct == v && md5_vm_test() );
+ − 2941 var frm = document.forms.'.$form_name.';
+ − 2942 function runEncryption()
+ − 2943 {
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2944 var frm = document.forms.'.$form_name.';
1
+ − 2945 if(testpassed)
+ − 2946 {
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2947 frm.'.$use_crypt.'.value = \'yes\';
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2948 var cryptkey = frm.'.$crypt_key.'.value;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2949 frm.'.$crypt_key.'.value = hex_md5(cryptkey);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2950 cryptkey = hexToByteArray(cryptkey);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2951 if(!cryptkey || ( ( typeof cryptkey == \'string\' || typeof cryptkey == \'object\' ) ) && cryptkey.length != keySizeInBits / 8 )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2952 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2953 if ( frm._login ) frm._login.disabled = true;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2954 len = ( typeof cryptkey == \'string\' || typeof cryptkey == \'object\' ) ? \'\\nLen: \'+cryptkey.length : \'\';
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2955 alert(\'The key is messed up\\nType: \'+typeof(cryptkey)+len);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 2956 }
1
+ − 2957 pass = frm.'.$pw_field.'.value;
+ − 2958 chal = frm.'.$challenge.'.value;
+ − 2959 challenge = hex_md5(pass + chal) + chal;
+ − 2960 frm.'.$challenge.'.value = challenge;
+ − 2961 pass = stringToByteArray(pass);
+ − 2962 cryptstring = rijndaelEncrypt(pass, cryptkey, \'ECB\');
+ − 2963 if(!cryptstring)
+ − 2964 {
+ − 2965 return false;
+ − 2966 }
+ − 2967 cryptstring = byteArrayToHex(cryptstring);
+ − 2968 frm.'.$crypt_data.'.value = cryptstring;
+ − 2969 frm.'.$pw_field.'.value = \'\';
+ − 2970 }
+ − 2971 return false;
+ − 2972 }
+ − 2973 </script>
+ − 2974 ';
+ − 2975 return $code;
+ − 2976 }
+ − 2977
436
+ − 2978 /**
+ − 2979 * Backend code for the JSON login interface. Basically a frontend to the session API that takes all parameters in one huge array.
+ − 2980 * @param array LoginAPI request
+ − 2981 * @return array LoginAPI response
+ − 2982 */
+ − 2983
+ − 2984 function process_login_request($req)
+ − 2985 {
+ − 2986 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 2987
+ − 2988 // Setup EnanoMath and Diffie-Hellman
+ − 2989 global $dh_supported;
+ − 2990 $dh_supported = true;
+ − 2991 try
+ − 2992 {
+ − 2993 require_once(ENANO_ROOT . '/includes/diffiehellman.php');
+ − 2994 }
+ − 2995 catch ( Exception $e )
+ − 2996 {
+ − 2997 $dh_supported = false;
+ − 2998 }
+ − 2999 global $_math;
+ − 3000
+ − 3001 // Check for the mode
+ − 3002 if ( !isset($req['mode']) )
+ − 3003 {
+ − 3004 return array(
+ − 3005 'mode' => 'error',
+ − 3006 'error' => 'ERR_JSON_NO_MODE'
+ − 3007 );
+ − 3008 }
+ − 3009
+ − 3010 // Main processing switch
+ − 3011 switch ( $req['mode'] )
+ − 3012 {
+ − 3013 default:
+ − 3014 return array(
+ − 3015 'mode' => 'error',
+ − 3016 'error' => 'ERR_JSON_INVALID_MODE'
+ − 3017 );
+ − 3018 break;
+ − 3019 case 'getkey':
+ − 3020
+ − 3021 $this->start();
+ − 3022
+ − 3023 // Query database for lockout info
+ − 3024 $locked_out = false;
+ − 3025 // are we locked out?
+ − 3026 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+ − 3027 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+ − 3028 // convert to minutes
+ − 3029 $duration = $duration * 60;
+ − 3030 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+ − 3031 if ( $policy != 'disable' )
+ − 3032 {
+ − 3033 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ − 3034 $timestamp_cutoff = time() - $duration;
+ − 3035 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ − 3036 $fails = $db->numrows();
+ − 3037 $row = $db->fetchrow();
+ − 3038 $locked_out = ( $fails >= $threshold );
+ − 3039 $lockdata = array(
+ − 3040 'locked_out' => $locked_out,
+ − 3041 'lockout_threshold' => $threshold,
+ − 3042 'lockout_duration' => ( $duration / 60 ),
+ − 3043 'lockout_fails' => $fails,
+ − 3044 'lockout_policy' => $policy,
+ − 3045 'lockout_last_time' => $row['timestamp'],
+ − 3046 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
+ − 3047 'captcha' => ''
+ − 3048 );
+ − 3049 $db->free_result();
+ − 3050 }
+ − 3051
+ − 3052 $response = array('mode' => 'build_box');
+ − 3053 $response['allow_diffiehellman'] = $dh_supported;
+ − 3054
+ − 3055 $response['username'] = ( $this->user_logged_in ) ? $this->username : false;
+ − 3056 $response['aes_key'] = $this->rijndael_genkey();
+ − 3057
+ − 3058 // Lockout info
+ − 3059 $response['locked_out'] = $locked_out;
+ − 3060
+ − 3061 $response['lockout_info'] = $lockdata;
+ − 3062 if ( $policy == 'captcha' && $locked_out )
+ − 3063 {
+ − 3064 $response['lockout_info']['captcha'] = $this->make_captcha();
+ − 3065 }
+ − 3066
+ − 3067 // Can we do Diffie-Hellman? If so, generate and stash a public/private key pair.
+ − 3068 if ( $dh_supported )
+ − 3069 {
+ − 3070 $dh_key_priv = dh_gen_private();
+ − 3071 $dh_key_pub = dh_gen_public($dh_key_priv);
+ − 3072 $dh_key_priv = $_math->str($dh_key_priv);
+ − 3073 $dh_key_pub = $_math->str($dh_key_pub);
+ − 3074 $response['dh_public_key'] = $dh_key_pub;
+ − 3075 // store the keys in the DB
+ − 3076 $q = $db->sql_query('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );");
+ − 3077 if ( !$q )
+ − 3078 $db->die_json();
+ − 3079 }
+ − 3080
+ − 3081 return $response;
+ − 3082 break;
+ − 3083 case 'login_dh':
+ − 3084 // User is requesting a login and has sent Diffie-Hellman data.
+ − 3085
+ − 3086 //
+ − 3087 // KEY RECONSTRUCTION
+ − 3088 //
+ − 3089
+ − 3090 $userinfo_crypt = $req['userinfo'];
+ − 3091 $dh_public = $req['dh_public_key'];
+ − 3092 $dh_hash = $req['dh_secret_hash'];
+ − 3093
+ − 3094 // Check the key
+ − 3095 if ( !preg_match('/^[0-9]+$/', $dh_public) || !preg_match('/^[0-9]+$/', $req['dh_client_key']) )
+ − 3096 {
+ − 3097 return array(
+ − 3098 'mode' => 'error',
+ − 3099 'error' => 'ERR_DH_KEY_NOT_NUMERIC'
+ − 3100 );
+ − 3101 }
+ − 3102
+ − 3103 // Fetch private key
+ − 3104 $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$dh_public';");
+ − 3105 if ( !$q )
+ − 3106 $db->die_json();
+ − 3107
+ − 3108 if ( $db->numrows() < 1 )
+ − 3109 {
+ − 3110 return array(
+ − 3111 'mode' => 'error',
+ − 3112 'error' => 'ERR_DH_KEY_NOT_FOUND'
+ − 3113 );
+ − 3114 }
+ − 3115
+ − 3116 list($dh_private, $dh_key_id) = $db->fetchrow_num();
+ − 3117 $db->free_result();
+ − 3118
+ − 3119 // We have the private key, now delete the key pair, we no longer need it
+ − 3120 $q = $db->sql_query('DELETE FROM ' . table_prefix . "diffiehellman WHERE key_id = $dh_key_id;");
+ − 3121 if ( !$q )
+ − 3122 $db->die_json();
+ − 3123
+ − 3124 // Generate the shared secret
+ − 3125 $dh_secret = dh_gen_shared_secret($dh_private, $req['dh_client_key']);
+ − 3126 $dh_secret = $_math->str($dh_secret);
+ − 3127
+ − 3128 // Did we get all our math right?
+ − 3129 $dh_secret_check = sha1($dh_secret);
+ − 3130 if ( $dh_secret_check !== $dh_hash )
+ − 3131 {
+ − 3132 return array(
+ − 3133 'mode' => 'error',
+ − 3134 'error' => 'ERR_DH_HASH_NO_MATCH'
+ − 3135 );
+ − 3136 }
+ − 3137
+ − 3138 // All good! Generate the AES key
+ − 3139 $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 ));
+ − 3140 case 'login_aes':
+ − 3141 if ( $req['mode'] == 'login_aes' )
+ − 3142 {
+ − 3143 // login_aes-specific code
+ − 3144 $aes_key = $this->fetch_public_key($req['key_aes']);
+ − 3145 if ( !$aes_key )
+ − 3146 {
+ − 3147 return array(
+ − 3148 'mode' => 'error',
+ − 3149 'error' => 'ERR_AES_LOOKUP_FAILED'
+ − 3150 );
+ − 3151 }
+ − 3152 $userinfo_crypt = $req['userinfo'];
+ − 3153 }
+ − 3154 // shared between the two systems from here on out
+ − 3155
+ − 3156 // decrypt user info
+ − 3157 $aes_key = hexdecode($aes_key);
+ − 3158 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
+ − 3159 $userinfo_json = $aes->decrypt($userinfo_crypt, $aes_key, ENC_HEX);
+ − 3160 if ( !$userinfo_json )
+ − 3161 {
+ − 3162 return array(
+ − 3163 'mode' => 'error',
+ − 3164 'error' => 'ERR_AES_DECRYPT_FAILED'
+ − 3165 );
+ − 3166 }
+ − 3167 // de-JSON user info
+ − 3168 try
+ − 3169 {
+ − 3170 $userinfo = enano_json_decode($userinfo_json);
+ − 3171 }
+ − 3172 catch ( Exception $e )
+ − 3173 {
+ − 3174 return array(
+ − 3175 'mode' => 'error',
+ − 3176 'error' => 'ERR_USERINFO_DECODE_FAILED'
+ − 3177 );
+ − 3178 }
+ − 3179
+ − 3180 if ( !isset($userinfo['username']) || !isset($userinfo['password']) )
+ − 3181 {
+ − 3182 return array(
+ − 3183 'mode' => 'error',
+ − 3184 'error' => 'ERR_USERINFO_MISSING_VALUES'
+ − 3185 );
+ − 3186 }
+ − 3187
+ − 3188 $username =& $userinfo['username'];
+ − 3189 $password =& $userinfo['password'];
+ − 3190
+ − 3191 // attempt the login
+ − 3192 // function login_without_crypto($username, $password, $already_md5ed = false, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
+ − 3193 $login_result = $this->login_without_crypto($username, $password, false, intval($req['level']), @$req['captcha_hash'], @$req['captcha_code']);
+ − 3194
+ − 3195 if ( $login_result['success'] )
+ − 3196 {
+ − 3197 return array(
+ − 3198 'mode' => 'login_success',
+ − 3199 'key' => ( $this->sid_super ) ? $this->sid_super : false
+ − 3200 );
+ − 3201 }
+ − 3202 else
+ − 3203 {
+ − 3204 return array(
+ − 3205 'mode' => 'login_failure',
+ − 3206 'error_code' => $login_result['error'],
+ − 3207 // Use this to provide a way to respawn the login box
+ − 3208 'respawn_info' => $this->process_login_request(array('mode' => 'getkey'))
+ − 3209 );
+ − 3210 }
+ − 3211
+ − 3212 break;
+ − 3213 }
+ − 3214
+ − 3215 }
+ − 3216
1
+ − 3217 }
+ − 3218
+ − 3219 /**
+ − 3220 * Class used to fetch permissions for a specific page. Used internally by SessionManager.
+ − 3221 * @package Enano
+ − 3222 * @subpackage Session manager
+ − 3223 * @license http://www.gnu.org/copyleft/gpl.html
+ − 3224 * @access private
+ − 3225 */
+ − 3226
+ − 3227 class Session_ACLPageInfo {
+ − 3228
+ − 3229 /**
+ − 3230 * The page ID of this ACL info package
+ − 3231 * @var string
+ − 3232 */
+ − 3233
+ − 3234 var $page_id;
+ − 3235
+ − 3236 /**
+ − 3237 * The namespace of the page being checked
+ − 3238 * @var string
+ − 3239 */
+ − 3240
+ − 3241 var $namespace;
+ − 3242
+ − 3243 /**
+ − 3244 * Our list of permission types.
+ − 3245 * @access private
+ − 3246 * @var array
+ − 3247 */
+ − 3248
+ − 3249 var $acl_types = Array();
+ − 3250
+ − 3251 /**
+ − 3252 * The list of descriptions for the permission types
+ − 3253 * @var array
+ − 3254 */
+ − 3255
+ − 3256 var $acl_descs = Array();
+ − 3257
+ − 3258 /**
+ − 3259 * A list of dependencies for ACL types.
+ − 3260 * @var array
+ − 3261 */
+ − 3262
+ − 3263 var $acl_deps = Array();
+ − 3264
+ − 3265 /**
246
+ − 3266 * Our tell-all list of permissions. Do not even try to change this.
+ − 3267 * @access private
1
+ − 3268 * @var array
+ − 3269 */
+ − 3270
+ − 3271 var $perms = Array();
+ − 3272
+ − 3273 /**
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3274 * Array to track which default permissions are being used
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3275 * @var array
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3276 * @access private
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3277 */
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3278
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3279 var $acl_defaults_used = Array();
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3280
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3281 /**
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3282 * Tracks whether Wiki Mode is on for the page we're operating on.
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3283 * @var bool
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3284 */
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3285
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3286 var $wiki_mode = false;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3287
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3288 /**
1
+ − 3289 * Constructor.
+ − 3290 * @param string $page_id The ID of the page to check
+ − 3291 * @param string $namespace The namespace of the page to check.
+ − 3292 * @param array $acl_types List of ACL types
+ − 3293 * @param array $acl_descs List of human-readable descriptions for permissions (associative)
+ − 3294 * @param array $acl_deps List of dependencies for permissions. For example, viewing history/diffs depends on the ability to read the page.
+ − 3295 * @param array $base What to start with - this is an attempt to reduce the number of SQL queries.
+ − 3296 */
+ − 3297
+ − 3298 function Session_ACLPageInfo($page_id, $namespace, $acl_types, $acl_descs, $acl_deps, $base)
+ − 3299 {
+ − 3300 global $db, $session, $paths, $template, $plugins; // Common objects
+ − 3301
+ − 3302 $this->acl_deps = $acl_deps;
+ − 3303 $this->acl_types = $acl_types;
+ − 3304 $this->acl_descs = $acl_descs;
+ − 3305
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3306 $this->perms = $acl_types;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3307 $this->perms = $session->acl_merge_complete($this->perms, $base);
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3308
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3309 // PAGE group info
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3310 $pg_list = $paths->get_page_groups($page_id, $namespace);
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3311 $pg_info = '';
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3312 foreach ( $pg_list as $g_id )
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3313 {
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3314 $pg_info .= ' ( page_id=\'' . $g_id . '\' AND namespace=\'__PageGroup\' ) OR';
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3315 }
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
diff
changeset
+ − 3316
1
+ − 3317 // Build a query to grab ACL info
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 3318 $bs = 'SELECT rules,target_type,target_id FROM '.table_prefix.'acl WHERE ' . "\n"
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 3319 . ' ( ';
1
+ − 3320 $q = Array();
+ − 3321 $q[] = '( target_type='.ACL_TYPE_USER.' AND target_id='.$session->user_id.' )';
+ − 3322 if(count($session->groups) > 0)
+ − 3323 {
+ − 3324 foreach($session->groups as $g_id => $g_name)
+ − 3325 {
+ − 3326 $q[] = '( target_type='.ACL_TYPE_GROUP.' AND target_id='.intval($g_id).' )';
+ − 3327 }
+ − 3328 }
+ − 3329 // The reason we're using an ORDER BY statement here is because ACL_TYPE_GROUP is less than ACL_TYPE_USER, causing the user's individual
+ − 3330 // permissions to override group permissions.
286
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
diff
changeset
+ − 3331 $bs .= implode(" OR\n ", $q) . ' ) AND (' . $pg_info . ' page_id=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\' )
1
+ − 3332 ORDER BY target_type ASC, page_id ASC, namespace ASC;';
+ − 3333 $q = $session->sql($bs);
+ − 3334 if ( $row = $db->fetchrow() )
+ − 3335 {
+ − 3336 do {
+ − 3337 $rules = $session->string_to_perm($row['rules']);
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3338 $is_everyone = ( $row['target_type'] == ACL_TYPE_GROUP && $row['target_id'] == 1 );
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3339 $this->acl_merge_with_current($rules, $is_everyone);
1
+ − 3340 } while ( $row = $db->fetchrow() );
+ − 3341 }
+ − 3342
+ − 3343 $this->page_id = $page_id;
+ − 3344 $this->namespace = $namespace;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3345
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3346 $pathskey = $paths->nslist[$this->namespace].$this->page_id;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3347 $ppwm = 2;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3348 if ( isset($paths->pages[$pathskey]) )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3349 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3350 if ( isset($paths->pages[$pathskey]['wiki_mode']) )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3351 $ppwm = $paths->pages[$pathskey]['wiki_mode'];
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3352 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3353 if ( $ppwm == 1 && ( $session->user_logged_in || getConfig('wiki_mode_require_login') != '1' ) )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3354 $this->wiki_mode = true;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3355 else if ( $ppwm == 1 && !$session->user_logged_in && getConfig('wiki_mode_require_login') == '1' )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3356 $this->wiki_mode = true;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3357 else if ( $ppwm == 0 )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3358 $this->wiki_mode = false;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3359 else if ( $ppwm == 2 )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3360 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3361 if ( $session->user_logged_in )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3362 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3363 $this->wiki_mode = ( getConfig('wiki_mode') == '1' );
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3364 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3365 else
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3366 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3367 $this->wiki_mode = ( getConfig('wiki_mode') == '1' && getConfig('wiki_mode_require_login') != '1' );
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3368 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3369 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3370 else
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3371 {
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3372 // Ech. Internal logic failure, this should never happen.
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3373 return false;
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3374 }
1
+ − 3375 }
+ − 3376
+ − 3377 /**
+ − 3378 * Tells us whether permission $type is allowed or not based on the current rules.
+ − 3379 * @param string $type The permission identifier ($acl_type passed to sessionManager::register_acl_type())
+ − 3380 * @param bool $no_deps If true, disables dependency checking
+ − 3381 * @return bool True if allowed, false if denied or if an error occured
+ − 3382 */
+ − 3383
+ − 3384 function get_permissions($type, $no_deps = false)
+ − 3385 {
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3386 // echo '<pre>' . print_r($this->perms, true) . '</pre>';
1
+ − 3387 global $db, $session, $paths, $template, $plugins; // Common objects
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3388
1
+ − 3389 if ( isset( $this->perms[$type] ) )
+ − 3390 {
+ − 3391 if ( $this->perms[$type] == AUTH_DENY )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3392 {
1
+ − 3393 $ret = false;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3394 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3395 else if ( $this->perms[$type] == AUTH_WIKIMODE && $this->wiki_mode )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3396 {
1
+ − 3397 $ret = true;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3398 }
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3399 else if ( $this->perms[$type] == AUTH_WIKIMODE && !$this->wiki_mode )
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3400 {
1
+ − 3401 $ret = false;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3402 }
1
+ − 3403 else if ( $this->perms[$type] == AUTH_ALLOW )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3404 {
1
+ − 3405 $ret = true;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3406 }
1
+ − 3407 else if ( $this->perms[$type] == AUTH_DISALLOW )
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3408 {
1
+ − 3409 $ret = false;
338
915d399dfdbf
Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
Dan
diff
changeset
+ − 3410 }
1
+ − 3411 }
+ − 3412 else if(isset($this->acl_types[$type]))
+ − 3413 {
+ − 3414 if ( $this->acl_types[$type] == AUTH_DENY )
+ − 3415 $ret = false;
+ − 3416 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && $paths->wiki_mode )
+ − 3417 $ret = true;
+ − 3418 else if ( $this->acl_types[$type] == AUTH_WIKIMODE && !$paths->wiki_mode )
+ − 3419 $ret = false;
+ − 3420 else if ( $this->acl_types[$type] == AUTH_ALLOW )
+ − 3421 $ret = true;
+ − 3422 else if ( $this->acl_types[$type] == AUTH_DISALLOW )
+ − 3423 $ret = false;
+ − 3424 }
+ − 3425 else
+ − 3426 {
+ − 3427 // ACL type is undefined
+ − 3428 trigger_error('Unknown access type "' . $type . '"', E_USER_WARNING);
+ − 3429 return false; // Be on the safe side and deny access
+ − 3430 }
+ − 3431 if ( !$no_deps )
+ − 3432 {
+ − 3433 if ( !$this->acl_check_deps($type) )
+ − 3434 return false;
+ − 3435 }
+ − 3436 return $ret;
+ − 3437 }
+ − 3438
+ − 3439 /**
+ − 3440 * Tell us if the dependencies for a given permission are met.
+ − 3441 * @param string The ACL permission ID
+ − 3442 * @return bool
+ − 3443 */
+ − 3444
+ − 3445 function acl_check_deps($type)
+ − 3446 {
+ − 3447 if(!isset($this->acl_deps[$type])) // This will only happen if the permissions table is hacked or improperly accessed
+ − 3448 return true;
+ − 3449 if(sizeof($this->acl_deps[$type]) < 1)
+ − 3450 return true;
+ − 3451 $deps = $this->acl_deps[$type];
+ − 3452 while(true)
+ − 3453 {
+ − 3454 $full_resolved = true;
+ − 3455 $j = sizeof($deps);
+ − 3456 for ( $i = 0; $i < $j; $i++ )
+ − 3457 {
+ − 3458 $b = $deps;
+ − 3459 $deps = array_merge($deps, $this->acl_deps[$deps[$i]]);
+ − 3460 if( $b == $deps )
+ − 3461 {
+ − 3462 break 2;
+ − 3463 }
+ − 3464 $j = sizeof($deps);
+ − 3465 }
+ − 3466 }
+ − 3467 //die('<pre>'.print_r($deps, true).'</pre>');
+ − 3468 foreach($deps as $d)
+ − 3469 {
+ − 3470 if ( !$this->get_permissions($d) )
+ − 3471 {
+ − 3472 return false;
+ − 3473 }
+ − 3474 }
+ − 3475 return true;
+ − 3476 }
+ − 3477
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3478 /**
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3479 * Merges the ACL array sent with the current permissions table, deciding precedence based on whether defaults are in effect or not.
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3480 * @param array The array to merge into the master ACL list
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3481 * @param bool If true, $perm is treated as the "new default"
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3482 * @param int 1 if this is a site-wide ACL, 2 if page-specific. Defaults to 2.
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3483 */
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3484
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3485 function acl_merge_with_current($perm, $is_everyone = false, $scope = 2)
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3486 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3487 foreach ( $this->perms as $i => $p )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3488 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3489 if ( isset($perm[$i]) )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3490 {
377
bb3e6c3bd4f4
Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
Dan
diff
changeset
+ − 3491 if ( $is_everyone && !@$this->acl_defaults_used[$i] )
72
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3492 continue;
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3493 // Decide precedence
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3494 if ( isset($this->acl_defaults_used[$i]) )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3495 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3496 //echo "$i: default in use, overriding to: {$perm[$i]}<br />";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3497 // Defaults are in use, override
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3498 $this->perms[$i] = $perm[$i];
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3499 $this->acl_defaults_used[$i] = ( $is_everyone );
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3500 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3501 else
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3502 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3503 //echo "$i: default NOT in use";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3504 // Defaults are not in use, merge as normal
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3505 if ( $this->perms[$i] != AUTH_DENY )
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3506 {
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3507 //echo ", but overriding";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3508 $this->perms[$i] = $perm[$i];
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3509 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3510 //echo "<br />";
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3511 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3512 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3513 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3514 }
bda11e521e8a
Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl()
Dan
diff
changeset
+ − 3515
1
+ − 3516 }
+ − 3517
+ − 3518 ?>