# HG changeset patch
# User Dan
# Date 1192931053 14400
# Node ID ebe99e82a59ac6e1518c189302a0333f42bd6b0b
# Parent 9dbbec5e6096c6a3b18db93cf8be1682db5d2f48
# Parent 9237767a23ae2181da59467ef6f4bd7e96396722
Merging in changes from stable
diff -r 9237767a23ae -r ebe99e82a59a .hgtags
--- a/.hgtags Sat Oct 20 11:11:40 2007 -0400
+++ b/.hgtags Sat Oct 20 21:44:13 2007 -0400
@@ -5,3 +5,4 @@
6f0bbf88c3251ca597cb76ac8b59a1ee61d6dd3d rebrand
0b5244001799fa29e83bf06c5f14eb69350f171c rebrand
42c6c83b8a004163c9cc2d85f3c8eada3b73adf6 rebrand
+d53cc29308f4f4b97fc6d054e9e0855f37137409 rebrand
diff -r 9237767a23ae -r ebe99e82a59a ajax.php
--- a/ajax.php Sat Oct 20 11:11:40 2007 -0400
+++ b/ajax.php Sat Oct 20 21:44:13 2007 -0400
@@ -2,7 +2,7 @@
/*
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
- * Version 1.0.2 (Coblynau)
+ * Version 1.1.1
* Copyright (C) 2006-2007 Dan Fuhry
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
@@ -33,50 +33,35 @@
define('ENANO_ROOT', dirname($filename));
require(ENANO_ROOT.'/includes/functions.php');
require(ENANO_ROOT.'/includes/dbal.php');
- require(ENANO_ROOT.'/includes/json.php');
$db = new mysql();
$db->connect();
- // result is sent using JSON
- $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
- $return = Array(
- 'mode' => 'success',
- 'users_real' => Array()
- );
-
- // should be connected to the DB now
+ // should be connected now
$name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false;
if ( !$name )
{
- $return = array(
- 'mode' => 'error',
- 'error' => 'Invalid URI'
- );
- die( $json->encode($return) );
+ die('userlist = new Array(); errorstring=\'Invalid URI\'');
}
- $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1';
- $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;');
+ $q = $db->sql_query('SELECT username,user_id FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\');');
if ( !$q )
{
- $return = array(
- 'mode' => 'error',
- 'error' => 'MySQL error selecting username data: '.addslashes(mysql_error())
- );
- die( $json->encode($return) );
+ die('userlist = new Array(); errorstring=\'MySQL error selecting username data: '.addslashes(mysql_error()).'\'');
}
+ if($db->numrows() < 1)
+ {
+ die('userlist = new Array(); errorstring=\'No usernames found\';');
+ }
+ echo 'var errorstring = false; userlist = new Array();';
$i = 0;
while($r = $db->fetchrow())
{
- $return['users_real'][] = $r['username'];
+ echo "userlist[$i] = '".addslashes($r['username'])."'; ";
$i++;
}
$db->free_result();
// all done! :-)
$db->close();
-
- echo $json->encode( $return );
-
exit;
}
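Review bot: The username list on the new side is emitted as executable JavaScript with only addslashes() applied (the echo at line 73 and the die() strings at lines 50 and 62), and addslashes() leaves line terminators and close-tag sequences untouched, so a username containing a newline or a `</script>` fragment breaks the generated script or, if this output is ever inlined, the page; the JSON encoding this hunk removes did not have that weakness. The failed-query branch at line 62 also sends the raw mysql_error() text to the browser — log it server-side and return a fixed message instead. If the JSON library is unavailable on this branch, encode each value with a JS-safe encoder (`json_encode` where the PHP version provides it) rather than addslashes(). Minor: the die() strings at lines 50 and 62 lack the terminating `;` that line 66 has, and `user_id` is now selected at line 54 but never read.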
diff -r 9237767a23ae -r ebe99e82a59a includes/captcha.php
--- a/includes/captcha.php Sat Oct 20 11:11:40 2007 -0400
+++ b/includes/captcha.php Sat Oct 20 21:44:13 2007 -0400
@@ -1,7 +1,8 @@
For security reasons, Enano mandates that high-privilege logins last only 15 minutes, with the time being reset each time a page is loaded (or, more specifically, each time the session API is started). The consequence of this is that if you are performing an action in the administration panel that takes more than 15 minutes, your session may be terminated. The keep-alive feature attempts to relieve this by sending a "ping" to the server every 10 minutes.
Please note that keep-alive state is determined by a cookie. Thus, if you log out and then back in as a different administrator, keep-alive will use the same setting that was used when you were logged in as the first administrative user. In the same way, if you log into the administration panel under your account from another computer, keep-alive will be set to "off".
For more information:
Overview of Enano'+"'"+'s security model');
}
+function ajaxShowCaptcha(code)
+{
+ var mydiv = document.createElement('div');
+ mydiv.style.backgroundColor = '#FFFFFF';
+ mydiv.style.padding = '10px';
+ mydiv.style.position = 'absolute';
+ mydiv.style.top = '0px';
+ mydiv.id = 'autoCaptcha';
+ var img = document.createElement('img');
+ img.onload = function()
+ {
+ if ( this.loaded )
+ return true;
+ var mydiv = document.getElementById('autoCaptcha');
+ var width = getWidth();
+ var divw = $(mydiv).Width();
+ var left = ( width / 2 ) - ( divw / 2 );
+ mydiv.style.left = left + 'px';
+ fly_in_top(mydiv, false, true);
+ this.loaded = true;
+ };
+ img.src = makeUrlNS('Special', 'Captcha/' + code);
+ img.onclick = function() { this.src = this.src + '/a'; };
+ img.style.cursor = 'pointer';
+ mydiv.appendChild(img);
+ domObjChangeOpac(0, mydiv);
+ var body = document.getElementsByTagName('body')[0];
+ body.appendChild(mydiv);
+}
+
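Review bot: ajaxShowCaptcha creates a fresh `div` with id `autoCaptcha` on every call without checking for an existing one, so if it is invoked again before the previous element is removed the page holds duplicate ids and the later `getElementById('autoCaptcha')` lookups in the `onload` handler act on whichever element comes first. Add `if ( document.getElementById('autoCaptcha') ) return;` at the top of the function, or remove the stale element before appending the new one. The click handler `this.src = this.src + '/a';` appends a new segment on every click, so the image URL grows without bound; replacing or toggling the suffix does the same reload job. This hunk is JavaScript although the file header attributes it to includes/captcha.php, and the helpers it calls (`getWidth`, `fly_in_top`, `domObjChangeOpac`, `makeUrlNS`) are defined outside it.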
diff -r 9237767a23ae -r ebe99e82a59a includes/clientside/static/misc.js
--- a/includes/clientside/static/misc.js Sat Oct 20 11:11:40 2007 -0400
+++ b/includes/clientside/static/misc.js Sat Oct 20 21:44:13 2007 -0400
@@ -302,6 +302,51 @@
var ajax_auth_mb_cache = false;
var ajax_auth_level_cache = false;
var ajax_auth_error_string = false;
+var ajax_auth_show_captcha = false;
+
+function ajaxAuthErrorToString($data)
+{
+ var $errstring = $data.error;
+ // this was literally copied straight from the PHP code.
+ switch($data.error)
+ {
+ case 'key_not_found':
+ $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.';
+ break;
+ case 'key_wrong_length':
+ $errstring = 'The encryption key was the wrong length.';
+ break;
+ case 'too_big_for_britches':
+ $errstring = 'You are trying to authenticate at a level that your user account does not permit.';
+ break;
+ case 'invalid_credentials':
+ $errstring = 'You have entered an invalid username or password. Please enter your login details again.';
+ if ( $data.lockout_policy == 'lockout' )
+ {
+ $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will be locked out from logging in for '+$data['lockout_duration']+' minutes.';
+ }
+ else if ( $data.lockout_policy == 'captcha' )
+ {
+ $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will have to enter a visual confirmation code before logging in, effective for '+$data['lockout_duration']+' minutes.';
+ }
+ break;
+ case 'backend_fail':
+ $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. This is an internal problem with the site and you are encouraged to contact site administration.';
+ break;
+ case 'locked_out':
+ $attempts = parseInt($data['lockout_fails']);
+ if ( $attempts > $data['lockout_threshold'])
+ $attempts = $data['lockout_threshold'];
+ $time_rem = $data.time_rem;
+ $s = ( $time_rem == 1 ) ? '' : 's';
+ $errstring = "You have used up all "+$data['lockout_threshold']+" allowed login attempts. Please wait "+$time_rem+" minute"+$s+" before attempting to log in again";
+ if ( $data['lockout_policy'] == 'captcha' )
+ $errstring += ', or enter the visual confirmation code shown above in the appropriate box';
+ $errstring += '.';
+ break;
+ }
+ return $errstring;
+}
function ajaxPromptAdminAuth(call_on_ok, level)
{
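Review bot: In ajaxAuthErrorToString, `$attempts`, `$time_rem` and `$s` (lines 162–166) are assigned without `var`, so they become implicit globals, and `$attempts` is computed and clamped but never used in the message that follows. `parseInt($data['lockout_fails'])` has no radix; use `var $attempts = parseInt($data['lockout_fails'], 10);` and likewise `var $time_rem = $data.time_rem;` and `var $s = ( $time_rem == 1 ) ? '' : 's';`. The function also returns the raw `$data.error` code for any value the switch does not recognise; where that string is later placed into the form HTML (outside this hunk), confirm it is escaped or that the code set is fixed on the server side.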
@@ -320,6 +365,17 @@
var title = ( level > USER_LEVEL_MEMBER ) ? 'You are requesting a sensitive operation.' : 'Please enter your username and password to continue.';
ajax_auth_mb_cache = new messagebox(MB_OKCANCEL|MB_ICONLOCK, title, loading_win);
ajax_auth_mb_cache.onbeforeclick['OK'] = ajaxValidateLogin;
+ ajax_auth_mb_cache.onbeforeclick['Cancel'] = function()
+ {
+ if ( document.getElementById('autoCaptcha') )
+ {
+ var to = fly_out_top(document.getElementById('autoCaptcha'), false, true);
+ setTimeout(function() {
+ var d = document.getElementById('autoCaptcha');
+ d.parentNode.removeChild(d);
+ }, to);
+ }
+ }
ajaxAuthLoginInnerSetup();
}
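Review bot: The Cancel handler's delayed removal at lines 186–189 dereferences `d.parentNode` without checking that `autoCaptcha` still exists; if the element was removed in the meantime, `d` is null and the timer callback throws. The same fly-out-then-remove sequence is repeated verbatim in the ajaxValidateLogin hunk further down (the `@@ -412,6 +514,15 @@` hunk), so it is worth one guarded helper used from both places. The function expression assigned at line 181 also lacks a terminating `;` after its closing brace at line 191.
```javascript
// Fly out and remove the floating captcha, if one is currently shown.
function ajaxAuthRemoveCaptcha()
{
  var d = document.getElementById('autoCaptcha');
  if ( !d )
    return;
  var to = fly_out_top(d, false, true);
  setTimeout(function() {
    var d = document.getElementById('autoCaptcha');
    if ( d && d.parentNode )
      d.parentNode.removeChild(d);
  }, to);
}

// … unchanged: messagebox construction …
  ajax_auth_mb_cache.onbeforeclick['Cancel'] = ajaxAuthRemoveCaptcha;
```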
@@ -335,6 +391,20 @@
return false;
}
response = parseJSON(response);
+ var disable_controls = false;
+ if ( response.locked_out && !ajax_auth_error_string )
+ {
+ response.error = 'locked_out';
+ ajax_auth_error_string = ajaxAuthErrorToString(response);
+ if ( response.lockout_policy == 'captcha' )
+ {
+ ajax_auth_show_captcha = response.captcha;
+ }
+ else
+ {
+ disable_controls = true;
+ }
+ }
var level = ajax_auth_level_cache;
var form_html = '';
var shown_error = false;
@@ -348,14 +418,28 @@
{
form_html += 'Please re-enter your login details, to verify your identity.
';
}
+ if ( ajax_auth_show_captcha )
+ {
+ var captcha_html = ' \
+ \
+ ';
+ }
+ else
+ {
+ var captcha_html = '';
+ }
+ var disableme = ( disable_controls ) ? 'disabled="disabled" ' : '';
form_html += ' \
Code in image: \
+ \
+
Username: | \ + | Username: | \ |
Password: | \ + | Password: | \ |
\
Trouble logging in? Try the full login form. '; @@ -383,8 +467,21 @@ { $('ajaxlogin_user').object.focus(); } - $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; - $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + if ( ajax_auth_show_captcha ) + { + $('ajaxlogin_captcha_code').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_captcha_code').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + } + else + { + $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + } + if ( disable_controls ) + { + var panel = document.getElementById('messageBoxButtons'); + panel.firstChild.disabled = true; + } /* ## This causes the background image to disappear under Fx 2 if ( shown_error ) @@ -398,6 +495,11 @@ fader.start(); } */ + if ( ajax_auth_show_captcha ) + { + ajaxShowCaptcha(ajax_auth_show_captcha); + ajax_auth_show_captcha = false; + } } }); } @@ -412,6 +514,15 @@ password = document.getElementById('ajaxlogin_pass').value; auth_enabled = false; + if ( document.getElementById('autoCaptcha') ) + { + var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); + setTimeout(function() { + var d = document.getElementById('autoCaptcha'); + d.parentNode.removeChild(d); + }, to); + } + disableJSONExts(); // 
@@ -467,6 +578,12 @@ 'level' : ajax_auth_level_cache }; + if ( document.getElementById('ajaxlogin_captcha_hash') ) + { + json_data.captcha_hash = document.getElementById('ajaxlogin_captcha_hash').value; + json_data.captcha_code = document.getElementById('ajaxlogin_captcha_code').value; + } + json_data = toJSONString(json_data); json_data = encodeURIComponent(json_data); @@ -509,18 +626,23 @@ } break; case 'error': - if ( response.error == 'The username and/or password is incorrect.' ) + if ( response.data.error == 'invalid_credentials' || response.data.error == 'locked_out' ) { - ajax_auth_error_string = response.error; + ajax_auth_error_string = ajaxAuthErrorToString(response.data); mb_current_obj.updateContent(''); document.getElementById('messageBox').style.backgroundColor = '#C0C0C0'; var mb_parent = document.getElementById('messageBox').parentNode; new Spry.Effect.Shake(mb_parent, {duration: 1500}).start(); setTimeout("document.getElementById('messageBox').style.backgroundColor = '#FFF'; ajaxAuthLoginInnerSetup();", 2500); + + if ( response.data.lockout_policy == 'captcha' && response.data.error == 'locked_out' ) + { + ajax_auth_show_captcha = response.captcha; + } } else { - alert(response.error); + ajax_auth_error_string = ajaxAuthErrorToString(response.data); ajaxAuthLoginInnerSetup(); } break; diff -r 9237767a23ae -r ebe99e82a59a includes/comment.php --- a/includes/comment.php Sat Oct 20 11:11:40 2007 -0400 +++ b/includes/comment.php Sat Oct 20 21:44:13 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9237767a23ae -r ebe99e82a59a includes/common.php --- a/includes/common.php Sat Oct 20 11:11:40 2007 -0400 
+++ b/includes/common.php Sat Oct 20 21:44:13 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -23,7 +23,7 @@ exit; } -$version = '1.0.2'; +$version = '1.1.1'; function microtime_float() { @@ -68,9 +68,6 @@ if ( file_exists( ENANO_ROOT . '/_nightly.php') ) require(ENANO_ROOT.'/_nightly.php'); -// List of scheduled tasks -$cron_tasks = array(); - // Start including files. LOTS of files. Yeah! require_once(ENANO_ROOT.'/includes/constants.php'); dc_here('Enano CMS '.$version.' (dev) - debug window Powered by debugConsole'); diff -r 9237767a23ae -r ebe99e82a59a includes/constants.php --- a/includes/constants.php Sat Oct 20 11:11:40 2007 -0400 +++ b/includes/constants.php Sat Oct 20 21:44:13 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * constants.php - important defines used Enano-wide * @@ -70,7 +70,7 @@ define('MAX_PMS_PER_BATCH', 7); // The maximum number of users that users can send PMs to in one go; restriction does not apply to users with mod_misc rights define('SEARCH_RESULTS_PER_PAGE', 10); define('MYSQL_MAX_PACKET_SIZE', 1048576); // 1MB; this is the default in MySQL 4.x I think -define('SEARCH_MODE', 'FULLTEXT'); // Can be FULLTEXT or BUILTIN +define('SEARCH_MODE', 'BUILTIN'); // Can be FULLTEXT or BUILTIN // Sidebar diff -r 9237767a23ae -r ebe99e82a59a includes/dbal.php --- a/includes/dbal.php Sat Oct 20 11:11:40 2007 -0400 +++ b/includes/dbal.php Sat Oct 20 21:44:13 2007 -0400 
@@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9237767a23ae -r ebe99e82a59a includes/email.php --- a/includes/email.php Sat Oct 20 11:11:40 2007 -0400 +++ b/includes/email.php Sat Oct 20 21:44:13 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9237767a23ae -r ebe99e82a59a includes/functions.php --- a/includes/functions.php Sat Oct 20 11:11:40 2007 -0400 +++ b/includes/functions.php Sat Oct 20 21:44:13 2007 -0400 @@ -2796,7 +2796,7 @@ $strip_tags = implode('|', $strip_tags); // Strip out the tags and replace with placeholders - preg_match_all("#<($strip_tags)([ ]+.*?)?>(.*?)($strip_tags)>#is", $html, $matches); + preg_match_all("#<($strip_tags)(.*?)>(.*?)($strip_tags)>#is", $html, $matches); $seed = md5(microtime() . mt_rand()); // Random value used for placeholders for ($i = 0;$i < sizeof($matches[1]); $i++) { @@ -2804,7 +2804,7 @@ } // Optimize (but don't obfuscate) Javascript - preg_match_all('/'; } ?> @@ -2979,7 +3026,7 @@ echo ' $_GET[\'side\'] contained an SQL injection attempt ';
break;
}
- $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';');
+ $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$query)
{
echo $db->get_error();
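Review bot: Replacing `intval($_GET['id'])` with `$db->escape($_GET['id'])` at line 245 weakens the query rather than hardening it: the value is concatenated into an unquoted numeric position, and escape() only neutralises quote and backslash characters, so any non-numeric input that contains no quotes reaches the SQL verbatim. The same substitution is made at lines 254, 263, 287, 296, 305, 314 and 321. The "Already checked for injection attempts" comment refers to a check outside these hunks that I cannot see; even so, an integer column should be fed a cast value, e.g. `$item_id = intval($_GET['id']);` once at the top of the enclosing switch (which starts outside this hunk) and `$item_id` in each query.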
@@ -2989,7 +3036,7 @@
echo 'Item moved. ';
break;
case 'delete':
- $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-)
+ $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-)
if(!$query)
{
echo $db->get_error();
@@ -3004,7 +3051,7 @@
echo 'Item deleted. ';
break;
case 'disenable';
- $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
+ $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$q)
{
echo $db->get_error();
@@ -3014,22 +3061,7 @@
$r = $db->fetchrow();
$db->free_result();
$e = ( $r['item_enabled'] == 1 ) ? '0' : '1';
- $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';');
- if(!$q)
- {
- echo $db->get_error();
- $template->footer();
- exit;
- }
- if(isset($_GET['ajax']))
- {
- ob_end_clean();
- die('GOOD');
- }
- break;
- case 'rename';
- $newname = $db->escape($_POST['newname']);
- $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_name=\''.$newname.'\' WHERE item_id=' . intval($_GET['id']) . ';');
+ $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$q)
{
echo $db->get_error();
@@ -3043,7 +3075,7 @@
}
break;
case 'getsource':
- $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
+ $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$q)
{
echo $db->get_error();
@@ -3059,7 +3091,7 @@
case 'save':
if ( defined('ENANO_DEMO_MODE') )
{
- $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
+ $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$q)
{
echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
@@ -3075,13 +3107,13 @@
$_POST['content'] = sanitize_html($_POST['content'], true);
}
}
- $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';');
+ $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$q)
{
echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
exit;
}
- $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
+ $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
if(!$q)
{
echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
@@ -3173,8 +3205,6 @@
$parser = $template->makeParserText($vars['sidebar_section']);
$c = $template->tplWikiFormat($row['block_content'], false, 'sidebar-editor.tpl');
$c = preg_replace('#(.*?)#is', '\\2', $c);
- // fix for the "Administration" link that somehow didn't get rendered properly
- $c = preg_replace("/(^|\n)([ ]*)(.+)<\/a>()([\r\n]+|$)/isU", '\\1\\2 '.$__login_status.' '; + $errstring = $__login_status['error']; + switch($__login_status['error']) + { + case 'key_not_found': + $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; + break; + case 'key_wrong_length': + $errstring = 'The encryption key was the wrong length.'; + break; + case 'too_big_for_britches': + $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; + break; + case 'invalid_credentials': + $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; + if ( $__login_status['lockout_policy'] == 'lockout' ) + { + $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will be locked out from logging in for '.$__login_status['lockout_duration'].' minutes.'; + } + else if ( $__login_status['lockout_policy'] == 'captcha' ) + { + $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will have to enter a visual confirmation code before logging in, effective for '.$__login_status['lockout_duration'].' minutes.'; + } + break; + case 'backend_fail': + $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. 
This is an internal problem with the site and you are encouraged to contact site administration.'; + break; + case 'locked_out': + $attempts = intval($__login_status['lockout_fails']); + if ( $attempts > $__login_status['lockout_threshold']) + $attempts = $__login_status['lockout_threshold']; + + $server_time = time(); + $time_rem = $__login_status['lockout_duration'] - round( ( $server_time - $__login_status['lockout_last_time'] ) / 60 ); + + $s = ( $time_rem == 1 ) ? '' : 's'; + $errstring = "You have used up all {$__login_status['lockout_threshold']} allowed login attempts. Please wait {$time_rem} minute$s before attempting to log in again"; + if ( $__login_status['lockout_policy'] == 'captcha' ) + $errstring .= ', or enter the visual confirmation code shown above in the appropriate box'; + $errstring .= '.'; + break; + } + echo ''.$errstring.' ';
}
if ( $p = $paths->getAllParams() )
{
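Review bot: In the `invalid_credentials` branch of the new error-string switch, the two messages read `$data['lockout_threshold']` while every other field comes from `$__login_status`; `$data` does not appear to be assigned in this block (it looks like a leftover from the JavaScript copy of this switch in misc.js, which uses `$data`), so the sentence will render with an empty count and an undefined-variable notice. Change both occurrences to `$__login_status['lockout_threshold']`. As in the JS version, `$attempts` is computed and clamped in the `locked_out` branch but never used. The hunk's `@@` header and the start of the enclosing function lie inside the collapsed line above, so the surrounding context is not visible here.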
@@ -189,7 +276,7 @@
?> />
|
- + |
Forgot your password? No problem. Maybe you need to create an account. |
@@ -198,6 +285,21 @@
|
Password: | |||
Code in image: | + | ||
+ + | +|||
@@ -242,12 +344,12 @@
$plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);');
$json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
$data = $json->decode($_POST['params']);
+ $captcha_hash = ( isset($data['captcha_hash']) ) ? $data['captcha_hash'] : false;
+ $captcha_code = ( isset($data['captcha_code']) ) ? $data['captcha_code'] : false;
$level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER;
- $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level);
+ $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level, $captcha_hash, $captcha_code);
$session->start();
- //echo "$result\n$session->sid_super";
- //exit;
- if ( $result == 'success' )
+ if ( $result['success'] )
{
$response = Array(
'result' => 'success',
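Review bot: `$captcha_hash` and `$captcha_code` at lines 349–350 are taken from the decoded JSON and passed straight into `login_with_crypto()` with no type or format check, so a non-string or arbitrarily long value reaches whatever lookup the hash keys; the `$_POST` variants at lines 384–385 have the same gap. Validate at this boundary, e.g. `$captcha_hash = ( isset($data['captcha_hash']) && is_string($data['captcha_hash']) && preg_match('/^<CAPTCHA_HASH_PATTERN>$/', $data['captcha_hash']) ) ? $data['captcha_hash'] : false;`, with the pattern taken from the format `make_captcha()` actually produces (not visible in this patch), and similarly restrict the code to a short printable string. `login_with_crypto()` itself is not part of this patch, so I cannot confirm whether it performs this validation internally.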
@@ -256,9 +358,16 @@
}
else
{
+ $captcha = '';
+ if ( $result['error'] == 'locked_out' && $result['lockout_policy'] == 'captcha' )
+ {
+ $session->kill_captcha();
+ $captcha = $session->make_captcha();
+ }
$response = Array(
'result' => 'error',
- 'error' => $result
+ 'data' => $result,
+ 'captcha' => $captcha
);
}
$response = $json->encode($response);
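Review bot: The error response now returns the whole `$result` array to the client as `data` (line 375), whereas the old code sent only the error string; any field `login_with_crypto()` places in that array — timestamps such as a last-attempt time, thresholds, or internal diagnostics — is exposed to an unauthenticated caller. Copy only the fields the client-side formatter reads (`error`, `lockout_policy`, `lockout_fails`, `lockout_threshold`, `lockout_duration`, `time_rem`) into the response instead of passing the array through. `$result['error']` at line 367 is also read without checking that `$result` is an array; see the note on the form-POST hunk below for the same concern at line 399.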
@@ -267,17 +376,19 @@
exit;
}
if(isset($_POST['login'])) {
+ $captcha_hash = ( isset($_POST['captcha_hash']) ) ? $_POST['captcha_hash'] : false;
+ $captcha_code = ( isset($_POST['captcha_code']) ) ? $_POST['captcha_code'] : false;
if($_POST['use_crypt'] == 'yes')
{
- $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']));
+ $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']), $captcha_hash, $captcha_code);
}
else
{
- $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']));
+ $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']), $captcha_hash, $captcha_code);
}
$session->start();
$paths->init();
- if($result == 'success')
+ if($result['success'])
{
$template->load_theme($session->theme, $session->style);
if(isset($_POST['return_to']))
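Review bot: `$result['success']` at line 399 (and at line 358 in the JSON handler) indexes the return value without checking that it is an array; the old code compared against the string 'success', and the session methods are not part of this patch, so if any code path still returns a string, the PHP 5 string-offset read yields its first character, which is truthy for every non-empty string and would treat an error return as a successful login. Guard it: `if ( is_array($result) && !empty($result['success']) )`. Lines 384–385 forward `$_POST['captcha_hash']` and `$_POST['captcha_code']` raw, the same missing validation as the JSON handler's lines 349–350.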
diff -r 9237767a23ae -r ebe99e82a59a plugins/admin/PageGroups.php
--- a/plugins/admin/PageGroups.php Sat Oct 20 11:11:40 2007 -0400
+++ b/plugins/admin/PageGroups.php Sat Oct 20 21:44:13 2007 -0400
@@ -2,7 +2,7 @@
/*
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
- * Version 1.0.2 (Coblynau)
+ * Version 1.1.1
* Copyright (C) 2006-2007 Dan Fuhry
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
@@ -602,23 +602,6 @@
echo ' The affecting tag was updated. ';
}
}
- else if ( $_POST['pg_type'] == PAGE_GRP_REGEX )
- {
- $target = $_POST['pg_target'];
- if ( empty($target) )
- {
- echo 'Please enter an expression to match against.. ';
- }
- else
- {
- $target = $db->escape($target);
- $q = $db->sql_query('UPDATE '.table_prefix.'page_groups SET pg_target=\'' . $target . '\' WHERE pg_id=' . $edit_id . ';');
- if ( !$q )
- $db->_die();
- else
- echo 'The expression to match against was updated. ';
- }
- }
else if ( $_POST['pg_type'] == PAGE_GRP_CATLINK )
{
$target = $_POST['pg_target'];
@@ -877,22 +860,6 @@
|
|||
- Regular expression to use: - Be sure to include the starting and ending delimiters and any flags you might need. - These pages might help: Pattern modifiers • - Pattern syntax - Examples: /^(Special|Admin):/i • /^Image:([0-9]+)$/ - Developers, remember that this will be matched against the full page identifier string. This means that /^About_Enano$/ - will NOT match the page Special:About_Enano. - |
- - - | -Login failed. Bad password? | ';
+ echo '|
Login failed: '. $result['error'] . ' | |||