<?php

/*

Plugin Name: Special user/login-related pages

Plugin URI: http://enanocms.org/

Description: Provides the pages Special:Login, Special:Logout, Special:Register, and Special:Preferences.

Author: Dan Fuhry

Author URI: http://enanocms.org/

*/

/*

 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between

 * Copyright (C) 2006-2007 Dan Fuhry

 *

 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License

 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied

 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.

 */

global $db, $session, $paths, $template, $plugins; // Common objects

$plugins->attachHook('base_classes_initted', '

  global $paths;

    $paths->add_page(Array(

      \'name\'=>\'Log in\',

      \'urlname\'=>\'Login\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Log out\',

      \'urlname\'=>\'Logout\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Register\',

      \'urlname\'=>\'Register\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Edit Profile\',

      \'urlname\'=>\'Preferences\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Contributions\',

      \'urlname\'=>\'Contributions\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Change style\',

      \'urlname\'=>\'ChangeStyle\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Activate user account\',

      \'urlname\'=>\'ActivateAccount\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Captcha\',

      \'urlname\'=>\'Captcha\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Forgot password\',

      \'urlname\'=>\'PasswordReset\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    $paths->add_page(Array(

      \'name\'=>\'Member list\',

      \'urlname\'=>\'Memberlist\',

      \'namespace\'=>\'Special\',

      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',

      ));

    ');

// function names are IMPORTANT!!! The name pattern is: page_<namespace ID>_<page URLname, without namespace>

$__login_status = '';

function page_Special_Login()

{

  global $db, $session, $paths, $template, $plugins; // Common objects

  global $__login_status;

  $pubkey = $session->rijndael_genkey();

  $challenge = $session->dss_rand();

  if ( isset($_GET['act']) && $_GET['act'] == 'getkey' )

  {

    $username = ( $session->user_logged_in ) ? $session->username : false;

    $response = Array(

      'username' => $username,

      'key' => $pubkey,

      'challenge' => $challenge

      );

    $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);

    $response = $json->encode($response);

    echo $response;

    return null;

  }

  $level = ( isset($_GET['level']) && in_array($_GET['level'], array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9') ) ) ? intval($_GET['level']) : USER_LEVEL_MEMBER;

  if ( isset($_POST['login']) )

  {

    if ( in_array($_POST['auth_level'], array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9') ) )

    {

      $level = intval($_POST['auth_level']);

    }

  }

  if ( $level > USER_LEVEL_MEMBER && !$session->user_logged_in )

  {

    $level = USER_LEVEL_MEMBER;

  }

  if ( $level <= USER_LEVEL_MEMBER && $session->user_logged_in )

    $paths->main_page();

  $template->header();

  echo '<form action="'.makeUrl($paths->nslist['Special'].'Login').'" method="post" name="loginform" onsubmit="runEncryption();">';

  $header = ( $level > USER_LEVEL_MEMBER ) ? 'Please re-enter your login details' : 'Please enter your username and password to log in.';

  if ( isset($_POST['login']) )

  {

    echo '<p>'.$__login_status.'</p>';

  }

  if ( $p = $paths->getAllParams() )

  {

    echo '<input type="hidden" name="return_to" value="'.$p.'" />';

  }

  else if ( isset($_POST['login']) && isset($_POST['return_to']) )

  {

    echo '<input type="hidden" name="return_to" value="'.htmlspecialchars($_POST['return_to']).'" />';

  }

  ?>

    <div class="tblholder">

      <table border="0" style="width: 100%;" cellspacing="1" cellpadding="4">

        <tr>

          <th colspan="3"><?php echo $header; ?></th>

        </tr>

        <tr>

          <td colspan="3" class="row1">

            <?php

            if ( $level <= USER_LEVEL_MEMBER )

            {

              echo '<p>Logging in enables you to use your preferences and access member information. If you don\'t have a username and password here, you can <a href="'.makeUrl($paths->nslist['Special'].'Register').'">create an account</a>.</p>';

            }

            else

            {

              echo '<p>You are requesting that a sensitive operation be performed. To continue, please re-enter your password to confirm your identity.</p>';

            }

            ?>

          </td>

        </tr>

        <tr>

          <td class="row2">

            Username:

          </td>

          <td class="row1">

            <input name="username" size="25" type="text" <?php

              if ( $level <= USER_LEVEL_MEMBER )

              {

                echo 'tabindex="1" ';

              }

              else

              {

                echo 'tabindex="3" ';

              }

              if ( $session->user_logged_in )

              {

                echo 'value="' . $session->username . '"';

              }

              ?> />

          </td>

          <?php if ( $level <= USER_LEVEL_MEMBER ) { ?>

          <td rowspan="2" class="row3">

            <small>Forgot your password? <a href="<?php echo makeUrlNS('Special', 'PasswordReset'); ?>">No problem.</a><br />

            Maybe you need to <a href="<?php echo makeUrlNS('Special', 'Register'); ?>">create an account</a>.</small>

          </td>

          <?php } ?>

        </tr>

        <tr>

          <td class="row2">Password:<br /></td><td class="row1"><input name="pass" size="25" type="password" tabindex="<?php echo ( $level <= USER_LEVEL_MEMBER ) ? '2' : '1'; ?>" /></td>

         </tr>

         <?php if ( $level <= USER_LEVEL_MEMBER && ( !isset($_GET['use_crypt']) || ( isset($_GET['use_crypt']) && $_GET['use_crypt'] != '0' ) ) ) { ?>

         <tr>

           <td class="row3" colspan="3">

             <p><b>Important note regarding cryptography:</b> Some countries do not allow the import or use of cryptographic technology. If you live in one of the countries listed below, you should <a href="<?php if($p=$paths->getParam(0))$u='/'.$p;else $u='';echo makeUrl($paths->page.$u, 'level='.$level.'&use_crypt=0', true); ?>">log in without using encryption</a>.</p>

             <p>This restriction applies to the following countries: Belarus, China, India, Israel, Kazakhstan, Mongolia, Pakistan, Russia, Saudi Arabia, Singapore, Tunisia, Venezuela, and Vietnam.</p>

           </td>

         </tr>

         <?php } else if ( isset($_GET['use_crypt']) && $_GET['use_crypt'] == '0' && $level <= USER_LEVEL_MEMBER ) { ?>

         <tr>

           <td class="row3" colspan="3">

             <p><b>Encrypted logon has been disabled.</b> Unless you live in a country where encryption technology is illegal, you should <a href="<?php if($p=$paths->getParam(0))$u='/'.$p;else $u='';echo makeUrl($paths->page.$u, 'level='.$level.'&use_crypt=1', true); ?>">use encryption when you log on</a> to help protect against password sniffing.</p>

           </td>

         </tr>

         <?php } ?>

         <tr>

           <th colspan="3" style="text-align: center" class="subhead"><input type="submit" name="login" value="Log in" tabindex="<?php echo ( $level <= USER_LEVEL_MEMBER ) ? '3' : '2'; ?>" /></th>

         </tr>

      </table>

    </div>

      <input type="hidden" name="challenge_data" value="<?php echo $challenge; ?>" />

      <input type="hidden" name="use_crypt" value="no" />

      <input type="hidden" name="crypt_key" value="<?php echo $pubkey; ?>" />

      <input type="hidden" name="crypt_data" value="" />

      <input type="hidden" name="auth_level" value="<?php echo (string)$level; ?>" />

      <?php if ( $level <= USER_LEVEL_MEMBER ): ?>

      <script type="text/javascript">

        document.forms.loginform.username.focus();

      </script>

      <?php else: ?>

      <script type="text/javascript">

        document.forms.loginform.pass.focus();

      </script>

      <?php endif; ?>

    </form>

    <?php

      echo $session->aes_javascript('loginform', 'pass', 'use_crypt', 'crypt_key', 'crypt_data', 'challenge_data');

    ?>

  <?php

  $template->footer();

}

function page_Special_Login_preloader() // adding _preloader to the end of the function name calls the function before $session and $paths setup routines are called

{

  global $db, $session, $paths, $template, $plugins; // Common objects

  global $__login_status;

  if ( isset($_GET['act']) && $_GET['act'] == 'ajaxlogin' )

  {

    $plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);');

    $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);

    $data = $json->decode($_POST['params']);

    $level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER;

    $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level);

    $session->start();

    //echo "$result\n$session->sid_super";

    //exit;

    if ( $result == 'success' )

    {

      $response = Array(

          'result' => 'success',

          'key' => $session->sid_super // ( ( $session->sid_super ) ? $session->sid_super : $session->sid )

        );

    }

    else

    {

      $response = Array(

          'result' => 'error',

          'error' => $result

        );

    }

    $response = $json->encode($response);

    echo $response;

    $db->close();

    exit;

  }

  if(isset($_POST['login'])) {

    if($_POST['use_crypt'] == 'yes')

    {

      $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']));

    }

    else

    {

      $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']));

    }

    $session->start();

    $paths->init();

    if($result == 'success')

    {

      $template->load_theme($session->theme, $session->style);

      if(isset($_POST['return_to']))

      {

        $name = ( isset($paths->pages[$_POST['return_to']]['name']) ) ? $paths->pages[$_POST['return_to']]['name'] : $_POST['return_to'];

        redirect( makeUrl($_POST['return_to'], false, true), 'Login successful', 'You have successfully logged into the '.getConfig('site_name').' site as "'.$session->username.'". Redirecting to ' . $name . '...' );

      }

      else

      {

        redirect( makeUrl(getConfig('main_page'), false, true), 'Login successful', 'You have successfully logged into the '.getConfig('site_name').' site as "'.$session->username.'". Redirecting to the main page...' );

      }

    }

    else

    {

      $GLOBALS['__login_status'] = $result;

    }

  }

}

function SpecialLogin_SendResponse_PasswordReset($user_id, $passkey)

{

  $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);

  $response = Array(

      'result' => 'success_reset',

      'user_id' => $user_id,

      'temppass' => $passkey

    );

  $response = $json->encode($response);

  echo $response;

  $db->close();

  exit;

}

function page_Special_Logout() {

  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->user_logged_in )

    $paths->main_page();

  $l = $session->logout();

  if ( $l == 'success' )

  {

    redirect(makeUrl(getConfig('main_page'), false, true), 'Logged out', 'You have been successfully logged out, and all cookies have been cleared. You will now be transferred to the main page.', 4);

  }

  $template->header();

  echo '<h3>An error occurred during the logout process.</h3><p>'.$l.'</p>';

  $template->footer();

}

function page_Special_Register()

{

  global $db, $session, $paths, $template, $plugins; // Common objects

  // form field trackers

  $username = '';

  $email = '';

  $realname = '';

  if(getConfig('account_activation') == 'disable' && ( ( $session->user_level >= USER_LEVEL_ADMIN && !isset($_GET['IWannaPlayToo']) ) || $session->user_level < USER_LEVEL_ADMIN || !$session->user_logged_in ))

  {

    $s = ($session->user_level >= USER_LEVEL_ADMIN) ? '<p>Oops...it seems that you <em>are</em> the administrator...hehe...you can also <a href="'.makeUrl($paths->page, 'IWannaPlayToo', true).'">force account registration to work</a>.</p>' : '';

    die_friendly('Registration disabled', '<p>The administrator has disabled new user registration on this site.</p>' . $s);

  }

  if ( $session->user_level < USER_LEVEL_ADMIN && $session->user_logged_in )

  {

    $paths->main_page();

  }

  if(isset($_POST['submit'])) 

  {

    $_GET['coppa'] = ( isset($_POST['coppa']) ) ? $_POST['coppa'] : 'x';

    $captcharesult = $session->get_captcha($_POST['captchahash']);

    $session->kill_captcha();

    if($captcharesult != $_POST['captchacode'])

    {

      $s = 'The confirmation code you entered was incorrect.';

    }

    else

    {

      if ( getConfig('enable_coppa') == '1' && ( !isset($_POST['coppa']) || ( isset($_POST['coppa']) && !in_array($_POST['coppa'], array('yes', 'no')) ) ) )

      {

        $s = 'Invalid COPPA input';

      }

      else

      {

        $coppa = ( isset($_POST['coppa']) && $_POST['coppa'] == 'yes' );

        $s = false;

        // decrypt password

        // as with the change pass form, we aren't going to bother checking the confirmation code because if the passwords didn't match

        // and yet the password got encrypted, that means the user screwed with the code, and if the user screwed with the code and thus

        // forgot his password, that's his problem.

        if ( $_POST['use_crypt'] == 'yes' )

        {

          $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);

          $crypt_key = $session->fetch_public_key($_POST['crypt_key']);

          if ( !$crypt_key )

          {

            $s = 'Couldn\'t look up public encryption key';

          }

          else

          {

            $data = $_POST['crypt_data'];

            $bin_key = hexdecode($crypt_key);

            //die("Decrypting with params: key $crypt_key, data $data");

            $password = $aes->decrypt($data, $bin_key, ENC_HEX);

          }

        }

        else

        {

          $password = $_POST['password'];

        }

        // CAPTCHA code was correct, create the account

        // ... and check for errors returned from the crypto API

        if ( !$s )

          $s = $session->create_user($_POST['username'], $password, $_POST['email'], $_POST['real_name'], $coppa);

      }

    }

    if($s == 'success' && !$coppa)

    {

      switch(getConfig('account_activation'))

      {

        case "none":

        default:

          $str = 'You may now <a href="'.makeUrlNS('Special', 'Login').'">log in</a> with the username and password that you created.';

          break;

        case "user":

          $str = 'Because this site requires account activation, you have been sent an e-mail with further instructions. Please follow the instructions in that e-mail to continue your registration.';

          break;

        case "admin":

          $str = 'Because this site requires administrative account activation, you cannot use your account at the moment. A notice has been sent to the site administration team that will alert them that your account has been created.';

          break;

      }

      die_friendly('Registration successful', '<p>Thank you for registering, your user account has been created. '.$str.'</p>');

    }

    else if ( $s == 'success' && $coppa )

    {

      $str = 'However, in compliance with the Childrens\' Online Privacy Protection Act, you must have your parent or legal guardian activate your account. Please ask them to check their e-mail for further information.';

      die_friendly('Registration successful', '<p>Thank you for registering, your user account has been created. '.$str.'</p>');

    }

    $username = htmlspecialchars($_POST['username']);

    $email    = htmlspecialchars($_POST['email']);

    $realname = htmlspecialchars($_POST['real_name']);

  }

  $template->header();

  echo 'A user account enables you to have greater control over your browsing experience.';

  if ( getConfig('enable_coppa') != '1' || ( isset($_GET['coppa']) && in_array($_GET['coppa'], array('yes', 'no')) ) )

  {

    $coppa = ( isset($_GET['coppa']) && $_GET['coppa'] == 'yes' );

    $session->kill_captcha();

    $captchacode = $session->make_captcha();

    $pubkey = $session->rijndael_genkey();

    $challenge = $session->dss_rand();

    ?>

      <h3>Create a user account</h3>

      <form name="regform" action="<?php echo makeUrl($paths->page); ?>" method="post" onsubmit="runEncryption();">

        <div class="tblholder">

          <table border="0" width="100%" cellspacing="1" cellpadding="4">

            <tr><th class="subhead" colspan="3">Please tell us a little bit about yourself.</th></tr>

            <?php if(isset($_POST['submit'])) echo '<tr><td colspan="3" class="row2" style="color: red;">'.$s.'</td></tr>'; ?>

            <!-- FIELD: Username -->

            <tr>

              <td class="row1" style="width: 50%;">

                Preferred username:

                <span id="e_username"></span>

              </td>

              <td class="row1" style="width: 50%;">

                <input tabindex="1" type="text" name="username" size="30" value="<?php echo $username; ?>" onkeyup="namegood = false; validateForm();" onblur="checkUsername();" />

              </td>

              <td class="row1" style="max-width: 24px;">

                <img alt="Good/bad icon" src="<?php echo scriptPath; ?>/images/bad.gif" id="s_username" />

              </td>

            </tr>

            <!-- FIELD: Password -->

            <tr>

              <td class="row3" style="width: 50%;" rowspan="<?php echo ( getConfig('pw_strength_enable') == '1' ) ? '3' : '2'; ?>">

                Password:

                <span id="e_password"></span>

                <?php if ( getConfig('pw_strength_enable') == '1' && getConfig('pw_strength_minimum') > -10 ): ?>

                <small>It needs to score at least <b><?php echo getConfig('pw_strength_minimum'); ?></b> for your registration to be accepted.</small>

                <?php endif; ?>

              </td>

              <td class="row3" style="width: 50%;">

                <input tabindex="2" type="password" name="password" size="15" onkeyup="<?php if ( getConfig('pw_strength_enable') == '1' ): ?>password_score_field(this); <?php endif; ?>validateForm();" /><?php if ( getConfig('pw_strength_enable') == '1' ): ?><span class="password-checker" style="font-weight: bold; color: #aaaaaa;"> Loading...</span><?php endif; ?>

              </td>

              <td rowspan="<?php echo ( getConfig('pw_strength_enable') == '1' ) ? '3' : '2'; ?>" class="row3" style="max-width: 24px;">

                <img alt="Good/bad icon" src="<?php echo scriptPath; ?>/images/bad.gif" id="s_password" />

              </td>

            </tr>

            <!-- FIELD: Password confirmation -->

            <tr>

              <td class="row3" style="width: 50%;">

                <input tabindex="3" type="password" name="password_confirm" size="15" onkeyup="validateForm();" /> <small>Enter your password again to confirm.</small>

              </td>

            </tr>

            <!-- FIELD: Password strength meter -->

            <?php if ( getConfig('pw_strength_enable') == '1' ): ?>

            <tr>

              <td class="row3" style="width: 50%;">

                <div id="pwmeter"></div>

              </td>

            </tr>

            <?php endif; ?>

            <!-- FIELD: E-mail address -->

            <tr>

              <td class="row1" style="width: 50%;">

                <?php

                  if ( $coppa ) echo 'Your parent or guardian\'s e'; 

                  else echo 'E';