includes/sessions.php
changeset 345 4ccdfeee9a11
parent 340 993fb077944f
child 359 e0787bb6285b
344:be6c5fdd9203 345:4ccdfeee9a11
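--- a/includes/sessions.php
+++ b/includes/sessions.php
@@ -322,17 +322,19 @@
       $db->free_result();
     }
   }
 
   /**
-   * PHP 4 compatible constructor.
+   * PHP 4 compatible constructor. Deprecated in 1.1.x.
    */
 
+  /*
   function sessionManager()
   {
     $this->__construct();
   }
+  */
 
   /**
    * Wrapper function to sanitize strings for MySQL and HTML
    * @param string $text The text to sanitize
    * @return string
@@ -591,11 +593,11 @@
       if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
       {
         // policy is captcha -- check if it's correct, and if so, bypass lockout check
         $real_code = $this->get_captcha($captcha_hash);
       }
-      if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+      if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && strtolower($real_code) == strtolower($captcha_code) ) )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
         $timestamp_cutoff = time() - $duration;
         $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
         $fails = $db->numrows();
@@ -666,13 +668,13 @@
     $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
     if($db->numrows() < 1)
     {
       // This wasn't logged in <1.0.2, dunno how it slipped through
       if($level > USER_LEVEL_MEMBER)
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
 
       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
         // increment fail count
@@ -756,13 +758,13 @@
         $this->user_id = intval($row['user_id']);
         $this->theme = $row['theme'];
         $this->style = $row['style'];
 
         if($level > USER_LEVEL_MEMBER)
-          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
         else
-          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
 
         $code = $plugins->setHook('login_success');
         foreach ( $code as $cmd )
         {
           eval($cmd);
@@ -778,13 +780,13 @@
         );
     }
     else
     {
       if($level > USER_LEVEL_MEMBER)
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
 
       // Do we also need to increment the lockout countdown?
       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
@@ -884,13 +886,13 @@
     $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.$this->prepare_text(strtolower($username)).'\';');
     if($db->numrows() < 1)
     {
       // This wasn't logged in <1.0.2, dunno how it slipped through
       if($level > USER_LEVEL_MEMBER)
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
 
       // Do we also need to increment the lockout countdown?
       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
@@ -966,13 +968,13 @@
         );
       $sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level);
       if($sess)
       {
         if($level > USER_LEVEL_MEMBER)
-          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
         else
-          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+          $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
 
         $code = $plugins->setHook('login_success');
         foreach ( $code as $cmd )
         {
           eval($cmd);
@@ -989,13 +991,13 @@
         );
     }
     else
     {
       if($level > USER_LEVEL_MEMBER)
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
-        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
 
       // Do we also need to increment the lockout countdown?
       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
@@ -2044,11 +2046,11 @@
    */
 
   function admin_activation_request($u)
   {
     global $db;
-    $this->sql('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, author, edit_summary) VALUES(\'admin\', \'activ_req\', '.time().', \''.date('d M Y h:i a').'\', \''.$this->username.'\', \''.$db->escape($u).'\');');
+    $this->sql('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, author, edit_summary) VALUES(\'admin\', \'activ_req\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$this->username.'\', \''.$db->escape($u).'\');');
   }
 
   /**
    * Activates a user account. If the action fails, a report is sent to the admin.
    * @param string $user The username of the user requesting activation
@@ -2060,15 +2062,15 @@
     global $db, $session, $paths, $template, $plugins; // Common objects
     $this->sql('UPDATE '.table_prefix.'users SET account_active=1 WHERE username=\''.$db->escape($user).'\' AND activation_key=\''.$db->escape($key).'\';');
     $r = mysql_affected_rows();
     if ( $r > 0 )
     {
-      $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_good\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
+      $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
     }
     else
     {
-      $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
+      $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
     }
     return $r;
   }
 
   /**
@@ -2547,10 +2549,12 @@
   function perm_to_string($perms)
   {
     $s = '';
     foreach($perms as $perm => $ac)
     {
+      if ( $ac == 'i' )
+        continue;
       $s .= "$perm=$ac;";
     }
     return $s;
   }
 
@@ -2590,10 +2594,35 @@
       }
       // else
       // {
       //   $ret[$type] = $level;
       // }
+    }
+    return $ret;
+  }
+
+  /**
+   * Merges two ACL arrays, but instead of calculating inheritance for missing permission types, just returns 'i' for that type. Useful
+   * for explicitly requiring inheritance in ACL editing interfaces
+   * @param array $perm1 The first set of permissions
+   * @param array $perm2 The second, authoritative set of permissions
+   */
+
+  function acl_merge_inherit($perm1, $perm2)
+  {
+    foreach ( $perm1 as $type => $level )
+    {
+      $perm1[$type][$level] = 'i';
+    }
+    $ret = $perm1;
+    foreach ( $perm2 as $type => $level )
+    {
+      if ( isset( $ret[$type] ) )
+      {
+        if ( $ret[$type] != AUTH_DENY )
+          $ret[$type] = $level;
+      }
     }
     return $ret;
   }
 
   /**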
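Review bot: In the new acl_merge_inherit (new lines 2610-2623) the first loop writes `$perm1[$type][$level] = 'i';`, which indexes into the existing level value rather than replacing it, so the per-type entry is never reset to 'i' as the docblock promises (on an integer level this is presumably a no-op with a "cannot use a scalar value as an array" warning; on a string level it becomes a string-offset write). The intended statement appears to be `$perm1[$type] = 'i';`, and since these arrays drive the ACL editor it is worth fixing before the 'i' marker is relied on downstream, e.g. by the new `continue` in perm_to_string. Once that is fixed the `$ret[$type] != AUTH_DENY` guard in the second loop can never see a deny from $perm1, so either the guard is dead code or the docblock should state that a deny in $perm1 is meant to override the "authoritative" $perm2; pick one and say so. Separately, the captcha comparison on new line 598 still uses loose `==` on attacker-controlled input; `strtolower($real_code) === strtolower($captcha_code)` avoids PHP's numeric-string coercion for all-digit codes.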