changeset 832 | 7152ca0a0ce9 |
parent 826 | dcf5381ce8ba |
child 843 | 4415e50e4e84 |
831:45e887f23282 | 832:7152ca0a0ce9 |
714 . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';") ) |
714 . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';") ) |
715 { |
715 { |
716 $this->sql('SELECT password,\'\' AS password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n" |
716 $this->sql('SELECT password,\'\' AS password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n" |
717 . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';"); |
717 . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';"); |
718 } |
718 } |
719 if($db->numrows() < 1) |
719 if ( $db->numrows() < 1 ) |
720 { |
720 { |
721 // This wasn't logged in <1.0.2, dunno how it slipped through |
721 // This wasn't logged in <1.0.2, dunno how it slipped through |
722 if($level > USER_LEVEL_MEMBER) |
722 if ( $level > USER_LEVEL_MEMBER ) |
723 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
723 $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
724 . ' (\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', ' |
|
725 . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
|
724 else |
726 else |
725 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
727 $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary) VALUES\n" |
728 . ' (\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', ' |
|
729 . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
|
726 |
730 |
727 // Do we also need to increment the lockout countdown? |
731 // Do we also need to increment the lockout countdown? |
728 if ( @$policy != 'disable' && !defined('IN_ENANO_INSTALL') ) |
732 if ( @$policy != 'disable' && !defined('IN_ENANO_INSTALL') ) |
729 { |
733 { |
730 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
734 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
781 $this->sql('UPDATE '.table_prefix."users SET password = '$password_hmac', password_salt = '$hmac_secret', old_encryption = 0 WHERE user_id={$row['user_id']};"); |
785 $this->sql('UPDATE '.table_prefix."users SET password = '$password_hmac', password_salt = '$hmac_secret', old_encryption = 0 WHERE user_id={$row['user_id']};"); |
782 } |
786 } |
783 $success = true; |
787 $success = true; |
784 } |
788 } |
785 } |
789 } |
786 else if ( $row['old_encryption'] == 2 || defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) |
790 else if ( $row['old_encryption'] == 2 || ( defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) ) |
787 { |
791 { |
788 // Our password field uses the 1.0RC1-1.1.5 encryption format |
792 // Our password field uses the 1.0RC1-1.1.5 encryption format |
789 $real_pass = $aes->decrypt($row['password'], $this->private_key); |
793 $real_pass = $aes->decrypt($row['password'], $this->private_key); |
790 if($password === $real_pass) |
794 if($password === $real_pass) |
791 { |
795 { |
918 |
922 |
919 // Random key identifier |
923 // Random key identifier |
920 $salt = ''; |
924 $salt = ''; |
921 for ( $i = 0; $i < 32; $i++ ) |
925 for ( $i = 0; $i < 32; $i++ ) |
922 { |
926 { |
923 $salt .= chr(mt_rand(32, 127)); |
927 $salt .= chr(mt_rand(32, 126)); |
924 } |
928 } |
925 |
929 |
926 // Session key |
930 // Session key |
927 if ( defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) |
931 if ( defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) |
928 { |
932 { |
944 } |
948 } |
945 else |
949 else |
946 { |
950 { |
947 // Stash it in a cookie |
951 // Stash it in a cookie |
948 // For now, make the cookie last forever, we can change this in 1.1.x |
952 // For now, make the cookie last forever, we can change this in 1.1.x |
949 setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ) ); |
953 setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, $GLOBALS['is_https']); |
950 $_COOKIE['sid'] = $session_key; |
954 $_COOKIE['sid'] = $session_key; |
951 } |
955 } |
952 // $keyhash is stored in the database, this is for compatibility with the older DB structure |
956 // $keyhash is stored in the database, this is for compatibility with the older DB structure |
953 $keyhash = md5($session_key); |
957 $keyhash = md5($session_key); |
954 // Record the user's IP |
958 // Record the user's IP |
1352 else |
1356 else |
1353 { |
1357 { |
1354 if($this->user_logged_in) |
1358 if($this->user_logged_in) |
1355 { |
1359 { |
1356 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); |
1360 $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); |
1357 // See if we can get rid of the cached decrypted session key |
|
1358 $key_bin = hex2bin($this->sid); |
|
1359 $key_hash = sha1($key_bin . '::' . $this->private_key); |
|
1360 aes_decrypt_cache_destroy($key_hash); |
|
1361 // Completely destroy our session |
1361 // Completely destroy our session |
1362 if($this->auth_level > USER_LEVEL_CHPREF) |
1362 if($this->auth_level > USER_LEVEL_CHPREF) |
1363 { |
1363 { |
1364 $this->logout(USER_LEVEL_ADMIN); |
1364 $this->logout(USER_LEVEL_ADMIN); |
1365 } |
1365 } |
1809 { |
1809 { |
1810 return $lang->get('user_reg_err_password_too_weak'); |
1810 return $lang->get('user_reg_err_password_too_weak'); |
1811 } |
1811 } |
1812 } |
1812 } |
1813 |
1813 |
1814 $password = $aes->encrypt($password, $this->private_key, ENC_HEX); |
|
1815 |
|
1816 // Require the account to be activated? |
1814 // Require the account to be activated? |
1817 switch(getConfig('account_activation')) |
1815 switch(getConfig('account_activation')) |
1818 { |
1816 { |
1819 case 'none': |
1817 case 'none': |
1820 default: |
1818 default: |
1834 |
1832 |
1835 // Generate a totally random activation key |
1833 // Generate a totally random activation key |
1836 $actkey = sha1 ( microtime() . mt_rand() ); |
1834 $actkey = sha1 ( microtime() . mt_rand() ); |
1837 |
1835 |
1838 // We good, create the user |
1836 // We good, create the user |
1839 $this->sql('INSERT INTO '.table_prefix.'users ( username, password, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$password.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );'); |
1837 $this->sql('INSERT INTO '.table_prefix.'users ( username, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );'); |
1840 |
1838 |
1841 // Get user ID and create users_extra entry |
1839 // Get user ID and create users_extra entry |
1842 $q = $this->sql('SELECT user_id FROM '.table_prefix."users WHERE username='$username';"); |
1840 $q = $this->sql('SELECT user_id FROM '.table_prefix."users WHERE username='$username';"); |
1843 if ( $db->numrows() > 0 ) |
1841 if ( $db->numrows() > 0 ) |
1844 { |
1842 { |
1845 list($user_id) = $db->fetchrow_num(); |
1843 list($user_id) = $db->fetchrow_num(); |
1846 $db->free_result(); |
1844 $db->free_result(); |
1847 |
1845 |
1848 $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');'); |
1846 $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');'); |
1849 } |
1847 } |
1848 |
|
1849 // Set the password |
|
1850 $this->set_password($user_id, $password); |
|
1850 |
1851 |
1851 // Config option added, 1.1.5 |
1852 // Config option added, 1.1.5 |
1852 if ( getConfig('userpage_grant_acl', '1') == '1' ) |
1853 if ( getConfig('userpage_grant_acl', '1') == '1' ) |
1853 { |
1854 { |
1854 // Grant edit and very limited mod access to the userpage |
1855 // Grant edit and very limited mod access to the userpage |
1877 } |
1878 } |
1878 |
1879 |
1879 // Require the account to be activated? |
1880 // Require the account to be activated? |
1880 if ( $coppa ) |
1881 if ( $coppa ) |
1881 { |
1882 { |
1882 $this->admin_activation_request($username); |
1883 $this->admin_activation_request($user_orig); |
1883 $this->send_coppa_mail($username,$email); |
1884 $this->send_coppa_mail($user_orig, $email); |
1884 } |
1885 } |
1885 else |
1886 else |
1886 { |
1887 { |
1887 switch(getConfig('account_activation')) |
1888 switch(getConfig('account_activation')) |
1888 { |
1889 { |
1889 case 'none': |
1890 case 'none': |
1890 default: |
1891 default: |
1891 break; |
1892 break; |
1892 case 'user': |
1893 case 'user': |
1893 $a = $this->send_activation_mail($username); |
1894 $a = $this->send_activation_mail($user_orig); |
1894 if(!$a) |
1895 if(!$a) |
1895 { |
1896 { |
1896 $this->admin_activation_request($username); |
1897 $this->admin_activation_request($user_orig); |
1897 return $lang->get('user_reg_err_actmail_failed') . ' ' . $a; |
1898 return $lang->get('user_reg_err_actmail_failed') . ' ' . $a; |
1898 } |
1899 } |
1899 break; |
1900 break; |
1900 case 'admin': |
1901 case 'admin': |
1901 $this->admin_activation_request($username); |
1902 $this->admin_activation_request($user_orig); |
1902 break; |
1903 break; |
1903 } |
1904 } |
1904 } |
1905 } |
1905 |
1906 |
1906 // Leave some data behind for the hook |
1907 // Leave some data behind for the hook |
1907 $code = $plugins->setHook('user_registered'); // , Array('username'=>$username)); |
1908 $code = $plugins->setHook('user_registered'); |
1908 foreach ( $code as $cmd ) |
1909 foreach ( $code as $cmd ) |
1909 { |
1910 { |
1910 eval($cmd); |
1911 eval($cmd); |
1911 } |
1912 } |
1912 |
1913 |
1913 // $this->register_session($username, $password); |
1914 // Uncomment to automatically log the user in (WARNING: commented out for a reason - doesn't consider activation and other things) |
1915 // $this->register_session($user_orig, $password); |
|
1914 return 'success'; |
1916 return 'success'; |
1915 } |
1917 } |
1916 |
1918 |
1917 /** |
1919 /** |
1918 * Attempts to send an e-mail to the specified user with activation instructions. |
1920 * Attempts to send an e-mail to the specified user with activation instructions. |
1922 |
1924 |
1923 function send_activation_mail($u, $actkey = false) |
1925 function send_activation_mail($u, $actkey = false) |
1924 { |
1926 { |
1925 global $db, $session, $paths, $template, $plugins; // Common objects |
1927 global $db, $session, $paths, $template, $plugins; // Common objects |
1926 global $lang; |
1928 global $lang; |
1927 $q = $this->sql('SELECT username,email FROM '.table_prefix.'users WHERE user_id=2 OR user_level=' . USER_LEVEL_ADMIN . ' ORDER BY user_id ASC;'); |
|
1928 $un = $db->fetchrow(); |
|
1929 $admin_user = $un['username']; |
|
1930 $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';'); |
1929 $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';'); |
1931 $r = $db->fetchrow(); |
1930 $r = $db->fetchrow(); |
1932 if ( empty($r['email']) ) |
1931 if ( empty($r['email']) ) |
1933 $db->_die('BUG: $session->send_activation_mail(): no e-mail address in row'); |
1932 $db->_die('BUG: $session->send_activation_mail(): no e-mail address in row'); |
1934 |
1933 |
1935 $aklink = makeUrlComplete('Special', 'ActivateAccount/'.str_replace(' ', '_', $u).'/'. ( ( is_string($actkey) ) ? $actkey : $r['activation_key'] ) ); |
1934 $aklink = makeUrlComplete('Special', 'ActivateAccount/'.str_replace(' ', '_', $u).'/'. ( ( is_string($actkey) ) ? $actkey : $r['activation_key'] ) ); |
1936 $message = $lang->get('user_reg_activation_email', array( |
1935 $message = $lang->get('user_reg_activation_email', array( |
1937 'activation_link' => $aklink, |
1936 'activation_link' => $aklink, |
1938 'admin_user' => $admin_user, |
|
1939 'username' => $u |
1937 'username' => $u |
1940 )); |
1938 )); |
1941 |
1939 |
1942 if(getConfig('smtp_enabled') == '1') |
1940 if ( getConfig('smtp_enabled') == '1' ) |
1943 { |
1941 { |
1944 $result = smtp_send_email($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email')); |
1942 $result = smtp_send_email($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), getConfig('contact_email')); |
1945 if($result == 'success') $result = true; |
1943 if ( $result == 'success' ) |
1946 else { echo $result; $result = false; } |
1944 { |
1947 } else { |
1945 $result = true; |
1946 } |
|
1947 else |
|
1948 { |
|
1949 echo $result; |
|
1950 $result = false; |
|
1951 } |
|
1952 } |
|
1953 else |
|
1954 { |
|
1948 $result = mail($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email')); |
1955 $result = mail($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?<!\r)\n#s", "\n", $message), 'From: '.getConfig('contact_email')); |
1949 } |
1956 } |
1950 return $result; |
1957 return $result; |
1951 } |
1958 } |
1952 |
1959 |
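Review bot: On new line 1850 `$this->set_password($user_id, $password);` runs after the `if ( $db->numrows() > 0 )` block that is the only place `$user_id` is assigned, so when the lookup on new line 1840 returns no row the call is made with an undefined user id instead of being skipped, which the old in-block flow could not do because the password went in with the INSERT. Since the INSERT on new line 1837 no longer writes the password column, a row created here holds whatever the column default is until set_password succeeds, so that failure path leaves an account with no credential set by this code. I would move the set_password call inside the block, directly after the users_extra INSERT, and fail loudly on the missing row in the same style this file already uses in send_activation_mail: `else { $db->_die('BUG: user row not found after INSERT'); }`. Whether set_password itself rejects a null user id cannot be seen from this page, and the enclosing registration function begins before the hunk.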