includes/sessions.php
changeset 1081 745200a9cc2a
parent 1079 fcc42560afe6
child 1084 742cb0f10766
1080:6358f769ecb1 1081:745200a9cc2a
     1 <?php
     1 <?php
     2 
     2 
     3 /*
     3 /*
     4  * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
     4  * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
     5  * Version 1.1.6 (Caoineag beta 1)
     5  * Copyright (C) 2006-2009 Dan Fuhry
     6  * Copyright (C) 2006-2008 Dan Fuhry
       
     7  * sessions.php - everything related to security and user management
     6  * sessions.php - everything related to security and user management
     8  *
     7  *
     9  * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
     8  * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
    10  * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
     9  * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
    11  *
    10  *
   154    * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
   153    * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
   155    * @var string
   154    * @var string
   156    */
   155    */
   157    
   156    
   158   var $auth_level = 1;
   157   var $auth_level = 1;
       
   158   
       
   159   /**
       
   160    * Preference for date formatting
       
   161    * @var string
       
   162    */
       
   163   
       
   164   var $date_format = DATE_4;
       
   165   
       
   166   /**
       
   167    * Preference for time formatting
       
   168    * @var string
       
   169    */
       
   170   
       
   171   var $time_format = TIME_24_NS;
   159   
   172   
   160   /**
   173   /**
   161    * State variable to track if a session timed out
   174    * State variable to track if a session timed out
   162    * @var bool
   175    * @var bool
   163    */
   176    */
   722     if ( $db->numrows() < 1 )
   735     if ( $db->numrows() < 1 )
   723     {
   736     {
   724       // This wasn't logged in <1.0.2, dunno how it slipped through
   737       // This wasn't logged in <1.0.2, dunno how it slipped through
   725       if ( $level > USER_LEVEL_MEMBER )
   738       if ( $level > USER_LEVEL_MEMBER )
   726         $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
   739         $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
   727                    . '  (\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', '
   740                    . '  (\'security\', \'admin_auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', '
   728                       . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   741                       . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   729       else
   742       else
   730         $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary) VALUES\n"
   743         $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary) VALUES\n"
   731                    . '  (\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', '
   744                    . '  (\'security\', \'auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', '
   732                       . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   745                       . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   733       
   746       
   734       // Do we also need to increment the lockout countdown?
   747       // Do we also need to increment the lockout countdown?
   735       if ( @$lockout_data['lockout_policy'] != 'disable' && !defined('IN_ENANO_INSTALL') )
   748       if ( @$lockout_data['lockout_policy'] != 'disable' && !defined('IN_ENANO_INSTALL') )
   736       {
   749       {
   824         );
   837         );
   825       $sess = $this->register_session($row['user_id'], $username, ( isset($password_hmac) ? $password_hmac : $password ), $level, $remember);
   838       $sess = $this->register_session($row['user_id'], $username, ( isset($password_hmac) ? $password_hmac : $password ), $level, $remember);
   826       if($sess)
   839       if($sess)
   827       {
   840       {
   828         if($level > USER_LEVEL_MEMBER)
   841         if($level > USER_LEVEL_MEMBER)
   829           $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   842           $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_good\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   830         else
   843         else
   831           $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   844           $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_good\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   832         
   845         
   833         $code = $plugins->setHook('login_success');
   846         $code = $plugins->setHook('login_success');
   834         foreach ( $code as $cmd )
   847         foreach ( $code as $cmd )
   835         {
   848         {
   836           eval($cmd);
   849           eval($cmd);
   847         );
   860         );
   848     }
   861     }
   849     else
   862     else
   850     {
   863     {
   851       if($level > USER_LEVEL_MEMBER)
   864       if($level > USER_LEVEL_MEMBER)
   852         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   865         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   853       else
   866       else
   854         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   867         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   855         
   868         
   856       // Do we also need to increment the lockout countdown?
   869       // Do we also need to increment the lockout countdown?
   857       if ( !defined('IN_ENANO_INSTALL') && $lockout_data['lockout_policy'] != 'disable' )
   870       if ( !defined('IN_ENANO_INSTALL') && $lockout_data['lockout_policy'] != 'disable' )
   858       {
   871       {
   859         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   872         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   965     {
   978     {
   966       // Stash it in a cookie
   979       // Stash it in a cookie
   967       // For now, make the cookie last forever, we can change this in 1.1.x
   980       // For now, make the cookie last forever, we can change this in 1.1.x
   968       setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, $GLOBALS['is_https']);
   981       setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, $GLOBALS['is_https']);
   969       $_COOKIE['sid'] = $session_key;
   982       $_COOKIE['sid'] = $session_key;
       
   983       $this->sid = $session_key;
   970     }
   984     }
   971     // $keyhash is stored in the database, this is for compatibility with the older DB structure
   985     // $keyhash is stored in the database, this is for compatibility with the older DB structure
   972     $keyhash = md5($session_key);
   986     $keyhash = md5($session_key);
   973     // Record the user's IP
   987     // Record the user's IP
   974     $ip = $_SERVER['REMOTE_ADDR'];
   988     $ip = $_SERVER['REMOTE_ADDR'];
  1190     
  1204     
  1191     $columns_groupby = "u.user_id, u.username, u.password, u.password_salt, u.email, u.real_name, u.user_level, u.theme, u.style, u.signature,\n"
  1205     $columns_groupby = "u.user_id, u.username, u.password, u.password_salt, u.email, u.real_name, u.user_level, u.theme, u.style, u.signature,\n"
  1192                       . "           u.reg_time, u.account_active, u.activation_key, u.user_lang, u.user_timezone, u.user_title, u.user_dst,\n"
  1206                       . "           u.reg_time, u.account_active, u.activation_key, u.user_lang, u.user_timezone, u.user_title, u.user_dst,\n"
  1193                       . "           k.salt, k.source_ip, k.time, k.auth_level, k.key_type, x.user_id, x.user_aim, x.user_yahoo, x.user_msn,\n"
  1207                       . "           k.salt, k.source_ip, k.time, k.auth_level, k.key_type, x.user_id, x.user_aim, x.user_yahoo, x.user_msn,\n"
  1194                       . "           x.user_xmpp, x.user_homepage, x.user_location, x.user_job, x.user_hobbies, x.email_public,\n"
  1208                       . "           x.user_xmpp, x.user_homepage, x.user_location, x.user_job, x.user_hobbies, x.email_public,\n"
  1195                       . "           x.disable_js_fx";
  1209                       . "           x.disable_js_fx, x.date_format, x.time_format";
  1196     
  1210     
  1197     $joins = "  LEFT JOIN " . table_prefix . "users AS u\n"
  1211     $joins = "  LEFT JOIN " . table_prefix . "users AS u\n"
  1198             . "    ON ( u.user_id=k.user_id )\n"
  1212             . "    ON ( u.user_id=k.user_id )\n"
  1199             . "  LEFT JOIN " . table_prefix . "users_extra AS x\n"
  1213             . "  LEFT JOIN " . table_prefix . "users_extra AS x\n"
  1200             . "    ON ( u.user_id=x.user_id OR x.user_id IS NULL )\n"
  1214             . "    ON ( u.user_id=x.user_id OR x.user_id IS NULL )\n"
  1219                             . "  GROUP BY $columns_groupby;");
  1233                             . "  GROUP BY $columns_groupby;");
  1220     }
  1234     }
  1221     
  1235     
  1222     if ( !$query && ( defined('IN_ENANO_INSTALL') or defined('IN_ENANO_UPGRADE') ) )
  1236     if ( !$query && ( defined('IN_ENANO_INSTALL') or defined('IN_ENANO_UPGRADE') ) )
  1223     {
  1237     {
  1224       $query = $this->sql('SELECT u.user_id AS uid,u.username,u.password,\'\' AS password_salt,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms, 1440 AS user_timezone, \'0;0;0;0;60\' AS user_dst, ' . SK_SHORT . ' AS key_type FROM '.table_prefix.'session_keys AS k
  1238       $key_md5 = $loose_call ? $key : md5($key);
       
  1239       $query = $this->sql('SELECT u.user_id AS uid,u.username,u.password,\'\' AS password_salt,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms, 1440 AS user_timezone, \'0;0;0;0;60\' AS user_dst, ' . SK_SHORT . ' AS key_type, k.salt FROM '.table_prefix.'session_keys AS k
  1225                              LEFT JOIN '.table_prefix.'users AS u
  1240                              LEFT JOIN '.table_prefix.'users AS u
  1226                                ON ( u.user_id=k.user_id )
  1241                                ON ( u.user_id=k.user_id )
  1227                              LEFT JOIN '.table_prefix.'privmsgs AS p
  1242                              LEFT JOIN '.table_prefix.'privmsgs AS p
  1228                                ON ( p.message_to=u.username AND p.message_read=0 )
  1243                                ON ( p.message_to=u.username AND p.message_read=0 )
  1229                              WHERE k.session_key=\''.$key.'\'
  1244                              WHERE k.session_key=\''.$key_md5.'\'
  1230                                AND k.salt=\''.$salt.'\'
  1245                              GROUP BY u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,k.salt;');
  1231                              GROUP BY u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level;');
       
  1232     }
  1246     }
  1233     else if ( !$query )
  1247     else if ( !$query )
  1234     {
  1248     {
  1235       $db->_die();
  1249       $db->_die();
  1236     }
  1250     }
  1237     if($db->numrows() < 1)
  1251     if($db->numrows() < 1)
  1238     {
  1252     {
  1239       // echo '(debug) $session->validate_session: Key was not found in database<br />';
  1253       echo '(debug) $session->validate_session: Key was not found in database: ' . $key_md5 . '<br />';
  1240       return false;
  1254       return false;
  1241     }
  1255     }
  1242     $row = $db->fetchrow();
  1256     $row = $db->fetchrow();
  1243     profiler_log("SessionManager: session check: selected and fetched results");
  1257     profiler_log("SessionManager: session check: selected and fetched results");
  1244     
  1258     
  1343       if ( isset($row[$column]) )
  1357       if ( isset($row[$column]) )
  1344         $user_extra[$column] = $row[$column];
  1358         $user_extra[$column] = $row[$column];
  1345       else
  1359       else
  1346         $user_extra[$column] = '';
  1360         $user_extra[$column] = '';
  1347     }
  1361     }
       
  1362     
       
  1363     if ( isset($row['date_format']) )
       
  1364       $this->date_format = $row['date_format'];
       
  1365     if ( isset($row['time_format']) )
       
  1366       $this->time_format = $row['time_format'];
  1348     
  1367     
  1349     $this->user_extra = $user_extra;
  1368     $this->user_extra = $user_extra;
  1350     // Leave the rest to PHP's automatic garbage collector ;-)
  1369     // Leave the rest to PHP's automatic garbage collector ;-)
  1351     
  1370     
  1352     $row['password'] = '';
  1371     $row['password'] = '';
  2227    */
  2246    */
  2228   
  2247   
  2229   function admin_activation_request($u)
  2248   function admin_activation_request($u)
  2230   {
  2249   {
  2231     global $db;
  2250     global $db;
  2232     $this->sql('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, author, edit_summary) VALUES(\'admin\', \'activ_req\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$this->username.'\', \''.$db->escape($u).'\');');
  2251     $this->sql('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, author, edit_summary) VALUES(\'admin\', \'activ_req\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$this->username.'\', \''.$db->escape($u).'\');');
  2233   }
  2252   }
  2234   
  2253   
  2235   /**
  2254   /**
  2236    * Activates a user account. If the action fails, a report is sent to the admin.
  2255    * Activates a user account. If the action fails, a report is sent to the admin.
  2237    * @param string $user The username of the user requesting activation
  2256    * @param string $user The username of the user requesting activation
  2243     global $db, $session, $paths, $template, $plugins; // Common objects
  2262     global $db, $session, $paths, $template, $plugins; // Common objects
  2244     $this->sql('UPDATE '.table_prefix.'users SET account_active=1 WHERE username=\''.$db->escape($user).'\' AND activation_key=\''.$db->escape($key).'\';');
  2263     $this->sql('UPDATE '.table_prefix.'users SET account_active=1 WHERE username=\''.$db->escape($user).'\' AND activation_key=\''.$db->escape($key).'\';');
  2245     $r = mysql_affected_rows();
  2264     $r = mysql_affected_rows();
  2246     if ( $r > 0 )
  2265     if ( $r > 0 )
  2247     {
  2266     {
  2248       $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
  2267       $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_good\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
  2249     }
  2268     }
  2250     else
  2269     else
  2251     {
  2270     {
  2252       $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
  2271       $e = $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'activ_bad\', '.time().', \''.enano_date(ED_DATE | ED_TIME).'\', \''.$db->escape($user).'\', \''.$_SERVER['REMOTE_ADDR'].'\')');
  2253     }
  2272     }
  2254     return $r;
  2273     return $r;
  2255   }
  2274   }
  2256   
  2275   
  2257   /**
  2276   /**
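Review bot: New line 1253 in validate_session turns the previously commented-out debug line into a live `echo` that writes the looked-up key (`$key_md5`, which is the raw `$key` when `$loose_call` is set) straight into the HTML response whenever the key is not found, so any unauthenticated client presenting a bogus session cookie gets the debug string and its own input reflected back unescaped. It should be restored to a comment or sent to a log rather than the page, e.g. `// (debug) key not found: ' . $key_md5`, and if it must stay visible, at least `htmlspecialchars($key_md5)`. In the install/upgrade query of the same hunk, `$key_md5` is interpolated into `WHERE k.session_key='...'` without `$db->escape()`; the old code did the same with `$key`, so this is pre-existing, but the new assignment is the natural place to fix it: `$key_md5 = $db->escape($loose_call ? $key : md5($key));`. That query also drops the `AND k.salt='...'` condition in favour of selecting `k.salt`, which presumably means the salt is now compared after the fetch, but that comparison is outside this hunk and is worth confirming. validate_session begins and ends outside the hunk.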