
<?php

// $Id: class.login.php 423 2007-01-30 10:33:21Z ryan $

/*

 Website Baker Project <http://www.websitebaker.org/>
 Copyright (C) 2004-2007, Ryan Djurovich

 Website Baker is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.

 Website Baker is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with Website Baker; if not, write to the Free Software
 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

/*

Login class

This class is used with the login application

*/

// Stop this file from being accessed directly: WB_URL is defined by the
// including script, so a bare request for this file has no such constant.
if (defined('WB_URL') === false) {
        header('Location: ../index.php');
        exit(0);
}

// Marker constant other scripts can test to see whether this class is available
define('LOGIN_CLASS_LOADED', true);

// Load the other required class files if they are not already loaded
// (login extends admin, which is declared in class.admin.php)
require_once WB_PATH . '/framework/class.admin.php';
class login extends admin {
        // Constructor (PHP 4 style): the whole login flow runs when the object is
        // built. It reads the submitted form, checks for an existing session or a
        // "remember me" cookie, authenticates, and then either redirects to the
        // target url (and exits) or renders the login form via increase_attemps().
        //
        // $config_array keys read here: USERS_TABLE, GROUPS_TABLE, USERNAME_FIELDNAME,
        // PASSWORD_FIELDNAME, REMEMBER_ME_OPTION, MAX_ATTEMPS, WARNING_URL, LOGIN_URL,
        // TEMPLATE_DIR, TEMPLATE_FILE, FRONTEND, FORGOTTEN_DETAILS_APP,
        // MAX_USERNAME_LEN, MAX_PASSWORD_LEN, MIN_USERNAME_LEN, MIN_PASSWORD_LEN,
        // DEFAULT_URL and the optional REDIRECT_URL.
        //
        // get_post(), add_slashes(), is_authenticated() and get_session() are
        // inherited from the admin/wb parent classes, which are not shown here.
        function login($config_array) {
                // Get language vars
                global $MESSAGE;
                // Run the base class initialiser first (defined in a parent class, not visible here)
                $this->wb();
                // Get configuration values
                $this->USERS_TABLE = $config_array['USERS_TABLE'];
                $this->GROUPS_TABLE = $config_array['GROUPS_TABLE'];
                $this->username_fieldname = $config_array['USERNAME_FIELDNAME'];
                $this->password_fieldname = $config_array['PASSWORD_FIELDNAME'];
                $this->remember_me_option = $config_array['REMEMBER_ME_OPTION'];
                $this->max_attemps = $config_array['MAX_ATTEMPS'];
                $this->warning_url = $config_array['WARNING_URL'];
                $this->login_url = $config_array['LOGIN_URL'];
                $this->template_dir = $config_array['TEMPLATE_DIR'];
                $this->template_file = $config_array['TEMPLATE_FILE'];
                $this->frontend = $config_array['FRONTEND'];
                $this->forgotten_details_app = $config_array['FORGOTTEN_DETAILS_APP'];
                $this->max_username_len = $config_array['MAX_USERNAME_LEN'];
                $this->max_password_len = $config_array['MAX_PASSWORD_LEN'];
                // REDIRECT_URL is the only optional key; when set it overrides the
                // url posted with the form (see the url handling below)
                if (array_key_exists('REDIRECT_URL',$config_array))
                        $this->redirect_url = $config_array['REDIRECT_URL'];
                else
                        $this->redirect_url = '';
                // Get the supplied username and password.
                // The form may post the *names* of its username/password fields;
                // those only select which POST keys are read next, with
                // 'username' / 'password' as the fallback.
                if ($this->get_post('username_fieldname') != ''){
                        $username_fieldname = $this->get_post('username_fieldname');
                        $password_fieldname = $this->get_post('password_fieldname');
                } else {
                        $username_fieldname = 'username';
                        $password_fieldname = 'password';
                }
                // The username is lower-cased and slash-escaped because authenticate()
                // interpolates it into an SQL string; the password is kept raw here
                // and replaced by its md5 hash just before the query (see below).
                $this->username = $this->add_slashes(strtolower($this->get_post($username_fieldname)));
                $this->password = $this->get_post($password_fieldname);
                // Figure out if the "remember me" option has been checked
                // ($this->remember holds the string 'true' when checked, boolean false otherwise)
                if($this->get_post('remember') == 'true') {
                        $this->remember = $this->get_post('remember');
                } else {
                        $this->remember = false;
                }
                // Get the length of the supplied username and password.
                // Only computed when a username was posted; the blank-username
                // branches below fire before these values are compared.
                if($this->get_post($username_fieldname) != '') {
                        $this->username_len = strlen($this->username);
                        $this->password_len = strlen($this->password);
                }
                // Work out the post-login target. Precedence: configured
                // REDIRECT_URL, else the posted 'url', else DEFAULT_URL when
                // the result is shorter than two characters.
                // NOTE(review): when REDIRECT_URL is not configured the target comes
                // straight from the request and is passed to header('Location:')
                // below unchecked - an open-redirect risk unless get_post() validates
                // it (not visible here). Restricting it to urls under WB_URL would
                // close that.
                $this->url = $this->get_post('url');
                if ($this->redirect_url!='') {
                        $this->url = $this->redirect_url;
                }
                if(strlen($this->url) < 2) {
                        $this->url = $config_array['DEFAULT_URL'];
                }
                if($this->is_authenticated() == true) {
                        // User already logged-in, so redirect to default url
                        header('Location: '.$this->url);
                        exit();
                } elseif($this->is_remembered() == true) {
                        // User has been "remembered"
                        // Get the users password: the row is looked up by the numeric id
                        // taken from the cookie (get_safe_remember_key()), and the stored
                        // password value is fed back into authenticate() unchanged.
                        // NOTE(review): authenticate() therefore succeeds for whichever
                        // active user id the cookie names; the only binding to a secret
                        // is whatever is_remembered() verified (see the note there).
                        $database = new database();
                        $query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".$this->get_safe_remember_key()."' LIMIT 1");
                        $fetch_details = $query_details->fetchRow();
                        $this->username = $fetch_details['username'];
                        $this->password = $fetch_details['password'];
                        // Check if the user exists (authenticate them)
                        if($this->authenticate()) {
                                // Authentication successful
                                header("Location: ".$this->url);
                                exit(0);
                        } else {
                                $this->message = $MESSAGE['LOGIN']['AUTHENTICATION_FAILED'];
                                $this->increase_attemps();
                        }
                } elseif($this->username == '' AND $this->password == '') {
                        $this->message = $MESSAGE['LOGIN']['BOTH_BLANK'];
                        $this->increase_attemps();
                } elseif($this->username == '') {
                        $this->message = $MESSAGE['LOGIN']['USERNAME_BLANK'];
                        $this->increase_attemps();
                } elseif($this->password == '') {
                        $this->message = $MESSAGE['LOGIN']['PASSWORD_BLANK'];
                        $this->increase_attemps();
                } elseif($this->username_len < $config_array['MIN_USERNAME_LEN']) {
                        $this->message = $MESSAGE['LOGIN']['USERNAME_TOO_SHORT'];
                        $this->increase_attemps();
                } elseif($this->password_len < $config_array['MIN_PASSWORD_LEN']) {
                        $this->message = $MESSAGE['LOGIN']['PASSWORD_TOO_SHORT'];
                        $this->increase_attemps();
                } elseif($this->username_len > $config_array['MAX_USERNAME_LEN']) {
                        $this->message = $MESSAGE['LOGIN']['USERNAME_TOO_LONG'];
                        $this->increase_attemps();
                } elseif($this->password_len > $config_array['MAX_PASSWORD_LEN']) {
                        $this->message = $MESSAGE['LOGIN']['PASSWORD_TOO_LONG'];
                        $this->increase_attemps();
                } else {
                        // Check if the user exists (authenticate them).
                        // Passwords are stored and compared as an unsalted md5 hex digest.
                        // NOTE(review): unsalted md5 is not an adequate password hash;
                        // migrating stored hashes to a salted, slow scheme (e.g.
                        // password_hash()/password_verify() on PHP >= 5.5) is the fix.
                        $this->password = md5($this->password);
                        if($this->authenticate()) {
                                // Authentication successful
                                header("Location: ".$this->url);
                                exit(0);
                        } else {
                                $this->message = $MESSAGE['LOGIN']['AUTHENTICATION_FAILED'];
                                $this->increase_attemps();
                        }
                }
        }

        // Authenticate the user (check if they exist in the database).
        // Uses $this->username and $this->password exactly as prepared by the
        // constructor (escaped, lower-cased username; md5 hex digest or the stored
        // hash as password). On a match it fills $_SESSION with the user's and
        // group's details, sets the remember cookie when asked to, and records the
        // login time and ip in the users table.
        // Returns the row count reported by numRows() (truthy on success), not a boolean.
        // NOTE(review): both queries are built by string concatenation; the
        // username relies on add_slashes() in the constructor for escaping. A
        // parameterised query would be the robust fix if the database class
        // offers one.
        function authenticate() {
                // Get user information
                $database = new database();
                $query = "SELECT * FROM ".$this->USERS_TABLE." WHERE username = '".$this->username."' AND password = '".$this->password."' AND active = '1'";
                $results = $database->query($query);
                $results_array = $results->fetchRow();
                $num_rows = $results->numRows();
                if($num_rows) {
                        $user_id = $results_array['user_id'];
                        $this->user_id = $user_id;
                        // NOTE(review): nothing in this class calls session_regenerate_id();
                        // unless a caller does, the pre-login session id survives
                        // authentication (session fixation risk).
                        $_SESSION['USER_ID'] = $user_id;
                        $_SESSION['GROUP_ID'] = $results_array['group_id'];
                        $_SESSION['USERNAME'] = $results_array['username'];
                        $_SESSION['DISPLAY_NAME'] = $results_array['display_name'];
                        $_SESSION['EMAIL'] = $results_array['email'];
                        $_SESSION['HOME_FOLDER'] = $results_array['home_folder'];
                        // Run remember function if needed ($this->remember is 'true' or false)
                        if($this->remember == true) {
                                $this->remember($this->user_id);
                        }
                        // Set language
                        if($results_array['language'] != '') {
                                $_SESSION['LANGUAGE'] = $results_array['language'];
                        }
                        // Set timezone ('-72000' is the sentinel meaning "use the site default")
                        if($results_array['timezone'] != '-72000') {
                                $_SESSION['TIMEZONE'] = $results_array['timezone'];
                        } else {
                                // Set a session var so apps can tell user is using default tz
                                $_SESSION['USE_DEFAULT_TIMEZONE'] = true;
                        }
                        // Set date format
                        if($results_array['date_format'] != '') {
                                $_SESSION['DATE_FORMAT'] = $results_array['date_format'];
                        } else {
                                // Set a session var so apps can tell user is using default date format
                                $_SESSION['USE_DEFAULT_DATE_FORMAT'] = true;
                        }
                        // Set time format
                        if($results_array['time_format'] != '') {
                                $_SESSION['TIME_FORMAT'] = $results_array['time_format'];
                        } else {
                                // Set a session var so apps can tell user is using default time format
                                $_SESSION['USE_DEFAULT_TIME_FORMAT'] = true;
                        }
                        // Get group information (keyed by the GROUP_ID just stored in the session)
                        $query = "SELECT * FROM ".$this->GROUPS_TABLE." WHERE group_id = '".$this->get_session('GROUP_ID')."'";
                        $results = $database->query($query);
                        $results_array = $results->fetchRow();
                        $_SESSION['GROUP_NAME'] = $results_array['name'];
                        // Set system permissions (comma-separated in the db, array in the session)
                        if($results_array['system_permissions'] != '') {
                                $_SESSION['SYSTEM_PERMISSIONS'] = explode(',', $results_array['system_permissions']);
                        } else {
                                $_SESSION['SYSTEM_PERMISSIONS'] = array();
                        }
                        // Set module permissions (same encoding)
                        if($results_array['module_permissions'] != '') {
                                $_SESSION['MODULE_PERMISSIONS'] = explode(',', $results_array['module_permissions']);
                        } else {
                                $_SESSION['MODULE_PERMISSIONS'] = array();
                        }
                        // Set template permissions (same encoding)
                        if($results_array['template_permissions'] != '') {
                                $_SESSION['TEMPLATE_PERMISSIONS'] = explode(',', $results_array['template_permissions']);
                        } else {
                                $_SESSION['TEMPLATE_PERMISSIONS'] = array();
                        }
                        // Update the users table with current ip and timestamp.
                        // mktime() with no arguments yields the current timestamp
                        // (deprecated in favour of time() since PHP 5.1).
                        $get_ts = mktime();
                        // REMOTE_ADDR is the tcp peer; behind a reverse proxy that is the proxy's address
                        $get_ip = $_SERVER['REMOTE_ADDR'];
                        $query = "UPDATE ".$this->USERS_TABLE." SET login_when = '$get_ts', login_ip = '$get_ip' WHERE user_id = '$user_id'";
                        $database->query($query);
                }
                // Return if the user exists or not
                return $num_rows;
        }

        // Increase the count for login attemps, then show the login form again.
        // The counter lives in the session: the first failure stores 0 and each
        // later one adds 1, so display_login()'s "> max_attemps" check trips one
        // failure later than MAX_ATTEMPS suggests. Being session-bound, it limits
        // attempts per session only - not per account or per address.
        // display_login() does not return if warn() fires (it exits).
        function increase_attemps() {
                if(!isset($_SESSION['ATTEMPS'])) {
                        $_SESSION['ATTEMPS'] = 0;
                } else {
                        $_SESSION['ATTEMPS'] = $this->get_session('ATTEMPS')+1;
                }
                $this->display_login();
        }

        // Function to set a "remembering" cookie for the user.
        // Key layout: user id left-padded with '0' to 11 characters, '_', then 11
        // characters drawn from the 33-character alphabet in $salt. The key is
        // written to the users table and sent as the REMEMBER_KEY cookie
        // (30 days, path '/'). Returns true when both the db update and
        // setcookie() succeed, false otherwise.
        // NOTE(review): rand() seeded from microtime() is not a cryptographic
        // source for a long-lived credential; a remember token should come from
        // random_bytes()/random_int() (PHP >= 7) or openssl_random_pseudo_bytes().
        // The cookie is also set without the httponly (PHP >= 5.2) and secure
        // flags.
        function remember($user_id) {
                $remember_key = '';
                // Generate user id to append to the remember key
                $length = 11-strlen($user_id);
                if($length > 0) {
                        for($i = 1; $i <= $length; $i++) {
                                $remember_key .= '0';
                        }
                }
                // Generate remember key
                $remember_key .= $user_id.'_';
                $salt = "abchefghjkmnpqrstuvwxyz0123456789";
                srand((double)microtime()*1000000);
                $i = 0;
                while ($i <= 10) {
                        $num = rand() % 33;
                        $tmp = substr($salt, $num, 1);
                        $remember_key = $remember_key . $tmp;
                        $i++;
                }
                // Self-assignment; has no effect
                $remember_key = $remember_key;
                // Update the remember key in the db
                $database = new database();
                $database->query("UPDATE ".$this->USERS_TABLE." SET remember_key = '$remember_key' WHERE user_id = '$user_id' LIMIT 1");
                if($database->is_error()) {
                        return false;
                } else {
                        // Workout options for the cookie
                        $cookie_name = 'REMEMBER_KEY';
                        $cookie_value = $remember_key;
                        $cookie_expire = time()+60*60*24*30;
                        // Set the cookie (setcookie() only fails once output has started)
                        if(setcookie($cookie_name, $cookie_value, $cookie_expire, '/')) {
                                return true;
                        } else {
                                return false;
                        }
                }
        }

        // Function to check if a user has been remembered.
        // Returns true only when a REMEMBER_KEY cookie is present, a users row
        // matches get_safe_remember_key() in its remember_key column, and the
        // cookie starts with that user's zero-padded id prefix.
        // NOTE(review): the lookup value is the cookie's numeric prefix only,
        // while remember() stores "<padded id>_<11 random chars>". If the column
        // really holds that full value the query can never match and this always
        // returns false; if it does match, the random suffix is never compared,
        // so the check binds only to the user id and not to the secret. Looking
        // the row up by user id (parameterised) and comparing the complete cookie
        // against the stored key with a constant-time comparison would fix both.
        function is_remembered() {
                if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') {
                        // Check if the remember key is correct
                        $database = new database();
                        $check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$this->get_safe_remember_key()."' LIMIT 1");
                        if($check_query->numRows() > 0) {
                                $check_fetch = $check_query->fetchRow();
                                $user_id = $check_fetch['user_id'];
                                // Check the remember key prefix (rebuilt with the same padding as remember())
                                $remember_key_prefix = '';
                                $length = 11-strlen($user_id);
                                if($length > 0) {
                                        for($i = 1; $i <= $length; $i++) {
                                                $remember_key_prefix .= '0';
                                        }
                                }
                                $remember_key_prefix .= $user_id.'_';
                                $length = strlen($remember_key_prefix);
                                if(substr($_COOKIE['REMEMBER_KEY'], 0, $length) == $remember_key_prefix) {
                                        return true;
                                } else {
                                        return false;
                                }
                        } else {
                                return false;
                        }
                } else {
                        return false;
                }
        }

        // Display the login screen.
        // First redirects to the warning url (warn() exits) once the session
        // attempt counter exceeds max_attemps. The form itself is only rendered
        // when not in frontend mode; presumably the frontend form is produced
        // elsewhere (not visible here).
        // NOTE(review): USERNAME and MESSAGE are echoed back into the page via
        // the template; whether they are html-escaped depends on the phplib
        // Template class, which is not shown here.
        function display_login() {
                // Get language vars
                global $MESSAGE;
                global $MENU;
                global $TEXT;
                // If attemps more than allowed, warn the user
                if($this->get_session('ATTEMPS') > $this->max_attemps) {
                        $this->warn();
                }
                // Show the login form
                if($this->frontend != true) {
                        require_once(WB_PATH.'/include/phplib/template.inc');
                        $template = new Template($this->template_dir);
                        $template->set_file('page', $this->template_file);
                        $template->set_block('page', 'mainBlock', 'main');
                        // DISPLAY_REMEMBER_ME is a css display value: 'none' hides the checkbox
                        if($this->remember_me_option != true) {
                                $template->set_var('DISPLAY_REMEMBER_ME', 'none');
                        } else {
                                $template->set_var('DISPLAY_REMEMBER_ME', '');
                        }
                        $template->set_var(array(
                                                                                        'ACTION_URL' => $this->login_url,
                                                                                        'ATTEMPS' => $this->get_session('ATTEMPS'),
                                                                                        'USERNAME' => $this->username,
                                                                                        'USERNAME_FIELDNAME' => $this->username_fieldname,
                                                                                        'PASSWORD_FIELDNAME' => $this->password_fieldname,
                                                                                        'MESSAGE' => $this->message,
                                                                                        'INTERFACE_DIR_URL' =>  ADMIN_URL.'/interface',
                                                                                        'MAX_USERNAME_LEN' => $this->max_username_len,
                                                                                        'MAX_PASSWORD_LEN' => $this->max_password_len,
                                                                                        'WB_URL' => WB_URL,
                                                                                        'FORGOTTEN_DETAILS_APP' => $this->forgotten_details_app,
                                                                                        'TEXT_FORGOTTEN_DETAILS' => $TEXT['FORGOTTEN_DETAILS'],
                                                                                        'TEXT_USERNAME' => $TEXT['USERNAME'],
                                                                                        'TEXT_PASSWORD' => $TEXT['PASSWORD'],
                                                                                        'TEXT_REMEMBER_ME' => $TEXT['REMEMBER_ME'],
                                                                                        'TEXT_LOGIN' => $TEXT['LOGIN'],
                                                                                        'TEXT_HOME' => $TEXT['HOME'],
                                                                                        'PAGES_DIRECTORY' => PAGES_DIRECTORY,
                                                                                        'SECTION_LOGIN' => $MENU['LOGIN']
                                                                                        )
                                                                        );
                        // Page charset: the site-wide DEFAULT_CHARSET when defined, utf-8 otherwise
                        if(defined('DEFAULT_CHARSET')) {
                                $charset=DEFAULT_CHARSET;
                        } else {
                                $charset='utf-8';
                        }

                        $template->set_var('CHARSET', $charset);


                        $template->parse('main', 'mainBlock', false);
                        $template->pparse('output', 'page');
                }
        }

        // convert "REMEMBER_KEY" to a number and then repad.
        // Only the first 11 cookie characters (the zero-padded user id written by
        // remember()) are considered; intval() keeps just the leading digits and
        // gives 0 when there are none, so the result is always an 11-digit,
        // zero-padded number and safe to place inside an SQL string.
        // Reads $_COOKIE['REMEMBER_KEY'] directly; callers check the cookie exists first.
        function get_safe_remember_key() {
                return str_pad(intval(substr($_COOKIE['REMEMBER_KEY'],0,11)),11,"0",STR_PAD_LEFT); // SQL Injection prevention
        }

        // Warn user that they have had to many login attemps:
        // redirect to the configured warning url and stop. Never returns.
        function warn() {
                header('Location: '.$this->warning_url);
                exit(0);
        }

}
?>