Beispiel #1
0
 function Login_Process()
 {
     $arg2 = $this->directlogin == true ? 'direct' : '';
     // only process if user hit "post"
     if (gp('gp_posted', '', false) == '') {
         return;
     }
     vgfSet('LoginAttemptOK', false);
     // Error title
     vgfSet('ERROR_TITLE', '*');
     // If the user supplied a loginUID, this is a post and we
     // must process the request.
     $ale = vgaGet('login_errors', array());
     $app = $GLOBALS['AG']['application'];
     $em000 = isset($ale['000']) ? $ale['000'] : "That username/password combination did not work.  Please try again.";
     $em001 = isset($ale['001']) ? $ale['001'] : "That username/password combination did not work.  Please try again.";
     $em002 = isset($ale['002']) ? $ale['002'] : "That username/password combination did not work.  Please try again.";
     $em099 = isset($ale['099']) ? $ale['099'] : "That username/password combination did not work.  Please try again.";
     $terror = "";
     $uid = gp('loginUID');
     $uid = MakeUserID($uid);
     //$uid = str_replace('@','_',$uid);
     //$uid = str_replace('.','_',$uid);
     $pwd = gp("loginPWD", "", false);
     // First check, never allow the database server's superuser
     // account
     //
     if ($uid == "postgres") {
         ErrorAdd($em000);
         if (vgfGet('loglogins', false)) {
             sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt as postgres");
             fwLogEntry('1011', 'Attempt login as postgres', '', $arg2);
         }
         return;
     }
     $app = $GLOBALS['AG']['application'];
     if (substr($uid, 0, strlen($app)) == $app) {
         ErrorAdd($em001);
         if (vgfGet('loglogins', false)) {
             sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt as group role");
             fwLogEntry('1012', 'Attempt login as group role', $uid, $arg2);
         }
         return;
     }
     // Begin with a connection attempt.
     // on fail, otherwise continue
     $tcs = @SQL_CONN($uid, $pwd);
     if ($tcs === false) {
         ErrorAdd($em099);
         if (vgfGet('loglogins', false)) {
             sysLog(LOG_NOTICE, "Andromeda:{$app}:Bad login attempt server rejected");
             fwLogEntry('1013', 'Server rejected username/password', $uid, $arg2);
         }
         return;
     } else {
         SQL_CONNCLOSE($tcs);
     }
     // The rest of this routine uses an admin connection.  If we
     // have an error, we must close the connection before returning!
     //    ...yes, yes, that's bad form, all complaints to /dev/null
     //
     if (vgfGet('loglogins', false)) {
         fwLogEntry('1010', 'Login OK', $uid, $arg2);
     }
     scDBConn_Push();
     // See if they are a root user.  If not, do they have an
     //  active account?
     $root = false;
     $admin = false;
     $group_id_eff = '';
     $results = SQL("\n         Select oid\n           FROM pg_roles   \n          WHERE rolname = CAST('{$uid}' as name)\n            AND rolsuper= true");
     $cr = SQL_NUMROWS($results);
     if ($cr != 0) {
         $root = true;
     } else {
         $results = SQL("Select * from users WHERE LOWER(user_id)='{$uid}'" . "AND (user_disabled<>'Y' or user_disabled IS NULL)");
         $cr = SQL_NUMROWS($results);
         if ($cr == 0) {
             scDBConn_Pop();
             ErrorAdd($em002);
             sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt code 002");
             return;
         } else {
             $userinfo = SQL_Fetch_Array($results);
             $group_id_eff = $userinfo['group_id_eff'];
             SessionSet('user_name', $userinfo['user_name']);
         }
     }
     // Flag if the user is an administrator
     if ($root == true) {
         $admin = true;
     } else {
         $results = SQL("select count(*) as admin from usersxgroups " . "where user_id='{$uid}' and group_id ='{$app}" . "_admin'");
         $row = SQL_FETCH_ARRAY($results);
         $admin = intval($row["admin"]) > 0 ? true : false;
     }
     // Get the users' groups
     $groups = "";
     if ($root) {
         $results = SQL("\n            select group_id \n              from zdd.groups \n             where COALESCE(grouplist,'')=''");
     } else {
         $results = SQL("select group_id from usersxgroups WHERE LOWER(user_id)='{$uid}'");
     }
     while ($row = SQL_FETCH_ARRAY($results)) {
         $agroups[] = "'" . trim($row['group_id']) . "'";
         #$groups.=ListDelim($groups)."'".trim($row["group_id"])."'";
     }
     $groups = array();
     if (!empty($agroups)) {
         $groups = implode(",", $agroups);
     }
     //scDBConn_Pop();
     // We have a successful login.  If somebody else was already
     // logged in, we need to wipe out that person's session.  But
     // don't do this if there was an anonymous login.
     if (LoggedIn()) {
         $uid_previous = SessionGet('UID');
         if ($uid != $uid_previous) {
             //Session_Destroy();
             SessionReset();
             //Index_Hidden_Session_Start(false);
         }
     }
     // We know who they are and that they can connect,
     // see if there is any app-specific confirmation required
     //
     if (function_exists('app_login_process')) {
         //echo "Calling the process now";
         if (!app_login_process($uid, $pwd, $admin, $groups)) {
             return;
         }
     }
     // Protect the session from hijacking, generate a new ID
     Session_regenerate_id();
     // We now have a successful connection, set some
     // flags and lets go
     //
     vgfSet('LoginAttemptOK', true);
     SessionSet("UID", $uid);
     SessionSet("PWD", $pwd);
     SessionSet("ADMIN", $admin);
     SessionSet("ROOT", $root);
     SessionSet("GROUP_ID_EFF", $group_id_eff);
     SessionSet("groups", $groups);
     if (gp('gpz_page') == '') {
         # KFD 9/12/08, extra command to not change page
         if (gp('st2keep') != 1) {
             gpSet('gp_page', '');
         }
     }
     $GLOBALS['session_st'] = 'N';
     // for "N"ormal
     // -------------------------------------------------------------------
     // We are about to make the menu.  Before doing so, see if there
     // are any variables set for the menu layout.  Set defaults and then
     // load from database.
     //
     $this->pmenu = array('MENU_TYPE' => vgaGet('MENU_TYPE', 'div'), 'MENU_CLASS_MODL' => vgaGet('MENU_CLASS_MODL', 'modulename'), 'MENU_CLASS_ITEM' => vgaGet('MENU_CLASS_ITEM', 'menuentry'), 'MENU_TICK' => vgaGET('MENU_TICK', ' - '));
     //$sql = "SELECT * from variables WHERE variable like 'MENU%'";
     //$dbres = SQL($sql);
     //while ($row = SQL_FETCH_ARRAY($dbres)) {
     //   $this->pmenu[trim($row['variable'])]=trim($row['variable_value']);
     //}
     // -------------------------------------------------------------------
     // KFD 10/28/06, Modified to examine "nomenu" instead of permsel
     //   pulls all tables user has nomenu='N'.  The basic idea is
     //   to remove from $AGMENU the stuff they don't see
     //
     // GET AGMENU
     $AGMENU = array();
     // avoid compiler warning, populated next line
     include "ddmodules.php";
     // Pull distinct modules person has any menu options in.
     $sq = "SELECT DISTINCT module\n             FROM zdd.perm_tabs \n            WHERE nomenu='N'\n              AND group_id iN ({$groups})";
     $modules = SQL_AllRows($sq, 'module');
     $AGkeys = array_keys($AGMENU);
     foreach ($AGkeys as $AGkey) {
         if (!isset($modules[$AGkey])) {
             unset($AGMENU[$AGkey]);
         }
     }
     // Now recurse the remaining modules and do the same trick
     // for each one, removing the tables that don't exist
     foreach ($AGMENU as $module => $moduleinfo) {
         $sq = "SELECT DISTINCT table_id\n                FROM zdd.perm_tabs \n               WHERE nomenu='N'\n                 AND module = '{$module}'\n                 AND group_id iN ({$groups})";
         $tables = SQL_AllRows($sq, 'table_id');
         $tkeys = array_keys($moduleinfo['items']);
         foreach ($tkeys as $tkey) {
             if (!isset($tables[$tkey])) {
                 unset($AGMENU[$module]['items'][$tkey]);
             }
         }
     }
     // KFD 12/18/06.  Put all table permissions into session
     $table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n           WHERE group_id IN ({$groups})\n             AND nomenu='N'", 'table_id');
     SessionSet('TABLEPERMSMENU', array_keys($table_perms));
     $table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n           WHERE group_id IN ({$groups})\n             AND permsel='Y'", 'table_id');
     SessionSet('TABLEPERMSSEL', array_keys($table_perms));
     $table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n           WHERE group_id IN ({$groups})\n             AND permins='Y'", 'table_id');
     SessionSet('TABLEPERMSINS', array_keys($table_perms));
     $table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n           WHERE group_id IN ({$groups})\n             AND permupd='Y'", 'table_id');
     SessionSet('TABLEPERMSUPD', array_keys($table_perms));
     $table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n           WHERE group_id IN ({$groups})\n             AND permdel='Y'", 'table_id');
     SessionSet('TABLEPERMSDEL', array_keys($table_perms));
     //echo "<div style='background-color:white'>";
     //echo "$uid $groups $group_id_eff";
     //hprint_r(SessionGet('TABLEPERMSMENU'));
     //hprint_r(SessionGet('TABLEPERMSSEL'));
     //echo "</div>";
     // KFD 7/9/07, we always use joomla templates now, don't need
     // options to turn them off
     //if(defined('_ANDROMEDA_JOOMLA')) {
     // In a hybrid situation, put the menu into the session
     SessionSet('AGMENU', $AGMENU);
     //}
     $HTML_Menu = "";
     $WML_Menu = "";
     /*
     foreach ($AGMENU as $key=>$module) {
        //if($key=="datadict") continue;
        //if($key=="sysref")   continue;
        $HTML_Module="";
        $WML_Module="";
        foreach($module["items"] as $itemname=>$item) {
           if (!isset($item["mode"])) { $item["mode"]="normal"; }
           switch ($item["mode"]) {
              case "normal":
                 $ins=false;
                 $extra=array();
                 if($item['menu_parms']<>'') {
                    $aextras=explode('&',$item['menu_parms']);
                    foreach($aextras as $aextra) {
                       list($var,$value)=explode("=",$aextra);
                       $extra[$var]=$value;
                    }
                 }
                 $HTML_Module.=$this->_MenuItem(
                    $item['description'],$itemname,$ins,$extra
                 );
                 $WML_Module.="<div>";
                 $WML_Module.=hLink(
                    '',$item['description'],'?gp_page='.$itemname
                 );
                 $WML_Module.="</div>";
                 break;
              case "ins":
                 //if ($admin || isset($tables_ins[$item["name"]]))  {
                    $HTML_Module.=$this->_MenuItem(
                       $item['description'],$itemname,true
                    );
                 //}
                 break;
                    
                    #$HTML_Module.=
                    #   "\n<font class=\"tablename\">- <a href=\"index.php?gp_page=".$itemname."\">".
                    #   $item["description"]."</a></font><br />";
                    
              }
        }
        
        // the module is defined AFTER its contents so it can be
        // left off if it has no entries
        if ($HTML_Module!="") {
           $HTML_Menu.=$this->_MenuModule($module['description']);
           $HTML_Menu.=$HTML_Module;
        }
        if ($WML_Module!="") {
           $WML_Menu.="<div><b>".$module['description']."</b></div>";
           $WML_Menu.=$WML_Module;
        }
     }
     */
     DynamicSave("menu_" . $uid . ".php", $HTML_Menu);
     DynamicSave("menu_wml_" . $uid . ".php", $WML_Menu);
     // -------------------------------------------------------------------
     // Fetch and cache user preferences
     if (vgaGet('member_profiles')) {
         cacheMember_Profiles();
     }
     // -------------------------------------------------------------------
     // Now find the user's table permissions more precisely table by table
     $sql = "select p.table_id,\n\t\t\t\tmax(case when p.permins='Y' then 1 else 0 end) as permins,\n\t\t\t\tmax(case when p.permupd='Y' then 1 else 0 end) as permupd,\n\t\t\t\tmax(case when p.permdel='Y' then 1 else 0 end) as permdel,\n\t\t\t\tmax(case when p.permsel='Y' then 1 else 0 end) as permsel\n\t\t\t\tfrom zdd.perm_tabs  P\n\t\t\t\tWHERE group_id in ({$groups})\n\t\t\t\tGROUP BY p.table_id";
     //echo $sql;
     $results = SQL($sql);
     $HTML_Perms = "<?php\n\$table_perms = array();\n";
     while ($row = SQL_FETCH_ARRAY($results)) {
         $tn = $row["table_id"];
         $ti = $row["permins"];
         $tu = $row["permupd"];
         $td = $row["permdel"];
         $ts = $row["permsel"];
         $HTML_Perms .= "\$table_perms[\"{$tn}\"]=array(\"ins\"=>{$ti},\"upd\"=>{$tu},\"del\"=>{$td},\"sel\"=>{$ts});\n";
     }
     $HTML_Perms .= "?>\n";
     DynamicSave("perms_" . $uid . ".php", $HTML_Perms);
     /* October 28, 2006, KFD.  Rem'd this all out, column and row security
              made this irrelevant
     		// -------------------------------------------------------------------
     		// Find out if this user has any UID Columns, columns that create
     		// filters on the user's UID
     		$sql = "Select column_id FROM groupuids WHERE group_id IN ($groups)";
     		//echo $sql;
     		$results = SQL($sql);
     		$groupuids = array();
     		while ($row = SQL_FETCH_ARRAY($results)) {
     			//echo "Found this one".$row["column_id"];
     			$groupuids[$row["column_id"]] = $row["column_id"];
     		}
     		SessionSet("groupuids",$groupuids);
           */
     scDBConn_Pop();
     return;
 }
Beispiel #2
0
function SQL_CONNDEFAULT()
{
    global $AG;
    $uid = SessionGet('UID', '');
    $pwd = SessionGet('PWD', '');
    return SQL_CONN($uid, $pwd);
}