<?php
require_once "global/session_start.php";
ft_verify_form_tools_installed();
$g_upgrade_info = ft_upgrade_form_tools();
// only verify the core tables exist if there wasn't a problem upgrading
if (!($g_upgrade_info["upgraded"] && !$g_upgrade_info["success"])) {
ft_verify_core_tables_exist();
}
// if this user is already logged in, redirect them to their specified login page
if (isset($_SESSION["ft"]["account"]) && isset($_SESSION["ft"]["account"]["is_logged_in"]) && isset($_SESSION["ft"]["account"]["login_page"]) && $_SESSION["ft"]["account"]["is_logged_in"] == 1) {
$login_page = $_SESSION["ft"]["account"]["login_page"];
$page = ft_construct_page_url($login_page);
header("location: {$g_root_url}{$page}");
exit;
}
// default settings
$settings = ft_get_settings();
$g_theme = $settings["default_theme"];
$g_swatch = $settings["default_client_swatch"];
// if an account id is included in the query string, use it to determine the appearance of the
// interface, including logo and footer and even language
$id = ft_load_field("id", "id", "");
if (!empty($id)) {
$info = ft_get_account_info($id);
if (isset($info["account_id"])) {
// just in case, boot up the appropriate language file (this overrides any language file already loaded)
$g_theme = $info["theme"];
$language = $info["ui_language"];
if (!empty($language) && is_file("global/lang/{$language}.php")) {
include_once "global/lang/{$language}.php";
/**
* The login procedure for both administrators and clients in. If successful, redirects them to the
* appropriate page, otherwise returns an error.
*
* @param array $infohash This parameter should be a hash (e.g. $_POST or $_GET) containing both
* "username" and "password" keys, containing that information for the user trying
* to log in.
* @param boolean $login_as_client [optional] This optional parameter is used by administrators
* to log in as a particular client, allowing them to view how the account looks,
* even if it is disabled.
* @return string error message string (if error occurs). Otherwise it redirects the user to the
* appropriate page, based on account type.
*/
function ft_login($infohash, $login_as_client = false)
{
global $g_root_url, $g_table_prefix, $LANG;
$settings = ft_get_settings("", "core");
$username = strip_tags($infohash["username"]);
$username = ft_sanitize($username);
$password = isset($infohash["password"]) ? ft_sanitize($infohash["password"]) : "";
$password = strip_tags($password);
// extract info about this user's account
$query = mysql_query("\r\n SELECT account_id, account_type, account_status, password, temp_reset_password, login_page\r\n FROM {$g_table_prefix}accounts\r\n WHERE username = '******'\r\n ");
$account_info = mysql_fetch_assoc($query);
$has_temp_reset_password = empty($account_info["temp_reset_password"]) ? false : true;
// error check user login info
if (!$login_as_client) {
if (empty($password)) {
return $LANG["validation_no_password"];
}
if ($account_info["account_status"] == "disabled") {
return $LANG["validation_account_disabled"];
}
if ($account_info["account_status"] == "pending") {
return $LANG["validation_account_pending"];
}
if (empty($username)) {
return $LANG["validation_account_not_recognized"];
}
$password_correct = md5(md5($password)) == $account_info["password"];
$temp_password_correct = md5(md5($password)) == $account_info["temp_reset_password"];
if (!$password_correct && !$temp_password_correct) {
// if this is a client account and the administrator has enabled the maximum failed login attempts feature,
// keep track of the count
$account_settings = ft_get_account_settings($account_info["account_id"]);
// stores the MAXIMUM number of failed attempts permitted, before the account gets disabled. If the value
// is empty in either the user account or for the default value, that means the administrator doesn't want
// to track the failed login attempts
$max_failed_login_attempts = isset($account_settings["max_failed_login_attempts"]) ? $account_settings["max_failed_login_attempts"] : $settings["default_max_failed_login_attempts"];
if ($account_info["account_type"] == "client" && !empty($max_failed_login_attempts)) {
$num_failed_login_attempts = isset($account_settings["num_failed_login_attempts"]) && !empty($account_settings["num_failed_login_attempts"]) ? $account_settings["num_failed_login_attempts"] : 0;
$num_failed_login_attempts++;
if ($num_failed_login_attempts >= $max_failed_login_attempts) {
ft_disable_client($account_info["account_id"]);
ft_set_account_settings($account_info["account_id"], array("num_failed_login_attempts" => 0));
return $LANG["validation_account_disabled"];
} else {
ft_set_account_settings($account_info["account_id"], array("num_failed_login_attempts" => $num_failed_login_attempts));
}
}
return $LANG["validation_wrong_password"];
}
}
extract(ft_process_hook_calls("main", compact("account_info"), array("account_info")), EXTR_OVERWRITE);
// all checks out. Log them in, after populating sessions
$_SESSION["ft"]["settings"] = $settings;
$_SESSION["ft"]["account"] = ft_get_account_info($account_info["account_id"]);
$_SESSION["ft"]["account"]["is_logged_in"] = true;
// this is deliberate.
$_SESSION["ft"]["account"]["password"] = md5(md5($password));
ft_cache_account_menu($account_info["account_id"]);
// if this is an administrator, ensure the API version is up to date
if ($account_info["account_type"] == "admin") {
ft_update_api_version();
} else {
ft_set_account_settings($account_info["account_id"], array("num_failed_login_attempts" => 0));
}
// for clients, store the forms & form Views that they are allowed to access
if ($account_info["account_type"] == "client") {
$_SESSION["ft"]["permissions"] = ft_get_client_form_views($account_info["account_id"]);
}
// if the user just logged in with a temporary password, append some args to pass to the login page
// so that they will be prompted to changing it upon login
$reset_password_args = array();
if (md5(md5($password)) == $account_info["temp_reset_password"]) {
$reset_password_args["message"] = "change_temp_password";
}
// redirect the user to whatever login page they specified in their settings
$login_url = ft_construct_page_url($account_info["login_page"], "", $reset_password_args);
$login_url = "{$g_root_url}{$login_url}";
if (!$login_as_client) {
ft_update_last_logged_in($account_info["account_id"]);
}
session_write_close();
header("Location: {$login_url}");
exit;
}
/**
* Updates a client menu.
*
* @param array $info
*/
function ft_update_client_menu($info)
{
global $g_table_prefix, $g_pages, $g_root_url, $LANG;
$info = ft_sanitize($info);
$menu_id = $info["menu_id"];
$menu = trim($info["menu"]);
$sortable_id = $info["sortable_id"];
mysql_query("\r\n UPDATE {$g_table_prefix}menus\r\n SET menu = '{$menu}'\r\n WHERE menu_id = {$menu_id}\r\n ");
$sortable_rows = explode(",", $info["{$sortable_id}_sortable__rows"]);
$sortable_new_groups = explode(",", $info["{$sortable_id}_sortable__new_groups"]);
$menu_items = array();
foreach ($sortable_rows as $i) {
// if this row doesn't have a page identifier, just ignore it
if (!isset($info["page_identifier_{$i}"]) || empty($info["page_identifier_{$i}"])) {
continue;
}
$page_identifier = $info["page_identifier_{$i}"];
$display_text = ft_sanitize($info["display_text_{$i}"]);
$custom_options = isset($info["custom_options_{$i}"]) ? ft_sanitize($info["custom_options_{$i}"]) : "";
$is_submenu = isset($info["submenu_{$i}"]) ? "yes" : "no";
// construct the URL for this menu item
$url = ft_construct_page_url($page_identifier, $custom_options);
$menu_items[] = array("url" => $url, "page_identifier" => $page_identifier, "display_text" => $display_text, "custom_options" => $custom_options, "is_submenu" => $is_submenu, "is_new_sort_group" => in_array($i, $sortable_new_groups) ? "yes" : "no");
}
ksort($menu_items);
mysql_query("DELETE FROM {$g_table_prefix}menu_items WHERE menu_id = {$menu_id}");
$order = 1;
foreach ($menu_items as $hash) {
$url = $hash["url"];
$page_identifier = $hash["page_identifier"];
$display_text = $hash["display_text"];
$custom_options = $hash["custom_options"];
$is_submenu = $hash["is_submenu"];
$is_new_sort_group = $hash["is_new_sort_group"];
mysql_query("\r\n INSERT INTO {$g_table_prefix}menu_items (menu_id, display_text, page_identifier, custom_options, url, is_submenu,\r\n list_order, is_new_sort_group)\r\n VALUES ({$menu_id}, '{$display_text}', '{$page_identifier}', '{$custom_options}', '{$url}', '{$is_submenu}',\r\n {$order}, '{$is_new_sort_group}')\r\n ");
$order++;
}
$success = true;
$message = $LANG["notify_client_menu_updated"];
extract(ft_process_hook_calls("end", compact("info"), array("success", "message")), EXTR_OVERWRITE);
return array($success, $message);
}
/**
* This function lets you log a client or administrator in programmatically. By default, it logs the user in
* and redirects them to whatever login page they specified in their user account. However, you can override
* this in two ways: either specify a custom URL where they should be directed to, or avoid redirecting at
* all. If you choose the latter, make sure you've initiated SESSIONS on the calling page - otherwise the
* login account information (needed to be stored in sessions) is lost.
*
* @param array $info a hash with the following possible parameters:
* "username" - the username
* "password" - the password
* "auto_redirect_after_login" - (boolean, defaulted to false) determines whether or not the user should
* be automatically redirected to a URL after a successful login.
* "login_url" - the URL to redirect to (if desired). If this isn't set, but auto_redirect_after_login IS,
* it will log the user in normally, to whatever login page they've specified in their account.
*/
function ft_api_login($info)
{
global $g_root_url, $g_table_prefix, $LANG, $g_api_debug;
$username = ft_sanitize($info["username"]);
$password = isset($info["password"]) ? ft_sanitize($info["password"]) : "";
// extract info about this user's account
$query = mysql_query("\n SELECT account_id, account_type, account_status, password, login_page\n FROM {$g_table_prefix}accounts\n WHERE username = '******'\n ");
$account_info = mysql_fetch_assoc($query);
if (empty($password)) {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1000, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1000);
}
}
if (empty($account_info)) {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1004, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1004);
}
}
if ($account_info["account_status"] == "disabled") {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1001, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1001);
}
}
if ($account_info["account_status"] == "pending") {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1002, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1002);
}
}
if (md5(md5($password)) != $account_info["password"]) {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1003, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1003);
}
}
// all checks out. Log them in, after populating sessions
$_SESSION["ft"]["settings"] = ft_get_settings("", "core");
// only load the core settings
$_SESSION["ft"]["account"] = ft_get_account_info($account_info["account_id"]);
$_SESSION["ft"]["account"]["is_logged_in"] = true;
$_SESSION["ft"]["account"]["password"] = md5(md5($password));
ft_cache_account_menu($account_info["account_id"]);
// if this is an administrator, build and cache the upgrade link and ensure the API version is up to date
if ($account_info["account_type"] == "admin") {
ft_update_api_version();
ft_build_and_cache_upgrade_info();
}
// for clients, store the forms & form Views that they are allowed to access
if ($account_info["account_type"] == "client") {
$_SESSION["ft"]["permissions"] = ft_get_client_form_views($account_info["account_id"]);
}
// redirect the user to whatever login page they specified in their settings
if (isset($info["auto_redirect_after_login"]) && $info["auto_redirect_after_login"]) {
if (isset($info["login_url"]) && !empty($info["login_url"])) {
session_write_close();
header("Location: {$login_url}");
exit;
} else {
$login_url = ft_construct_page_url($account_info["login_page"]);
$login_url = "{$g_root_url}{$login_url}";
session_write_close();
header("Location: {$login_url}");
exit;
}
}
return array(true, "");
}