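/**
 * Log a user into phpBB from the surrounding (CMS) application.
 *
 * The credentials are first checked with phpBB's own login_db(); only when
 * that reports LOGIN_SUCCESS is the session opened through $auth->login().
 * Fix: the status is compared with the LOGIN_SUCCESS constant instead of the
 * literal 3 it stands for, so the intent is visible and the check is strict.
 *
 * @param array $phpbb_vars 'username' and 'password' are required. Optional:
 *                          'autologin' (default false, i.e. no persistent
 *                          login cookie), 'viewonline' (default 1) and
 *                          'admin' (default 0); all three are passed through
 *                          to $auth->login().
 * @return string "SUCCESS" when logged in, otherwise login_db()'s error_msg
 *                cast to string (which is "" when login_db() itself succeeded
 *                but $auth->login() did not)
 */
public function user_login($phpbb_vars)
{
    global $phpbb_root_path, $phpEx, $db, $config, $user, $auth, $cache, $template, $_SID;

    // presume failure until both checks pass
    $phpbb_result = "FAIL";

    // general info
    $this->init(true);

    // fill in the optional session flags; isset() is kept so an explicit null is also defaulted
    foreach (array("autologin" => false, "viewonline" => 1, "admin" => 0) as $key => $default) {
        if (!isset($phpbb_vars[$key])) {
            $phpbb_vars[$key] = $default;
        }
    }

    // validate and authenticate
    $validation = login_db($phpbb_vars["username"], $phpbb_vars["password"]);

    // NOTE(review): on phpBB 3.0 $auth->login() returns the login_db() result
    // array, which is truthy even on failure; the login_db() check above is what
    // actually gates the password here — confirm against the phpBB version in use.
    if ($validation['status'] === LOGIN_SUCCESS
        && $auth->login($phpbb_vars["username"], $phpbb_vars["password"], $phpbb_vars["autologin"], $phpbb_vars["viewonline"], $phpbb_vars["admin"])) {
        $phpbb_result = "SUCCESS";
    } else {
        $phpbb_result = (string) $validation['error_msg'];
    }

    // login issue noticed by Ezequiel Rabinovich (thanks)
    $_SESSION['sid'] = $_SID;

    return $phpbb_result;
}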
/**
 * Dispatch a login to the configured credential store.
 *
 * $db['save_dest'] selects the backend: 'database' goes to login_db(),
 * anything else to login_file().
 *
 * @param string $login    user name
 * @param string $password plain-text password
 * @return mixed the result of login_db() or login_file()
 */
function login($login, $password)
{
    global $db;

    $uses_database = ($db['save_dest'] == 'database');

    return $uses_database
        ? login_db($login, $password)
        : login_file($login, $password);
}
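/**
 * Autologin function
 *
 * Authenticates the user against Group-Office first (user_row_groupoffice()).
 * When Group-Office accepts the credentials, the phpBB account is looked up by
 * username_clean only — the Group-Office answer is what decides authentication.
 * When Group-Office does not know the user, the request is handed to phpBB's
 * own login_db() so local-only accounts keep working. The commented-out
 * "reject unknown user" branch that used to sit before that fallback was removed.
 *
 * @param string &$username     login name (by reference, as phpBB's auth plugin API expects)
 * @param string &$password     plain-text password
 * @param string $ip            IP address the login is taking place from
 * @param string $browser       user agent used to login
 * @param string $forwarded_for X_FORWARDED_FOR header sent with the login request
 * @return array array('status' => status constant, 'error_msg' => string|false, 'user_row' => array)
 */
function login_groupoffice(&$username, &$password, $ip = '', $browser = '', $forwarded_for = '')
{
    global $db;

    $anonymous_user = array('user_id' => ANONYMOUS);

    // Empty credentials are rejected before any backend is consulted. As in
    // phpBB's login_db(), the truthiness test also rejects the literal password "0".
    if (!$password) {
        return array(
            'status'    => LOGIN_ERROR_PASSWORD,
            'error_msg' => 'NO_PASSWORD_SUPPLIED',
            'user_row'  => $anonymous_user,
        );
    }

    if (!$username) {
        return array(
            'status'    => LOGIN_ERROR_USERNAME,
            'error_msg' => 'LOGIN_ERROR_USERNAME',
            'user_row'  => $anonymous_user,
        );
    }

    $gorow = user_row_groupoffice($username, $password);

    if (!$gorow) {
        // not a Group-Office user: fallback to regular Phpbb db auth.
        require_once dirname(__FILE__) . '/auth_db.php';
        return login_db($username, $password, $ip, $browser, $forwarded_for);
    }

    // Group-Office accepted the password; find the matching phpBB account.
    $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type FROM ' . USERS_TABLE . "\n\t\t\tWHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    if (!$row) {
        // this is the user's first login so let phpBB create an empty profile from the Group-Office row
        return array(
            'status'    => LOGIN_SUCCESS_CREATE_PROFILE,
            'error_msg' => false,
            'user_row'  => $gorow,
        );
    }

    // User inactive...
    if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) {
        return array(
            'status'    => LOGIN_ERROR_ACTIVE,
            'error_msg' => 'ACTIVE_ERROR',
            'user_row'  => $row,
        );
    }

    // Successful login...
    return array(
        'status'    => LOGIN_SUCCESS,
        'error_msg' => false,
        'user_row'  => $row,
    );
}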
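/**
 * Resolve the user for an RSS request from HTTP Basic credentials.
 *
 * Reads PHP_AUTH_USER / PHP_AUTH_PW — reconstructing them from REMOTE_USER
 * when only the raw "Basic ..." header was passed through — validates them
 * with login_db() and returns the user id. With a uid parameter the login
 * name is taken from that account instead of the header, so the supplied
 * password must belong to that account. On any failure GetHTTPPasswd() is
 * called before ANONYMOUS is returned.
 *
 * Fix: the success branch used to read $row['user_id'], and $row is never
 * set in this function; the id lives in $login_result['user_row'].
 *
 * @return int user id on success, ANONYMOUS otherwise
 */
function rss_get_user()
{
    global $db;

    // Some setups don't populate PHP_AUTH_*; rebuild them from the forwarded Basic header.
    if ((!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) && isset($_SERVER['REMOTE_USER']) && preg_match('/Basic\\s+(.*)$/i', $_SERVER['REMOTE_USER'], $matches)) {
        // payload is "user:password"; the limit of 2 keeps colons inside the password,
        // and array_pad() covers a payload without any colon (password becomes '').
        $credentials = array_pad(explode(':', base64_decode($matches[1]), 2), 2, '');
        // NOTE(review): strip_tags() also alters passwords containing '<'; kept for compatibility.
        $_SERVER['PHP_AUTH_USER'] = strip_tags($credentials[0]);
        $_SERVER['PHP_AUTH_PW'] = strip_tags($credentials[1]);
    }

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
        GetHTTPPasswd();
        return ANONYMOUS;
    }

    $username = phpbb_clean_username($_SERVER['PHP_AUTH_USER']);
    $password = $_SERVER['PHP_AUTH_PW'];

    // optional uid: switch the login name to that account; the password is still checked below
    if (isset($_GET['uid'])) {
        $user_data = get_userdata((int) $_GET['uid'], false);
        if (!empty($user_data['username'])) {
            $username = $user_data['username'];
        } else {
            GetHTTPPasswd();
        }
    }

    if (!function_exists('login_db')) {
        include IP_ROOT_PATH . 'includes/auth_db.' . PHP_EXT;
    }

    $login_result = login_db($username, $password, false, true);
    if ($login_result['status'] === LOGIN_SUCCESS) {
        return (int) $login_result['user_row']['user_id'];
    }

    GetHTTPPasswd();
    return ANONYMOUS;
}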
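/**
 * Login function
 *
 * Verifies the credentials with phpBB's login_db() and, on success, makes
 * sure a Crowd SSO session exists: an existing token is reused as-is,
 * otherwise a session is created through the Crowd REST API and stored in
 * the SSO cookie. Fix: the unreachable "unknown error" return after the
 * try/catch (both branches already return) was removed, and the unused
 * global $config dropped.
 *
 * @param string $username
 * @param string $password
 * @param string $ip IP address the login is taking place from. Used to
 *                   limit the number of login attempts per IP address.
 * @param string $browser The user agent used to login
 * @param string $forwarded_for X_FORWARDED_FOR header sent with login request
 * @return array A associative array of the format
 *               array(
 *                   'status' => status constant
 *                   'error_msg' => string
 *                   'user_row' => array
 *               )
 */
function login_dbandcrowdsso($username, $password, $ip = '', $browser = '', $forwarded_for = '')
{
    $result = login_db($username, $password, $ip, $browser, $forwarded_for);

    if ($result['status'] !== LOGIN_SUCCESS) {
        return $result;
    }

    // assume an existing token is correct, afterall authentication was successful;
    // validate session will logout if they don't match anyway
    if (dbandcrowdsso_get_token()) {
        return $result;
    }

    try {
        $user = $result['user_row'];

        // validate-password=false: phpBB already verified the password above, Crowd only issues the session.
        // The remote_address factor binds the session to the client IP as PHP sees it
        // (behind a reverse proxy that is the proxy's address — presumably intended; verify).
        $query = 'rest/usermanagement/1/session?validate-password=false';
        $request_body = array(
            'username' => $user['username'],
            'password' => $password,
            'validation-factors' => array(
                'validationFactors' => array(
                    array('name' => 'remote_address', 'value' => (string) $_SERVER['REMOTE_ADDR']),
                ),
            ),
        );

        $session = dbandcrowdsso_request($query, 'POST', json_encode($request_body));
        dbandcrowdsso_setcookie($session->token);

        return $result;
    } catch (RuntimeException $e) {
        // no login if error. The exception text becomes the user-visible error_msg,
        // so dbandcrowdsso_request() must not put credentials or internal URLs into it.
        return array(
            'status'    => LOGIN_ERROR_EXTERNAL_AUTH,
            'error_msg' => 'Failed to create crowd session: ' . $e->getMessage(),
            'user_row'  => array('user_id' => ANONYMOUS),
        );
    }
}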
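/**
 * Check that the caller may run this tool.
 *
 * Two authentication methods, chosen by the posted auth_method:
 *  - 'board': the posted board account is validated with login_db() and must
 *    have user_level ADMIN;
 *  - 'db': the posted database user/password must equal the configured
 *    $dbuser/$dbpasswd. The comparison uses hash_equals() (constant-time and
 *    strict) instead of ==, which treats numeric-looking strings as numbers.
 * Options 'rld' and 'rtd' force the 'board' method. Any other method denies.
 *
 * @param bool $die when true, a failed check prints the Auth_failed message and exits
 * @return bool true when access is allowed
 */
function check_authorization($die = true)
{
    global $db, $cache, $lang, $dbuser, $dbpasswd, $option;

    $auth_method = request_post_var('auth_method', '');
    // request_post_var() HTML-encodes the values; decode them back to what the user typed
    $board_user = htmlspecialchars_decode(request_post_var('board_user', '', true), ENT_COMPAT);
    $board_password = htmlspecialchars_decode(request_post_var('board_password', '', true), ENT_COMPAT);
    $db_user = htmlspecialchars_decode(request_post_var('db_user', '', true), ENT_COMPAT);
    $db_password = htmlspecialchars_decode(request_post_var('db_password', '', true), ENT_COMPAT);

    // Change authentication mode if selected option does not allow database authentication
    if ($option == 'rld' || $option == 'rtd') {
        $auth_method = 'board';
    }

    $allow_access = false;

    switch ($auth_method) {
        case 'board':
            include_once IP_ROOT_PATH . 'includes/auth_db.' . PHP_EXT;
            $login_result = login_db($board_user, $board_password, false, true);
            $allow_access = ($login_result['status'] === LOGIN_SUCCESS && $login_result['user_row']['user_level'] == ADMIN);
            break;

        case 'db':
            // both comparisons are always evaluated so the timing does not reveal which one failed
            $user_matches = hash_equals((string) $dbuser, (string) $db_user);
            $password_matches = hash_equals((string) $dbpasswd, (string) $db_password);
            $allow_access = ($user_matches && $password_matches);
            break;
    }

    if (!$allow_access && $die) {
?>
<p><span style="color: red;"><?php echo $lang['Auth_failed']; ?> </span></p>
</body>
</html>
<?php
        exit;
    }

    return $allow_access;
}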
$redirect = request_var('redirect', '', true); $redirect_url = (!empty($redirect) ? urldecode(str_replace(array('&', '?', PHP_EXT . '&'), array('&', '&', PHP_EXT . '?'), $redirect)) : CMS_LOGIN_REDIRECT_PAGE); if (strstr($redirect_url, "\n") || strstr($redirect_url, "\r") || strstr($redirect_url, ';url')) { message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.'); } if(isset($_POST['login']) || isset($_GET['login']) || isset($_POST['logout']) || isset($_GET['logout'])) { if((isset($_POST['login']) || isset($_GET['login'])) && (!$user->data['session_logged_in'] || isset($_POST['admin']))) { $username = isset($_POST['username']) ? phpbb_clean_username($_POST['username']) : ''; $password = isset($_POST['password']) ? $_POST['password'] : ''; $login_result = login_db($username, $password, false, true); if ($login_result['status'] === LOGIN_ERROR_ATTEMPTS) { message_die(GENERAL_MESSAGE, sprintf($lang['LOGIN_ATTEMPTS_EXCEEDED'], $config['max_login_attempts'], $config['login_reset_time'])); } if ($login_result['status'] === LOGIN_SUCCESS) { // Is user linking a social network account? if ($config['enable_social_connect']) { $available_networks = SocialConnect::get_available_networks(); $social_network_link = request_var('social_network_link', ''); if (!empty($social_network_link) && !empty($available_networks[$social_network_link]))
//if (($email != $user->data['user_email']) || ($mode == 'register')) if ($email != $user->data['user_email'] || $email_confirm != $user->data['user_email'] || $email != $email_confirm || $mode == 'register') { $result = validate_email($email); if (!empty($result['error'])) { $email = $user->data['user_email']; $email_confirm = $user->data['user_email']; $email = $email_confirm; $error = true; $error_msg .= (isset($error_msg) ? '<br />' : '') . $result['error_msg']; } if ($email != $email_confirm) { $error = true; $error_msg .= (isset($error_msg) ? '<br />' : '') . $lang['Email_mismatch']; } if ($mode == 'editprofile') { $login_result = login_db($username, $cur_password, $user_id, false); if ($login_result['status'] !== LOGIN_SUCCESS) { $email = $user->data['user_email']; $email_confirm = $user->data['user_email']; $error = true; $error_msg .= (isset($error_msg) ? '<br />' : '') . $lang['Current_password_mismatch']; } } } $username_sql = ''; if ($config['allow_namechange'] || $mode == 'register') { if (empty($username)) { // Error is already triggered, since one field is empty. $error = true; } elseif ($username != $user->data['username'] || $mode == 'register') { if (strtolower($username) != strtolower($user->data['username']) || $mode == 'register') {
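/**
 * Login function
 *
 * Authenticates against the external MDC user database (mysqli, prepared
 * statement) and mirrors the account into phpBB. The phpBB user_id is the
 * MDC id plus 100 so it never collides with phpBB's built-in users. The
 * account named 'admin' bypasses MDC entirely and is checked with phpBB's
 * own login_db(), as a recovery path if the MDC database is unreachable —
 * that local password is therefore independent of MDC.
 *
 * Fixes relative to the previous version:
 *  - the "unknown user" test compared the id with 0 only after the +100
 *    offset had been added, so it never fired (and a missing row fell
 *    through to an ACTIVE_ERROR); the lookup result is now checked directly;
 *  - a statement that cannot be prepared or executed is reported as
 *    LOGIN_ERROR_EXTERNAL_AUTH instead of being silently ignored;
 *  - the placeholder password of a newly mirrored account is drawn from
 *    random_bytes() when available instead of mt_rand(1000, 100000).
 *
 * @param string &$username
 * @param string &$password
 * @return array array('status' => status constant, 'error_msg' => string|false, 'user_row' => array)
 */
function login_mdc(&$username, &$password)
{
    // apparently phpbb doesn't believe in include_once
    if (!function_exists('user_add')) {
        global $phpbb_root_path, $phpEx;
        include $phpbb_root_path . 'includes/functions_user.' . $phpEx;
    }

    // Fallback so the forum stays reachable if the MDC database dies:
    // 'admin' is always checked against phpBB's own password, never against MDC.
    if ($username == 'admin') {
        include_once 'auth_db.php';
        return login_db($username, $password);
    }

    global $db, $user;

    $anonymous_user = array('user_id' => ANONYMOUS);

    // do not allow empty password
    if (!$password) {
        return _auth_mdc_result(LOGIN_ERROR_PASSWORD, 'NO_PASSWORD_SUPPLIED', $anonymous_user);
    }

    if (!$username) {
        return _auth_mdc_result(LOGIN_ERROR_USERNAME, 'LOGIN_ERROR_USERNAME', $anonymous_user);
    }

    $mdcdb = _auth_mdc_connect_database();
    if (is_string($mdcdb)) {
        // the connector hands back an error message instead of a handle on failure
        return _auth_mdc_result(LOGIN_ERROR_EXTERNAL_AUTH, 'GENERAL_ERROR' . ' ' . $mdcdb, $anonymous_user);
    }

    $mdcuser = _auth_mdc_fetch_user($mdcdb, $username);
    $mdcdb->close();

    if ($mdcuser === false) {
        return _auth_mdc_result(LOGIN_ERROR_EXTERNAL_AUTH, 'GENERAL_ERROR' . ' MDC user lookup failed', $anonymous_user);
    }

    if ($mdcuser === null) {
        return _auth_mdc_result(LOGIN_ERROR_USERNAME, 'LOGIN_ERROR_USERNAME', $anonymous_user);
    }

    if (!$mdcuser['active']) {
        return _auth_mdc_result(LOGIN_ERROR_ACTIVE, 'ACTIVE_ERROR', $anonymous_user);
    }

    if (!_auth_mdc_check_password($mdcuser['mdcid'], $password, $mdcuser['password'])) {
        return _auth_mdc_result(LOGIN_ERROR_PASSWORD, 'LOGIN_ERROR_PASSWORD', $anonymous_user);
    }

    // Everything is good on the MDC side. Let's make sure it's all good on the PHPBB side.
    $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type FROM ' . USERS_TABLE . " WHERE user_id = '" . $db->sql_escape(utf8_clean_string($mdcuser['id'])) . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    // The user already exists in the phpbb database. Make sure they're valid, update anything needed, and log them in
    if ($row) {
        // User inactive...
        if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) {
            return _auth_mdc_result(LOGIN_ERROR_ACTIVE, 'ACTIVE_ERROR', $row);
        }

        // Check if they've changed their name or email on the MDC side. If they have, update them in phpbb.
        if ($row['username'] != $mdcuser['username'] || $row['user_email'] != $mdcuser['email']) {
            // NOTE(review): the literal "******" written to username is kept exactly as found;
            // confirm the intended value. username_clean is not refreshed here either.
            $sql = ' UPDATE ' . USERS_TABLE . ' SET username="******", user_email="' . $db->sql_escape(utf8_clean_string($mdcuser['email'])) . '" WHERE user_id = "' . $db->sql_escape(utf8_clean_string($mdcuser['id'])) . '"';
            $db->sql_query($sql);
        }

        // Sync groups from MDC to phpbb
        _auth_mdc_set_admin($mdcuser);

        // Successful login... set user_login_attempts to zero...
        return _auth_mdc_result(LOGIN_SUCCESS, false, $row);
    }

    // MDC is happy, but the user doesn't exist in phpbb yet, so the row is created
    // here. phpbb could do that itself if LOGIN_SUCCESS_CREATE_PROFILE were returned,
    // but the custom group handling below needs the id, so it is done by hand.

    // Check if it's a valid username as far as phpbb is concerned. This is pretty lenient
    // with USERNAME_CHARS_ANY but it will prevent stuff like single quotes
    if (($ret = validate_username($mdcuser['username'])) !== false) {
        return _auth_mdc_result(LOGIN_ERROR_USERNAME, $ret, $anonymous_user);
    }

    // retrieve default group id
    $sql = 'SELECT group_id FROM ' . GROUPS_TABLE . " WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' AND group_type = " . GROUP_SPECIAL;
    $result = $db->sql_query($sql);
    $group = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    if (!$group) {
        trigger_error('NO_GROUP');
    }

    // generate user account data. The local password is never used while MDC
    // authenticates, but it must still be unguessable in case the board is ever
    // switched back to db auth, so prefer random_bytes() over the old mt_rand() range.
    $placeholder_password = function_exists('random_bytes')
        ? bin2hex(random_bytes(32))
        : mt_rand(1000, 100000);

    $new_user_row = array(
        'user_id'       => $mdcuser['id'],
        'user_type'     => USER_NORMAL,
        'group_id'      => (int) $group['group_id'],
        'user_ip'       => $user->ip,
        'username'      => $mdcuser['username'],
        'user_password' => phpbb_hash($placeholder_password),
        'user_email'    => $mdcuser['email'],
    );

    if (user_add($new_user_row)) {
        // phpbb can only attach one group when creating a user, so the rest is added afterwards
        _auth_mdc_set_admin($mdcuser);
        return _auth_mdc_result(LOGIN_SUCCESS, false, $new_user_row);
    }

    // Something went wrong. Return general error and anonymous user.
    return _auth_mdc_result(LOGIN_ERROR_EXTERNAL_AUTH, 'GENERAL_ERROR' . ' Failed to create new user', array('user_id' => ANONYMOUS));
}

/**
 * Build the result array phpBB's auth plugin API expects.
 *
 * @param int          $status    one of the LOGIN_* status constants
 * @param string|false $error_msg language key / message, or false on success
 * @param array        $user_row  the user row (or array('user_id' => ANONYMOUS))
 * @return array
 */
function _auth_mdc_result($status, $error_msg, array $user_row)
{
    return array(
        'status'    => $status,
        'error_msg' => $error_msg,
        'user_row'  => $user_row,
    );
}

/**
 * Fetch one MDC user by name with a prepared statement.
 *
 * @param mysqli $mdcdb    open MDC connection
 * @param string $username name to look up (bound as a string parameter)
 * @return array|null|false the MDC row with keys id, email, password, username,
 *                          active, user_role_id and mdcid; 'mdcid' keeps the
 *                          original MDC id while 'id' is that id + 100 (the
 *                          phpBB user_id). null when no such user exists, false
 *                          when the statement could not be prepared or executed.
 */
function _auth_mdc_fetch_user($mdcdb, $username)
{
    $sql = 'SELECT user_id, user_email, user_password, user_name, user_active, user_role_id FROM users WHERE user_name=?';

    $stmt = $mdcdb->prepare($sql);
    if (!$stmt) {
        return false;
    }

    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) {
        $stmt->close();
        return false;
    }

    $mdcuser = array();
    $stmt->bind_result($mdcuser['id'], $mdcuser['email'], $mdcuser['password'], $mdcuser['username'], $mdcuser['active'], $mdcuser['user_role_id']);
    // fetch() returns true only when a row was read; null means no match
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if (!$found) {
        return null;
    }

    // increase MDC user ID by 100 to jump over phpBB's default users.
    $mdcuser['mdcid'] = $mdcuser['id'];
    $mdcuser['id'] += 100;

    return $mdcuser;
}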
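/**
 * Log the current visitor into phpBB with the CMS credentials (ver. 0.2).
 *
 * Returns early when the phpBB session is already registered; otherwise the
 * credentials are checked with login_db() and the session is opened with
 * $auth->login(), and both must report LOGIN_SUCCESS. The commented-out
 * ver. 0.1 body that preceded this implementation was removed; the comments
 * were translated from Romanian.
 *
 * @param array $phpbb_vars 'username' and 'password' are required. Optional:
 *                          'autologin' (default true — note this asks phpBB
 *                          to set its persistent login cookie), 'viewonline'
 *                          (default 1) and 'admin' (default 0); all three are
 *                          passed through to $auth->login().
 * @return string|null "SUCCESS" or "FAIL"; null (bare return) when the user
 *                     was already logged in, which callers comparing against
 *                     "SUCCESS" see as a miss
 */
public function user_login($phpbb_vars)
{
    global $phpbb_root_path, $phpEx, $db, $config, $user, $auth, $cache, $template, $_SID;

    // presume failure until both checks pass
    $phpbb_result = "FAIL";

    // general info
    $this->init(true);
    $user->setup();

    // already logged in: nothing to do
    if ($user->data['is_registered']) {
        return;
    }

    // fill in the optional session flags; isset() is kept so an explicit null is also defaulted
    foreach (array("autologin" => true, "viewonline" => 1, "admin" => 0) as $key => $default) {
        if (!isset($phpbb_vars[$key])) {
            $phpbb_vars[$key] = $default;
        }
    }

    // validate and authenticate. Both calls verify the password; presumably each
    // one also counts towards phpBB's login-attempt limit — verify if that matters.
    $validation = login_db($phpbb_vars["username"], $phpbb_vars["password"]);
    $login = $auth->login($phpbb_vars["username"], $phpbb_vars["password"], $phpbb_vars["autologin"], $phpbb_vars["viewonline"], $phpbb_vars["admin"]);

    if ($validation['status'] === LOGIN_SUCCESS && $login['status'] === LOGIN_SUCCESS) {
        $phpbb_result = "SUCCESS";
    }

    $_SESSION['sid'] = $_SID;

    return $phpbb_result;
}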