 } else {
     // See if the temporary cookie was found. If yes, then the
     // browser does support cookies. If not, then we disable
     // the use of cookies.
     if (!isset($_COOKIE['phorum_tmp_cookie'])) {
         $PHORUM['use_cookies'] = PHORUM_NO_COOKIES;
     }
     // Check if the login credentials are right.
     $user_id = phorum_api_user_authenticate(PHORUM_FORUM_SESSION, $_POST['username'], $_POST['password']);
     // They are. Setup the active user and start a Phorum session.
     if ($user_id) {
         // Make the authenticated user the active Phorum user
         // and start a Phorum user session. Because this is a fresh
         // login, we can enable the short term session and we request
         // refreshing of the session id(s).
         if (phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $user_id, PHORUM_FLAG_SESSION_ST) && phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN)) {
             // Destroy the temporary cookie that is used for testing
             // for cookie compatibility.
             if (isset($_COOKIE['phorum_tmp_cookie'])) {
                 setcookie('phorum_tmp_cookie', '', 0, $PHORUM['session_path'], $PHORUM['session_domain']);
             }
             // Determine the URL to redirect the user to.
             // If redir is a number, it is a URL constant.
             // NOTE(review): otherwise $_POST['redir'] is taken over verbatim
             // below, filtered only for "register"/"login" substrings, so an
             // absolute URL pointing at a foreign host is accepted as the
             // redirect target (open redirect). Restrict the value to the
             // forum's own base URL before using it.
             $php = PHORUM_FILE_EXTENSION;
             if (is_numeric($_POST['redir'])) {
                 $redir = phorum_api_url((int) $_POST['redir']);
             } elseif (!empty($PHORUM['use_cookies']) && !strstr($_POST['redir'], "register.{$php}") && !strstr($_POST['redir'], "login.{$php}")) {
                 $redir = $_POST['redir'];
             } else {
                 $redir = phorum_api_url(PHORUM_LIST_URL);
             }
 // The page title is emitted as HTML, so strip markup and encode the rest.
 // ENT_COMPAT leaves single quotes alone, which is fine for element content
 // such as <title>, but not for single-quoted attribute values.
 $PHORUM["DATA"]["HTML_TITLE"] = htmlspecialchars(
     strip_tags($PHORUM["DATA"]["HTML_TITLE"]),
     ENT_COMPAT,
     $PHORUM["DATA"]["HCHARSET"]
 );
 // Enforce the master status for everybody who is not an administrator:
 // admin-only mode demotes the visitor to the anonymous user and shows a
 // message (except on the css, javascript and login pages, presumably so
 // an administrator can still log in); read-only mode also demotes the
 // visitor but lets the page render with a global error message.
 if (isset($PHORUM['status']) && empty($PHORUM["user"]["admin"])) {
     if ($PHORUM["status"] == PHORUM_MASTER_STATUS_ADMIN_ONLY
         && !(phorum_page == 'css' || phorum_page == 'javascript' || phorum_page == 'login')) {
         phorum_build_common_urls();
         $PHORUM["DATA"]["OKMSG"] = $PHORUM["DATA"]["LANG"]["AdminOnlyMessage"];
         phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, NULL);
         /**
          * @todo Not compatible with portable / embedded Phorum setups.
          */
         phorum_api_output('message');
         exit;
     } elseif ($PHORUM['status'] == PHORUM_MASTER_STATUS_READ_ONLY) {
         $PHORUM['DATA']['GLOBAL_ERROR'] = $PHORUM['DATA']['LANG']['ReadOnlyMessage'];
         phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, NULL);
     }
 }
 // Reset the moderator notification flags; they are filled in further
 // down for logged in moderators on the pages that should show them.
 $PHORUM["user"]["NOTICE"]["MESSAGES"] = FALSE;
 $PHORUM["user"]["NOTICE"]["USERS"] = FALSE;
 $PHORUM["user"]["NOTICE"]["GROUPS"] = FALSE;
 if ($PHORUM["DATA"]["LOGGEDIN"]) {
     // By default, only bug the user on the list, index and cc pages.
     // The template can override this behaviour by setting a comma
     // separated list of phorum_page names in a template define statement
     // like this: {DEFINE show_notify_for_pages "page 1,page 2,..,page n"}
     if (isset($PHORUM["TMP"]["show_notify_for_pages"])) {
         $show_notify_for_pages = explode(",", $PHORUM["TMP"]["show_notify_for_pages"]);
     } else {
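/**
 * Destroy a Phorum user session.
 *
 * This will destroy a Phorum user session and set the active
 * Phorum user to the anonymous user.
 *
 * In cookie mode only the client side cookies are expired here; the
 * session ids stored in the user record are not rotated by this
 * function. Only in URI authentication mode (PHORUM_NO_COOKIES) is the
 * long term session id replaced, so that previously issued URLs stop
 * working.
 *
 * @param string $type
 *     The type of session to destroy. This must be one of
 *     {@link PHORUM_FORUM_SESSION} or {@link PHORUM_ADMIN_SESSION}.
 *     See the documentation for {@link phorum_api_user_session_create()}
 *     for more information on Phorum user sessions.
 *
 * @return NULL
 *     Nothing is returned. For an illegal session type an E_USER_ERROR
 *     is raised, which normally ends the script; the explicit return is
 *     only reached when an error handler lets execution continue.
 */
function phorum_api_user_session_destroy($type)
{
    $PHORUM = $GLOBALS['PHORUM'];
    /**
     * [hook]
     *     user_session_destroy
     *
     * [description]
     *     Allow modules to override Phorum's session destroy management or
     *     to even fully omit destroying a session (for example useful
     *     if the hook <hook>user_session_restore</hook> is used
     *     to inherit an external session from some 3rd party application).
     *
     * [category]
     *     User authentication and session handling
     *
     * [when]
     *     Just before Phorum runs its own session destroy code
     *     in the user API function
     *     <literal>phorum_api_user_session_destroy()</literal>.
     *
     * [input]
     *     The session type for which a session must be destroyed.
     *     This can be either <literal>PHORUM_FORUM_SESSION</literal>
     *     or <literal>PHORUM_ADMIN_SESSION</literal>.
     *
     * [output]
     *     Same as input if Phorum has to run its standard session
     *     destroy code or NULL if that code should be fully skipped.
     *
     * [example]
     *     See the <hook>user_session_create</hook> hook for an example
     *     of how to let Phorum setup the PHP session that is destroyed
     *     in this example hook.
     *     <hookcode>
     *     function phorum_mod_foo_user_session_destroy($type)
     *     {
     *         // Let Phorum handle destroying of admin sessions on its own.
     *         if ($type == PHORUM_ADMIN_SESSION) return $type;
     *
     *         // Override the session handling for front end forum sessions.
     *         // We could for example have stored the session in a standard
     *         // PHP session. First, we start a PHP session if that was
     *         // not done yet.
     *         if (!session_id()) session_start();
     *
     *         // After starting the PHP session, we can clear the session
     *         // data for the Phorum user. In the user_session_create hook
     *         // example code, we stored the user_id for the active user
     *         // in the session. Here we clear that data. We could also
     *         // have destroyed the full PHP session, but in that case we
     *         // would risk destroying session data that was setup by
     *         // other PHP scripts.
     *         unset($_SESSION['phorum_user_id']);
     *
     *         // Tell Phorum not to run its own session destroy code.
     *         return NULL;
     *     }
     *     </hookcode>
     */
    $do_phorum_destroy_session = TRUE;
    if (isset($PHORUM['hooks']['user_session_destroy'])) {
        if (phorum_hook('user_session_destroy', $type) === NULL) {
            $do_phorum_destroy_session = FALSE;
        }
    }
    if ($do_phorum_destroy_session) {
        // Expire the session cookie(s). Path and domain must match the
        // values that were used when the cookies were set, otherwise the
        // browser keeps the old cookie. use_cookies is deliberately not
        // checked here: everything we may have handed out is cleaned up.
        $expired = time() - 86400;
        if ($type == PHORUM_FORUM_SESSION) {
            setcookie(PHORUM_SESSION_SHORT_TERM, '', $expired, $PHORUM['session_path'], $PHORUM['session_domain']);
            setcookie(PHORUM_SESSION_LONG_TERM, '', $expired, $PHORUM['session_path'], $PHORUM['session_domain']);
        } elseif ($type == PHORUM_ADMIN_SESSION) {
            setcookie(PHORUM_SESSION_ADMIN, '', $expired, $PHORUM['session_path'], $PHORUM['session_domain']);
        } else {
            trigger_error('phorum_api_user_session_destroy(): Illegal session type: ' . htmlspecialchars($type), E_USER_ERROR);
            return NULL;
        }
        // If cookies are not in use, then the long term session is reset
        // to a new value. That way we fully invalidate URI authentication
        // data, so that old URL's won't work anymore. We can only do this
        // if we have an active Phorum user.
        if ($PHORUM['use_cookies'] == PHORUM_NO_COOKIES && $type == PHORUM_FORUM_SESSION && !empty($PHORUM['user']) && !empty($PHORUM['user']['user_id'])) {
            $user = $PHORUM['user'];
            // The long term session id acts as a bearer credential in
            // URI authentication mode, so it must be unpredictable.
            // Prefer the CSPRNG where the runtime provides it; the md5()
            // wrapper only keeps the 32 character hex format that the
            // previous md5(username . microtime() . password) value had.
            // The fallback for old runtimes mixes in uniqid()/mt_rand()
            // on top of the previous inputs, which is better than
            // microtime() alone but still not cryptographically strong.
            if (function_exists('random_bytes')) {
                $sessid_lt = md5(random_bytes(32));
            } else {
                $sessid_lt = md5(uniqid(mt_rand(), TRUE) . $user['username'] . microtime() . $user['password']);
            }
            phorum_api_user_save_raw(array('user_id' => $user['user_id'], 'sessid_lt' => $sessid_lt));
        }
    }
    // Force Phorum to see the anonymous user from here on.
    phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, NULL);
}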
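/**
 * A common function which is used to save the userdata from the post-data.
 *
 * Only a fixed whitelist of user fields (plus the non-deleted custom
 * profile fields) is copied from $_POST, so a request cannot mass-assign
 * arbitrary columns of the user record. Password and e-mail related
 * fields are additionally only accepted from the panel that edits them.
 * The user_id is always the one of the logged in user, never taken
 * from the request.
 *
 * @param panel - The panel for which to save data.
 * @return array - An array containing $error and $okmsg.
 */
function phorum_controlcenter_user_save($panel)
{
    $PHORUM = $GLOBALS['PHORUM'];
    $error = "";
    $okmsg = "";
    // Setup the default userdata fields that can be changed from any
    // control panel interface. NULL marks "not posted"; such entries
    // are pruned further down.
    $userdata = array(
        'signature'        => NULL,
        'hide_email'       => NULL,
        'hide_activity'    => NULL,
        'tz_offset'        => NULL,
        'is_dst'           => NULL,
        'user_language'    => NULL,
        'threaded_list'    => NULL,
        'threaded_read'    => NULL,
        'email_notify'     => NULL,
        'show_signature'   => NULL,
        'pm_email_notify'  => NULL,
        'user_template'    => NULL,
        'moderation_email' => NULL,
        'real_name'        => NULL
    );
    // Credential fields are only accepted from the panel that edits them.
    // Previously they were accepted from every panel, so any control
    // center form could also post a new password or e-mail address for
    // the logged in user. The panel names are the ones used by the
    // password and e-mail panels; confirm them against the panel
    // dispatch in control.php when backporting this to another version.
    if ($panel == 'password') {
        $userdata['password'] = NULL;
        $userdata['password_temp'] = NULL;
    }
    if ($panel == 'email') {
        $userdata['email'] = NULL;
        $userdata['email_temp'] = NULL;
    }
    // Add custom profile fields as acceptable fields.
    foreach ($PHORUM["PROFILE_FIELDS"] as $id => $field) {
        if ($id === "num_fields" || !empty($field['deleted'])) {
            continue;
        }
        $userdata[$field["name"]] = NULL;
    }
    // Copy only whitelisted keys from $_POST.
    foreach ($_POST as $key => $val) {
        if (array_key_exists($key, $userdata)) {
            $userdata[$key] = $val;
        }
    }
    // Drop the fields that were not posted.
    foreach ($userdata as $key => $val) {
        if (is_null($val)) {
            unset($userdata[$key]);
        }
    }
    // Set static userdata: always the logged in user, never a posted id.
    $userdata["user_id"] = $PHORUM["user"]["user_id"];
    /**
     * [hook]
     *     cc_save_user
     *
     * [description]
     *     This hook works the same way as the <hook>before_register</hook>
     *     hook, so you can also use it for changing and checking the user data
     *     that will be saved in the database. There's one difference. If you
     *     want to check a custom field, you'll also need to check the panel
     *     which you are on, because this hook is called from multiple panels.
     *     The panel that you are on will be stored in the
     *     <literal>panel</literal> field of the user data.<sbr/>
     *     <sbr/>
     *     The example hook belows demonstrates code which could be used if you
     *     have added a custom field to the template for the option
     *     <literal>Edit My Profile</literal> in the control panel.
     *
     * [category]
     *     Control center
     *
     * [when]
     *     In <filename>control.php</filename>, right before data for a user is
     *     saved in the control panel.
     *
     * [input]
     *     An array containing the user data to save.
     *     <ul>
     *     <li>error:
     *         modules can fill this field with an error message to show.</li>
     *     </ul>
     *
     * [output]
     *     The same array as the one that was used for the hook call
     *     argument, possibly with the "error" field updated in it.
     *
     * [example]
     *     <hookcode>
     *     function phorum_mod_foo_cc_save_user ($data)
     *     {
     *         // Only check data for the panel "user".
     *         if ($data['panel'] != "user") return $data;
     *
     *         $myfield = trim($data['your_custom_field']);
     *         if (empty($myfield)) {
     *             $data['error'] = 'You need to fill in my custom field';
     *         }
     *
     *         return $data;
     *     }
     *     </hookcode>
     */
    // NOTE(review): the hook documentation above refers to a "panel" field
    // in the hook data, but nothing in this function adds one; confirm
    // where it is injected before relying on it in a module.
    if (isset($PHORUM["hooks"]["cc_save_user"])) {
        $userdata = phorum_hook("cc_save_user", $userdata);
    }
    // Set $error, in case the cc_save_user hook did set an error.
    if (isset($userdata['error'])) {
        $error = $userdata['error'];
        unset($userdata['error']);
        // Try to update the userdata in the database.
    } elseif (!phorum_api_user_save($userdata)) {
        // Updating the user failed.
        $error = $PHORUM["DATA"]["LANG"]["ErrUserAddUpdate"];
    } else {
        // Updating the user was successful.
        $okmsg = $PHORUM["DATA"]["LANG"]["ProfileUpdatedOk"];
        // Let the userdata be reloaded.
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $userdata["user_id"]);
        // A password change invalidates every other session of this user
        // (other computers or browsers) by resetting all session id(s).
        if (isset($userdata["password"]) && $userdata["password"] != '') {
            phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_ALL);
        }
        // Copy data from the updated user back into the user template data.
        // $PHORUM is a copy of the global here, so the global is addressed
        // directly for the writes.
        $formatted = phorum_api_user_format(array($GLOBALS['PHORUM']['user']));
        foreach ($formatted[0] as $key => $val) {
            $GLOBALS['PHORUM']['DATA']['USER'][$key] = $val;
        }
        // Copy data from the updated user back into the template data.
        // Leave PANEL and forum_id alone (these are injected into the
        // userdata in the template from this script).
        foreach ($GLOBALS["PHORUM"]["DATA"]["PROFILE"] as $key => $val) {
            if ($key == "PANEL" || $key == "forum_id") {
                continue;
            }
            if (isset($GLOBALS["PHORUM"]["user"][$key])) {
                $GLOBALS["PHORUM"]["DATA"]["PROFILE"][$key] = $GLOBALS["PHORUM"]["user"][$key];
            } else {
                $GLOBALS["PHORUM"]["DATA"]["PROFILE"][$key] = "";
            }
        }
    }
    return array($error, $okmsg);
}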
 function testUserApiSetActiveUser()
 {
     $userId = phorum_api_user_search('username', 'testuser' . $this->sharedFixture, '=');
     // A known user id must be accepted as the new active user.
     $this->assertTrue(
         phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $userId),
         'Setting given user_id active again.'
     );
     // Arrays that do not describe a user must be rejected.
     $this->assertFalse(
         phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, array('foo' => 'bar')),
         'set_active_user with invalid array given.'
     );
     $this->assertFalse(
         phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, array('foo')),
         'set_active_user with invalid user-input.'
     );
     // Load the user record straight into the active user slot and
     // verify that a session can be created for it.
     $GLOBALS['PHORUM']['user'] = phorum_api_user_get($userId);
     $this->assertTrue(
         phorum_api_user_session_create(PHORUM_FORUM_SESSION),
         'Creating user-session'
     );
 }
//   but WITHOUT ANY WARRANTY, without even the implied warranty of           //
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     //
//                                                                            //
//   You should have received a copy of the Phorum License                    //
//   along with this program.                                                 //
//                                                                            //
////////////////////////////////////////////////////////////////////////////////
// don't allow this page to be loaded directly
// Refuse direct requests: this file may only run after the code that
// includes it has defined PHORUM_ADMIN.
defined("PHORUM_ADMIN") || exit;
require_once PHORUM_PATH . '/include/api/user.php';
require_once PHORUM_PATH . '/include/api/sign.php';
if (isset($_POST["username"]) && isset($_POST["password"])) {
    $user_id = phorum_api_user_authenticate(PHORUM_ADMIN_SESSION, trim($_POST["username"]), trim($_POST["password"]));
    if ($user_id && phorum_api_user_set_active_user(PHORUM_ADMIN_SESSION, $user_id) && phorum_api_user_session_create(PHORUM_ADMIN_SESSION)) {
        // update the token and time
        $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token_time'] = time();
        $sig_data = $GLOBALS["PHORUM"]["user"]['user_id'] . time() . $GLOBALS["PHORUM"]["user"]['username'];
        $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token'] = phorum_api_sign($sig_data);
        $GLOBALS["PHORUM"]['admin_token'] = $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token'];
        $tmp_user = array('user_id' => $GLOBALS["PHORUM"]["user"]['user_id'], 'settings_data' => $GLOBALS["PHORUM"]["user"]['settings_data']);
        phorum_api_user_save($tmp_user);
        if (!empty($_POST["target"])) {
            $target_url = phorum_admin_build_url($_POST['target'], TRUE);
            phorum_api_redirect($target_url);
        } else {
            $redir_url = phorum_admin_build_url(NULL, TRUE);
            phorum_api_redirect($redir_url);
        }
        exit;
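/**
 * A common function which is used to save the userdata from the post-data.
 *
 * Only a fixed whitelist of user fields (plus the non-deleted custom user
 * fields) is copied from $_POST, so a request cannot mass-assign
 * arbitrary columns of the user record. Password and e-mail related
 * fields are only accepted from the panel that edits them. The user_id
 * is always the one of the logged in user, never taken from the request.
 *
 * @param panel - The panel for which to save data.
 * @return array - An array containing $error and $okmsg.
 */
function phorum_controlcenter_user_save($panel)
{
    global $PHORUM;
    $error = "";
    $okmsg = "";
    // Setup the default userdata fields that can be changed from any
    // control panel interface. NULL marks "not posted"; such entries
    // are pruned further down.
    $userdata = array(
        'signature'        => NULL,
        'hide_email'       => NULL,
        'hide_activity'    => NULL,
        'tz_offset'        => NULL,
        'is_dst'           => NULL,
        'user_language'    => NULL,
        'threaded_list'    => NULL,
        'threaded_read'    => NULL,
        'email_notify'     => NULL,
        'show_signature'   => NULL,
        'pm_email_notify'  => NULL,
        'user_template'    => NULL,
        'moderation_email' => NULL,
        'real_name'        => NULL
    );
    // Password related fields can only be updated from the password panel.
    if ($panel == 'password') {
        $userdata['password'] = NULL;
        $userdata['password_temp'] = NULL;
    }
    // E-mail address related fields can only be updated from the email
    // panel (this block used to appear twice; once is enough).
    if ($panel == 'email') {
        $userdata['email'] = NULL;
        $userdata['email_temp'] = NULL;
    }
    // Add custom profile fields as acceptable fields.
    foreach ($PHORUM["CUSTOM_FIELDS"][PHORUM_CUSTOM_FIELD_USER] as $id => $field) {
        if ($id === "num_fields" || !empty($field['deleted'])) {
            continue;
        }
        $userdata[$field["name"]] = NULL;
    }
    // Copy only whitelisted keys from $_POST.
    foreach ($_POST as $key => $val) {
        if (array_key_exists($key, $userdata)) {
            $userdata[$key] = $val;
        }
    }
    // Drop the fields that were not posted.
    foreach ($userdata as $key => $val) {
        if (is_null($val)) {
            unset($userdata[$key]);
        }
    }
    // Set static userdata: always the logged in user, never a posted id.
    $userdata["user_id"] = $PHORUM["user"]["user_id"];
    // Run a hook, so module writers can update and check the userdata.
    if (isset($PHORUM["hooks"]["cc_save_user"])) {
        $userdata = phorum_api_hook("cc_save_user", $userdata);
    }
    // Set $error, in case the cc_save_user hook did set an error.
    if (isset($userdata['error'])) {
        $error = $userdata['error'];
        unset($userdata['error']);
        // Try to update the userdata in the database.
    } elseif (!phorum_api_user_save($userdata)) {
        // Updating the user failed.
        $error = $PHORUM["DATA"]["LANG"]["ErrUserAddUpdate"];
    } else {
        // Updating the user was successful.
        $okmsg = $PHORUM["DATA"]["LANG"]["ProfileUpdatedOk"];
        // Let the userdata be reloaded.
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $userdata["user_id"]);
        // A password change invalidates every other session of this user
        // (other computers or browsers) by resetting all session id(s).
        if (isset($userdata["password"]) && $userdata["password"] != '') {
            phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_ALL);
        }
        // Copy data from the updated user back into the user template data.
        $formatted = phorum_api_format_users(array($PHORUM['user']));
        foreach ($formatted[0] as $key => $val) {
            $PHORUM['DATA']['USER'][$key] = $val;
        }
        // Copy data from the updated user back into the template data.
        // Leave PANEL and forum_id alone (these are injected into the
        // userdata in the template from this script). Scalars are HTML
        // escaped for the template; arrays are copied as-is and the
        // signature gets both a formatted and an escaped variant.
        foreach ($PHORUM["DATA"]["PROFILE"] as $key => $val) {
            if ($key == "PANEL" || $key == "forum_id") {
                continue;
            }
            if (isset($PHORUM["user"][$key])) {
                if (is_array($val)) {
                    // array-data would be (most often) broken when html encoded
                    $PHORUM["DATA"]["PROFILE"][$key] = $PHORUM["user"][$key];
                } elseif (substr($key, 0, 9) == 'signature') {
                    // the signature needs special care - e.g. for the formatted sig
                    // Fake a message here so we can run the sig through format_message.
                    $fake_messages = array(array("author" => "", "email" => "", "subject" => "", "body" => $PHORUM["user"]["signature"]));
                    $fake_messages = phorum_format_messages($fake_messages);
                    $PHORUM["DATA"]["PROFILE"]["signature_formatted"] = $fake_messages[0]["body"];
                    // Format the user signature using standard message body formatting
                    // or  HTML escape it
                    $PHORUM["DATA"]["PROFILE"]["signature"] = htmlspecialchars($PHORUM["user"]["signature"], ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
                } else {
                    // same handling as when loading the page for the first time
                    $PHORUM["DATA"]["PROFILE"][$key] = htmlspecialchars($PHORUM["user"][$key], ENT_COMPAT, $PHORUM['DATA']['HCHARSET']);
                }
            } else {
                $PHORUM["DATA"]["PROFILE"][$key] = "";
            }
        }
    }
    return array($error, $okmsg);
}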
<?php

# Handle a user forum login
// Only run inside a bootstrapped Phorum request; bail out quietly otherwise.
if (!defined('PHORUM')) {
    return;
}
require_once "./include/api/base.php";
require_once "./include/api/user.php";
// Step 1: verify the credentials. A user_id comes back for a valid pair,
// anything falsy means the credentials were rejected.
// NOTE(review): "username" and "password" are literal placeholders in
// this example; a real login handler would pass the submitted values.
$user_id = phorum_api_user_authenticate(
    PHORUM_FORUM_SESSION,
    "username",
    "password"
);
if (!$user_id) {
    die("Username or password incorrect!\n");
}
// Step 2: make that user the active one for the rest of this request.
// PHORUM_FLAG_SESSION_ST additionally enables the short term session,
// as appropriate right after a fresh login.
$set_active = phorum_api_user_set_active_user(
    PHORUM_FORUM_SESSION,
    $user_id,
    PHORUM_FLAG_SESSION_ST
);
if (!$set_active) {
    die("Setting user_id {$user_id} as the active user failed!\n");
}
// Step 3: persist the login in a session so the user stays logged in on
// later requests. PHORUM_SESSID_RESET_LOGIN requests fresh session id(s),
// which is what you want at login time (it also defeats session fixation).
phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN);
// appropriate at login time