Beispiel #1
         $check = str_replace('/', '\\/', CAT_Helper_Directory::sanitizePath(CAT_ADMIN_PATH));
         if (preg_match('~^' . $check . '~i', $path)) {
             define('CAT_REQUIRE_ADMIN', true);
             if (!CAT_Users::getInstance()->is_authenticated()) {
                 CAT_Users::getInstance()->handleLogin();
                 exit(0);
             }
             // always enable CSRF protection in backend; does not work with
             // AJAX so scripts called via AJAX should set this constant
             if (!defined('CAT_AJAX_CALL')) {
                 //echo "class.secure is calling enableCSRFMagic<br />";
                 CAT_Helper_Protect::getInstance()->enableCSRFMagic();
             }
             global $parser;
             if (!is_object($parser)) {
                 $parser = CAT_Helper_Template::getInstance('Dwoo');
             }
             // initialize template search path
             $parser->setPath(CAT_THEME_PATH . '/templates');
             $parser->setFallbackPath(CAT_THEME_PATH . '/templates');
         }
     } else {
         define('CAT_REQUIRE_ADMIN', false);
     }
 }
 if (!defined('CAT_INITIALIZED')) {
     // the framework bootstrap has not run yet: pull it in before anything
     // below touches CAT_PATH / CAT_ADMIN_PATH or the database class
     require __DIR__ . '/initialize.php';
 }
 // admin directory as a path relative to the installation root
 // (CAT_PATH stripped from the front of CAT_ADMIN_PATH)
 $admin_dir = str_replace(CAT_PATH, '', CAT_ADMIN_PATH);
 // shared database handle used by the code that follows
 $db = new database();
 // list of scripts that may be called without going through the backend checks;
 // starts empty, presumably filled further down — verify against the rest of the file
 $direct_access_allowed = array();
Beispiel #2
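 /**
  * Handle a backend login request.
  *
  * Three cases are covered: an already authenticated visitor is redirected;
  * a submitted login form is validated against the users table and, on
  * success, the session is populated with the user's data, preferences and
  * group permissions; otherwise the login form is rendered.
  *
  * @param bool $output  when false, the login form is not rendered for an
  *                      unauthenticated visitor who did not submit credentials
  * @return string|bool|null  the URL to redirect to after a successful login
  *                      (or the warning page after too many attempts);
  *                      false on a failed attempt or when nothing was rendered;
  *                      null after rendering the form or sending a Location header
  **/
 public static function handleLogin($output = true)
 {
     global $parser;
     if (!is_object($parser)) {
         $parser = CAT_Helper_Template::getInstance('Dwoo');
     }
     CAT_Backend::initPaths();
     $val = CAT_Helper_Validate::getInstance();
     $lang = CAT_Helper_I18n::getInstance();
     $self = self::getInstance();

     // The redirect target is taken from the request (POST 'redirect'), so only
     // a site-relative path or an absolute URL below CAT_URL is accepted; anything
     // else would turn the login page into an open redirector.
     $redirect_url = $val->sanitizePost('redirect');
     $is_local_url = function ($url) {
         if (!is_string($url) || $url === '') {
             return false;
         }
         // "/path", but not "//host" or "/\host" (protocol-relative URLs)
         if (preg_match('~^/(?![/\\\\])~', $url)) {
             return true;
         }
         return strpos($url, CAT_URL . '/') === 0;
     };
     if (!$is_local_url($redirect_url)) {
         $redirect_url = null;
     }

     if (self::is_authenticated()) {
         // already logged in: just send the visitor on. A second Location header
         // would replace the first one, hence the early return after the redirect.
         if ($redirect_url) {
             header('Location: ' . $redirect_url);
             return;
         }
         if (self::getInstance()->checkPermission('start', 'start')) {
             header('Location: ' . CAT_ADMIN_URL . '/start/index.php');
         } else {
             header('Location: ' . CAT_URL . '/index.php');
         }
         return;
     }

     // --- login attempt ---
     if ($val->sanitizePost('username_fieldname')) {
         // get input data; the actual field names are generated per form
         $user = htmlspecialchars($val->sanitizePost($val->sanitizePost('username_fieldname')), ENT_QUOTES);
         $pw = $val->sanitizePost($val->sanitizePost('password_fieldname'));
         // a login name containing separator/markup characters is rejected outright
         $name = preg_match('/[\\;\\=\\&\\|\\<\\> ]/', $user) ? '' : $user;
         $min_length = CAT_Registry::exists('AUTH_MIN_LOGIN_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_LOGIN_LENGTH') : 5;
         $min_pass_length = CAT_Registry::exists('AUTH_MIN_PASS_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_PASS_LENGTH') : 5;
         // check common issues
         // we do not check for too long and don't give too much hints!
         if (!$name) {
             self::setLoginError($lang->translate('Invalid credentials'));
         }
         // parenthesised: "a && b || c" binds as "(a && b) || c", which bypassed
         // the "no error yet" guard for an empty password
         if (!self::$loginerror && ($user == '' || $pw == '')) {
             self::setLoginError($lang->translate('Please enter your username and password.'));
         }
         if (!self::$loginerror && strlen($user) < $min_length) {
             self::setLoginError($lang->translate('Invalid credentials'));
         }
         if (!self::$loginerror && !CAT_Registry::defined('ALLOW_SHORT_PASSWORDS') && strlen($pw) < $min_pass_length) {
             self::setLoginError($lang->translate('Invalid credentials'));
         }
         if (!self::$loginerror) {
             // NOTE(review): the users table holds unsalted MD5 password hashes;
             // moving to password_hash()/password_verify() needs a schema
             // migration and is not attempted here.
             $query = 'SELECT * FROM `:prefix:users` WHERE `username`=:name AND `password`=:pw';
             $result = $self->db()->query($query, array('name' => $name, 'pw' => md5($pw)));
             if ($result && $result->rowCount() == 1) {
                 // get basic user data
                 $user = $result->fetchRow(MYSQL_ASSOC);
                 // The `active` flag is read from the fetched row. Previously a
                 // second query selected it but only the query object itself was
                 // tested, so the flag was never evaluated. Assumes `active`
                 // holds a truthy/falsy value — TODO confirm against the schema.
                 if (empty($user['active'])) {
                     self::setLoginError($lang->translate('Your account has been disabled. Please contact the administrator.'));
                 } else {
                     // successful authentication: issue a fresh session id so a
                     // session id fixed before login cannot be reused afterwards
                     if (session_id() !== '') {
                         session_regenerate_id(true);
                     }
                     // default user preferences, overlaid by this user's own options
                     $prefs = array_merge(self::getDefaultUserOptions(), self::getUserOptions($user['user_id']));
                     foreach (self::$sessioncols as $key) {
                         $_SESSION[strtoupper($key)] = $user[$key];
                     }
                     // ----- preferences -----
                     $_SESSION['LANGUAGE'] = $user['language'] != '' ? $user['language'] : (isset($prefs['language']) ? $prefs['language'] : 'DE');
                     $_SESSION['TIMEZONE_STRING'] = isset($prefs['timezone_string']) && $prefs['timezone_string'] != '' ? $prefs['timezone_string'] : CAT_Registry::get('DEFAULT_TIMEZONE_STRING');
                     $_SESSION['CAT_DATE_FORMAT'] = isset($prefs['date_format']) && $prefs['date_format'] != '' ? $prefs['date_format'] : CAT_Registry::get('CAT_DEFAULT_DATE_FORMAT');
                     $_SESSION['CAT_TIME_FORMAT'] = isset($prefs['time_format']) && $prefs['time_format'] != '' ? $prefs['time_format'] : CAT_Registry::get('CAT_DEFAULT_TIME_FORMAT');
                     if (defined('WB2COMPAT') && WB2COMPAT === true) {
                         // map the CAT formats to their WB2 names; a format missing
                         // from the map yields '' instead of an undefined-index notice
                         $wb2compat_format_map = CAT_Registry::get('WB2COMPAT_FORMAT_MAP');
                         $_SESSION['DATE_FORMAT'] = isset($wb2compat_format_map[$_SESSION['CAT_DATE_FORMAT']]) ? $wb2compat_format_map[$_SESSION['CAT_DATE_FORMAT']] : '';
                         $_SESSION['TIME_FORMAT'] = isset($wb2compat_format_map[$_SESSION['CAT_TIME_FORMAT']]) ? $wb2compat_format_map[$_SESSION['CAT_TIME_FORMAT']] : '';
                     }
                     date_default_timezone_set($_SESSION['TIMEZONE_STRING']);
                     // ----- permissions, accumulated over all of the user's groups -----
                     $_SESSION['SYSTEM_PERMISSIONS'] = 0;
                     $_SESSION['MODULE_PERMISSIONS'] = array();
                     $_SESSION['TEMPLATE_PERMISSIONS'] = array();
                     $_SESSION['GROUP_NAME'] = array();
                     $first_group = true;
                     $group_query = "SELECT * FROM `:prefix:groups` WHERE group_id=:id";
                     foreach (explode(",", $user['groups_id']) as $cur_group_id) {
                         $result = $self->db()->query($group_query, array('id' => $cur_group_id));
                         $results = $result->fetch();
                         $_SESSION['GROUP_NAME'][$cur_group_id] = $results['name'];
                         // system permissions: the last group with a value wins
                         if ($results['system_permissions'] != '') {
                             $_SESSION['SYSTEM_PERMISSIONS'] = $results['system_permissions'];
                         }
                         // module permissions: the first group sets them, every further
                         // group narrows them (intersection); groups without a value are skipped
                         if ($results['module_permissions'] != '') {
                             $group_modules = explode(',', $results['module_permissions']);
                             $_SESSION['MODULE_PERMISSIONS'] = $first_group ? $group_modules : array_intersect($_SESSION['MODULE_PERMISSIONS'], $group_modules);
                         }
                         // template permissions: same rule as for modules
                         if ($results['template_permissions'] != '') {
                             $group_templates = explode(',', $results['template_permissions']);
                             $_SESSION['TEMPLATE_PERMISSIONS'] = $first_group ? $group_templates : array_intersect($_SESSION['TEMPLATE_PERMISSIONS'], $group_templates);
                         }
                         $first_group = false;
                     }
                     // Update the users table with current ip and timestamp
                     $query = "UPDATE `:prefix:users` SET login_when=:when, login_ip=:ip WHERE user_id=:id";
                     $self->db()->query($query, array('when' => time(), 'ip' => $_SERVER['REMOTE_ADDR'], 'id' => $user['user_id']));
                     // tell the caller where to send the user ($redirect_url has
                     // already been restricted to this site above)
                     if ($redirect_url) {
                         return $redirect_url;
                     }
                     if (self::getInstance()->checkPermission('start', 'start')) {
                         return CAT_ADMIN_URL . '/start/index.php?initial=true';
                     }
                     return CAT_URL . '/index.php';
                 }
             } else {
                 self::setLoginError($lang->translate('Invalid credentials'));
             }
         }
         // too many failed attempts: optionally disable the account and show the warning page
         if ($val->fromSession('ATTEMPTS') > CAT_Registry::get('MAX_ATTEMPTS') && CAT_Registry::exists('AUTO_DISABLE_USERS') && CAT_Registry::get('AUTO_DISABLE_USERS') === true) {
             // if we have a user name
             if ($name) {
                 self::disableAccount($name);
             }
             return CAT_THEME_URL . '/templates/warning.html';
         }
         return false;
     }

     if (!$output) {
         return false;
     }
     // ----- render the login form -----
     $username_fieldname = $val->createFieldname('username_');
     $tpl_data = array(
         'USERNAME_FIELDNAME'    => $username_fieldname,
         'PASSWORD_FIELDNAME'    => $val->createFieldname('password_'),
         'USERNAME'              => $val->sanitizePost($username_fieldname),
         'ACTION_URL'            => CAT_ADMIN_URL . '/login/index.php',
         'LOGIN_URL'             => CAT_ADMIN_URL . '/login/index.php',
         'DEFAULT_URL'           => CAT_ADMIN_URL . '/start/index.php',
         'WARNING_URL'           => CAT_THEME_URL . '/templates/warning.html',
         'REDIRECT_URL'          => ADMIN_URL . '/start/index.php',
         'FORGOTTEN_DETAILS_APP' => ADMIN_URL . '/login/forgot/index.php',
         'MIN_USERNAME_LEN'      => AUTH_MIN_LOGIN_LENGTH,
         'MAX_USERNAME_LEN'      => AUTH_MAX_LOGIN_LENGTH,
         'MIN_PASSWORD_LEN'      => AUTH_MIN_PASS_LENGTH,
         'MAX_PASSWORD_LEN'      => AUTH_MAX_PASS_LENGTH,
         'PAGES_DIRECTORY'       => PAGES_DIRECTORY,
         // session key fixed: the counter is read as 'ATTEMPTS' in the attempt
         // check above; the template previously asked for the misspelt 'ATTEMTPS'
         'ATTEMPTS'              => $val->fromSession('ATTEMPTS'),
         'MESSAGE'               => self::$loginerror,
     );
     $tpl_data['meta']['LANGUAGE'] = strtolower(LANGUAGE);
     $tpl_data['meta']['CHARSET'] = defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : "utf-8";
     $parser->output('login', $tpl_data);
 }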