Beispiel #1
0
	/**
	 * Verifies user credentials before creating the theme and displaying the request.
	 */
	public function __construct()
	{
		$user = User::identify();
		if ( !$user->loggedin ) {
			Session::add_to_set( 'login', $_SERVER['REQUEST_URI'], 'original' );
			if ( URL::get_matched_rule()->action == 'admin_ajax' && isset( $_SERVER['HTTP_REFERER'] ) ) {
				 $ar = new AjaxResponse(408, _t('Your session has ended, please log in and try again.') );
				 $ar->out();
			}
			else {
				$post_raw = $_POST->get_array_copy_raw();
				if ( !empty( $post_raw ) ) {
					Session::add_to_set( 'last_form_data', $post_raw, 'post' );
					Session::error( _t( 'We saved the last form you posted. Log back in to continue its submission.' ), 'expired_form_submission' );
				}
				$get_raw = $_GET->get_array_copy_raw();
				if ( !empty( $get_raw ) ) {
					Session::add_to_set( 'last_form_data', $get_raw, 'get' );
					Session::error( _t( 'We saved the last form you posted. Log back in to continue its submission.' ), 'expired_form_submission' );
				}
				Utils::redirect( URL::get( 'auth', array( 'page' => 'login' ) ) );
			}
			exit;
		}

		$last_form_data = Session::get_set( 'last_form_data' ); // This was saved in the "if ( !$user )" above, UserHandler transferred it properly.
		/* At this point, Controller has not created handler_vars, so we have to modify $_POST/$_GET. */
		if ( isset( $last_form_data['post'] ) ) {
			$_POST = $_POST->merge( $last_form_data['post'] );
			$_SERVER['REQUEST_METHOD'] = 'POST'; // This will trigger the proper act_admin switches.
			Session::remove_error( 'expired_form_submission' );
		}
		if ( isset( $last_form_data['get'] ) ) {
			$_GET = $_GET->merge( $last_form_data['get'] );
			Session::remove_error( 'expired_form_submission' );
			// No need to change REQUEST_METHOD since GET is the default.
		}
		$user->remember();

		// Create an instance of the active public theme so that its plugin functions are implemented
		$this->active_theme = Themes::create();

		// setup the stacks for javascript in the admin - it's a method so a plugin can call it externally
		self::setup_stacks();
		
		// on every page load check the plugins currently loaded against the list we last checked for updates and trigger a cron if we need to
		Update::check_plugins();
	}
Beispiel #2
0
 public function loginform_do_login($form)
 {
     $name = $form->habari_username->value;
     $pass = $form->habari_password->value;
     if (null != $name || null != $pass) {
         $user = User::authenticate($name, $pass);
         if ($user instanceof User && $user != false) {
             $userinfo = $user->info;
             // if there's an unused password reset token, unset it to make sure there's no possibility of a compromise that way
             if (isset($userinfo->password_reset)) {
                 unset($userinfo->password_reset);
             }
             /* Successfully authenticated. */
             // Timestamp last login date and time.
             $user->info->authenticate_time = DateTime::create()->format('Y-m-d H:i:s');
             $user->update();
             // Remove left over expired session error message.
             if (Session::has_errors('expired_session')) {
                 Session::remove_error('expired_session');
             }
             $login_session = Session::get_set('login');
             if (!empty($login_session)) {
                 /* Now that we know we're dealing with the same user, transfer the form data so he does not lose his request */
                 if (!empty($login_session['post_data'])) {
                     Session::add_to_set('last_form_data', $last_form_data['post'], 'post');
                 }
                 if (!empty($login_session['get_data'])) {
                     Session::add_to_set('last_form_data', $last_form_data['get'], 'get');
                 }
                 // don't bother parsing out the URL, we store the URI that was requested, so just append that to the hostname and we're done
                 $login_dest = Site::get_url('host') . $login_session['original'];
             } else {
                 $login_session = null;
                 $login_dest = Site::get_url('admin');
             }
             // filter the destination
             $login_dest = Plugins::filter('login_redirect_dest', $login_dest, $user, $login_session);
             // finally, redirect to the destination
             Utils::redirect($login_dest);
             return true;
         }
         /* Authentication failed. */
         // Remove submitted password, see, we're secure!
         $form->habari_password->value = '';
         $this->handler_vars['error'] = _t('Bad credentials');
     }
 }
Beispiel #3
0
 /**
  * Verifies user credentials before creating the theme and displaying the request.
  */
 public function __construct()
 {
     $user = User::identify();
     if (!$user->loggedin) {
         Session::add_to_set('login', $_SERVER['REQUEST_URI'], 'original');
         if (URL::get_matched_rule()->name == 'admin_ajax' && isset($_SERVER['HTTP_REFERER'])) {
             header('Content-Type: text/javascript;charset=utf-8');
             echo '{callback: function(){location.href="' . $_SERVER['HTTP_REFERER'] . '"} }';
         } else {
             $post_raw = $_POST->get_array_copy_raw();
             if (!empty($post_raw)) {
                 Session::add_to_set('last_form_data', $post_raw, 'post');
                 Session::error(_t('We saved the last form you posted. Log back in to continue its submission.'), 'expired_form_submission');
             }
             $get_raw = $_GET->get_array_copy_raw();
             if (!empty($get_raw)) {
                 Session::add_to_set('last_form_data', $get_raw, 'get');
                 Session::error(_t('We saved the last form you posted. Log back in to continue its submission.'), 'expired_form_submission');
             }
             Utils::redirect(URL::get('auth', array('page' => 'login')));
         }
         exit;
     }
     $last_form_data = Session::get_set('last_form_data');
     // This was saved in the "if ( !$user )" above, UserHandler transferred it properly.
     /* At this point, Controller has not created handler_vars, so we have to modify $_POST/$_GET. */
     if (isset($last_form_data['post'])) {
         $_POST = $_POST->merge($last_form_data['post']);
         $_SERVER['REQUEST_METHOD'] = 'POST';
         // This will trigger the proper act_admin switches.
         Session::remove_error('expired_form_submission');
     }
     if (isset($last_form_data['get'])) {
         $_GET = $_GET->merge($last_form_data['get']);
         Session::remove_error('expired_form_submission');
         // No need to change REQUEST_METHOD since GET is the default.
     }
     $user->remember();
     // Create an instance of the active public theme so that its plugin functions are implemented
     $this->active_theme = Themes::create();
     // setup the stacks for javascript in the admin - it's a method so a plugin can call it externally
     self::setup_stacks();
 }
Beispiel #4
0
 /**
  * Either just display the login form; or check a user's credentials, and
  * create a session for them; or handle a password reset request.
  */
 public function act_login()
 {
     // If we're a reset password request, do that.
     if (isset($_POST['submit_button']) && $_POST['submit_button'] === _t('Reset password')) {
         Utils::check_request_method(array('POST'));
         $name = $this->handler_vars['habari_username'];
         if ($name !== NULL) {
             if (!is_numeric($name) && ($user = User::get($name))) {
                 $hash = Utils::random_password();
                 $user->info->password_reset = md5($hash);
                 $user->info->commit();
                 $message = _t('Please visit %1$s to reset your password.', array(URL::get('user', array('page' => 'password_reset', 'id' => $user->id, 'hash' => $hash))));
                 Utils::mail($user->email, _t('[%1$s] Password reset request for %2$s', array(Options::get('title'), $user->displayname)), $message);
             }
             // Moving this inside the check for user existence would allow attackers to test usernames, so don't
             Session::notice(_t('A password reset request has been sent to the user.'));
         }
     } else {
         Utils::check_request_method(array('GET', 'HEAD', 'POST'));
         $name = $_POST['habari_username'];
         $pass = $_POST['habari_password'];
         if (NULL != $name || NULL != $pass) {
             $user = User::authenticate($name, $pass);
             if ($user instanceof User && FALSE != $user) {
                 /* Successfully authenticated. */
                 // Timestamp last login date and time.
                 $user->info->authenticate_time = date('Y-m-d H:i:s');
                 $user->update();
                 // Remove left over expired session error message.
                 if (Session::has_errors('expired_session')) {
                     Session::remove_error('expired_session');
                 }
                 $login_session = Session::get_set('login');
                 if (!empty($login_session)) {
                     /* Now that we know we're dealing with the same user, transfer the form data so he does not lose his request */
                     if (!empty($login_session['post_data'])) {
                         Session::add_to_set('last_form_data', $last_form_data['post'], 'post');
                     }
                     if (!empty($login_session['get_data'])) {
                         Session::add_to_set('last_form_data', $last_form_data['get'], 'get');
                     }
                     /* Redirect to the correct admin page */
                     $dest = explode('/', MultiByte::substr($login_session['original'], MultiByte::strpos($login_session['original'], 'admin/')));
                     if ('' == $dest[0]) {
                         $login_dest = Site::get_url('admin');
                     } else {
                         // Replace '?' with '&' in $dest[1] before call URL::get()
                         // Therefore calling URL::get() with a query string
                         $dest[1] = str_replace('?', '&', $dest[1]);
                         $login_dest = URL::get('admin', 'page=' . $dest[1]);
                     }
                 } else {
                     $login_session = null;
                     $login_dest = Site::get_url('admin');
                 }
                 // filter the destination
                 $login_dest = Plugins::filter('login_redirect_dest', $login_dest, $user, $login_session);
                 // finally, redirect to the destination
                 Utils::redirect($login_dest);
                 return TRUE;
             }
             /* Authentication failed. */
             // Remove submitted password, see, we're secure!
             $_POST['habari_password'] = '';
             $this->handler_vars['error'] = _t('Bad credentials');
         }
     }
     // Display the login form.
     $this->login_form($name);
 }