function DoSetup() { global $PathPrefix; if (isset($_SESSION['db']) and $_SESSION['db'] != '') { include $PathPrefix . 'includes/GetConfig.php'; } $db = $_SESSION['db']; // Used a bit in the following. if (isset($_SESSION['DB_Maintenance'])) { if ($_SESSION['DB_Maintenance'] != 0) { if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['DB_Maintenance_LastRun']), 'd') > $_SESSION['DB_Maintenance']) { /*Do the DB maintenance routing for the DB_type selected */ DB_Maintenance($db); //purge the audit trail if necessary if (isset($_SESSION['MonthsAuditTrail'])) { $sql = "DELETE FROM audittrail\n\t\t\t\t\t\t WHERE transactiondate <= '" . Date('Y-m-d', mktime(0, 0, 0, Date('m') - $_SESSION['MonthsAuditTrail'])) . "'"; $ErrMsg = _('There was a problem deleting expired audit-trail history'); $result = DB_query($sql, $db); } $_SESSION['DB_Maintenance_LastRun'] = Date('Y-m-d'); } } } /*Check to see if currency rates need to be updated */ if (isset($_SESSION['UpdateCurrencyRatesDaily'])) { if ($_SESSION['UpdateCurrencyRatesDaily'] != 0) { if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['UpdateCurrencyRatesDaily']), 'd') > 0) { $CurrencyRates = GetECBCurrencyRates(); // gets rates from ECB see includes/MiscFunctions.php /*Loop around the defined currencies and get the rate from ECB */ $CurrenciesResult = DB_query("SELECT currabrev FROM currencies", $db); while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) { if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) { $UpdateCurrRateResult = DB_query("UPDATE currencies SET\n\t\t\t\t\t\t\t\t\t\t\t rate='" . GetCurrencyRate($CurrencyRow[0], $CurrencyRates) . "'\n\t\t\t\t\t\t\t\t\t\t\t WHERE currabrev='" . $CurrencyRow[0] . "'", $db); } } $_SESSION['UpdateCurrencyRatesDaily'] = Date('Y-m-d'); $UpdateConfigResult = DB_query("UPDATE config SET confvalue = '" . Date('Y-m-d') . "' WHERE confname='UpdateCurrencyRatesDaily'", $db); } } } }
function userLogin($Name, $Password, $SysAdminEmail = '', $db) { global $debug; global $PathPrefix; if (!isset($_SESSION['AccessLevel']) or $_SESSION['AccessLevel'] == '' or isset($Name) and $Name != '') { /* if not logged in */ $_SESSION['AccessLevel'] = ''; $_SESSION['CustomerID'] = ''; $_SESSION['UserBranch'] = ''; $_SESSION['SalesmanLogin'] = ''; $_SESSION['Module'] = ''; $_SESSION['PageSize'] = ''; $_SESSION['UserStockLocation'] = ''; $_SESSION['AttemptsCounter']++; // Show login screen if (!isset($Name) or $Name == '') { $_SESSION['DatabaseName'] = ''; $_SESSION['CompanyName'] = ''; return UL_SHOWLOGIN; } /* The SQL to get the user info must use the * syntax because the field name could change between versions if the fields are specifed directly then the sql fails and the db upgrade will fail */ $sql = "SELECT *\n\t\t\t\tFROM www_users\n\t\t\t\tWHERE www_users.userid='" . $Name . "'"; $ErrMsg = _('Could not retrieve user details on login because'); $debug = 1; $PasswordVerified = false; $Auth_Result = DB_query($sql, $ErrMsg); if (DB_num_rows($Auth_Result) > 0) { $myrow = DB_fetch_array($Auth_Result); if (VerifyPass($Password, $myrow['password'])) { $PasswordVerified = true; } elseif (isset($GLOBALS['CryptFunction'])) { /*if the password stored in the DB was compiled the old way, * the previous comparison will fail, * try again with the old hashing algorithm, * then re-hash the password using the new algorithm. * The next version should not have $CryptFunction any more for new installs. */ switch ($GLOBALS['CryptFunction']) { case 'sha1': if ($myrow['password'] == sha1($Password)) { $PasswordVerified = true; } break; case 'md5': if ($myrow['password'] == md5($Password)) { $PasswordVerified = true; } break; default: if ($myrow['password'] == $Password) { $PasswordVerified = true; } } if ($PasswordVerified) { $sql = "UPDATE www_users SET password = '******'" . " WHERE userid = '" . $Name . "';"; DB_query($sql); } } } // Populate session variables with data base results if ($PasswordVerified) { if ($myrow['blocked'] == 1) { //the account is blocked return UL_BLOCKED; } /*reset the attempts counter on successful login */ $_SESSION['UserID'] = $myrow['userid']; $_SESSION['AttemptsCounter'] = 0; $_SESSION['AccessLevel'] = $myrow['fullaccess']; $_SESSION['CustomerID'] = $myrow['customerid']; $_SESSION['UserBranch'] = $myrow['branchcode']; $_SESSION['DefaultPageSize'] = $myrow['pagesize']; $_SESSION['UserStockLocation'] = $myrow['defaultlocation']; $_SESSION['UserEmail'] = $myrow['email']; $_SESSION['ModulesEnabled'] = explode(",", $myrow['modulesallowed']); $_SESSION['UsersRealName'] = $myrow['realname']; $_SESSION['Theme'] = $myrow['theme']; $_SESSION['Language'] = $myrow['language']; $_SESSION['SalesmanLogin'] = $myrow['salesman']; $_SESSION['CanCreateTender'] = $myrow['cancreatetender']; $_SESSION['AllowedDepartment'] = $myrow['department']; $_SESSION['ShowDashboard'] = $myrow['showdashboard']; if (isset($myrow['pdflanguage'])) { $_SESSION['PDFLanguage'] = $myrow['pdflanguage']; } else { $_SESSION['PDFLanguage'] = '0'; //default to latin western languages } if ($myrow['displayrecordsmax'] > 0) { $_SESSION['DisplayRecordsMax'] = $myrow['displayrecordsmax']; } else { $_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax']; // default comes from config.php } $sql = "UPDATE www_users SET lastvisitdate='" . date('Y-m-d H:i:s') . "'\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'"; $Auth_Result = DB_query($sql); /*get the security tokens that the user has access to */ $sql = "SELECT tokenid\n\t\t\t\t\tFROM securitygroups\n\t\t\t\t\tWHERE secroleid = '" . $_SESSION['AccessLevel'] . "'"; $Sec_Result = DB_query($sql); $_SESSION['AllowedPageSecurityTokens'] = array(); if (DB_num_rows($Sec_Result) == 0) { return UL_CONFIGERR; } else { $i = 0; $UserIsSysAdmin = FALSE; while ($myrow = DB_fetch_row($Sec_Result)) { if ($myrow[0] == 15) { $UserIsSysAdmin = TRUE; } $_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0]; $i++; } } /*User is logged in so get configuration parameters - save in session*/ include $PathPrefix . 'includes/GetConfig.php'; if (isset($_SESSION['DB_Maintenance'])) { if ($_SESSION['DB_Maintenance'] > 0) { //run the DB maintenance script if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['DB_Maintenance_LastRun']), 'd') >= $_SESSION['DB_Maintenance']) { /*Do the DB maintenance routing for the DB_type selected */ DB_Maintenance(); $_SESSION['DB_Maintenance_LastRun'] = Date('Y-m-d'); /* Audit trail purge only runs if DB_Maintenance is enabled */ if (isset($_SESSION['MonthsAuditTrail'])) { $sql = "DELETE FROM audittrail\n\t\t\t\t\t\t\t\t\tWHERE transactiondate <= '" . Date('Y-m-d', mktime(0, 0, 0, Date('m') - $_SESSION['MonthsAuditTrail'])) . "'"; $ErrMsg = _('There was a problem deleting expired audit-trail history'); $result = DB_query($sql); } } } } /*Check to see if currency rates need to be updated */ if (isset($_SESSION['UpdateCurrencyRatesDaily'])) { if ($_SESSION['UpdateCurrencyRatesDaily'] != 0) { /* Only run the update to currency rates if today is after the last update i.e. only runs once a day */ if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['UpdateCurrencyRatesDaily']), 'd') > 0) { if ($_SESSION['ExchangeRateFeed'] == 'ECB') { $CurrencyRates = GetECBCurrencyRates(); // gets rates from ECB see includes/MiscFunctions.php /*Loop around the defined currencies and get the rate from ECB */ if ($CurrencyRates != false) { $CurrenciesResult = DB_query("SELECT currabrev FROM currencies"); while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) { if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) { $UpdateCurrRateResult = DB_query("UPDATE currencies SET rate='" . GetCurrencyRate($CurrencyRow[0], $CurrencyRates) . "'\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE currabrev='" . $CurrencyRow[0] . "'", $db); } } } } else { $CurrenciesResult = DB_query("SELECT currabrev FROM currencies"); while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) { if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) { $UpdateCurrRateResult = DB_query("UPDATE currencies SET rate='" . google_currency_rate($CurrencyRow[0]) . "'\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE currabrev='" . $CurrencyRow[0] . "'", $db); } } } $_SESSION['UpdateCurrencyRatesDaily'] = Date('Y-m-d'); $UpdateConfigResult = DB_query("UPDATE config SET confvalue = '" . Date('Y-m-d') . "' WHERE confname='UpdateCurrencyRatesDaily'"); } } } /* Set the logo if not yet set. * will be done only once per session and each time * we are not in session (i.e. before login) */ if (empty($_SESSION['LogoFile'])) { /* find a logo in companies/CompanyDir */ if (file_exists($PathPrefix . 'companies/' . $_SESSION['DatabaseName'] . '/logo.png')) { $_SESSION['LogoFile'] = 'companies/' . $_SESSION['DatabaseName'] . '/logo.png'; } elseif (file_exists($PathPrefix . 'companies/' . $_SESSION['DatabaseName'] . '/logo.jpg')) { $_SESSION['LogoFile'] = 'companies/' . $_SESSION['DatabaseName'] . '/logo.jpg'; } } if (!isset($_SESSION['DB_Maintenance'])) { return UL_CONFIGERR; } else { if ($_SESSION['DB_Maintenance'] == -1 and !in_array(15, $_SESSION['AllowedPageSecurityTokens'])) { // the configuration setting has been set to -1 ==> Allow SysAdmin Access Only // the user is NOT a SysAdmin return UL_MAINTENANCE; } } } else { // Incorrect password // 5 login attempts, show failed login screen if (!isset($_SESSION['AttemptsCounter'])) { $_SESSION['AttemptsCounter'] = 0; } elseif ($_SESSION['AttemptsCounter'] >= 5 and isset($Name)) { /*User blocked from future accesses until sysadmin releases */ $sql = "UPDATE www_users\n\t\t\t\t\t\t\tSET blocked=1\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'"; $Auth_Result = DB_query($sql); if ($SysAdminEmail != '') { $EmailSubject = _('User access blocked') . ' ' . $Name; $EmailText = _('User ID') . ' ' . $Name . ' - ' . $Password . ' - ' . _('has been blocked access at') . ' ' . Date('Y-m-d H:i:s') . ' ' . _('from IP') . ' ' . $_SERVER["REMOTE_ADDR"] . ' ' . _('due to too many failed attempts.'); if ($_SESSION['SmtpSetting'] == 0) { mail($SysAdminEmail, $EmailSubject, $EmailText); } else { include 'includes/htmlMimeMail.php'; $mail = new htmlMimeMail(); $mail->setSubject($EmailSubject); $mail->setText($EmailText); $result = SendmailBySmtp($mail, array($SysAdminEmail)); } } return UL_BLOCKED; } return UL_NOTVALID; } } // End of userid/password check // Run with debugging messages for the system administrator(s) but not anyone else return UL_OK; /* All is well */ }