/**
 * Answer an AJAX "is my session still alive?" probe with a JSON document.
 *
 * Besides the session verdict, the reply carries the localized strings the
 * JavaScript side needs to render an inline login form when the verdict is
 * negative.
 *
 * NOTE(review): no Content-Type header is emitted here, so the JSON goes out
 * with whatever default the SAPI applies -- confirm the caller (or front
 * controller) sets application/json before relying on this endpoint.
 *
 * @param mixed $dbHandler database handle, passed by reference to checkSessionValid()
 * @return void the reply is written directly with echo
 */
function processAjaxCheck(&$dbHandler) {
  doSessionStart(true);

  // checkSessionValid() is invoked with a second argument of false; what that
  // flag suppresses (presumably the redirect-to-login on failure) is defined
  // outside this file -- verify before relying on it.
  $isSessionValid = checkSessionValid($dbHandler, false);

  $reply = array();
  $reply['validSession'] = $isSessionValid;
  $reply['username_label'] = lang_get('login_name');
  $reply['password_label'] = lang_get('password');
  $reply['login_label'] = lang_get('btn_login');
  $reply['timeout_info'] = lang_get('timeout_info');

  echo json_encode($reply);
}
echo json_encode(array('success' => false, 'reason' => $gui->note)); } else { $doRender = true; } } else { $args->currentUser = $_SESSION['currentUser']; logAuditEvent(TLS("audit_login_succeeded", $args->login, $_SERVER['REMOTE_ADDR']), "LOGIN", $args->currentUser->dbID, "users"); if ($args->action == 'ajaxlogin') { echo json_encode(array('success' => true)); } else { redirect($_SESSION['basehref'] . "index.php" . ($args->preqURI ? "?reqURI=" . urlencode($args->preqURI) : "")); } } break; case 'ajaxcheck': doSessionStart(); unset($_SESSION['basehref']); setPaths(); $validSession = checkSessionValid($db, false); // Send a json reply, include localized strings for use in js to display a login form. echo json_encode(array('validSession' => $validSession, 'username_label' => lang_get('login_name'), 'password_label' => lang_get('password'), 'login_label' => lang_get('btn_login'))); break; case 'loginform': $doRender = true; break; } // BUGID 0003129 if ($doRender) { $logPeriodToDelete = config_get('removeEventsOlderThan'); $g_tlLogger->deleteEventsFor(null, strtotime("-{$logPeriodToDelete} days UTC")); $smarty = new TLSmarty();
/**
 * Common bootstrap for GUI pages: session, paths, date formats, DB
 * connection, optional login and rights checks, optional project setup and
 * the attachment-repository sanity check.
 *
 * Security note: $bDontCheckSession = true disables the login check for the
 * calling page and a null $userRightsCheckFunction disables the rights check;
 * both must be chosen deliberately per page. The two checks are independent:
 * the rights check still runs when the session check is skipped.
 *
 * @param mixed $db                      DB connection identifier (by reference)
 * @param bool  $initProject             when true, project / test plan state is
 *                                       adjusted in $_SESSION from $_REQUEST
 * @param bool  $bDontCheckSession       when true, checkSessionValid() is skipped
 * @param mixed $userRightsCheckFunction when truthy, forwarded to checkUserRightsFor()
 * @return void
 */
function testlinkInitPage(&$db, $initProject = FALSE, $bDontCheckSession = false, $userRightsCheckFunction = null) {
  doSessionStart();
  setPaths();
  set_dt_formats();
  doDBConnect($db);

  // One statistics collector per request, created only under extended logging.
  static $pageStatistics = null;
  if (!$pageStatistics && config_get('log_level') == 'EXTENDED') {
    $pageStatistics = new tlPageStatistics($db);
  }

  if (!$bDontCheckSession) {
    checkSessionValid($db);
  }
  if ($userRightsCheckFunction) {
    checkUserRightsFor($db, $userRightsCheckFunction);
  }

  // Product / test plan selection is taken from the raw request; any
  // validation of those values has to happen inside initProject().
  if ($initProject) {
    initProject($db, $_REQUEST);
  }

  // Attachment feature is switched off when the filesystem repository is not
  // usable. @TODO: this should be checked once at login rather than on every page.
  global $g_repositoryType;
  global $g_attachments;
  global $g_repositoryPath;

  $g_attachments->disabled_msg = "";
  $usesFilesystemRepository = ($g_repositoryType == TL_REPOSITORY_TYPE_FS);
  if ($usesFilesystemRepository) {
    $dirCheck = checkForRepositoryDir($g_repositoryPath);
    if ($dirCheck['status_ok']) {
      // repository reachable: attachments stay enabled
    } else {
      $g_attachments->enabled = FALSE;
      $g_attachments->disabled_msg = $dirCheck['msg'];
    }
  }
}
* Validates the CSRF tokens found in $_POST variable. Raoses user * errors if the token is not found or invalid. * * @return true if validated correctly, otherwise false */ function csrfguard_start() { if (count($_POST)) { if (!isset($_POST['CSRFName'])) { //trigger_error("No CSRFName found, probable invalid request.",E_USER_ERROR); //return false; redirect($_SESSION['basehref'] . 'error.php?message=No CSRFName found, probable invalid request.'); exit; } // 20151107 $name = trim($_POST['CSRFName']); $token = trim($_POST['CSRFToken']); $good = strlen($name) > 0 && strlen($token) > 0; if (!$good || !csrfguard_validate_token($name, $token)) { //trigger_error("Invalid CSRF token.",E_USER_ERROR); //return false; redirect($_SESSION['basehref'] . 'error.php?message=Invalid CSRF token.'); exit; } } } // this way is runned always // Need to understand if this is needed // doSessionStart(false); // csrfguard_start();
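/**
 * Bootstrap the environment for an "anonymous" (API-key based) page access,
 * e.g. a public direct link to a test plan / test project report.
 *
 * Flow:
 *  - optionally wipe and (re)start the session, then connect to the DB;
 *  - look the API key up as a test plan and/or test project key, depending on
 *    $rightsCheck->args->envCheckMode: 'paranoic' (default) picks one kind from
 *    $rightsCheck->args->tplan_id, 'hippie' tries test plan then test project;
 *  - on a hit, install a placeholder tlUser with userID -1 in the session and,
 *    if $rightsCheck->method is set, run checkUserRightsFor().
 *
 * If the session has lost its basehref (typical after a logout in another tab)
 * the session is destroyed and the browser is redirected to
 * $rightsCheck->redirect_target or the login page; that path never returns.
 *
 * Security notes (review):
 *  - The API key is the only credential; how getEntityByAPIKey() looks it up
 *    and compares it is not visible here and must be reviewed there.
 *  - The session id is not regenerated when the anonymous principal is
 *    installed; consider session_regenerate_id(true) if the same cookie could
 *    previously have belonged to a logged-in user.
 *  - The effective rights of userID -1 are decided in checkUserRightsFor(),
 *    not here.
 *
 * @param mixed       $dbHandler   DB handle (by reference), populated by doDBConnect()
 * @param string      $apikey      API key taken from the request
 * @param object|null $rightsCheck optional object with ->args (->envCheckMode,
 *                                 ->tplan_id), ->method and ->redirect_target;
 *                                 null is tolerated and behaves like an object
 *                                 with no args, no method and no redirect target
 * @param array|null  $opt         'setPaths' (bool, default false) and
 *                                 'clearSession' (bool, default false)
 * @return bool true when the key matched an entity, false otherwise
 */
function setUpEnvForAnonymousAccess(&$dbHandler, $apikey, $rightsCheck = null, $opt = null) {
  $defaults = array('setPaths' => false, 'clearSession' => false);
  $my = array('opt' => array_merge($defaults, (array) $opt));

  if ($my['opt']['clearSession']) {
    // Only empties the in-memory array; what doSessionStart() does with it
    // afterwards is not visible here.
    $_SESSION = null;
  }
  doSessionStart($my['opt']['setPaths']);

  if (isset($_SESSION['locale']) && !is_null($_SESSION['locale'])) {
    setDateTimeFormats($_SESSION['locale']);
  }
  doDBConnect($dbHandler);

  // @since 1.9.14
  // $rightsCheck defaults to null, so every dereference of it is guarded.
  $checkMode = 'paranoic';
  if (isset($rightsCheck->args) && property_exists($rightsCheck->args, 'envCheckMode')) {
    $checkMode = $rightsCheck->args->envCheckMode;
  }

  $entityKinds = array();
  switch ($checkMode) {
    case 'hippie':
      $entityKinds = array('testplan', 'testproject');
      break;

    default:
      $tplanID = isset($rightsCheck->args->tplan_id) ? intval($rightsCheck->args->tplan_id) : 0;
      $entityKinds[] = ($tplanID != 0) ? 'testplan' : 'testproject';
      break;
  }

  // Initialised so the check below is well-defined even if no lookup ran.
  $item = null;
  foreach ($entityKinds as $kind) {
    $item = getEntityByAPIKey($dbHandler, $apikey, $kind);
    if (!is_null($item)) {
      break;
    }
  }

  $status_ok = false;
  if (!is_null($item)) {
    $_SESSION['lastActivity'] = time();
    $userObj = new tlUser();
    $_SESSION['currentUser'] = $userObj;
    $_SESSION['userID'] = -1;
    $_SESSION['locale'] = config_get('default_language');

    // Scenario: the user logs in, opens a direct link in a new tab, logs out,
    // then refreshes the direct-link tab. The logout destroyed the session, so
    // basehref is gone and CSS/JS can no longer be resolved. Destroy what is
    // left and force a fresh login (via the direct link or the login form).
    if (!isset($_SESSION['basehref'])) {
      session_unset();
      session_destroy();
      $hasRedirectTarget = is_object($rightsCheck)
        && property_exists($rightsCheck, 'redirect_target')
        && !is_null($rightsCheck->redirect_target);
      if ($hasRedirectTarget) {
        redirect($rightsCheck->redirect_target);
      } else {
        // best guess for all features that live on ./lib/results/
        redirect("../../login.php?note=logout");
      }
      exit;
    }

    if (isset($rightsCheck->method)) {
      checkUserRightsFor($dbHandler, $rightsCheck->method, true);
    }
    $status_ok = true;
  }

  return $status_ok;
}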
/**
 * Drop form security tokens that are stale (dated more than three days ago)
 * as well as the single token that was just consumed to validate the current
 * request.
 *
 * Does nothing from the CLI or when form_security_validation is OFF.
 *
 * @param string $p_form_name form whose token bucket should be pruned
 * @return void
 */
function form_security_purge($p_form_name) {
  if (PHP_CLI == php_mode() || OFF == config_get_global('form_security_validation')) {
    return;
  }

  doSessionStart();
  $allTokens = isset($_SESSION['form_security_tokens']) ? $_SESSION['form_security_tokens'] : null;

  # Nothing to do unless this form has at least one token recorded.
  $formHasTokens = isset($allTokens[$p_form_name])
    && is_array($allTokens[$p_form_name])
    && count($allTokens[$p_form_name]) > 0;
  if (!$formHasTokens) {
    return;
  }

  # The token submitted with this request; its first 8 characters are the Ymd
  # date it was minted under, which is the bucket it is stored in. The value
  # comes straight from the request and is only ever used as an array key to
  # unset, so an arbitrary value simply unsets nothing.
  $submittedToken = gpc_get_string($p_form_name . '_token', '');
  $submittedDate = utf8_substr($submittedToken, 0, 8);

  # Buckets dated before this are considered expired.
  $cutoffDate = date('Ymd', time() - 3 * 86400);

  # Retire the consumed token first, then sweep expired buckets of every form.
  unset($allTokens[$p_form_name][$submittedDate][$submittedToken]);
  foreach ($allTokens as $formName => $dateBuckets) {
    foreach ($dateBuckets as $bucketDate => $bucketTokens) {
      if ($bucketDate < $cutoffDate) {
        unset($allTokens[$formName][$bucketDate]);
      }
    }
  }

  $_SESSION['form_security_tokens'] = $allTokens;
  return;
}
/**
 * Minimal GUI page bootstrap: session, paths, date formats and DB connection,
 * optionally followed by the login check.
 *
 * Security note: every page that passes $checkSession = false is reachable
 * without a valid login; audit those call sites.
 *
 * @param mixed $db           DB connection identifier (by reference)
 * @param bool  $checkSession when true (default), checkSessionValid() runs
 * @return void
 */
function testlinkInitPage(&$db, $checkSession = true) {
  doSessionStart();
  setPaths();
  set_dt_formats();
  doDBConnect($db);

  // One statistics collector per request, created only under extended logging.
  static $pageStatistics = null;
  if (!$pageStatistics && config_get('log_level') == 'EXTENDED') {
    $pageStatistics = new tlPageStatistics($db);
  }

  if (!$checkSession) {
    return;
  }
  checkSessionValid($db);
}