/**
* Login function
*
* A number of things are done in this method to prevent illegal entry:
* <ul>
* <li>The username and password are trimmed and escaped to prevent malicious
* SQL being executed
* </ul>
* The schema previously used the MySQL PASSWORD function for encryption. This
* Method has been deprecated in favour of PHP's MD5() function for database independance.
* The check_legacy_password option is no longer valid
*
* Upon a successful username and password match, several fields from the user
* table are loaded in this object for convenient reference. The style, localces
* and preferences are also loaded at this time.
*
* @param string The user login name
* @param string The user password
* @return boolean True if successful, false if not
*/
function login($username, $password)
{
require_once DP_BASE_DIR . '/classes/authenticator.class.php';
$auth_method = dPgetConfig('auth_method', 'sql');
if (@$_POST['login'] != 'login' && @$_POST['login'] != $this->_('login', UI_OUTPUT_RAW) && $_REQUEST['login'] != $auth_method) {
die('You have chosen to log in using an unsupported or disabled login method');
}
$auth =& getauth($auth_method);
$username = trim(db_escape($username));
$password = trim($password);
if (!$auth->authenticate($username, $password)) {
return false;
}
$user_id = $auth->userId($username);
$username = $auth->username;
// Some authentication schemes may collect username in various ways.
// Now that the password has been checked, see if they are allowed to
// access the system
if (!isset($GLOBALS['acl'])) {
$GLOBALS['acl'] =& new dPacl();
}
if (!$GLOBALS['acl']->checkLogin($user_id)) {
dprint(__FILE__, __LINE__, 1, 'Permission check failed');
return false;
}
$q = new DBQuery();
$q->addTable('users');
$q->addQuery('user_id, contact_first_name as user_first_name, contact_last_name as user_last_name, contact_company as user_company, contact_department as user_department, contact_email as user_email, user_type');
$q->addJoin('contacts', 'con', 'contact_id = user_contact');
$q->addWhere("user_id = {$user_id} AND user_username = '******'");
$sql = $q->prepare();
$q->clear();
dprint(__FILE__, __LINE__, 7, "Login SQL: {$sql}");
if (!db_loadObject($sql, $this)) {
dprint(__FILE__, __LINE__, 1, 'Failed to load user information');
return false;
}
// load the user preferences
$this->loadPrefs($this->user_id);
$this->setUserLocale();
$this->checkStyle();
return true;
}
/**
* Login function
*
* A number of things are done in this method to prevent illegal entry:
* <ul>
* <li>The username and password are trimmed and escaped to prevent malicious
* SQL being executed
* </ul>
* The schema previously used the MySQL PASSWORD function for encryption. This
* Method has been deprecated in favour of PHP's MD5() function for database independance.
* The check_legacy_password option is no longer valid
*
* Upon a successful username and password match, several fields from the user
* table are loaded in this object for convenient reference. The style, locales
* and preferences are also loaded at this time.
*
* @param string The user login name
* @param string The user password
* @return boolean True if successful, false if not
*/
public function login($username, $password)
{
$auth_method = w2PgetConfig('auth_method', 'sql');
if ($_POST['login'] != 'login' && $_POST['login'] != $this->_('login', UI_OUTPUT_RAW) && $_REQUEST['login'] != $auth_method) {
die('You have chosen to log in using an unsupported or disabled login method');
}
$auth =& getauth($auth_method);
$username = preg_replace("/[^A-Za-z0-9._@-]/", "", $username);
$username = trim($username);
$password = trim($password);
if (!$auth->authenticate($username, $password)) {
return false;
}
$user_id = $auth->userId($username);
$username = $auth->username;
// Some authentication schemes may collect username in various ways.
// Now that the password has been checked, see if they are allowed to
// access the system
if (!isset($GLOBALS['acl'])) {
$GLOBALS['acl'] = new w2p_Extensions_Permissions();
}
if (!$GLOBALS['acl']->checkLogin($user_id)) {
dprint(__FILE__, __LINE__, 1, 'Permission check failed');
return false;
}
$q = new w2p_Database_Query();
$q->addTable('users');
$q->addQuery('user_id, contact_first_name as user_first_name, ' . 'contact_last_name as user_last_name, contact_display_name as user_display_name, ' . 'contact_company as user_company, contact_department as user_department, user_type');
$q->addJoin('contacts', 'con', 'con.contact_id = user_contact', 'inner');
/* Begin Hack */
/*
* This is a particularly annoying hack but I don't know of a better
* way to resolve #457. In v2.0, there was a refactoring to allow for
* muliple contact methods which resulted in the contact_email being
* removed from the contacts table. If the user is upgrading from
* v1.x and they try to log in before applying the database, crash.
* Info: http://bugs.web2project.net/view.php?id=457
* This hack was deprecated in dbVersion 26 for v2.2 in December 2010.
*/
$qTest = new w2p_Database_Query();
$qTest->addTable('w2pversion');
$qTest->addQuery('max(db_version)');
$dbVersion = $qTest->loadResult();
if ($dbVersion >= 21 && $dbVersion < 26) {
$q->leftJoin('contacts_methods', 'cm', 'cm.contact_id = con.contact_id');
$q->addWhere("cm.method_name = 'email_primary'");
$q->addQuery('cm.method_value AS user_email');
}
/* End Hack */
$q->addWhere('user_id = ' . (int) $user_id . ' AND user_username = \'' . $username . '\'');
$q->loadObject($this);
if (!$this) {
dprint(__FILE__, __LINE__, 1, 'Failed to load user information');
return false;
}
// load the user preferences
$this->loadPrefs($this->user_id);
$this->setUserLocale();
$this->setStyle();
return true;
}