Ejemplo n.º 1
0
 /**
  * Cancels a user account by deleting all the information related to them.
  * @param array $aVal
  * @return Phpfox_Error if password doesnt match | false if user does not have enough permissions or password is not set
  */
 public function cancelAccount($aVal)
 {
     Phpfox::isUser(true);
     define('PHPFOX_CANCEL_ACCOUNT', true);
     if (!isset($aVal['password']) && !Phpfox::getUserBy('fb_user_id') && !Phpfox::getUserBy('janrain_user_id')) {
         return Phpfox_Error::set(Phpfox::getPhrase('user.please_enter_your_password'));
     }
     if (!Phpfox::getUserParam('user.can_delete_own_account')) {
         return Phpfox_Error::set(Phpfox::getPhrase('user.you_are_not_allowed_to_delete_your_own_account'));
     }
     // confirm $aVal[password] == user password
     // get user's data
     $aRow = $this->database()->select('password_salt, password')->from(Phpfox::getT('user'))->where('user_id = ' . Phpfox::getUserId())->execute('getSlaveRow');
     if (!Phpfox::getUserBy('fb_user_id') && !Phpfox::getUserBy('janrain_user_id')) {
         $error = false;
         if (strlen($aRow['password']) > 32) {
             $Hash = new Core\Hash();
             if (!$Hash->check($aVal['password'], $aRow['password'])) {
                 Phpfox_Error::set(Phpfox::getPhrase('user.invalid_password'));
                 $error = true;
             }
         } else {
             if (!Phpfox::getLib('hash')->setHash($aVal['password'], $aRow['password_salt']) != $aRow['password']) {
                 $error = true;
             }
         }
         if ($sPlugin = Phpfox_Plugin::get('user.service_cancellations_process_cancelaccount_invalid_password')) {
             eval($sPlugin);
         }
         if ($error) {
             return Phpfox_Error::set(Phpfox::getPhrase('user.invalid_password'));
         }
     }
     Phpfox::getService('user.cancellations.process')->feedbackCancellation($aVal);
     // mass callback
     Phpfox::massCallback('onDeleteUser', Phpfox::getUserId());
     // log out adter having deleted all the info
     Phpfox::getService('user.auth')->logout();
     Phpfox_Url::instance()->send('', null, Phpfox::getPhrase('user.your_account_has_been_deleted'));
     return true;
 }
Ejemplo n.º 2
0
 public function updatePassword($aVals)
 {
     Phpfox::isUser(true);
     if (empty($aVals['old_password'])) {
         return Phpfox_Error::set(Phpfox::getPhrase('user.missing_old_password'));
     }
     if (empty($aVals['new_password'])) {
         return Phpfox_Error::set(Phpfox::getPhrase('user.missing_new_password'));
     }
     if (empty($aVals['confirm_password'])) {
         return Phpfox_Error::set(Phpfox::getPhrase('user.confirm_your_new_password'));
     }
     if ($aVals['confirm_password'] != $aVals['new_password']) {
         return Phpfox_Error::set(Phpfox::getPhrase('user.your_confirmed_password_does_not_match_your_new_password'));
     }
     $aUser = Phpfox::getService('user')->getUser(Phpfox::getUserId());
     if (strlen($aUser['password']) > 32) {
         $Hash = new Core\Hash();
         if (!$Hash->check($aVals['old_password'], $aUser['password'])) {
             return Phpfox_Error::set(Phpfox::getPhrase('user.your_current_password_does_not_match_your_old_password'));
         }
     } else {
         if (Phpfox::getLib('hash')->setHash($aVals['old_password'], $aUser['password_salt']) != $aUser['password']) {
             return Phpfox_Error::set(Phpfox::getPhrase('user.your_current_password_does_not_match_your_old_password'));
         }
     }
     $sSalt = $this->_getSalt();
     $aInsert = array();
     $aInsert['password'] = Phpfox::getLib('hash')->setHash($aVals['new_password'], $sSalt);
     $aInsert['password_salt'] = $sSalt;
     $this->database()->update($this->_sTable, $aInsert, 'user_id = ' . Phpfox::getUserId());
     list($bLogged, $aUser) = Phpfox::getService('user.auth')->login($aUser['email'], $aVals['new_password'], false, 'email');
     $this->database()->insert(Phpfox::getT('user_ip'), array('user_id' => Phpfox::getUserId(), 'type_id' => 'update_password', 'ip_address' => Phpfox::getIp(), 'time_stamp' => PHPFOX_TIME));
     ($sPlugin = Phpfox_Plugin::get('user.service_process_updatepassword')) ? eval($sPlugin) : false;
     return $bLogged ? true : false;
 }
Ejemplo n.º 3
0
 public function login($sLogin, $sPassword, $bRemember = false, $sType = 'email', $bNoPasswordCheck = false)
 {
     $sSelect = 'user_id, email, user_name, password, password_salt, status_id';
     /* Used to control the return in case we detect a brute force attack */
     $bReturn = false;
     $sLogin = $this->database()->escape($sLogin);
     if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login__start')) {
         eval($sPlugin);
         if (isset($mReturn)) {
             return $mReturn;
         }
     }
     $aRow = $this->database()->select($sSelect)->from($this->_sTable)->where($sType == 'both' ? "email = '" . $sLogin . "' OR user_name = '" . $sLogin . "'" : ($sType == 'email' ? "email" : "user_name") . " = '" . $sLogin . "'")->execute('getRow');
     if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login_skip_email_verification')) {
         eval($sPlugin);
     }
     if (!defined('PHPFOX_INSTALLER') && isset($aRow['status_id']) && $aRow['status_id'] == 1 && !isset($bEmailVerification)) {
         Phpfox::getLib('session')->set('cache_user_id', $aRow['user_id']);
         if (defined('PHPFOX_MUST_PAY_FIRST')) {
             Phpfox_Url::instance()->send('subscribe.register', array('id' => PHPFOX_MUST_PAY_FIRST, 'login' => '1'));
         }
         Phpfox_Url::instance()->send('user.verify', null, Phpfox::getPhrase('user.you_need_to_verify_your_email_address_before_logging_in', array('email' => $aRow['email'])));
     }
     if (!isset($aRow['user_name'])) {
         switch (Phpfox::getParam('user.login_type')) {
             case 'user_name':
                 $sMessage = Phpfox::getPhrase('user.invalid_user_name');
                 break;
             case 'email':
                 $sMessage = Phpfox::getPhrase('user.invalid_email');
                 break;
             default:
                 $sMessage = Phpfox::getPhrase('user.invalid_login_id');
         }
         Phpfox_Error::set($sMessage);
         if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login__no_user_name')) {
             eval($sPlugin);
         }
         //return array(false, $aRow);
         $bReturn = true;
     } else {
         $bDoPhpfoxLoginCheck = true;
         if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login__password')) {
             eval($sPlugin);
         }
         if (strlen($aRow['password']) > 32) {
             $Hash = new Core\Hash();
             if (!$Hash->check($sPassword, $aRow['password'])) {
                 Phpfox_Error::set(Phpfox::getPhrase('user.invalid_password'));
                 $bReturn = true;
             }
         } else {
             if (!$bNoPasswordCheck && $bDoPhpfoxLoginCheck && Phpfox::getLib('hash')->setHash($sPassword, $aRow['password_salt']) != $aRow['password']) {
                 Phpfox_Error::set(Phpfox::getPhrase('user.invalid_password'));
                 //return array(false, $aRow);
                 $bReturn = true;
             }
         }
     }
     /* Add the check for the brute force here */
     if (!empty($aRow) && !defined('PHPFOX_INSTALLER') && Phpfox::getParam('user.brute_force_time_check') > 0) {
         /* Check if the account is already locked */
         $iLocked = $this->database()->select('brute_force_locked_at')->from(Phpfox::getT('user_field'))->where('user_id = ' . $aRow['user_id'])->execute('getSlaveField');
         $iUnlockTimeOut = $iLocked + Phpfox::getParam('user.brute_force_cool_down') * 60;
         $iRemaining = $iUnlockTimeOut - PHPFOX_TIME;
         $iTimeFrom = PHPFOX_TIME - 60 * Phpfox::getParam('user.brute_force_time_check');
         $iAttempts = $this->database()->select('COUNT(*)')->from(Phpfox::getT('user_ip'))->where('user_id = ' . $aRow['user_id'] . ' AND type_id = "login_failed" AND time_stamp > ' . $iTimeFrom)->execute('getSlaveField');
         $aReplace = array('iCoolDown' => Phpfox::getParam('user.brute_force_cool_down'), 'sForgotLink' => Phpfox_Url::instance()->makeUrl('user.password.request'), 'iUnlockTimeOut' => ceil($iRemaining / 60));
         if ($iRemaining > 0) {
             Phpfox_Error::reset();
             Phpfox_Error::set(Phpfox::getPhrase('user.brute_force_account_locked', $aReplace));
             return array(false, $aRow);
         }
         if ($iAttempts >= Phpfox::getParam('user.brute_force_attempts_count')) {
             $this->database()->update(Phpfox::getT('user_field'), array('brute_force_locked_at' => PHPFOX_TIME), 'user_id = ' . $aRow['user_id']);
             Phpfox_Error::reset();
             /* adjust new remaining time*/
             $aReplace['iUnlockTimeOut'] = Phpfox::getParam('user.brute_force_cool_down');
             Phpfox_Error::set(Phpfox::getPhrase('user.brute_force_account_locked', $aReplace));
             $bReturn = true;
         }
     }
     if ($bReturn == true) {
         /* Log the attempt */
         $this->database()->insert(Phpfox::getT('user_ip'), array('user_id' => isset($aRow['user_id']) ? $aRow['user_id'] : '0', 'type_id' => 'login_failed', 'ip_address' => Phpfox::getIp(), 'time_stamp' => PHPFOX_TIME));
         return array(false, $aRow);
     }
     // ban check
     $oBan = Phpfox::getService('ban');
     if (!$oBan->check('email', $aRow['email'])) {
         Phpfox_Error::set(Phpfox::getPhrase('ban.global_ban_message'));
     }
     if (!$oBan->check('ip', Phpfox_Request::instance()->getIp())) {
         // this is a new phrase, text: "Your IP address is not allowed"
         Phpfox_Error::set(Phpfox::getPhrase('ban.not_allowed_ip_address'));
     }
     $aBanned = Phpfox::getService('ban')->isUserBanned($aRow);
     if ($aBanned['is_banned']) {
         if (isset($aBanned['reason']) && !empty($aBanned['reason'])) {
             $aBanned['reason'] = str_replace(''', "'", Phpfox::getLib('parse.output')->parse($aBanned['reason']));
             $sReason = preg_replace('/\\{phrase var=\'(.*)\'\\}/ise', "'' . Phpfox::getPhrase('\\1',array(), false, null, '" . Phpfox::getUserBy('language_id') . "') . ''", $aBanned['reason']);
             Phpfox_Error::set($sReason);
         } else {
             Phpfox_Error::set(Phpfox::getPhrase('ban.global_ban_message'));
         }
     }
     if (Phpfox_Error::isPassed()) {
         if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login__cookie_start')) {
             eval($sPlugin);
         }
         $sPasswordHash = Phpfox::getLib('hash')->setRandomHash(Phpfox::getLib('hash')->setHash($aRow['password'], $aRow['password_salt']));
         // Set cookie (yummy)
         $iTime = $bRemember ? PHPFOX_TIME + 3600 * 24 * 365 : 0;
         Phpfox::setCookie($this->_sNameCookieUserId, $aRow['user_id'], $iTime, Phpfox::getParam('core.force_secure_site') ? true : false);
         Phpfox::setCookie($this->_sNameCookieHash, $sPasswordHash, $iTime, Phpfox::getParam('core.force_secure_site') ? true : false);
         if (!defined('PHPFOX_INSTALLER')) {
             Phpfox::getLib('session')->remove(Phpfox::getParam('core.theme_session_prefix') . 'theme');
         }
         $this->database()->update($this->_sTable, array('last_login' => PHPFOX_TIME), 'user_id = ' . $aRow['user_id']);
         $this->database()->insert(Phpfox::getT('user_ip'), array('user_id' => $aRow['user_id'], 'type_id' => 'login', 'ip_address' => Phpfox::getIp(), 'time_stamp' => PHPFOX_TIME));
         if (Phpfox::getParam('core.auth_user_via_session')) {
             $this->database()->delete(Phpfox::getT('session'), 'user_id = ' . (int) $aRow['user_id']);
             $this->database()->insert(Phpfox::getT('session'), array('user_id' => $aRow['user_id'], 'last_activity' => PHPFOX_TIME, 'id_hash' => Phpfox_Request::instance()->getIdHash()));
         }
         if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login__cookie_end')) {
             eval($sPlugin);
         }
         return array(true, $aRow);
     }
     if ($sPlugin = Phpfox_Plugin::get('user.service_auth_login__end')) {
         eval($sPlugin);
     }
     return array(false, $aRow);
 }