function _userGetnewtoken()
{
global $_CONF, $_TABLES, $_USER, $LANG04;
$retval = '';
$uid = 0;
if ($_CONF['passwordspeedlimit'] == 0) {
$_CONF['passwordspeedlimit'] = 300;
// 5 minutes
}
COM_clearSpeedlimit($_CONF['passwordspeedlimit'], 'verifytoken');
$last = COM_checkSpeedlimit('verifytoken');
if ($last > 0) {
$retval .= COM_showMessageText(sprintf($LANG04[93], $last, $_CONF['passwordspeedlimit']), $LANG12[26], true, 'error');
} else {
$username = isset($_POST['username']) ? $_POST['username'] : '';
$passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';
if (!empty($username) && !empty($passwd) && USER_validateUsername($username, 1)) {
$encryptedPassword = '';
$uid = 0;
$result = DB_query("SELECT uid,passwd FROM {$_TABLES['users']} WHERE username='******'");
if (DB_numRows($result) > 0) {
$row = DB_fetchArray($result);
$encryptedPassword = $row['passwd'];
$uid = $row['uid'];
}
if ($encryptedPassword != '' && SEC_check_hash($passwd, $encryptedPassword)) {
$retval .= requesttoken($uid, 3);
} else {
$retval .= newtokenform($uid);
}
} else {
$retval .= newtokenform($uid);
}
}
return $retval;
}
/**
* Attempt to login a user.
*
* Checks a users username and password against the database. Returns
* users status.
*
* @param string $username who is logging in?
* @param string $password what they claim is their password
* @param int $uid This is an OUTPUT param, pass by ref,
* sends back UID inside it.
* @return int user status, -1 for fail.
*
*/
function SEC_authenticate($username, $password, &$uid)
{
global $_CONF, $_SYSTEM, $_TABLES, $LANG01;
$escaped_name = DB_escapeString(trim($username));
$password = trim(str_replace(array("\r", "\n"), '', $password));
$result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='******' AND (account_type & " . LOCAL_USER . ")");
$tmp = DB_error();
$nrows = DB_numRows($result);
if ($nrows == 0) {
$result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE email='{$escaped_name}' AND (account_type & " . LOCAL_USER . ")");
$tmp = DB_error();
$nrows = DB_numRows($result);
}
if ($tmp == 0 && $nrows == 1) {
$U = DB_fetchArray($result);
$uid = $U['uid'];
if ($U['status'] == USER_ACCOUNT_DISABLED) {
// banned, jump to here to save an md5 calc.
return USER_ACCOUNT_DISABLED;
} elseif (!SEC_check_hash($password, $U['passwd'])) {
return -1;
} elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
return USER_ACCOUNT_AWAITING_APPROVAL;
} elseif ($U['status'] == USER_ACCOUNT_AWAITING_VERIFICATION) {
return USER_ACCOUNT_AWAITING_VERIFICATION;
} elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
// Awaiting user activation, activate:
DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE, 'username', $escaped_name);
return USER_ACCOUNT_ACTIVE;
} else {
return $U['status'];
// just return their status
}
} else {
$tmp = $LANG01[32] . ": '" . $username;
COM_errorLog($tmp, 1);
return -1;
}
}
/**
* Saves the user's information back to the database
*
* @A array User's data
*
*/
function saveuser($A)
{
global $_CONF, $_TABLES, $_USER, $LANG04, $LANG24, $_US_VERBOSE;
if ($_US_VERBOSE) {
COM_errorLog('**** Inside saveuser in usersettings.php ****', 1);
}
$reqid = DB_getItem($_TABLES['users'], 'pwrequestid', "uid = " . (int) $_USER['uid']);
if ($reqid != $A['uid']) {
DB_change($_TABLES['users'], 'pwrequestid', "NULL", 'uid', (int) $_USER['uid']);
COM_accessLog("An attempt was made to illegally change the account information of user {$_USER['uid']}.");
return COM_refresh($_CONF['site_url'] . '/index.php');
}
if (isset($_POST['merge'])) {
if (COM_applyFilter($_POST['remoteuid'], true) != $_USER['uid']) {
echo COM_refresh($_CONF['site_url'] . '/usersettings.php?mode=edit');
}
USER_mergeAccounts();
}
// If not set or possibly removed from template - initialize variable
if (!isset($A['cooktime'])) {
$A['cooktime'] = 0;
} else {
$A['cooktime'] = COM_applyFilter($A['cooktime'], true);
}
// If empty or invalid - set to user default
// So code after this does not fail the user password required test
if ($A['cooktime'] < 0) {
// note that == 0 is allowed!
$A['cooktime'] = $_USER['cookietimeout'];
}
// to change the password, email address, or cookie timeout,
// we need the user's current password
$account_type = DB_getItem($_TABLES['users'], 'account_type', "uid = {$_USER['uid']}");
$service = DB_getItem($_TABLES['users'], 'remoteservice', "uid = {$_USER['uid']}");
if ($service == '') {
$current_password = DB_getItem($_TABLES['users'], 'passwd', "uid = {$_USER['uid']}");
if (!empty($A['newp']) || $A['email'] != $_USER['email'] || $A['cooktime'] != $_USER['cookietimeout']) {
if (empty($A['passwd']) || !SEC_check_hash($A['passwd'], $current_password)) {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=83');
} elseif ($_CONF['custom_registration'] && function_exists('CUSTOM_userCheck')) {
$ret = CUSTOM_userCheck($A['username'], $A['email']);
if (!empty($ret)) {
// Need a numeric return for the default message handler
// - if not numeric use default message
if (!is_numeric($ret)) {
$ret['number'] = 97;
}
return COM_refresh("{$_CONF['site_url']}/usersettings.php?msg={$ret}");
}
}
} elseif ($_CONF['custom_registration'] && function_exists('CUSTOM_userCheck')) {
$ret = CUSTOM_userCheck($A['username'], $A['email']);
if (!empty($ret)) {
// Need a numeric return for the default message hander - if not numeric use default message
// - if not numeric use default message
if (!is_numeric($ret)) {
$ret = 97;
}
return COM_refresh("{$_CONF['site_url']}/usersettings.php?msg={$ret}");
}
}
}
// Let plugins have a chance to decide what to do before saving the user, return errors.
$msg = PLG_itemPreSave('useredit', $A['username']);
if (!empty($msg)) {
// need a numeric return value - otherwise use default message
if (!is_numeric($msg)) {
$msg = 97;
}
return COM_refresh("{$_CONF['site_url']}/usersettings.php?msg={$msg}");
}
// no need to filter the password as it's encoded anyway
if ($_CONF['allow_username_change'] == 1) {
$A['new_username'] = $A['new_username'];
if (!empty($A['new_username']) && USER_validateUsername($A['new_username']) && $A['new_username'] != $_USER['username']) {
$A['new_username'] = DB_escapeString($A['new_username']);
if (DB_count($_TABLES['users'], 'username', $A['new_username']) == 0) {
if ($_CONF['allow_user_photo'] == 1) {
$photo = DB_getItem($_TABLES['users'], 'photo', "uid = " . (int) $_USER['uid']);
if (!empty($photo) && strstr($photo, $_USER['username']) !== false) {
$newphoto = preg_replace('/' . $_USER['username'] . '/', $_USER['uid'], $photo, 1);
$imgpath = $_CONF['path_images'] . 'userphotos/';
@rename($imgpath . $photo, $imgpath . $newphoto);
DB_change($_TABLES['users'], 'photo', DB_escapeString($newphoto), "uid", (int) $_USER['uid']);
}
}
DB_change($_TABLES['users'], 'username', $A['new_username'], "uid", (int) $_USER['uid']);
} else {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=51');
}
}
}
// a quick spam check with the unfiltered field contents
$profile = '<h1>' . $LANG04[1] . ' ' . $_USER['username'] . '</h1><p>';
// this is a hack, for some reason remoteservice links made SPAMX SLV check barf
if (empty($service)) {
$profile .= COM_createLink($A['homepage'], $A['homepage']) . '<br />';
}
$profile .= $A['location'] . '<br />' . $A['sig'] . '<br />' . $A['about'] . '<br />' . $A['pgpkey'] . '</p>';
$result = PLG_checkforSpam($profile, $_CONF['spamx']);
if ($result > 0) {
COM_displayMessageAndAbort($result, 'spamx', 403, 'Forbidden');
}
$A['email'] = COM_applyFilter($A['email']);
$A['email_conf'] = COM_applyFilter($A['email_conf']);
$A['homepage'] = COM_applyFilter($A['homepage']);
// basic filtering only
$A['fullname'] = COM_truncate(trim(USER_sanitizeName($A['fullname'])), 80);
$A['location'] = strip_tags($A['location']);
$A['sig'] = strip_tags($A['sig']);
$A['about'] = strip_tags($A['about']);
$A['pgpkey'] = strip_tags($A['pgpkey']);
if (!COM_isEmail($A['email'])) {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=52');
} else {
if ($A['email'] !== $A['email_conf']) {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=78');
} else {
if (emailAddressExists($A['email'], $_USER['uid'])) {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=56');
} else {
if ($service == '') {
if (!empty($A['newp'])) {
$A['newp'] = trim($A['newp']);
$A['newp_conf'] = trim($A['newp_conf']);
if ($A['newp'] == $A['newp_conf'] && SEC_check_hash($A['passwd'], $current_password)) {
$passwd = SEC_encryptPassword($A['newp']);
DB_change($_TABLES['users'], 'passwd', DB_escapeString($passwd), "uid", (int) $_USER['uid']);
if ($A['cooktime'] > 0) {
$cooktime = $A['cooktime'];
$token_ttl = $A['cooktime'];
} else {
$cooktime = 0;
$token_ttl = 14400;
}
$ltToken = SEC_createTokenGeneral('ltc', $token_ttl);
SEC_setCookie($_CONF['cookie_password'], $ltToken, time() + $cooktime);
} elseif (!SEC_check_hash($A['passwd'], $current_password)) {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=68');
} elseif ($A['newp'] != $A['newp_conf']) {
return COM_refresh($_CONF['site_url'] . '/usersettings.php?msg=67');
}
}
} else {
// Cookie
if ($A['cooktime'] > 0) {
$cooktime = $A['cooktime'];
} else {
$cooktime = 0;
}
$ltToken = SEC_createTokenGeneral('ltc', $cooktime);
SEC_setCookie($_CONF['cookie_password'], $ltToken, time() + $cooktime);
}
if ($_US_VERBOSE) {
COM_errorLog('cooktime = ' . $A['cooktime'], 1);
}
if ($A['cooktime'] <= 0) {
$cookie_timeout = 0;
$token_ttl = 14400;
} else {
$cookie_timeout = time() + $A['cooktime'];
$token_ttl = $A['cooktime'];
}
SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], $cookie_timeout, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
DB_query("DELETE FROM {$_TABLES['tokens']} WHERE owner_id=" . (int) $_USER['uid'] . " AND urlfor='ltc'");
if ($cookie_timeout > 0) {
$ltToken = SEC_createTokenGeneral('ltc', $token_ttl);
SEC_setCookie($_CONF['cookie_password'], $ltToken, $cookie_timeout, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
} else {
SEC_setCookie($_CONF['cookie_password'], '', -10000, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
}
if ($_CONF['allow_user_photo'] == 1) {
$delete_photo = '';
if (isset($A['delete_photo'])) {
$delete_photo = $A['delete_photo'];
}
$filename = handlePhotoUpload($delete_photo);
}
if (!empty($A['homepage'])) {
$pos = MBYTE_strpos($A['homepage'], ':');
if ($pos === false) {
$A['homepage'] = 'http://' . $A['homepage'];
} else {
$prot = substr($A['homepage'], 0, $pos + 1);
if ($prot != 'http:' && $prot != 'https:') {
$A['homepage'] = 'http:' . substr($A['homepage'], $pos + 1);
}
}
$A['homepage'] = DB_escapeString($A['homepage']);
}
$A['fullname'] = DB_escapeString($A['fullname']);
$A['email'] = DB_escapeString($A['email']);
$A['location'] = DB_escapeString($A['location']);
$A['sig'] = DB_escapeString($A['sig']);
$A['about'] = DB_escapeString($A['about']);
$A['pgpkey'] = DB_escapeString($A['pgpkey']);
if (!empty($filename)) {
if (!file_exists($_CONF['path_images'] . 'userphotos/' . $filename)) {
$filename = '';
}
}
DB_query("UPDATE {$_TABLES['users']} SET fullname='{$A['fullname']}',email='{$A['email']}',homepage='{$A['homepage']}',sig='{$A['sig']}',cookietimeout=" . (int) $A['cooktime'] . ",photo='" . DB_escapeString($filename) . "' WHERE uid=" . (int) $_USER['uid']);
DB_query("UPDATE {$_TABLES['userinfo']} SET pgpkey='{$A['pgpkey']}',about='{$A['about']}',location='{$A['location']}' WHERE uid=" . (int) $_USER['uid']);
// Call custom registration save function if enabled and exists
if ($_CONF['custom_registration'] and function_exists('CUSTOM_userSave')) {
CUSTOM_userSave($_USER['uid']);
}
PLG_userInfoChanged((int) $_USER['uid']);
// at this point, the user information has been saved, but now we're going to check to see if
// the user has requested resynchronization with their remoteservice account
$msg = 5;
// default msg = Your account information has been successfully saved
if (isset($A['resynch'])) {
if ($_CONF['user_login_method']['oauth'] && strpos($_USER['remoteservice'], 'oauth.') === 0) {
$modules = SEC_collectRemoteOAuthModules();
$active_service = count($modules) == 0 ? false : in_array(substr($_USER['remoteservice'], 6), $modules);
if (!$active_service) {
$status = -1;
$msg = 115;
// Remote service has been disabled.
} else {
require_once $_CONF['path_system'] . 'classes/oauthhelper.class.php';
$service = substr($_USER['remoteservice'], 6);
$consumer = new OAuthConsumer($service);
$callback_url = $_CONF['site_url'];
$consumer->setRedirectURL($callback_url);
$user = $consumer->authenticate_user();
$consumer->doSynch($user);
}
}
if ($msg != 5) {
$msg = 114;
// Account saved but re-synch failed.
COM_errorLog($MESSAGE[$msg]);
}
}
PLG_profileExtrasSave();
PLG_profileSave();
if ($_US_VERBOSE) {
COM_errorLog('**** Leaving saveuser in usersettings.php ****', 1);
}
return COM_refresh($_CONF['site_url'] . '/users.php?mode=profile&uid=' . $_USER['uid'] . '&msg=' . $msg);
}
}
}
}
/**
* Check for accounts that still use the default password
*
* @return string text explaining the result of the test
*
* @note If one of our users is also using "password" as their password, this
* test will also detect that, as it checks all accounts.
*
*/
function checkDefaultPassword()
{
global $_TABLES, $failed_tests;
$retval = '';
// check to see if any account still has 'password' as its password.
$pwdRoot = 0;
$pwdUser = 0;
$rootUsers = 0;
$sql = "SELECT ug_uid,passwd FROM {$_TABLES['group_assignments']} AS g LEFT JOIN {$_TABLES['users']} AS u ON g.ug_uid=u.uid WHERE g.ug_main_grp_id = 1";
$result = DB_query($sql);
$rootUsers = DB_numRows($result);
if ($rootUsers > 0) {
for ($i = 0; $i < $rootUsers; $i++) {
list($uid, $hash) = DB_fetchArray($result);
if (SEC_check_hash('password', $hash)) {
$pwdRoot++;
}
}
}
if ($pwdRoot > 0) {
$retval .= '<li>You still have not changed the <strong>default password</strong> from "password" on ' . $pwdRoot . ' Root user account(s).</li>';
$failed_tests++;
} else {
$retval .= '<li>Good! You seem to have changed the default account password already.</li>';
}
return $retval;
}
/**
* Merge User Accounts
*
* This validates the entered password and then merges a remote
* account with a local account.
*
* @return string HTML merge form if error, redirect on success
*
*/
function USER_mergeAccounts()
{
global $_CONF, $_SYSTEM, $_TABLES, $_USER, $LANG04, $LANG12, $LANG20;
$retval = '';
$remoteUID = COM_applyFilter($_POST['remoteuid'], true);
$localUID = COM_applyFilter($_POST['localuid'], true);
$localpwd = $_POST['localp'];
$localResult = DB_query("SELECT * FROM {$_TABLES['users']} WHERE uid=" . (int) $localUID);
$localRow = DB_fetchArray($localResult);
if (SEC_check_hash($localpwd, $localRow['passwd'])) {
// password is valid
$sql = "SELECT * FROM {$_TABLES['users']} WHERE remoteusername <> '' and email='" . DB_escapeString($localRow['email']) . "'";
$result = DB_query($sql);
$numRows = DB_numRows($result);
if ($numRows == 1) {
$remoteRow = DB_fetchArray($result);
if ($remoteUID == $remoteRow['uid']) {
$remoteUID = (int) $remoteRow['uid'];
$remoteService = substr($remoteRow['remoteservice'], 6);
} else {
echo COM_refresh($_CONF['site_url'] . '/index.php');
}
} else {
echo COM_refresh($_CONF['site_url'] . '/index.php');
}
$sql = "UPDATE {$_TABLES['users']} SET remoteusername='******'remoteusername']) . "'," . "remoteservice='" . DB_escapeString($remoteRow['remoteservice']) . "', " . "account_type=3 " . " WHERE uid=" . (int) $localUID;
DB_query($sql);
$_USER['uid'] = $localRow['uid'];
$local_login = true;
SESS_completeLogin($localUID);
$_GROUPS = SEC_getUserGroups($_USER['uid']);
$_RIGHTS = explode(',', SEC_getUserPermissions());
if ($_SYSTEM['admin_session'] > 0 && $local_login) {
if (SEC_isModerator() || SEC_hasRights('story.edit,block.edit,topic.edit,user.edit,plugin.edit,user.mail,syndication.edit', 'OR') || count(PLG_getAdminOptions()) > 0) {
$admin_token = SEC_createTokenGeneral('administration', $_SYSTEM['admin_session']);
SEC_setCookie('token', $admin_token, 0, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
}
}
COM_resetSpeedlimit('login');
// log the user out
SESS_endUserSession($remoteUID);
// Let plugins know a user is being merged
PLG_moveUser($remoteUID, $_USER['uid']);
// Ok, now delete everything related to this user
// let plugins update their data for this user
PLG_deleteUser($remoteUID);
if (function_exists('CUSTOM_userDeleteHook')) {
CUSTOM_userDeleteHook($remoteUID);
}
// Call custom account profile delete function if enabled and exists
if ($_CONF['custom_registration'] && function_exists('CUSTOM_userDelete')) {
CUSTOM_userDelete($remoteUID);
}
// remove from all security groups
DB_delete($_TABLES['group_assignments'], 'ug_uid', $remoteUID);
// remove user information and preferences
DB_delete($_TABLES['userprefs'], 'uid', $remoteUID);
DB_delete($_TABLES['userindex'], 'uid', $remoteUID);
DB_delete($_TABLES['usercomment'], 'uid', $remoteUID);
DB_delete($_TABLES['userinfo'], 'uid', $remoteUID);
// delete user photo, if enabled & exists
if ($_CONF['allow_user_photo'] == 1) {
$photo = DB_getItem($_TABLES['users'], 'photo', "uid = {$remoteUID}");
USER_deletePhoto($photo, false);
}
// delete subscriptions
DB_delete($_TABLES['subscriptions'], 'uid', $remoteUID);
// in case the user owned any objects that require Admin access, assign
// them to the Root user with the lowest uid
$rootgroup = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name = 'Root'");
$result = DB_query("SELECT DISTINCT ug_uid FROM {$_TABLES['group_assignments']} WHERE ug_main_grp_id = '{$rootgroup}' ORDER BY ug_uid LIMIT 1");
$A = DB_fetchArray($result);
$rootuser = $A['ug_uid'];
if ($rootuser == '' || $rootuser < 2) {
$rootuser = 2;
}
DB_query("UPDATE {$_TABLES['blocks']} SET owner_id = {$rootuser} WHERE owner_id = {$remoteUID}");
DB_query("UPDATE {$_TABLES['topics']} SET owner_id = {$rootuser} WHERE owner_id = {$remoteUID}");
// now delete the user itself
DB_delete($_TABLES['users'], 'uid', $remoteUID);
} else {
// invalid password - let's try one more time
// need to set speed limit and give them 3 tries
COM_clearSpeedlimit($_CONF['login_speedlimit'], 'merge');
$last = COM_checkSpeedlimit('merge', 4);
if ($last > 0) {
COM_setMsg($LANG04[190], 'error');
echo COM_refresh($_CONF['site_url'] . '/users.php');
} else {
COM_updateSpeedlimit('merge');
USER_mergeAccountScreen($remoteUID, $localUID, $LANG20[3]);
}
return $retval;
}
// can't use COM_setMsg here since the session is being destroyed.
echo COM_refresh($_CONF['site_url'] . '/index.php?msg=522');
}
