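 /**
  * Initialise $_SESSION for a user whose credentials the caller has already
  * verified (login_handle_login() -> validate_login()), then redirect if the
  * request asks for it.
  *
  * Side effects: reads/writes simple_sys_session, reads simple_sys_groups and
  * simple_sys_users, rewrites most of $_SESSION, writes the login audit log,
  * fires trigger::login() and may end in self::_redirect().
  *
  * The session id is NOT regenerated here. login_handle_login() regenerates
  * it beforehand only while $_SESSION is still empty, so a session that was
  * already populated (e.g. an anonymous one) keeps its id across the login.
  * NOTE(review): confirm that is acceptable (session fixation).
  *
  * @param string $username Account name. Nothing is validated here: the value
  *                         is spliced into filesystem paths (ALLOWED_PATH) and
  *                         into SQL LIKE / regexp fragments below, so callers
  *                         must only pass names validate_login() accepted.
  * @param string $password Clear-text password, or "" for htaccess logins.
  *                         When given it is kept in the session, encrypted by
  *                         sys_encrypt() with the session id as key.
  * @return void
  */
 static function process_login($username, $password = "")
 {
     $id = session_id();
     // Without APC sessions: when the session id exists but belongs to a
     // different (or no) user, restore that user's most recent stored session
     // from simple_sys_session and make sure a row exists for the current id.
     if (!APC_SESSION and $id and (empty($_SESSION["username"]) or $_SESSION["username"] != $username)) {
         $row = db_select_first("simple_sys_session", array("id", "data", "expiry"), "username=@username@", "lastmodified desc", array("username" => $username));
         if (!empty($row["id"])) {
             $_SESSION = array();
             // NOTE(review): the stored data is decoded into $_SESSION before
             // the expiry check, so an expired row is still loaded and only
             // then deleted — confirm that is intended.
             session_decode(rawurldecode($row["data"]));
             if ($row["expiry"] < NOW) {
                 db_delete("simple_sys_session", array("id=@id@"), array("id" => $row["id"]));
             }
         }
         if (!db_count("simple_sys_session", array("id=@id@"), array("id" => $id))) {
             db_insert("simple_sys_session", array("expiry" => NOW + LOGIN_TIMEOUT, "id" => $id));
         }
     }
     $_SESSION["username"] = $username;
     if ($password != "") {
         // The password is kept for the lifetime of the session, keyed by the
         // session id. Anything that can read session storage can therefore
         // recover it (assuming sys_encrypt is reversible with the id), and
         // regenerating the session id elsewhere would break decryption.
         $_SESSION["password"] = sys_encrypt($password, $id);
     }
     if (!isset($_SESSION["history"])) {
         $_SESSION["history"] = array();
     }
     $_SESSION["groups"] = array();
     $_SESSION["folder_states"] = array();
     $base = dirname($_SERVER["SCRIPT_FILENAME"]) . "/";
     // Filesystem scope of the session: super admins get the whole store
     // (home, trash, backup) plus debug/preview caches; everyone else only
     // their own home folder and the preview cache. The username is used
     // verbatim as a path component — a name containing "/" or ".." would
     // widen ALLOWED_PATH, so it must have been rejected upstream.
     if (sys_is_super_admin($_SESSION["username"])) {
         $_SESSION["ALLOWED_PATH"] = array($base . SIMPLE_STORE . "/home/", $base . SIMPLE_CACHE . "/debug/", $base . SIMPLE_STORE . "/trash/", $base . SIMPLE_CACHE . "/preview/", $base . SIMPLE_STORE . "/backup/");
     } else {
         $_SESSION["ALLOWED_PATH"] = array($base . SIMPLE_STORE . "/home/" . $_SESSION["username"] . "/", $base . SIMPLE_CACHE . "/preview/");
     }
     // Configured import folders (comma separated) are added for every user.
     foreach (explode(",", SIMPLE_IMPORT) as $folder) {
         if ($folder == "" or !is_dir($folder)) {
             continue;
         }
         // Relative paths (no leading "/" and no drive/scheme colon) are
         // anchored at the script directory. Compare against false explicitly:
         // "!strpos()" would also be true for a colon at offset 0.
         if ($folder[0] != "/" and strpos($folder, ":") === false) {
             $folder = $base . $folder;
         }
         $_SESSION["ALLOWED_PATH"][] = rtrim(str_replace("\\", "/", $folder), "/") . "/";
     }
     // TODO2 put in extra function and configure it with setup to fetch groups from somewhere else
     // Row-level permission fragments. "@right@" is substituted with
     // read/write below; "@view@" is left for later substitution (presumably
     // by the query builder — verify).
     if (sys_is_super_admin($_SESSION["username"])) {
         $_SESSION["permission_sql"] = "1=1";
         $_SESSION["permission_sql_exception"] = "1=0";
         $_SESSION["disabled_modules"] = array();
     } else {
         // NOTE(review): the username is embedded in a regexp by sql_regexp()
         // and in a LIKE pattern below; whether sql_regexp() escapes regexp
         // metacharacters is not visible here, and "%" / "_" in a username
         // would act as LIKE wildcards in the group lookup.
         $_SESSION["permission_sql"] = sql_regexp("r@right@_users", array($username, "anonymous"));
         $_SESSION["permission_sql_exception"] = "(rexception_users!='' and " . sql_regexp("rexception_users", array($username, "anonymous"), "|@view@:@right@:%s|") . ")";
         $_SESSION["disabled_modules"] = array_flip(explode("|", DISABLED_MODULES));
         $rows = db_select("simple_sys_groups", "groupname", array("activated=1", "members like @username_sql@"), "", "", array("username_sql" => "%|" . $username . "|%"));
         if (is_array($rows) and count($rows) > 0) {
             foreach ($rows as $val) {
                 $_SESSION["groups"][] = $val["groupname"];
             }
             $_SESSION["permission_sql"] = "(" . $_SESSION["permission_sql"] . " or " . sql_regexp("r@right@_groups", $_SESSION["groups"]) . ")";
             $_SESSION["permission_sql_exception"] = "(" . $_SESSION["permission_sql_exception"] . " or (rexception_groups!='' and " . sql_regexp("rexception_groups", $_SESSION["groups"], "|@view@:@right@:%s|") . "))";
         }
     }
     $_SESSION["permission_sql_read"] = str_replace("@right@", "read", $_SESSION["permission_sql"]);
     $_SESSION["permission_sql_write"] = str_replace("@right@", "write", $_SESSION["permission_sql"]);
     // Client address bound to the session; login_handle_login() compares it
     // on later requests and forces the login screen on a mismatch.
     $_SESSION["ip"] = _login_get_remoteaddr();
     // Pre-authorised query spec, looks like it is consumed elsewhere — verify.
     $_SESSION["tickets"] = array("templates" => array("dbselect", "simple_templates", array("tplcontent", "tplname"), array("tplname like @search@"), "tplname asc"));
     $_SESSION["treevisible"] = true;
     // Per-user preferences from simple_sys_users, with defaults.
     $row = db_select_first("simple_sys_users", "*", "username=@username@", "", array("username" => $username));
     if (!empty($row["cal_day_begin"])) {
         $_SESSION["day_begin"] = sys_date("G", $row["cal_day_begin"] - 1) * 3600;
         $_SESSION["day_end"] = sys_date("G", $row["cal_day_end"]) * 3600;
     } else {
         $_SESSION["day_begin"] = 25200;
         // 7:00 = 7*3600
         $_SESSION["day_end"] = 64800;
         // 18:00 = 18*3600
     }
     if (!empty($row["enabled_modules"])) {
         // Modules explicitly enabled for this user override the global
         // DISABLED_MODULES list.
         $row["enabled_modules"] = array_flip(explode("|", trim($row["enabled_modules"], "|")));
         $_SESSION["disabled_modules"] = array_diff_key($_SESSION["disabled_modules"], $row["enabled_modules"]);
     }
     if (!empty($row["timezone"])) {
         $_SESSION["timezone"] = $row["timezone"];
     } else {
         $_SESSION["timezone"] = "";
     }
     if (!empty($row["theme"])) {
         $_SESSION["theme"] = $row["theme"];
     } else {
         $_SESSION["theme"] = "core";
     }
     if (!empty($row["home_folder"])) {
         $_SESSION["home_folder"] = "index.php?folder=" . rawurlencode($row["home_folder"]);
     } else {
         if (sys_is_super_admin($username)) {
             $anchor = "system";
         } else {
             $anchor = "home_" . $username;
         }
         $_SESSION["home_folder"] = "index.php?folder=^" . $anchor;
     }
     // Audit trail: counted and logged for an existing session or an explicit
     // login request.
     if ($id or isset($_REQUEST["login"])) {
         sys_log_stat("logins", 1);
         sys_log_message_log("login", sprintf("{t}login %s from %s with %s{/t}", $_SESSION["username"], $_SESSION["ip"], sys::$browser));
     }
     trigger::login();
     if (!empty($row["pwdexpires"]) and $row["pwdexpires"] < NOW) {
         sys_warning(sprintf("{t}Password expired. (password of %s has expired){/t}", $username));
         // NOTE(review): this target was garbled in the listing; reconstructed
         // as $_SESSION["username"] from the surviving fragment — confirm
         // against upstream.
         self::_redirect("index.php?view=changepwd&find=asset|simple_sys_users|1|username=" . $_SESSION["username"]);
     } else {
         if (!empty($_REQUEST["page"])) {
             // "page" is appended to a fixed prefix, so it cannot point to
             // another host as written, but it is not validated here (e.g.
             // "../"); rely on self::_redirect()/the CMS front controller.
             if (CMS_REAL_URL) {
                 self::_redirect(CMS_REAL_URL . $_REQUEST["page"]);
             }
             self::_redirect("cms.php/" . $_REQUEST["page"]);
         } else {
             if (!empty($_REQUEST["redirect"])) {
                 self::_redirect($_SESSION["home_folder"]);
             }
         }
     }
 }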
/**
 * Start the session and perform per-request authentication.
 *
 * Order of operations (it matters: handlers must be installed before
 * session_start(), headers sent before any output):
 *  1. configure and start the session (custom save handler);
 *  2. optionally turn HTTP basic-auth headers into a form login;
 *  3. process a username/password login, with a per-IP lockout;
 *  4. fall back to htaccess (REMOTE_USER) or anonymous sessions;
 *  5. show the login screen when there is no usable session, on logout, or
 *     when the client address no longer matches the one bound to the session.
 *
 * @param bool $save_session false (or iframe/export/import/plain requests)
 *                           makes the session read-only: the write and
 *                           destroy handlers are no-ops.
 * @return void
 */
function login_handle_login($save_session = true)
{
    // Cookie lifetime only; path/domain/secure/httponly are left to php.ini.
    // NOTE(review): nothing here sets HttpOnly/Secure on the session cookie —
    // confirm that session.cookie_httponly / cookie_secure are set in the
    // PHP configuration.
    session_set_cookie_params(2592000);
    // 1 month
    session_name(SESSION_NAME);
    if (empty($_REQUEST["iframe"]) and empty($_REQUEST["export"]) and empty($_REQUEST["import"]) and !isset($_REQUEST["plain"]) and $save_session) {
        session_set_save_handler("_login_session_none", "_login_session_none", "_login_session_read", "_login_session_write", "_login_session_destroy", "_login_session_none");
        register_shutdown_function("session_write_close");
    } else {
        session_set_save_handler("_login_session_none", "_login_session_none", "_login_session_read", "_login_session_none", "_login_session_none", "_login_session_none");
    }
    session_start();
    header("Cache-Control: private, max-age=1, must-revalidate");
    header("Pragma: private");
    // A client presenting a session cookie that maps to an empty session gets
    // a fresh id. This is the only regeneration on the login path: once
    // $_SESSION has content (e.g. an anonymous session) the id survives the
    // login below — NOTE(review): verify this is enough against fixation.
    if (!empty($_COOKIE[SESSION_NAME]) and empty($_SESSION)) {
        session_regenerate_id();
    }
    if (!empty($_SESSION["timezone"])) {
        date_default_timezone_set($_SESSION["timezone"]);
    }
    // Maintenance mode: only super admins may log in / stay logged in.
    if (file_exists(SIMPLE_STORE . "/maintenance.lck")) {
        $maintenance = true;
    } else {
        $maintenance = false;
    }
    // HTTP basic auth is funnelled through the same path as a form login, so
    // the lockout below applies to it as well.
    if (!DISABLE_BASIC_AUTH and empty($_SESSION["username"]) and !empty($_SERVER["PHP_AUTH_USER"]) and !empty($_SERVER["PHP_AUTH_PW"])) {
        $_REQUEST["username"] = modify::strip_ntdomain($_SERVER["PHP_AUTH_USER"]);
        $_REQUEST["password"] = $_SERVER["PHP_AUTH_PW"];
    }
    $ip = _login_get_remoteaddr();
    if (!empty($_REQUEST["username"]) and !empty($_REQUEST["password"]) and (!$maintenance or sys_is_super_admin($_REQUEST["username"]))) {
        if (!isset($_COOKIE[SESSION_NAME]) and !empty($_REQUEST["loginform"])) {
            sys_die('{t}Please activate cookies.{/t} <a href="index.php?logout">{t}Back{/t}</a>');
        }
        // Per-IP failure counter kept as a file: one "1" per failed attempt.
        // Only "." and ":" are rewritten — the address is used as a path
        // component, so _login_get_remoteaddr() must never return anything
        // containing "/" (e.g. an unsanitised X-Forwarded-For value) — verify.
        $file = SIMPLE_CACHE . "/ip/" . str_replace(array(".", ":"), "-", $ip);
        // Lockout: more than three failures and the counter file touched
        // within the last 15 minutes. The counter is not updated while
        // locked out, so the mtime is that of the last counted failure.
        if (file_exists($file . "_3") and $trials = file_get_contents($file . "_3") and strlen($trials) > 3 and filemtime($file . "_3") > time() - 900) {
            $_REQUEST["logout"] = true;
            sys_alert("{t}Too many wrong logins. Please wait 15 minutes.{/t}");
        } else {
            if (login::validate_login($_REQUEST["username"], $_REQUEST["password"])) {
                login::process_login($_REQUEST["username"], $_REQUEST["password"]);
            } else {
                // Marker file with an mtime 3 s in the future — presumably
                // consumed by a throttle elsewhere; not read in this function.
                touch($file, time() + 3);
                $_REQUEST["logout"] = true;
                // Counters older than 30 minutes start over.
                if (file_exists($file . "_3") and filemtime($file . "_3") < time() - 1800) {
                    unlink($file . "_3");
                }
                sys_file_append($file . "_3", "1");
                sys_log_stat("wrong_login", 1);
            }
        }
    }
    // Web-server authentication: trust REMOTE_USER (domain prefix stripped)
    // and call validate_login() with an empty password.
    if (!isset($_REQUEST["logout"]) and empty($_SESSION["username"]) and SETUP_AUTH == "htaccess" and !empty($_SERVER["REMOTE_USER"])) {
        $_SERVER["REMOTE_USER"] = modify::strip_ntdomain($_SERVER["REMOTE_USER"]);
        if (login::validate_login($_SERVER["REMOTE_USER"], "")) {
            login::process_login($_SERVER["REMOTE_USER"]);
        }
    }
    if ($maintenance and (empty($_SESSION["username"]) or !sys_is_super_admin($_SESSION["username"]))) {
        $_REQUEST["logout"] = true;
        sys_alert("{t}Maintenance mode{/t}: {t}Active{/t}.");
    }
    if (empty($_SESSION["username"]) and ENABLE_ANONYMOUS) {
        login_anonymous_session();
    }
    if (empty($_SESSION["username"]) and ENABLE_ANONYMOUS_CMS and MAIN_SCRIPT == "download.php") {
        login_anonymous_session();
    }
    // "and" binds tighter than "or": logout requested, OR no user and no
    // anonymous access, OR the session's bound IP differs from the client's
    // (requests from the server itself are exempt from the IP check).
    if (isset($_REQUEST["logout"]) or empty($_SESSION["username"]) and !ENABLE_ANONYMOUS or isset($_SESSION["ip"]) and $_SESSION["ip"] != $ip and $ip != $_SERVER["SERVER_ADDR"]) {
        login::show_login();
    }
}
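 /**
  * Open, and memoise per module folder, an LDAP link using the credentials
  * sys_credentials() stores for $mfolder.
  *
  * Bind strategy:
  *  1. simple bind with the configured username/password;
  *  2. if that fails: anonymous bind, discover the base DN from the root DSE
  *     when none is configured, look the account up by uid and bind again
  *     with the resulting DN.
  * A link is only cached once this sequence has finished without returning.
  *
  * @param string $mfolder Module folder whose credentials are looked up.
  * @return resource|object|false Bound LDAP link; false (after sys_warning())
  *         when no server is configured, a required extension is missing, the
  *         anonymous fallback bind fails, or the DN bind fails. sys_die() is
  *         called when ldap_connect() itself fails.
  */
 private static function _connect($mfolder)
 {
     static $cache = array();
     if (empty($cache[$mfolder])) {
         $creds = sys_credentials($mfolder);
         if ($creds["server"] == "") {
             return false;
         }
         $basedn = $creds["options"];
         // NOTE(review): the port is defaulted but never passed to
         // ldap_connect(); it is only honoured if sys_credentials() already
         // folded it into the server string — confirm.
         if (!$creds["port"]) {
             $creds["port"] = 389;
         }
         // NOTE(review): nothing here calls ldap_start_tls(); with "ssl" set,
         // transport security depends on the server string being ldaps://.
         if ($creds["ssl"] and !extension_loaded("openssl")) {
             sys_warning(sprintf("{t}%s is not compiled / loaded into PHP.{/t}", "OpenSSL"));
             return false;
         }
         if (!function_exists("ldap_connect")) {
             sys_warning(sprintf("{t}%s is not compiled / loaded into PHP.{/t}", "LDAP"));
             return false;
         }
         if (!($ds = ldap_connect($creds["server"]))) {
             sys_die(sprintf("{t}LDAP connection to host %s failed.{/t}", $creds["server"]));
         }
         ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
         ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
         // NOTE(review): an empty configured password makes this an
         // unauthenticated bind, which some servers (notably AD) accept as
         // success — make sure stored credentials are never half-filled.
         if (!@ldap_bind($ds, $creds["username"], $creds["password"])) {
             if (!@ldap_bind($ds)) {
                 sys_warning("{t}LDAP anonymous connection failed.{/t}");
                 return false;
             }
             if ($basedn == "") {
                 // Root DSE lookup for the first naming context. Guarded so a
                 // failed read does not hand false to ldap_first_entry().
                 $result_id = @ldap_read($ds, "", "(objectclass=*)", array("namingContexts"));
                 $entry = $result_id ? ldap_first_entry($ds, $result_id) : false;
                 if ($entry) {
                     $attrs = ldap_get_attributes($ds, $entry);
                     if (isset($attrs["namingContexts"]) and is_array($attrs["namingContexts"])) {
                         $basedn = $attrs["namingContexts"][0];
                     }
                 }
             }
             // Filter-injection guard by stripping RFC 4515 metacharacters.
             // NOTE(review): ldap_escape($u, "", LDAP_ESCAPE_FILTER) would escape
             // instead of silently altering the name; kept as is since upstream
             // may rely on the stripped form.
             $creds["username"] = preg_replace("/[\\\\*()#!|&=<>~ ]/", "", $creds["username"]);
             $res = ldap_search($ds, $basedn, "uid=" . $creds["username"]);
             if ($res and ldap_count_entries($ds, $res) == 1) {
                 $dn = ldap_get_dn($ds, ldap_first_entry($ds, $res));
                 // Fix: the original returned false with "Login failed" when
                 // this bind SUCCEEDED and fell through to cache the
                 // anonymously bound link when it failed, so a wrong password
                 // yielded a usable (anonymous) connection. Fail on bind error.
                 if (!@ldap_bind($ds, $dn, $creds["password"])) {
                     sys_warning(sprintf("{t}Login failed from %s.{/t} (ldap) (%s)\n{t}(for active directory username must be: username@domain){/t}", _login_get_remoteaddr(), ldap_error($ds)));
                     return false;
                 }
             }
             // NOTE(review): if the uid search yields 0 or several entries the
             // still anonymously bound link is cached below and callers cannot
             // tell it apart from an authenticated one — confirm anonymous
             // access is intended for this module.
         }
         $cache[$mfolder] = $ds;
     }
     return $cache[$mfolder];
 }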