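/**
 * Reject a POST request whose CSRF token does not verify.
 *
 * Reads csrf_name/csrf_token from $_POST, checks them with csrf_verify()
 * and strips both fields from $_POST so later code only sees the form
 * payload. A POST that carries no token pair is rejected as well: before
 * this change such a request was silently accepted, so a cross-site form
 * could pass the check simply by omitting the two fields.
 *
 * On failure an AJAX request (is_ajax()) receives a JSON error and the
 * script exits; any other request raises E_USER_ERROR, which is fatal
 * unless a handler catches it.
 *
 * @return void
 */
function csrf_protect()
{
    if (count($_POST) === 0) {
        // nothing to protect: GET or empty body
        return;
    }

    $valid = false;
    if (isset($_POST['csrf_name'], $_POST['csrf_token'])) {
        $valid = csrf_verify($_POST['csrf_name'], $_POST['csrf_token']);
    }
    // Strip the token fields whether or not they were present so the
    // request handler never treats them as form data.
    unset($_POST['csrf_name'], $_POST['csrf_token']);

    if ($valid) {
        return;
    }

    if (is_ajax()) {
        print json_encode(array('success' => false, 'message' => 'You are not authorized!'));
        exit;
    }
    trigger_error("You are not authorized", E_USER_ERROR);
}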
/**
 * Shutdown handler: when the request ended with a fatal E_ERROR, emit the
 * error as a JSON object so the AJAX caller gets a readable message
 * instead of an empty or truncated response.
 *
 * Presumably registered with register_shutdown_function() elsewhere in
 * this file; the registration is not visible here.
 *
 * NOTE(review): error_get_last() returns null on a clean shutdown, so
 * `$error['type']` then reads an offset on null; guard with
 * `$error !== null &&` before indexing.
 */
function shutdown() {
    $error = error_get_last();
    if ($error['type'] === E_ERROR) {
        echo json_encode(array('error' => sprintf(__('<strong>PHP Error</strong> line %s: %s'), $error['line'], $error['message'])));
    }
}
/*
|--------------------------------------------------------------------------
| Prepare
|--------------------------------------------------------------------------
|
*/
// Every response from this endpoint is JSON, including the error paths below.
header('Content-type: application/json');
$return = array();
// Refuse to run any action unless the CSRF token verifies; the client is
// told to reload so it picks up a fresh token. csrf_verify() is called
// without arguments here, so it presumably reads the token from the
// request itself — confirm against its definition.
if (!csrf_verify()) {
    $return['error'] = __('Please refresh the page.');
    echo json_encode($return);
    die;
}
/*
|--------------------------------------------------------------------------
| Actions
|--------------------------------------------------------------------------
|
*/
// NOTE(review): the @ only silences the undefined-index notice when no
// action was posted; `isset($_POST['action']) ? $_POST['action'] : null`
// says the same thing without suppressing other diagnostics.
// The switch body continues past the end of this excerpt.
switch (@$_POST['action']) { /* |-------------------------------------------------------------------------- | Change password |--------------------------------------------------------------------------
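/**
 * Manage login.
 *
 * Decides, for the current request, whether the caller may proceed, and
 * either returns or serves the login page / a redirect and terminates
 * the script.
 *
 * Outcomes, in order:
 *  - authentication not enabled on this instance: returns null;
 *  - no user signed in and the login form was posted: verifies the CSRF
 *    token, calls self::signIn() and on success redirects to the posted
 *    `attempt` target (die); on any failure re-renders the login page;
 *  - no user signed in, `?signin` requested: renders the login page;
 *  - no user signed in, anonymous access enabled: returns null;
 *  - no user signed in otherwise: renders the login page with the current
 *    URI as the `attempt` target;
 *  - user signed in and `?signout` requested: signs out, then redirects to
 *    PHP_SELF (anonymous allowed) or renders the login page, and dies;
 *  - user signed in otherwise: returns the username.
 *
 * The post-login redirect only follows same-site relative targets: an
 * `attempt` value that is not a non-empty string, carries a URL scheme,
 * or starts with a protocol-relative prefix (//host, /\host) is replaced
 * by $_SERVER['PHP_SELF']. The value comes straight from the request, so
 * without this check the login form would be an open redirect.
 *
 * Every branch that renders the login page sets $attempt and $error for
 * inc/login.inc.php, calls self::release() and dies.
 *
 * @param array|bool $files the files configuration, handed to
 *                          self::isAnonymousEnabled(); false when absent
 *
 * @return string|null the current username, or null when no login is
 *                     required for this request
 */
public static function attempt($files = false)
{
    if (!self::isAuthSet()) {
        // authentication is not enabled on this instance
        return null;
    }

    $user = self::getCurrentUsername();

    if (!is_null($user)) {
        if (isset($_GET['signout'])) {
            self::signOut();
            self::release();
            if (self::isAnonymousEnabled($files)) {
                // Anonymous access, redirect to normal page
                header('Location: ' . $_SERVER['PHP_SELF']);
            } else {
                // No anonymous access, redirect to login page
                $error = 3;
                $attempt = '?';
                include_once PML_BASE . '/inc/login.inc.php';
            }
            die;
        }
        return $user;
    }

    // no logged in user
    if (isset($_POST['attempt'])) {
        // form is posted
        if (!csrf_verify()) {
            $attempt = $_POST['attempt'];
            $error = 2;
            include_once PML_BASE . '/inc/login.inc.php';
            self::release();
            die;
        }
        $username = isset($_POST['username']) ? $_POST['username'] : null;
        $password = isset($_POST['password']) ? $_POST['password'] : null;
        $loggedin = self::signIn($username, $password);
        if (is_array($loggedin)) {
            // signed in: return to the requested page, but only when the
            // target stays on this site (see the docblock)
            $target = $_POST['attempt'];
            if (!is_string($target)
                || $target === ''
                || preg_match('#^(?:[a-z][a-z0-9+.\-]*:|[/\\\\]{2})#i', $target)
            ) {
                $target = $_SERVER['PHP_SELF'];
            }
            header('Location: ' . $target);
            die;
        }
        // error while signing in
        $attempt = $_POST['attempt'];
        $error = 1;
        include_once PML_BASE . '/inc/login.inc.php';
        self::release();
        die;
    }

    if (isset($_GET['signin'])) {
        // sign in page when anonymous access is enabled
        $attempt = isset($_GET['attempt'])
            ? $_GET['attempt']
            : $_SERVER['REQUEST_URI'] . '?' . $_SERVER['QUERY_STRING'];
        $error = 0;
        include_once PML_BASE . '/inc/login.inc.php';
        self::release();
        die;
    }

    if (self::isAnonymousEnabled($files)) {
        // Anonymous access is enabled, simply return to let anonymous users parse logs
        return null;
    }

    // send form
    $attempt = $_SERVER['REQUEST_URI'] . '?' . $_SERVER['QUERY_STRING'];
    $error = 0;
    include_once PML_BASE . '/inc/login.inc.php';
    self::release();
    die;
}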