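/**
 * Log the visitor in, either automatically right after registration or from
 * the posted login form (lemail_id / lpassword).
 *
 * Any existing session is discarded first via do_logout(), and $GO is always
 * set to "Home" so the caller routes there afterwards. On success the session
 * carries logged_in, user_id, fname and email_id; employees ("type" == "E")
 * additionally get the employee flag plus a backup copy of their identity
 * (e_user_id, e_fname, e_email_id) for role switching.
 *
 * Fix: the failure message at the end carried a stray leading "1" (a leftover
 * debug marker in user-facing text); it now matches the message used above.
 *
 * @param int|string $auto_login  0 for a form login; otherwise the user_id of
 *                                the account just registered, whose row the
 *                                caller left in the global $ROW.
 * @return void  Outcome is reported through add_msg() and $_SESSION.
 */
function do_login($auto_login = 0)
{
    global $GO;
    global $ROW;
    // Drop any existing session state before establishing a new identity.
    do_logout();
    // Everybody goes home after login.
    $GO = "Home";
    if ($auto_login) {
        // Registration path: $ROW is the row used for registration and the
        // caller has already vetted it, so there is no credential check here.
        // A fresh session id prevents session fixation.
        session_regenerate_id(true);
        $_SESSION['logged_in'] = 1;
        $_SESSION['user_id'] = $auto_login;
        $_SESSION['fname'] = $ROW["fname"];
        $_SESSION['email_id'] = $ROW["email_id"];
    } elseif (get_arg($_POST, "lemail_id") && get_arg($_POST, "lpassword")) {
        $_email_id = get_arg($_POST, "lemail_id");
        $_password = get_arg($_POST, "lpassword");
        // Validate ALL parameters. A validation failure gets the same generic
        // message as a bad credential so the response does not reveal which
        // check tripped.
        if (!validate("Email ID", $_email_id, 5, 100, "EMAIL") || !validate("Password", $_password, 5, 100, "PASSWORD")) {
            add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
            return;
        }
        ##################################################
        #                  DB LOGIN                      #
        ##################################################
        // db_do_login() performs the credential check; exactly one matching
        // row with STATUS "OK" counts as success.
        $ROW = db_do_login($_email_id, $_password);
        if ($ROW[0]['STATUS'] == "OK" && $ROW[0]["NROWS"] == 1) {
            // New session id on privilege change (session fixation).
            session_regenerate_id(true);
            $_SESSION['email_id'] = $_email_id;
            $_SESSION['logged_in'] = 1;
            $_SESSION['user_id'] = $ROW[0]["user_id"];
            $_SESSION['fname'] = $ROW[0]["fname"];
            add_msg('SUCCESS', "Welcome " . $ROW[0]["fname"] . "! </br>");
            if ($ROW[0]["type"] == "E") {
                $_SESSION['employee'] = 1;
                // For employees store a backup of their details since they
                // switch roles often.
                $_SESSION['e_user_id'] = $ROW[0]["user_id"];
                $_SESSION['e_fname'] = $ROW[0]["fname"];
                $_SESSION['e_email_id'] = $_email_id;
            }
        }
    }
    // logged_in is only set on one of the success paths above.
    if (empty($_SESSION['logged_in'])) {
        add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
    }
}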
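/**
 * Comment-module login/logout handler.
 *
 * ?logout=1 ends the session via do_logout(). A posted cmt_login form is
 * looked up in <prefix>cmt_accounts (active rows only) and the salted md5
 * of the posted password is compared with the stored hash. On success
 * $_SESSION['cmt_login'] / ['cmt_id'] are set; on any failure
 * $_SESSION['cmt_login'] is cleared and the generic login error alert is
 * returned.
 *
 * Changes over the previous version: blank credentials are rejected before
 * the query runs, the hash comparison uses hash_equals() (constant time and
 * no loose == type juggling), and the session id is regenerated on success
 * to defeat session fixation.
 *
 * @return mixed  print_alert() result on failure, null otherwise.
 */
function do_login()
{
    global $conn;
    if (isset($_GET['logout'])) {
        $logout = parse($_GET['logout'], 'int');
        if ($logout == 1) {
            do_logout();
        }
    }
    if (!isset($_POST['cmt_login'])) {
        return;
    }
    // Single failure path: clear the flag and hand back the generic alert.
    // The same message is used for every failure so the response does not
    // reveal whether the username exists.
    $deny = function () {
        $_SESSION['cmt_login'] = false;
        return print_alert('error', v('CMT_HEADLINE_LOGIN_ERROR'), v('CMT_TEXT_LOGIN_ERROR'));
    };
    $username = parse($_POST['login_username'], 'string');
    $password = parse($_POST['login_password'], 'string');
    // Reject blank credentials before touching the database.
    if (!$username || !$password) {
        return $deny();
    }
    // NOTE(review): the username condition is masked in this listing
    // ('******'); in the live query it must be bound as a parameter of a
    // prepared statement, never concatenated from $username.
    $sql = "SELECT password, password_salt, id FROM " . $_SESSION['TABLE_PREFIX'] . "cmt_accounts WHERE username = '******' AND c_active = '1'";
    $result = db_mysql_query($sql, $conn);
    if (!db_mysql_num_rows($result)) {
        return $deny();
    }
    $arr = db_mysql_fetch_array($result);
    // Stored scheme is md5(salt . password). NOTE(review): md5 is not a
    // password hash; moving to password_hash()/password_verify() needs a
    // rehash-on-login migration, so only the comparison is hardened here.
    $expected = (string) $arr['password'];
    $candidate = md5($arr['password_salt'] . $password);
    if (!hash_equals($expected, $candidate)) {
        return $deny();
    }
    // Fresh session id on privilege change (session fixation).
    session_regenerate_id(true);
    $_SESSION['cmt_login'] = true;
    $_SESSION['cmt_id'] = $arr['id'];
}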
    require_once 'db/_user.php';
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
    if ($auth = user_authenticate($username, $password)) {
        //authentifié
        do_login($username);
        // Connecté
    } else {
        //( ! array_key_exists($_POST['username'] && array_key_exists($_POST['password'])));
        echo "Vous devez entrer un indentifiant et mot de passe valide";
        // TODO Gérer le bla bla de authentification invalide ici
    }
    //    var_dump($auth);exit();
} elseif (array_key_exists('dologout', $_POST)) {
    // User cherche à se déconnecter
    do_logout();
    // On le déconnecte
    header('Location:' . HOME_PAGE);
}
//
?>

<?php 
if (!check_login()) {
    // Si l'utilisateur n'est pas connecté
    ?>
    <form id="login" name="login" method="post">
        <label for="username">Pseudo : </label>
        <input type="text" name="username" id="username" value="" />
        <label for="password">Mot de passe : </label>
        <input type="password" name="password" id="password" />
 /**
  * proccess_request
  * Process the request for the public area.
  *
  * Decides which template to render (index, view, uploaded, delete,
  * delete-confirm, pages/<name>, shorturl, maintenance, bool or 404),
  * answers the json login/logout actions directly, loads the image record
  * for the viewer/delete templates, and applies the private-mode password
  * gate to the index and theme pages.
  *
  * Inputs: $this->base_request / $this->request_array (parsed by the
  * caller), $_GET['v'] for the legacy viewer, $_REQUEST['action'],
  * ['password'] and ['keep'] for the json login, $_SESSION['ImagesUp'].
  * Outputs: $this->template plus the self::$image_* statics. Returns
  * nothing and may terminate the request (die / redirect / chevereto_die).
  */
 private function proccess_request()
 {
     global $lang;
     // Default template unless a case below picks another one.
     $this->template = 404;
     // Theme pages; the default case uses them to accept /<page> requests.
     $this->pages = $this->get_pages();
     // Prepare the request array to use the legacy request (?v=file.ext).
     // NOTE(review): without a group the alternation reads as
     // "^\w*\.jpg" OR "png" OR "gif$", so any value containing "png" or
     // ending in "gif" passes. If the intent is "<word>.(jpg|png|gif)" the
     // pattern needs "/^\\w*\\.(jpg|png|gif)\$/".
     if (check_value($_GET['v']) && preg_match("/^\\w*\\.jpg|png|gif\$/", $_GET['v'])) {
         $this->base_request = '?' . $this->request_array[1];
         unset($this->request_array[1]);
     }
     // @ hides the notice raised when a session is already active.
     @session_start();
     // NOTE(review): count() on a missing/null key throws a TypeError on
     // PHP 8; guard with isset() if that runtime is in scope.
     if (count($_SESSION['ImagesUp']) > 0) {
         $_SESSION['ImagesUp'] = array_values($_SESSION['ImagesUp']);
         self::$uploaded = true;
     }
     // Maintenance mode overrides whatever was requested.
     if (chevereto_config('maintenance')) {
         $this->base_request = 'maintenance';
     }
     // Switch according the request
     switch ($this->base_request) {
         case '':
         case 'index.php':
             // Session already started above; @ hides the duplicate-start notice.
             @session_start();
             $_SESSION['last_upload_request'] = time();
             $this->template = 'index';
             break;
         case 'json':
             json_prepare();
             // Do a special trick for the json action=login.
             // NOTE(review): the credential is read from $_REQUEST, so it is
             // accepted from GET, POST or cookie alike; a GET login would put
             // the password in the URL and server logs. Presumably the client
             // POSTs it -- confirm.
             if ($_REQUEST['action'] == 'login') {
                 // Check for user match...
                 $login_user = login_user($_REQUEST['password'], $_REQUEST['keep']);
                 if ($login_user !== false) {
                     $json_array = array('status_code' => 200, 'status_txt' => 'logged in');
                 } else {
                     $json_array = array('status_code' => 403, 'status_txt' => 'invalid login');
                 }
             } elseif ($_REQUEST['action'] == 'logout') {
                 do_logout();
                 $json_array = array('status_code' => 200, 'status_txt' => 'logged out');
             }
             // Any other action leaves $json_array unset and is answered 403.
             // Note this fallback uses the key 'status', unlike 'status_code'
             // everywhere else.
             $json_array = check_value($json_array) ? $json_array : array('status' => 403, 'status_txt' => 'unauthorized');
             session_write_close();
             die(json_output($json_array));
             break;
         case __CHV_VIRTUALFOLDER_IMAGE__:
             // View request: /<image folder>/<public id>
             $id_public = $this->request_array[1];
             $this->template = !is_upload_result() ? 'view' : 'uploaded';
             self::$is_viewer = true;
             break;
         case __CHV_VIRTUALFOLDER_UPLOADED__:
             @session_start();
             // Only meaningful when an upload left images in the session.
             if (count($_SESSION['ImagesUp']) > 0) {
                 $this->template = 'uploaded';
                 self::$doctitle = $lang['doctitle_upload_complete'];
             } else {
                 $this->redirect(__CHV_BASE_URL__, 400);
             }
             break;
         case 'error-javascript':
             chevereto_die(array(get_lang_txt('critical_js_step_1'), get_lang_txt('critical_js_step_2')), 'JavaScript', array(get_lang_txt('critical_js')));
             break;
         case '?chevereto':
             // Presence probe: answered with a bare JSON true at the end.
             $this->template = 'bool';
             break;
         // Legacy viewer (?v=file.ext), rewritten into base_request above.
         case '?v=' . $_GET['v']:
             // View request
             $id_public = $_GET['v'];
             $this->legacy_redirect = true;
             break;
         case 'delete':
         case 'delete-confirm':
             // /delete/image/<public id>/<delete hash>
             //$delete_what = $this->request_array[1];
             $id_public = $this->request_array[2];
             $deleteHash = $this->request_array[3];
             $this->template = $this->base_request;
             self::$is_viewer = true;
             break;
         case 'maintenance':
             $this->template = 'maintenance';
             self::$doctitle = chevereto_config('doctitle');
             break;
         default:
             // Pages request
             require_once $this->path_theme . 'pages/pages_config.php';
             // We load the special pages config. A bare /<name> is treated as
             // a theme page only if <name>.php is in the theme page list and
             // the page is flagged live; anything else is taken to be a short
             // URL for an image.
             if (in_array($this->base_request . '.php', $this->pages) and $this->request_array[1] == '' and $pages_config[$this->base_request]['live']) {
                 $this->template = 'pages/' . $this->base_request;
                 self::$doctitle = $pages_config[$this->base_request]['title'];
             } else {
                 $this->template = 'shorturl';
                 $id_public = $this->base_request;
                 self::$is_viewer = true;
             }
             break;
     }
     // Ask for the login on index and pages when the site is private.
     if ($this->template == 'index' || $this->template == 'pages/' . $this->base_request) {
         if (conditional_config('private_mode')) {
             if (!is_logged_user()) {
                 $doctitle = get_lang_txt('txt_enter_password') . ' - ' . chevereto_config('doctitle');
                 include __CHV_PATH_SYSTEM__ . 'login.php';
                 die;
             }
         }
     }
     // Hand the uploaded images to the template and clear them from the
     // session so a reload does not show them again.
     if ($this->template == 'uploaded') {
         self::$doctitle = get_lang_txt('doctitle_upload_complete');
         self::$image_info = $_SESSION['ImagesUp'][0];
         self::$uploaded_images = $_SESSION['ImagesUp'];
         $_SESSION['ImagesUp'] = NULL;
         unset($_SESSION['ImagesUp']);
     }
     // Image-backed templates: resolve the public id to a database record.
     if (preg_match('/view|shorturl|delete/', $this->template) || $this->legacy_redirect) {
         // Test connection
         if ($this->dB->dead) {
             self::$doctitle = 'dB connection error';
             $this->template = 404;
         } else {
             // get image info; legacy ids are raw, all others are encoded.
             $imageID = $this->legacy_redirect ? $id_public : decodeID($id_public);
             self::$image_info = $this->dB->image_info($imageID);
             self::$id_public = $id_public;
             if (!is_array(self::$image_info)) {
                 // No record. NOTE(review): json_output() is presumably
                 // terminal here; if it returns, execution continues down to
                 // load_template() -- confirm.
                 if ($this->template == 'delete-confirm') {
                     json_output(array('status_code' => 403, 'status_txt' => 'target image doesn\'t exists'));
                 } else {
                     $this->template = 404;
                 }
             } else {
                 if ($this->legacy_redirect) {
                     $this->redirect(__CHV_BASE_URL__ . __CHV_VIRTUALFOLDER_IMAGE__ . '/' . encodeID(self::$image_info['image_id']), 301);
                 }
                 $target = get_image_target(self::$image_info);
                 self::$image_target = $target['image_path'];
                 self::$image_thumb_target = $target['image_thumb_path'];
                 self::$image_url = absolute_to_url($target['image_path']);
                 self::$image_thumb_url = absolute_to_url($target['image_thumb_path']);
                 self::$image_filename = self::$image_info['image_filename'];
                 self::$image_viewer = __CHV_BASE_URL__ . __CHV_VIRTUALFOLDER_IMAGE__ . '/' . $id_public;
                 self::$delete_image_url = __CHV_BASE_URL__ . 'delete/image/' . self::$id_public . '/' . self::$image_info['image_delete_hash'];
                 // Deletion is authorised solely by the per-image delete hash
                 // taken from the URL. $deleteHash is assigned only in the
                 // delete/delete-confirm cases, so for view/shorturl it is
                 // unset and this is false. NOTE(review): === is a plain, not
                 // constant-time, comparison; hash_equals() would avoid
                 // leaking timing information about the hash.
                 $image_delete_proceed = !empty(self::$image_info['image_delete_hash']) && $deleteHash === self::$image_info['image_delete_hash'] ? true : false;
                 switch ($this->template) {
                     case 'delete':
                         // Wrong or missing hash: bounce back to the viewer.
                         if (!$image_delete_proceed) {
                             $this->redirect(__CHV_BASE_URL__ . __CHV_VIRTUALFOLDER_IMAGE__ . '/' . self::$id_public, 301);
                         }
                         self::$delete_image_confirm_url = __CHV_BASE_URL__ . 'delete-confirm/image/' . self::$id_public . '/' . self::$image_info['image_delete_hash'];
                         self::$doctitle = get_lang_txt('doctitle_delete_confirm') . ' ' . self::$image_info['image_filename'];
                         break;
                     case 'delete-confirm':
                         if (!$image_delete_proceed) {
                             json_output(array('status_code' => 403, 'status_txt' => 'invalid delete hash'));
                         } else {
                             require_once __CHV_PATH_ADMIN_CLASSES__ . 'class.manage.php';
                             $manage = new Manage(array('id' => self::$image_info['image_id'], 'action' => 'delete'));
                             if ($manage->dead) {
                                 $json_array = array('status_code' => 403, 'status_txt' => $manage->error);
                             } else {
                                 $json_array = $manage->process();
                             }
                         }
                         // Make the status_txt more readable...
                         switch ($json_array['status_code']) {
                             case 200:
                                 $json_array['status_txt'] = get_lang_txt('txt_image_deleted');
                                 break;
                             default:
                             case 403:
                                 $json_array['status_txt'] = get_lang_txt('txt_error_deleting_image');
                                 break;
                         }
                         json_output($json_array);
                         break;
                     default:
                         self::$doctitle = get_lang_txt('doctitle_viewing_image') . ' ' . self::$image_info['image_filename'];
                         break;
                 }
             }
         }
     }
     if ($this->template == 404) {
         status_header(404);
         self::$doctitle = check_value(self::$doctitle) ? self::$doctitle : get_lang_txt('txt_404_title');
     } else {
         status_header(200);
     }
     // We load the template
     if ($this->template == 'bool') {
         exit(json_encode(true));
     } else {
         $this->load_template();
     }
 }
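/**
 * Dispatch one framed client message to its handler and send the reply.
 *
 * The frame is unwrapped, decoded as JSON and must carry "method",
 * "resource" and "msg_id". POST /user is signup; /contact handles login
 * (POST), who-is-online (GET), logout (DELETE) and notify (NOTIFY); any
 * other resource is a generic resource request keyed on method alone. The
 * reply echoes msg_id back and is sent as JSON over $user->socket.
 *
 * Fix: a method that matches no handler on a generic resource (anything but
 * /user or /contact) now gets the same "unknown command" failure as an
 * unknown method on /user or /contact, instead of a reply carrying only
 * msg_id and no status.
 *
 * @param object $user  Connection object; $user->socket is written to.
 * @param mixed  $msg   Raw frame as received; passed to unwrap().
 * @return void
 */
function process($user, $msg)
{
    $action = unwrap($msg);
    // NOTE(review): this echoes the whole payload; for POST /contact (login)
    // that presumably includes a credential. Confirm say() does not write to
    // persistent logs, or redact before logging.
    say("< " . $action);
    $request_body = json_decode($action, true);
    if (empty($request_body)) {
        say("ERROR: invalid request body");
        return;
    }
    if (!array_key_exists("method", $request_body) || !array_key_exists("resource", $request_body) || !array_key_exists("msg_id", $request_body)) {
        say("ERROR: missing mandatory property");
        return;
    }
    $method = $request_body["method"];
    $resource = $request_body["resource"];
    $result = NULL;
    // Cleared when no handler claims the (method, resource) pair.
    $handled = true;
    if ($resource == "/user") {
        if ($method == "POST") {
            $result = do_signup($request_body);
        } else {
            $handled = false;
        }
    } elseif ($resource == "/contact") {
        switch ($method) {
            case "POST":
                say("process login");
                $result = do_login($request_body, $user);
                break;
            case "GET":
                say("process whoisonline");
                $result = do_whoisonline($user);
                break;
            case "DELETE":
                say("process logout");
                $result = do_logout($user);
                break;
            case "NOTIFY":
                say("process notify");
                $result = do_notify($request_body, $user);
                break;
            default:
                $handled = false;
                break;
        }
    } else {
        // Generic resource: dispatch on method only.
        switch ($method) {
            case "POST":
                $result = do_post_resource($request_body, $user);
                break;
            case "PUT":
                $result = do_put_resource($request_body, $user);
                break;
            case "GET":
                $result = do_get_resource($request_body, $user);
                break;
            case "DELETE":
                $result = do_delete_resource($request_body, $user);
                break;
            case "SUBSCRIBE":
                $result = do_subscribe_resource($request_body, $user);
                break;
            case "NOTIFY":
                $result = do_publish_resource($request_body, $user);
                break;
            default:
                $handled = false;
                break;
        }
    }
    if (!$handled) {
        // this is an unknown request
        $result = array("code" => "failed", "reason" => "unknown command " . $method . " " . $resource);
    }
    // Correlate the reply with the request for the client.
    $result['msg_id'] = $request_body['msg_id'];
    // header() only affects the PHP SAPI's HTTP response, not the bytes
    // written to the socket below; kept as-is.
    header("Content-type: application/json");
    $param = json_encode($result);
    send($user->socket, $param);
}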
/**
 * Log the visitor in for the current $DOMAIN.
 *
 * Either an automatic login straight after registration ($auto_login is the
 * new user_id and the caller left the registration row in $ROW), or a form
 * login from lemail_id / lpassword checked through db_do_login(). Any
 * previous session is discarded first. On success the session carries the
 * user's identity, travel/domain fields and the is_admin / is_viewer /
 * is_supervisor / is_superuser flag matching the row's "type".
 *
 * @param int|string $auto_login  0 for a form login, else the user_id to
 *                                log in without a credential check.
 * @return void  Outcome is reported with add_msg() and via $_SESSION.
 */
function do_login($auto_login = 0)
{
    global $GO;
    global $ROW;
    global $DOMAIN;
    // Always start from a clean session, even if one is already active.
    do_logout();
    if ($auto_login) {
        // Post-registration path: $ROW is the row used for registration, so
        // there is no password check. New session id against fixation.
        session_regenerate_id(true);
        $_SESSION['logged_in'] = 1;
        $_SESSION['user_id'] = $auto_login;
        $_SESSION['name'] = $ROW["name"];
        $_SESSION['email_id'] = $ROW["email_id"];
    } else {
        $email = get_arg($_POST, "lemail_id");
        $pass = get_arg($_POST, "lpassword");
        if ($email && $pass) {
            // Validate both fields; a validation failure gets the same
            // generic message as a bad credential.
            $emailOk = validate("Email ID", $email, 5, 100, "EMAIL");
            $bothOk = $emailOk && validate("Password", $pass, 5, 100, "PASSWORD");
            if (!$bothOk) {
                add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
                return;
            }
            // DB LOGIN, scoped to the current domain.
            $ROW = db_do_login($email, $pass, $DOMAIN);
            // NOTE(review): this logs the full row returned by db_do_login()
            // at INFO; if that row carries a credential hash or other
            // sensitive columns they end up in the log -- confirm.
            LOG_ARR("INFO", "ROW", $ROW);
            $hit = $ROW[0];
            if ($hit['STATUS'] == "OK" && $hit["NROWS"] == 1) {
                session_regenerate_id(true);
                $_SESSION['email_id'] = $email;
                $_SESSION['logged_in'] = 1;
                $_SESSION['user_id'] = $hit["user_id"];
                $_SESSION['name'] = $hit["name"];
                // Role flags default to off; the one matching "type" is
                // switched on below.
                foreach (array('is_admin', 'is_supervisor', 'is_superuser', 'is_viewer') as $flag) {
                    $_SESSION[$flag] = 0;
                }
                $_SESSION['travel_id'] = $hit["travel_id"];
                $_SESSION['domain'] = $hit["domain"];
                $_SESSION['travel_name'] = $hit["travel_name"];
                switch ($hit["type"]) {
                    case "ADMIN":
                        $_SESSION['is_admin'] = 1;
                        break;
                    case "VIEWER":
                        $_SESSION['is_viewer'] = 1;
                        break;
                    case "SUPERVISOR":
                        $_SESSION['is_supervisor'] = 1;
                        $_SESSION['supervisor_id'] = $hit["supervisor_id"];
                        break;
                    case "SUPERUSER":
                        $_SESSION['is_superuser'] = 1;
                        break;
                }
                add_msg('SUCCESS', "Welcome " . $hit["name"] . "! </br>");
            }
        }
    }
    // logged_in is only set on a success path above.
    if (empty($_SESSION['logged_in'])) {
        add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
    }
    // NOTE(review): dumps the whole session at INFO level -- confirm this is
    // intended outside of debugging.
    LOG_ARR("INFO", "SESSION", $_SESSION);
}
 /**
  * Admin front controller.
  *
  * Starts the session, normalises the request path, serves static (non-PHP)
  * files that exist under the root, answers the admin json actions, and
  * otherwise renders either the login form or the file manager depending
  * on is_admin().
  *
  * @param string $valid_request  Request path as resolved by the caller,
  *                               relative to the site root.
  * Terminates the request itself in every branch except the final
  * login/filemanager include.
  */
 function __construct($valid_request)
 {
     global $lang, $Login, $dB;
     // @ hides the notice raised when a session is already active.
     @session_start();
     // Redirect plain /admin/index.php access
     if (preg_match('/index\\.php/', $_SERVER['REQUEST_URI'])) {
         $this->redirect($this->base_redirection($this->root_url), 301);
     }
     // Strip the relative root and the admin folder to get the admin-local path.
     $admin_request = sanitize_path(str_replace(sanitize_path(__CHV_FOLDER_ADMIN__), "", str_replace(sanitize_path(__CHV_RELATIVE_ROOT__) . '/', "", $valid_request)));
     // json?blabla instead of (folder?)/admin/json?blabla
     $this->request_array = explode('/', $admin_request);
     // Filesystem path for the raw REQUEST_URI (query string included, so a
     // URL with ?... will not match an existing file).
     $request_file = str_replace('//', '/', __CHV_ROOT_DIR__ . str_replace(__CHV_RELATIVE_ROOT__ == '/' ? '' : __CHV_RELATIVE_ROOT__, '', $_SERVER['REQUEST_URI']));
     // Serve the static file or call the handler?
     // NOTE(review): this runs before any admin check, so every existing
     // file under __CHV_ROOT_DIR__ whose get_mime() result does not contain
     // "php" is readable by anyone who can reach the admin URL. Confirm no
     // non-PHP config, backup or data files live under the root, and that
     // the web server normalises ".." segments before REQUEST_URI is set.
     if (file_exists($request_file) and !is_dir($request_file) and !preg_match('/php/', get_mime($request_file)) and trim($_SERVER['REQUEST_URI'], '/') !== trim(dirname($_SERVER['SCRIPT_NAME']), '/')) {
         error_reporting(0);
         // NOTE(review): this is one Content-Type header whose value
         // contains "; Cache-Control: ...; Pragma: ..."; the cache headers
         // are not emitted as separate headers. One header() call per
         // header is needed for them to take effect.
         header('Content-Type: ' . get_mime($request_file) . '; Cache-Control: no-cache; Pragma: no-cache');
         // readfile() streams the file; its byte count becomes the exit status.
         die(readfile($request_file));
     }
     // Now, deny all direct access to the other resources (existing paths
     // that were not served above) unless the caller is an admin.
     if ((file_exists($request_file) or is_dir($request_file)) and trim($_SERVER['REQUEST_URI'], '/') !== trim(dirname($_SERVER['SCRIPT_NAME']), '/') and !$Login->is_admin()) {
         status_header(403);
         die('Forbidden');
     }
     // Organize the source request: drop the query string from the first segment.
     $request_array_explode = explode('?', $this->request_array[0]);
     $request_base = $request_array_explode[0];
     // Now, lets do sub request according to the base request
     switch ($request_base) {
         case '':
             // admin main: falls through to the login/filemanager include below.
             break;
         case 'json':
             json_prepare();
             // Do a special trick for the json action=login: it is the only
             // action a non-admin may call; everything else answers 401.
             if ($_REQUEST['action'] !== 'login' and !is_admin()) {
                 $json_array = array('status_code' => 401, 'status_txt' => 'unauthorized');
             } elseif ($_REQUEST['action'] == 'login') {
                 // Check for admin match...
                 // NOTE(review): the password comes from $_REQUEST (GET, POST
                 // or cookie); a GET login leaves it in URLs and access logs.
                 $login_user = login_user($_REQUEST['password'], $_REQUEST['keep']);
                 if ($login_user == 'admin') {
                     $json_array = array('status_code' => 200, 'status_txt' => 'logged in');
                 } else {
                     $json_array = array('status_code' => 403, 'status_txt' => 'invalid login');
                 }
             } elseif ($_REQUEST['action'] == 'logout') {
                 do_logout();
                 $json_array = array('status_code' => 200, 'status_txt' => 'logged out');
             } elseif ($_REQUEST['action'] == 'filelist') {
                 // Admin only (guarded by the first branch).
                 require_once __CHV_PATH_CLASSES__ . 'class.filelist.php';
                 $filelist = new FileList($_REQUEST['type'], $_REQUEST['sort'], $_REQUEST['limit'], $_REQUEST['keyword']);
                 $json_array = $filelist->filelist;
             } elseif ($_REQUEST['action'] == 'uploaded') {
                 // In some point there will be a stats class that will help us to output all the stats. This is just the number of uploaded files now.
                 $json_array = array('total' => total_images_uploaded());
                 // The rest of the actions are for the manage class (delete|rename|resize)
             } else {
                 // Admin only (guarded by the first branch); Manage reads the
                 // whole $_REQUEST.
                 require_once __CHV_PATH_ADMIN_CLASSES__ . 'class.manage.php';
                 $manage = new Manage($_REQUEST);
                 if ($manage->dead) {
                     $json_array = array('status_code' => 403, 'status_txt' => $manage->error);
                 } else {
                     $json_array = $manage->process();
                 }
             }
             $json_array = check_value($json_array) ? $json_array : array('status_code' => 403, 'status_txt' => 'empty json');
             die(json_output($json_array));
             break;
         // json
         default:
             // Unknown admin sub-path: 404 for admins, 403 for anyone else.
             if (is_admin()) {
                 status_header(404);
                 die('Not found');
             } else {
                 status_header(403);
                 die('Forbidden');
             }
             break;
     }
     // Send the OK status header
     status_header(200);
     // NOTE(review): two different admin checks are used in this method
     // ($Login->is_admin() above, is_admin() here); presumably equivalent --
     // confirm.
     if (!is_admin()) {
         $doctitle = get_lang_txt('txt_enter_password') . ' - Chevereto File Manager';
         require_once __CHV_PATH_SYSTEM__ . 'login.php';
     } else {
         require_once __CHV_PATH_ADMIN_SYSTEM__ . 'header.php';
         require_once __CHV_PATH_ADMIN_SYSTEM__ . 'filemanager.php';
     }
 }