function userLogin($Name, $Password, $SysAdminEmail = '', $db)
{
global $debug;
global $PathPrefix;
if (!isset($_SESSION['AccessLevel']) or $_SESSION['AccessLevel'] == '' or isset($Name) and $Name != '') {
/* if not logged in */
$_SESSION['AccessLevel'] = '';
$_SESSION['CustomerID'] = '';
$_SESSION['UserBranch'] = '';
$_SESSION['SalesmanLogin'] = '';
$_SESSION['Module'] = '';
$_SESSION['PageSize'] = '';
$_SESSION['UserStockLocation'] = '';
$_SESSION['AttemptsCounter']++;
// Show login screen
if (!isset($Name) or $Name == '') {
$_SESSION['DatabaseName'] = '';
$_SESSION['CompanyName'] = '';
return UL_SHOWLOGIN;
}
/* The SQL to get the user info must use the * syntax because the field name could change between versions if the fields are specifed directly then the sql fails and the db upgrade will fail */
$sql = "SELECT *\n\t\t\t\tFROM www_users\n\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$ErrMsg = _('Could not retrieve user details on login because');
$debug = 1;
$PasswordVerified = false;
$Auth_Result = DB_query($sql, $ErrMsg);
if (DB_num_rows($Auth_Result) > 0) {
$myrow = DB_fetch_array($Auth_Result);
if (VerifyPass($Password, $myrow['password'])) {
$PasswordVerified = true;
} elseif (isset($GLOBALS['CryptFunction'])) {
/*if the password stored in the DB was compiled the old way,
* the previous comparison will fail,
* try again with the old hashing algorithm,
* then re-hash the password using the new algorithm.
* The next version should not have $CryptFunction any more for new installs.
*/
switch ($GLOBALS['CryptFunction']) {
case 'sha1':
if ($myrow['password'] == sha1($Password)) {
$PasswordVerified = true;
}
break;
case 'md5':
if ($myrow['password'] == md5($Password)) {
$PasswordVerified = true;
}
break;
default:
if ($myrow['password'] == $Password) {
$PasswordVerified = true;
}
}
if ($PasswordVerified) {
$sql = "UPDATE www_users SET password = '******'" . " WHERE userid = '" . $Name . "';";
DB_query($sql);
}
}
}
// Populate session variables with data base results
if ($PasswordVerified) {
if ($myrow['blocked'] == 1) {
//the account is blocked
return UL_BLOCKED;
}
/*reset the attempts counter on successful login */
$_SESSION['UserID'] = $myrow['userid'];
$_SESSION['AttemptsCounter'] = 0;
$_SESSION['AccessLevel'] = $myrow['fullaccess'];
$_SESSION['CustomerID'] = $myrow['customerid'];
$_SESSION['UserBranch'] = $myrow['branchcode'];
$_SESSION['DefaultPageSize'] = $myrow['pagesize'];
$_SESSION['UserStockLocation'] = $myrow['defaultlocation'];
$_SESSION['UserEmail'] = $myrow['email'];
$_SESSION['ModulesEnabled'] = explode(",", $myrow['modulesallowed']);
$_SESSION['UsersRealName'] = $myrow['realname'];
$_SESSION['Theme'] = $myrow['theme'];
$_SESSION['Language'] = $myrow['language'];
$_SESSION['SalesmanLogin'] = $myrow['salesman'];
$_SESSION['CanCreateTender'] = $myrow['cancreatetender'];
$_SESSION['AllowedDepartment'] = $myrow['department'];
$_SESSION['ShowDashboard'] = $myrow['showdashboard'];
if (isset($myrow['pdflanguage'])) {
$_SESSION['PDFLanguage'] = $myrow['pdflanguage'];
} else {
$_SESSION['PDFLanguage'] = '0';
//default to latin western languages
}
if ($myrow['displayrecordsmax'] > 0) {
$_SESSION['DisplayRecordsMax'] = $myrow['displayrecordsmax'];
} else {
$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax'];
// default comes from config.php
}
$sql = "UPDATE www_users SET lastvisitdate='" . date('Y-m-d H:i:s') . "'\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql);
/*get the security tokens that the user has access to */
$sql = "SELECT tokenid\n\t\t\t\t\tFROM securitygroups\n\t\t\t\t\tWHERE secroleid = '" . $_SESSION['AccessLevel'] . "'";
$Sec_Result = DB_query($sql);
$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result) == 0) {
return UL_CONFIGERR;
} else {
$i = 0;
$UserIsSysAdmin = FALSE;
while ($myrow = DB_fetch_row($Sec_Result)) {
if ($myrow[0] == 15) {
$UserIsSysAdmin = TRUE;
}
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}
/*User is logged in so get configuration parameters - save in session*/
include $PathPrefix . 'includes/GetConfig.php';
if (isset($_SESSION['DB_Maintenance'])) {
if ($_SESSION['DB_Maintenance'] > 0) {
//run the DB maintenance script
if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['DB_Maintenance_LastRun']), 'd') >= $_SESSION['DB_Maintenance']) {
/*Do the DB maintenance routing for the DB_type selected */
DB_Maintenance();
$_SESSION['DB_Maintenance_LastRun'] = Date('Y-m-d');
/* Audit trail purge only runs if DB_Maintenance is enabled */
if (isset($_SESSION['MonthsAuditTrail'])) {
$sql = "DELETE FROM audittrail\n\t\t\t\t\t\t\t\t\tWHERE transactiondate <= '" . Date('Y-m-d', mktime(0, 0, 0, Date('m') - $_SESSION['MonthsAuditTrail'])) . "'";
$ErrMsg = _('There was a problem deleting expired audit-trail history');
$result = DB_query($sql);
}
}
}
}
/*Check to see if currency rates need to be updated */
if (isset($_SESSION['UpdateCurrencyRatesDaily'])) {
if ($_SESSION['UpdateCurrencyRatesDaily'] != 0) {
/* Only run the update to currency rates if today is after the last update i.e. only runs once a day */
if (DateDiff(Date($_SESSION['DefaultDateFormat']), ConvertSQLDate($_SESSION['UpdateCurrencyRatesDaily']), 'd') > 0) {
if ($_SESSION['ExchangeRateFeed'] == 'ECB') {
$CurrencyRates = GetECBCurrencyRates();
// gets rates from ECB see includes/MiscFunctions.php
/*Loop around the defined currencies and get the rate from ECB */
if ($CurrencyRates != false) {
$CurrenciesResult = DB_query("SELECT currabrev FROM currencies");
while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) {
if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) {
$UpdateCurrRateResult = DB_query("UPDATE currencies SET rate='" . GetCurrencyRate($CurrencyRow[0], $CurrencyRates) . "'\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE currabrev='" . $CurrencyRow[0] . "'", $db);
}
}
}
} else {
$CurrenciesResult = DB_query("SELECT currabrev FROM currencies");
while ($CurrencyRow = DB_fetch_row($CurrenciesResult)) {
if ($CurrencyRow[0] != $_SESSION['CompanyRecord']['currencydefault']) {
$UpdateCurrRateResult = DB_query("UPDATE currencies SET rate='" . google_currency_rate($CurrencyRow[0]) . "'\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE currabrev='" . $CurrencyRow[0] . "'", $db);
}
}
}
$_SESSION['UpdateCurrencyRatesDaily'] = Date('Y-m-d');
$UpdateConfigResult = DB_query("UPDATE config SET confvalue = '" . Date('Y-m-d') . "' WHERE confname='UpdateCurrencyRatesDaily'");
}
}
}
/* Set the logo if not yet set.
* will be done only once per session and each time
* we are not in session (i.e. before login)
*/
if (empty($_SESSION['LogoFile'])) {
/* find a logo in companies/CompanyDir */
if (file_exists($PathPrefix . 'companies/' . $_SESSION['DatabaseName'] . '/logo.png')) {
$_SESSION['LogoFile'] = 'companies/' . $_SESSION['DatabaseName'] . '/logo.png';
} elseif (file_exists($PathPrefix . 'companies/' . $_SESSION['DatabaseName'] . '/logo.jpg')) {
$_SESSION['LogoFile'] = 'companies/' . $_SESSION['DatabaseName'] . '/logo.jpg';
}
}
if (!isset($_SESSION['DB_Maintenance'])) {
return UL_CONFIGERR;
} else {
if ($_SESSION['DB_Maintenance'] == -1 and !in_array(15, $_SESSION['AllowedPageSecurityTokens'])) {
// the configuration setting has been set to -1 ==> Allow SysAdmin Access Only
// the user is NOT a SysAdmin
return UL_MAINTENANCE;
}
}
} else {
// Incorrect password
// 5 login attempts, show failed login screen
if (!isset($_SESSION['AttemptsCounter'])) {
$_SESSION['AttemptsCounter'] = 0;
} elseif ($_SESSION['AttemptsCounter'] >= 5 and isset($Name)) {
/*User blocked from future accesses until sysadmin releases */
$sql = "UPDATE www_users\n\t\t\t\t\t\t\tSET blocked=1\n\t\t\t\t\t\t\tWHERE www_users.userid='" . $Name . "'";
$Auth_Result = DB_query($sql);
if ($SysAdminEmail != '') {
$EmailSubject = _('User access blocked') . ' ' . $Name;
$EmailText = _('User ID') . ' ' . $Name . ' - ' . $Password . ' - ' . _('has been blocked access at') . ' ' . Date('Y-m-d H:i:s') . ' ' . _('from IP') . ' ' . $_SERVER["REMOTE_ADDR"] . ' ' . _('due to too many failed attempts.');
if ($_SESSION['SmtpSetting'] == 0) {
mail($SysAdminEmail, $EmailSubject, $EmailText);
} else {
include 'includes/htmlMimeMail.php';
$mail = new htmlMimeMail();
$mail->setSubject($EmailSubject);
$mail->setText($EmailText);
$result = SendmailBySmtp($mail, array($SysAdminEmail));
}
}
return UL_BLOCKED;
}
return UL_NOTVALID;
}
}
// End of userid/password check
// Run with debugging messages for the system administrator(s) but not anyone else
return UL_OK;
/* All is well */
}
function GetCurrencyRate($CurrCode, $CurrencyRates)
{
if ((!isset($CurrenciesArray[$CurrCode]) or !isset($CurrenciesArray[$_SESSION['CompanyRecord']['currencydefault']])) and $_SESSION['UpdateCurrencyRatesDaily'] != '0') {
return google_currency_rate($CurrCode);
} elseif ($CurrCode == 'EUR') {
if ($CurrencyRates[$_SESSION['CompanyRecord']['currencydefault']] == 0) {
return 0;
} else {
return 1 / $CurrencyRates[$_SESSION['CompanyRecord']['currencydefault']];
}
} else {
if (!isset($CurrencyRates[$_SESSION['CompanyRecord']['currencydefault']]) or $CurrencyRates[$_SESSION['CompanyRecord']['currencydefault']] == 0) {
return 0;
} else {
return $CurrencyRates[$CurrCode] / $CurrencyRates[$_SESSION['CompanyRecord']['currencydefault']];
}
}
}
