function hesk_autoLogin($noredirect = 0) { global $hesk_settings, $hesklang, $hesk_db_link; if (!$hesk_settings['autologin']) { return false; } $user = hesk_htmlspecialchars(hesk_COOKIE('hesk_username')); $hash = hesk_htmlspecialchars(hesk_COOKIE('hesk_p')); define('HESK_USER', $user); if (empty($user) || empty($hash)) { return false; } /* Login cookies exist, now lets limit brute force attempts */ hesk_limitBfAttempts(); /* Check username */ $result = hesk_dbQuery('SELECT * FROM `' . $hesk_settings['db_pfix'] . "users` WHERE `user` = '" . hesk_dbEscape($user) . "' LIMIT 1"); if (hesk_dbNumRows($result) != 1) { setcookie('hesk_username', ''); setcookie('hesk_p', ''); header('Location: index.php?a=login¬ice=1'); exit; } $res = hesk_dbFetchAssoc($result); /* Check password */ if ($hash != hesk_Pass2Hash($res['pass'] . strtolower($user) . $res['pass'])) { setcookie('hesk_username', ''); setcookie('hesk_p', ''); header('Location: index.php?a=login¬ice=1'); exit; } // Set user details foreach ($res as $k => $v) { $_SESSION[$k] = $v; } /* Check if default password */ if ($_SESSION['pass'] == '499d74967b28a841c98bb4baaabaad699ff3c079') { hesk_process_messages($hesklang['chdp'], 'NOREDIRECT', 'NOTICE'); } // Set a tag that will be used to expire sessions after username or password change $_SESSION['session_verify'] = hesk_activeSessionCreateTag($user, $_SESSION['pass']); // We don't need the password hash anymore unset($_SESSION['pass']); /* Login successful, clean brute force attempts */ hesk_cleanBfAttempts(); /* Regenerate session ID (security) */ hesk_session_regenerate_id(); /* Get allowed categories */ if (empty($_SESSION['isadmin'])) { $_SESSION['categories'] = explode(',', $_SESSION['categories']); } /* Renew cookies */ setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', "{$hash}", strtotime('+1 year')); /* Close any old tickets here so Cron jobs aren't necessary */ if ($hesk_settings['autoclose']) { $revision = sprintf($hesklang['thist3'], hesk_date(), $hesklang['auto']); $dt = date('Y-m-d H:i:s', time() - $hesk_settings['autoclose'] * 86400); // Notify customer of closed ticket? if ($hesk_settings['notify_closed']) { // Get list of tickets $result = hesk_dbQuery("SELECT * FROM `" . $hesk_settings['db_pfix'] . "tickets` WHERE `status` = '2' AND `lastchange` <= '" . hesk_dbEscape($dt) . "' "); if (hesk_dbNumRows($result) > 0) { global $ticket; // Load required functions? if (!function_exists('hesk_notifyCustomer')) { require HESK_PATH . 'inc/email_functions.inc.php'; } while ($ticket = hesk_dbFetchAssoc($result)) { $ticket['dt'] = hesk_date($ticket['dt'], true); $ticket['lastchange'] = hesk_date($ticket['lastchange'], true); $ticket = hesk_ticketToPlain($ticket, 1, 0); hesk_notifyCustomer('ticket_closed'); } } } // Update ticket statuses and history in database hesk_dbQuery("UPDATE `" . $hesk_settings['db_pfix'] . "tickets` SET `status`='3', `closedat`=NOW(), `closedby`='-1', `history`=CONCAT(`history`,'" . hesk_dbEscape($revision) . "') WHERE `status` = '2' AND `lastchange` <= '" . hesk_dbEscape($dt) . "' "); } /* If session expired while a HESK page is open just continue using it, don't redirect */ if ($noredirect) { return true; } /* Redirect to the destination page */ header('Location: ' . hesk_verifyGoto()); exit; }
function do_login() { global $hesk_settings, $hesklang; $hesk_error_buffer = array(); $user = hesk_input(hesk_POST('user')); if (empty($user)) { $myerror = $hesk_settings['list_users'] ? $hesklang['select_username'] : $hesklang['enter_username']; $hesk_error_buffer['user'] = $myerror; } define('HESK_USER', $user); $pass = hesk_input(hesk_POST('pass')); if (empty($pass)) { $hesk_error_buffer['pass'] = $hesklang['enter_pass']; } if ($hesk_settings['secimg_use'] == 2 && !isset($_SESSION['img_a_verified'])) { // Using ReCaptcha? if ($hesk_settings['recaptcha_use'] == 1) { require_once HESK_PATH . 'inc/recaptcha/recaptchalib.php'; $resp = recaptcha_check_answer($hesk_settings['recaptcha_private_key'], $_SERVER['REMOTE_ADDR'], hesk_POST('recaptcha_challenge_field', ''), hesk_POST('recaptcha_response_field', '')); if ($resp->is_valid) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error']; } } elseif ($hesk_settings['recaptcha_use'] == 2) { require HESK_PATH . 'inc/recaptcha/recaptchalib_v2.php'; $resp = null; $reCaptcha = new ReCaptcha($hesk_settings['recaptcha_private_key']); // Was there a reCAPTCHA response? if (isset($_POST["g-recaptcha-response"])) { $resp = $reCaptcha->verifyResponse($_SERVER["REMOTE_ADDR"], hesk_POST("g-recaptcha-response")); } if ($resp != null && $resp->success) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error']; } } else { $mysecnum = intval(hesk_POST('mysecnum', 0)); if (empty($mysecnum)) { $hesk_error_buffer['mysecnum'] = $hesklang['sec_miss']; } else { require HESK_PATH . 'inc/secimg.inc.php'; $sc = new PJ_SecurityImage($hesk_settings['secimg_sum']); if (isset($_SESSION['checksum']) && $sc->checkCode($mysecnum, $_SESSION['checksum'])) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['sec_wrng']; } } } } /* Any missing fields? */ if (count($hesk_error_buffer) != 0) { $_SESSION['a_iserror'] = array_keys($hesk_error_buffer); $tmp = ''; foreach ($hesk_error_buffer as $error) { $tmp .= "<li>{$error}</li>\n"; } $hesk_error_buffer = $tmp; $hesk_error_buffer = $hesklang['pcer'] . '<br /><br /><ul>' . $hesk_error_buffer . '</ul>'; hesk_process_messages($hesk_error_buffer, 'NOREDIRECT'); print_login(); exit; } elseif (isset($_SESSION['img_a_verified'])) { unset($_SESSION['img_a_verified']); } /* User entered all required info, now lets limit brute force attempts */ hesk_limitBfAttempts(); $result = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `user` = '" . hesk_dbEscape($user) . "' LIMIT 1"); if (hesk_dbNumRows($result) != 1) { hesk_session_stop(); $_SESSION['a_iserror'] = array('user', 'pass'); hesk_process_messages($hesklang['wrong_user'], 'NOREDIRECT'); print_login(); exit; } $res = hesk_dbFetchAssoc($result); foreach ($res as $k => $v) { $_SESSION[$k] = $v; } /* Check password */ if (hesk_Pass2Hash($pass) != $_SESSION['pass']) { hesk_session_stop(); $_SESSION['a_iserror'] = array('pass'); hesk_process_messages($hesklang['wrong_pass'], 'NOREDIRECT'); print_login(); exit; } $pass_enc = hesk_Pass2Hash($_SESSION['pass'] . strtolower($user) . $_SESSION['pass']); /* Check if default password */ if ($_SESSION['pass'] == '499d74967b28a841c98bb4baaabaad699ff3c079') { hesk_process_messages($hesklang['chdp'], 'NOREDIRECT', 'NOTICE'); } // Set a tag that will be used to expire sessions after username or password change $_SESSION['session_verify'] = hesk_activeSessionCreateTag($user, $_SESSION['pass']); // We don't need the password hash anymore unset($_SESSION['pass']); /* Login successful, clean brute force attempts */ hesk_cleanBfAttempts(); /* Make sure our user is active */ if (!$_SESSION['active']) { hesk_session_stop(); $_SESSION['a_iserror'] = array('active'); hesk_process_messages($hesklang['inactive_user'], 'NOREDIRECT'); print_login(); exit; } /* Regenerate session ID (security) */ hesk_session_regenerate_id(); /* Remember username? */ if ($hesk_settings['autologin'] && hesk_POST('remember_user') == 'AUTOLOGIN') { setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', "{$pass_enc}", strtotime('+1 year')); } elseif (hesk_POST('remember_user') == 'JUSTUSER') { setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', ''); } else { // Expire cookie if set otherwise setcookie('hesk_username', ''); setcookie('hesk_p', ''); } /* Close any old tickets here so Cron jobs aren't necessary */ if ($hesk_settings['autoclose']) { $revision = sprintf($hesklang['thist3'], hesk_date(), $hesklang['auto']); $dt = date('Y-m-d H:i:s', time() - $hesk_settings['autoclose'] * 86400); $closedStatusRs = hesk_dbQuery('SELECT `ID`, `Closable` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `IsDefaultStaffReplyStatus` = 1'); $closedStatus = hesk_dbFetchAssoc($closedStatusRs); // Are we allowed to close tickets in this status? if ($closedStatus['Closable'] == 'yes' || $closedStatus['Closable'] == 'sonly') { // Notify customer of closed ticket? if ($hesk_settings['notify_closed']) { // Get list of tickets $result = hesk_dbQuery("SELECT * FROM `" . $hesk_settings['db_pfix'] . "tickets` WHERE `status` = " . $closedStatus['ID'] . " AND `lastchange` <= '" . hesk_dbEscape($dt) . "' "); if (hesk_dbNumRows($result) > 0) { global $ticket; // Load required functions? if (!function_exists('hesk_notifyCustomer')) { require HESK_PATH . 'inc/email_functions.inc.php'; } while ($ticket = hesk_dbFetchAssoc($result)) { $ticket['dt'] = hesk_date($ticket['dt'], true); $ticket['lastchange'] = hesk_date($ticket['lastchange'], true); $ticket = hesk_ticketToPlain($ticket, 1, 0); hesk_notifyCustomer('ticket_closed'); } } } // Update ticket statuses and history in database if we're allowed to do so $defaultCloseRs = hesk_dbQuery('SELECT `ID` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `IsAutocloseOption` = 1'); $defaultCloseStatus = hesk_dbFetchAssoc($defaultCloseRs); hesk_dbQuery("UPDATE `" . $hesk_settings['db_pfix'] . "tickets` SET `status`=" . intval($defaultCloseStatus['ID']) . ", `closedat`=NOW(), `closedby`='-1', `history`=CONCAT(`history`,'" . hesk_dbEscape($revision) . "') WHERE `status` = '" . $closedStatus['ID'] . "' AND `lastchange` <= '" . hesk_dbEscape($dt) . "' "); } } /* Redirect to the destination page */ header('Location: ' . hesk_verifyGoto()); exit; }
if ($row['ip'] != $_SERVER['REMOTE_ADDR']) { hesk_limitBfAttempts(); hesk_process_messages($hesklang['ehaip'], 'NOREDIRECT'); } else { // Expire all verification hashes for this user hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "reset_password` WHERE `user`=" . intval($row['user'])); // Load additional required functions require HESK_PATH . 'inc/admin_functions.inc.php'; // Get user details $res = hesk_dbQuery('SELECT * FROM `' . $hesk_settings['db_pfix'] . "users` WHERE `id`=" . intval($row['user']) . " LIMIT 1"); $row = hesk_dbFetchAssoc($res); foreach ($row as $k => $v) { $_SESSION[$k] = $v; } // Set a tag that will be used to expire sessions after username or password change $_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['user'], $_SESSION['pass']); // We don't need the password hash anymore unset($_SESSION['pass']); // Clean brute force attempts hesk_cleanBfAttempts(); // Regenerate session ID (security) hesk_session_regenerate_id(); // Get allowed categories if (empty($_SESSION['isadmin'])) { $_SESSION['categories'] = explode(',', $_SESSION['categories']); } // Redirect to the profile page hesk_process_messages($hesklang['resim'], 'profile.php', 'NOTICE'); exit; } // End IP matches
function update_profile() { global $hesk_settings, $hesklang, $can_view_unassigned; /* A security check */ hesk_token_check('POST'); $sql_pass = ''; $sql_username = ''; $hesk_error_buffer = ''; $_SESSION['new']['name'] = hesk_input(hesk_POST('name')) or $hesk_error_buffer .= '<li>' . $hesklang['enter_your_name'] . '</li>'; $_SESSION['new']['email'] = hesk_validateEmail(hesk_POST('email'), 'ERR', 0) or $hesk_error_buffer = '<li>' . $hesklang['enter_valid_email'] . '</li>'; $_SESSION['new']['signature'] = hesk_input(hesk_POST('signature')); /* Signature */ if (strlen($_SESSION['new']['signature']) > 1000) { $hesk_error_buffer .= '<li>' . $hesklang['signature_long'] . '</li>'; } /* Admins can change username */ if ($_SESSION['isadmin']) { $_SESSION['new']['user'] = hesk_input(hesk_POST('user')) or $hesk_error_buffer .= '<li>' . $hesklang['enter_username'] . '</li>'; /* Check for duplicate usernames */ $result = hesk_dbQuery("SELECT `id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `user`='" . hesk_dbEscape($_SESSION['new']['user']) . "' AND `id`!='" . intval($_SESSION['id']) . "' LIMIT 1"); if (hesk_dbNumRows($result) != 0) { $hesk_error_buffer .= '<li>' . $hesklang['duplicate_user'] . '</li>'; } else { $sql_username = "******" . hesk_dbEscape($_SESSION['new']['user']) . "'"; } } /* Change password? */ $newpass = hesk_input(hesk_POST('newpass')); $passlen = strlen($newpass); if ($passlen > 0) { /* At least 5 chars? */ if ($passlen < 5) { $hesk_error_buffer .= '<li>' . $hesklang['password_not_valid'] . '</li>'; } else { $newpass2 = hesk_input(hesk_POST('newpass2')); if ($newpass != $newpass2) { $hesk_error_buffer .= '<li>' . $hesklang['passwords_not_same'] . '</li>'; } else { $newpass_hash = hesk_Pass2Hash($newpass); if ($newpass_hash == '499d74967b28a841c98bb4baaabaad699ff3c079') { define('WARN_PASSWORD', true); } $sql_pass = '******'' . $newpass_hash . '\''; } } } /* After reply */ $_SESSION['new']['afterreply'] = intval(hesk_POST('afterreply')); if ($_SESSION['new']['afterreply'] != 1 && $_SESSION['new']['afterreply'] != 2) { $_SESSION['new']['afterreply'] = 0; } // Defaults $_SESSION['new']['autostart'] = isset($_POST['autostart']) ? 1 : 0; $_SESSION['new']['notify_customer_new'] = isset($_POST['notify_customer_new']) ? 1 : 0; $_SESSION['new']['notify_customer_reply'] = isset($_POST['notify_customer_reply']) ? 1 : 0; $_SESSION['new']['show_suggested'] = isset($_POST['show_suggested']) ? 1 : 0; /* Notifications */ $_SESSION['new']['notify_new_unassigned'] = empty($_POST['notify_new_unassigned']) || !$can_view_unassigned ? 0 : 1; $_SESSION['new']['notify_new_my'] = empty($_POST['notify_new_my']) ? 0 : 1; $_SESSION['new']['notify_reply_unassigned'] = empty($_POST['notify_reply_unassigned']) || !$can_view_unassigned ? 0 : 1; $_SESSION['new']['notify_reply_my'] = empty($_POST['notify_reply_my']) ? 0 : 1; $_SESSION['new']['notify_assigned'] = empty($_POST['notify_assigned']) ? 0 : 1; $_SESSION['new']['notify_note'] = empty($_POST['notify_note']) ? 0 : 1; $_SESSION['new']['notify_pm'] = empty($_POST['notify_pm']) ? 0 : 1; /* Any errors? */ if (strlen($hesk_error_buffer)) { /* Process the session variables */ $_SESSION['new'] = hesk_stripArray($_SESSION['new']); $hesk_error_buffer = $hesklang['rfm'] . '<br /><br /><ul>' . $hesk_error_buffer . '</ul>'; hesk_process_messages($hesk_error_buffer, 'NOREDIRECT'); } else { /* Update database */ hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` SET\n\t\t`name`='" . hesk_dbEscape($_SESSION['new']['name']) . "',\n\t\t`email`='" . hesk_dbEscape($_SESSION['new']['email']) . "',\n\t\t`signature`='" . hesk_dbEscape($_SESSION['new']['signature']) . "'\n\t\t{$sql_username}\n\t\t{$sql_pass} ,\n\t\t`afterreply`='" . $_SESSION['new']['afterreply'] . "' ,\n\t\t" . ($hesk_settings['time_worked'] ? "`autostart`='" . $_SESSION['new']['autostart'] . "'," : '') . "\n\t\t`notify_customer_new`='" . $_SESSION['new']['notify_customer_new'] . "' ,\n\t\t`notify_customer_reply`='" . $_SESSION['new']['notify_customer_reply'] . "' ,\n\t\t`show_suggested`='" . $_SESSION['new']['show_suggested'] . "' ,\n\t\t`notify_new_unassigned`='" . $_SESSION['new']['notify_new_unassigned'] . "' ,\n\t\t`notify_new_my`='" . $_SESSION['new']['notify_new_my'] . "' ,\n\t\t`notify_reply_unassigned`='" . $_SESSION['new']['notify_reply_unassigned'] . "' ,\n\t\t`notify_reply_my`='" . $_SESSION['new']['notify_reply_my'] . "' ,\n\t\t`notify_assigned`='" . $_SESSION['new']['notify_assigned'] . "' ,\n\t\t`notify_pm`='" . $_SESSION['new']['notify_pm'] . "',\n\t\t`notify_note`='" . $_SESSION['new']['notify_note'] . "'\n\t\tWHERE `id`='" . intval($_SESSION['id']) . "' LIMIT 1"); /* Process the session variables */ $_SESSION['new'] = hesk_stripArray($_SESSION['new']); // Do we need a new session_veify tag? if (strlen($sql_username) && strlen($sql_pass)) { $_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['new']['user'], $newpass_hash); } elseif (strlen($sql_pass)) { $_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['user'], $newpass_hash); } elseif (strlen($sql_username)) { $res = hesk_dbQuery('SELECT `pass` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `id` = '" . intval($_SESSION['id']) . "' LIMIT 1"); $_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['new']['user'], hesk_dbResult($res)); } /* Update session variables */ foreach ($_SESSION['new'] as $k => $v) { $_SESSION[$k] = $v; } unset($_SESSION['new']); hesk_cleanSessionVars('as_notify'); hesk_process_messages($hesklang['profile_updated_success'], 'profile.php', 'SUCCESS'); } }