Example #1
0
 function checkFields($aData, $zData = false)
 {
     // Checks fields before submission of data.
     global $_AUTH, $_DB, $_PE, $_SETT;
     // Mandatory fields.
     $this->aCheckMandatory = array('name', 'institute', 'address', 'city', 'countryid', 'email', 'username');
     // These password fields are only not mandatory when we're editing.
     if (ACTION != 'edit') {
         $this->aCheckMandatory[] = 'password_1';
         $this->aCheckMandatory[] = 'password_2';
     }
     parent::checkFields($aData);
     // Email address.
     if (!empty($aData['email'])) {
         $aEmail = explode("\r\n", $aData['email']);
         foreach ($aEmail as $sEmail) {
             if (!lovd_matchEmail($sEmail)) {
                 lovd_errorAdd('email', 'Email "' . htmlspecialchars($sEmail) . '" is not a correct email address' . ($sEmail && $sEmail == trim($sEmail) ? '' : '. Make sure there are no spaces or empty lines left in the email field') . '.');
             }
         }
     }
     if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'create') {
         // Check username format.
         if ($aData['username'] && !lovd_matchUsername($aData['username'])) {
             lovd_errorAdd('username', 'Please fill in a correct username; 4 to 20 characters and starting with a letter followed by letters, numbers, dots, underscores and dashes only.');
         }
     }
     if (in_array(ACTION, array('create', 'register'))) {
         // Does the username exist already?
         if ($aData['username']) {
             if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_USERS . ' WHERE username = ?', array($aData['username']))->fetchColumn()) {
                 lovd_errorAdd('username', 'There is already a user with this username. Please choose another one.');
             }
         }
     }
     // One of two password fields entered... check 'em.
     if ($aData['password_1'] || $aData['password_2']) {
         if ($aData['password_1'] && $aData['password_2']) {
             // Both entered.
             if ($aData['password_1'] != $aData['password_2']) {
                 lovd_errorAdd('password_2', 'The \'' . (in_array(ACTION, array('edit', 'change_password')) ? 'New p' : 'P') . 'assword\' fields are not equal. Please try again.');
             } else {
                 // Password quality.
                 if (!lovd_matchPassword($aData['password_1'])) {
                     lovd_errorAdd('password_1', 'Your password is found too weak. Please fill in a proper password; at least 4 characters long and containing at least one number or special character.');
                 }
             }
         } else {
             if (in_array(ACTION, array('edit', 'change_password'))) {
                 lovd_errorAdd('password_2', 'If you want to change the current password, please fill in both \'New password\' fields.');
             } else {
                 lovd_errorAdd('password_2', 'Please fill in both \'Password\' fields.');
             }
         }
     }
     // Check given security IP range.
     if (!empty($aData['allowed_ip'])) {
         // This function will throw an error itself (second argument).
         $bIP = lovd_matchIPRange($aData['allowed_ip'], 'allowed_ip');
         if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'edit' && $_PE[1] == $_AUTH['id']) {
             // Check given security IP range.
             if ($bIP && !lovd_validateIP($aData['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
                 // This IP range is not allowing the current IP to connect. This ain't right.
                 // If IP address is actually IPv6, then complain that we can't restrict at all.
                 // Otherwise, be clear the current setting just doesn't match.
                 if (strpos($_SERVER['REMOTE_ADDR'], ':') !== false) {
                     // IPv6...
                     lovd_errorAdd('allowed_ip', 'Your current IP address is IPv6 (' . $_SERVER['REMOTE_ADDR'] . '), which is not supported by LOVD to restrict access to your account.');
                 } else {
                     lovd_errorAdd('allowed_ip', 'Your current IP address is not matched by the given IP range. This would mean you would not be able to get access to LOVD with this IP range.');
                 }
             }
         }
     } else {
         // We're not sure if $aData == $_POST. But we'll just do this. It can't harm I guess.
         $_POST['allowed_ip'] = '*';
     }
     // Level can't be higher or equal than the current user.
     if (!empty($aData['level']) && $aData['level'] >= $_AUTH['level']) {
         lovd_writeLog('Error', 'HackAttempt', 'Tried to upgrade user ID ' . $_PE[1] . ' to level ' . $_SETT['user_levels'][$aData['level']] . ')');
         lovd_errorAdd('level', 'User level is not permitted. Hack attempt.');
     }
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }
Example #2
0
        $_AUTH['saved_work'] = !empty($_AUTH['saved_work']) ? $_AUTH['saved_work'][0] == 'a' ? unserialize($_AUTH['saved_work']) : json_decode($_AUTH['saved_work']) : array();
        // Get an array of IDs of users that share their permissions with current user.
        $q = $_DB->query('SELECT userid_from, allow_edit FROM ' . TABLE_COLLEAGUES . ' WHERE userid_to = ?', array($_AUTH['id']), false);
        if ($q === false) {
            // Query to TABLE_COLLEAGUES failed (note: this table was introduced in 3.0-14e).
            // FIXME: This if can be removed (and the above query made required)
            // when we stop supporting upgrading from 3.0-15 or before.
            $_AUTH['colleagues_from'] = array();
        } else {
            $_AUTH['colleagues_from'] = $q->fetchAllCombine();
        }
    }
}
// IP based blocking.
if ($_AUTH && $_AUTH['allowed_ip']) {
    if (!lovd_validateIP($_AUTH['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
        // Log the user out.
        session_destroy();
        $_AUTH = false;
        $_SESSION['currdb'] = false;
        $_T->printHeader();
        $_T->printTitle('Access denied');
        lovd_showInfoTable('Your current IP address does not allow you access using this username.', 'stop');
        $_T->printFooter();
        exit;
    }
}
if (!$_AUTH) {
    // We need to check for cookies, so set whatever and check whether it's there later...
    if (!isset($_COOKIE['lovd_cookie_check'])) {
        // @ is to suppress errors in Travis test.
Example #3
0
    $_POST['referer'] = '';
}
// Force use of cookies!
if (!empty($_POST)) {
    if (!isset($_COOKIE['lovd_cookie_check'])) {
        // We might not have that checking cookie if this is the first page. So we want to complain only if the form has been submitted.
        lovd_errorAdd('', 'Cookies must be enabled before you can log in. Please enable cookies or lower your browser\'s security settings.');
    } else {
        // We're now also accepting unlocking accounts.
        if (!empty($_POST['username']) && !empty($_POST['password'])) {
            // First, retrieve account information.
            $zUser = $_DB->query('SELECT * FROM ' . TABLE_USERS . ' WHERE username = ?', array($_POST['username']))->fetchAssoc();
            if ($zUser) {
                // The user exists, now check account unlocking, locked accounts, successful and unsuccessful logins.
                // Instead of having inc-auth.php stop the user when his IP is not allowed to log in, it's better to do that here.
                if ($zUser['allowed_ip'] && !lovd_validateIP($zUser['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
                    lovd_writeLog('Auth', 'AuthError', $_SERVER['REMOTE_ADDR'] . ' (' . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ') is not in IP allow list for ' . $_POST['username'] . ': "' . $zUser['allowed_ip'] . '"');
                    // Provide manager information, so that the user knows where to go for help.
                    $aManagers = $_DB->query('SELECT name, email FROM ' . TABLE_USERS . ' WHERE level = ? ORDER BY name', array(LEVEL_MANAGER))->fetchAllAssoc();
                    if (!$aManagers) {
                        $aManagers = array($_SETT['admin']);
                    }
                    $sManagers = 'For technical assistance, please contact ' . (count($aManagers) == 1 ? 'the system\'s manager' : 'one of the system\'s managers') . ':';
                    foreach ($aManagers as $aManager) {
                        $sManagers .= '<BR><A href="mailto:' . str_replace(array("\r\n", "\r", "\n"), ', ', trim($aManager['email'])) . '">' . $aManager['name'] . '</A>';
                    }
                    lovd_errorAdd('', 'Your current IP address does not allow you access using this username. ' . $sManagers);
                } elseif ($zUser['password_autogen'] && lovd_verifyPassword($_POST['password'], $zUser['password_autogen']) && $_CONF['allow_unlock_accounts']) {
                    // Successfully unlocking an account! Log user in.
                    $_SESSION['auth'] = $zUser;
                    $_AUTH =& $_SESSION['auth'];