} else { // See if the temporary cookie was found. If yes, then the // browser does support cookies. If not, then we disable // the use of cookies. if (!isset($_COOKIE['phorum_tmp_cookie'])) { $PHORUM['use_cookies'] = PHORUM_NO_COOKIES; } // Check if the login credentials are right. $user_id = phorum_api_user_authenticate(PHORUM_FORUM_SESSION, $_POST['username'], $_POST['password']); // They are. Setup the active user and start a Phorum session. if ($user_id) { // Make the authenticated user the active Phorum user // and start a Phorum user session. Because this is a fresh // login, we can enable the short term session and we request // refreshing of the session id(s). if (phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $user_id, PHORUM_FLAG_SESSION_ST) && phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN)) { // Destroy the temporary cookie that is used for testing // for cookie compatibility. if (isset($_COOKIE['phorum_tmp_cookie'])) { setcookie('phorum_tmp_cookie', '', 0, $PHORUM['session_path'], $PHORUM['session_domain']); } // Determine the URL to redirect the user to. // If redir is a number, it is a URL constant. $php = PHORUM_FILE_EXTENSION; if (is_numeric($_POST['redir'])) { $redir = phorum_api_url((int) $_POST['redir']); } elseif (!empty($PHORUM['use_cookies']) && !strstr($_POST['redir'], "register.{$php}") && !strstr($_POST['redir'], "login.{$php}")) { $redir = $_POST['redir']; } else { $redir = phorum_api_url(PHORUM_LIST_URL); }
$PHORUM["DATA"]["HTML_TITLE"] = htmlspecialchars(strip_tags($PHORUM["DATA"]["HTML_TITLE"]), ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]); // For non-admin users, check if the forum is set to // read-only or administrator-only mode. if (empty($PHORUM["user"]["admin"]) && isset($PHORUM['status'])) { if ($PHORUM["status"] == PHORUM_MASTER_STATUS_ADMIN_ONLY && phorum_page != 'css' && phorum_page != 'javascript' && phorum_page != 'login') { phorum_build_common_urls(); $PHORUM["DATA"]["OKMSG"] = $PHORUM["DATA"]["LANG"]["AdminOnlyMessage"]; phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, NULL); /** * @todo Not compatible with portable / embedded Phorum setups. */ phorum_api_output('message'); exit; } elseif ($PHORUM['status'] == PHORUM_MASTER_STATUS_READ_ONLY) { $PHORUM['DATA']['GLOBAL_ERROR'] = $PHORUM['DATA']['LANG']['ReadOnlyMessage']; phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, NULL); } } // If moderator notifications are on and the person is a mod, // lets find out if anything needs attention. $PHORUM["user"]["NOTICE"]["MESSAGES"] = FALSE; $PHORUM["user"]["NOTICE"]["USERS"] = FALSE; $PHORUM["user"]["NOTICE"]["GROUPS"] = FALSE; if ($PHORUM["DATA"]["LOGGEDIN"]) { // By default, only bug the user on the list, index and cc pages. // The template can override this behaviour by setting a comma // separated list of phorum_page names in a template define statement // like this: {DEFINE show_notify_for_pages "page 1,page 2,..,page n"} if (isset($PHORUM["TMP"]["show_notify_for_pages"])) { $show_notify_for_pages = explode(",", $PHORUM["TMP"]["show_notify_for_pages"]); } else {
/**
 * Destroy a Phorum user session.
 *
 * This will destroy a Phorum user session and set the active
 * Phorum user to the anonymous user.
 *
 * Side effects: expires the session cookie(s) for the given type
 * (so this must run before any output is sent), may rewrite the
 * stored long term session id for the current user when cookies are
 * not in use, and always resets the active forum user to anonymous.
 *
 * @param string $type
 *     The type of session to destroy. This must be one of
 *     {@link PHORUM_FORUM_SESSION} or {@link PHORUM_ADMIN_SESSION}.
 *     See the documentation for {@link phorum_api_user_session_create()}
 *     for more information on Phorum user sessions.
 *
 * @return NULL
 *     Nothing useful is returned. For an illegal session type an
 *     E_USER_ERROR is raised (which normally terminates the script)
 *     and NULL is returned in case a custom error handler lets
 *     execution continue.
 */
function phorum_api_user_session_destroy($type)
{
    // Local copy; writes below go through the API, not this array.
    $PHORUM = $GLOBALS['PHORUM'];

    /**
     * [hook]
     *     user_session_destroy
     *
     * [description]
     *     Allow modules to override Phorum's session destroy management or
     *     to even fully omit destroying a session (for example useful
     *     if the hook <hook>user_session_restore</hook> is used
     *     to inherit an external session from some 3rd party application).
     *
     * [category]
     *     User authentication and session handling
     *
     * [when]
     *     Just before Phorum runs its own session destroy code
     *     in the user API function
     *     <literal>phorum_api_user_session_destroy()</literal>.
     *
     * [input]
     *     The session type for which a session must be destroyed.
     *     This can be either <literal>PHORUM_FORUM_SESSION</literal>
     *     or <literal>PHORUM_ADMIN_SESSION</literal>.
     *
     * [output]
     *     Same as input if Phorum has to run its standard session
     *     destroy code or NULL if that code should be fully skipped.
     *
     * [example]
     *     See the <hook>user_session_create</hook> hook for an example
     *     of how to let Phorum setup the PHP session that is destroyed
     *     in this example hook.
     *     <hookcode>
     *     function phorum_mod_foo_user_session_destroy($type)
     *     {
     *         // Let Phorum handle destroying of admin sessions on its own.
     *         if ($type == PHORUM_ADMIN_SESSION) return $type;
     *
     *         // Override the session handling for front end forum sessions.
     *         // We could for example have stored the session in a standard
     *         // PHP session. First, we start a PHP session if that was
     *         // not done yet.
     *         if (!session_id()) session_start();
     *
     *         // After starting the PHP session, we can clear the session
     *         // data for the Phorum user. In the user_session_create hook
     *         // example code, we stored the user_id for the active user
     *         // in the session. Here we clear that data. We could also
     *         // have destroyed the full PHP session, but in that case we
     *         // would risk destroying session data that was setup by
     *         // other PHP scripts.
     *         unset($_SESSION['phorum_user_id']);
     *
     *         // Tell Phorum not to run its own session destroy code.
     *         return NULL;
     *     }
     *     </hookcode>
     */
    $do_phorum_destroy_session = TRUE;
    if (isset($PHORUM['hooks']['user_session_destroy'])) {
        // Only an explicit NULL from the hook skips the built-in code;
        // any other return value (including FALSE) still runs it.
        if (phorum_hook('user_session_destroy', $type) === NULL) {
            $do_phorum_destroy_session = FALSE;
        }
    }

    if ($do_phorum_destroy_session)
    {
        // Destroy session cookie(s). We do not care here if use_cookies is
        // enabled or not. We just want to clean out all that we have here.
        // Expiring the cookie one day in the past makes the browser drop it.
        if ($type == PHORUM_FORUM_SESSION) {
            setcookie(PHORUM_SESSION_SHORT_TERM, '', time() - 86400, $PHORUM['session_path'], $PHORUM['session_domain']);
            setcookie(PHORUM_SESSION_LONG_TERM, '', time() - 86400, $PHORUM['session_path'], $PHORUM['session_domain']);
        } elseif ($type == PHORUM_ADMIN_SESSION) {
            setcookie(PHORUM_SESSION_ADMIN, '', time() - 86400, $PHORUM['session_path'], $PHORUM['session_domain']);
        } else {
            // $type is escaped because the message may end up in HTML output.
            trigger_error('phorum_api_user_session_destroy(): Illegal session type: ' . htmlspecialchars($type), E_USER_ERROR);
            return NULL;
        }

        // If cookies are not in use, then the long term session is reset
        // to a new value. That way we fully invalidate URI authentication
        // data, so that old URL's won't work anymore. We can only do this
        // if we have an active Phorum user.
        if ($PHORUM['use_cookies'] == PHORUM_NO_COOKIES && $type == PHORUM_FORUM_SESSION && !empty($PHORUM['user']) && !empty($PHORUM['user']['user_id'])) {
            $user = $PHORUM['user'];
            // NOTE(review): the only varying input to this new session id is
            // microtime(); the username and the stored 'password' value are
            // constant per user. A CSPRNG (e.g. random_bytes()) would be the
            // stronger source for a session identifier — confirm the storage
            // width of sessid_lt before changing the format.
            $sessid_lt = md5($user['username'] . microtime() . $user['password']);
            phorum_api_user_save_raw(array('user_id' => $user['user_id'], 'sessid_lt' => $sessid_lt));
        }
    }

    // Force Phorum to see the anonymous user from here on.
    // This always targets the forum session, also when an admin session
    // was destroyed — presumably both share the same active user; verify.
    phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, NULL);
}
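/**
 * A common function which is used to save the userdata from the post-data.
 *
 * Only fields that the control center is allowed to change are taken
 * from $_POST; every other POST key is ignored. The password and e-mail
 * fields are only accepted when saving from their own panels, so a POST
 * to an unrelated panel cannot carry a credential change along with it.
 *
 * Reads $PHORUM["user"], $PHORUM["PROFILE_FIELDS"] and $PHORUM["DATA"].
 * On success the saved data is written back into
 * $GLOBALS["PHORUM"]["DATA"]["USER"] and $GLOBALS["PHORUM"]["DATA"]["PROFILE"].
 *
 * NOTE(review): the cc_save_user hook documentation below says the panel
 * name is available as the "panel" field of the hook data, but this
 * function does not add it — confirm where (if anywhere) it is injected.
 *
 * @param panel - The panel for which to save data.
 * @return array - An array containing $error and $okmsg.
 */
function phorum_controlcenter_user_save($panel)
{
    // Local copy; after the save below the fresh user record is read
    // from $GLOBALS['PHORUM'] because this copy is stale by then.
    $PHORUM = $GLOBALS['PHORUM'];

    $error = "";
    $okmsg = "";

    // Setup the default userdata fields that can be changed
    // from the control panel interface. A NULL value means
    // "acceptable, but not posted"; unposted fields are dropped below.
    $userdata = array(
        'signature'        => NULL,
        'hide_email'       => NULL,
        'hide_activity'    => NULL,
        'tz_offset'        => NULL,
        'is_dst'           => NULL,
        'user_language'    => NULL,
        'threaded_list'    => NULL,
        'threaded_read'    => NULL,
        'email_notify'     => NULL,
        'show_signature'   => NULL,
        'pm_email_notify'  => NULL,
        'user_template'    => NULL,
        'moderation_email' => NULL,
        'real_name'        => NULL,
    );

    // Password related fields can only be updated from the password panel.
    // Accepting them from every panel would let any control center form
    // change the account password as a side effect.
    if ($panel == 'password') {
        $userdata['password']      = NULL;
        $userdata['password_temp'] = NULL;
    }

    // E-mail address related fields can only be updated from the email panel.
    if ($panel == 'email') {
        $userdata['email']      = NULL;
        $userdata['email_temp'] = NULL;
    }

    // Add custom profile fields as acceptable fields.
    foreach ($PHORUM["PROFILE_FIELDS"] as $id => $field) {
        if ($id === "num_fields" || !empty($field['deleted'])) {
            continue;
        }
        $userdata[$field["name"]] = NULL;
    }

    // Update userdata with $_POST information. Only keys that were
    // whitelisted above are copied over.
    foreach ($_POST as $key => $val) {
        if (array_key_exists($key, $userdata)) {
            $userdata[$key] = $val;
        }
    }

    // Remove unused profile fields.
    foreach ($userdata as $key => $val) {
        if (is_null($val)) {
            unset($userdata[$key]);
        }
    }

    // Set static userdata. The user_id is never taken from $_POST.
    $userdata["user_id"] = $PHORUM["user"]["user_id"];

    /**
     * [hook]
     *     cc_save_user
     *
     * [description]
     *     This hook works the same way as the <hook>before_register</hook>
     *     hook, so you can also use it for changing and checking the user data
     *     that will be saved in the database. There's one difference. If you
     *     want to check a custom field, you'll also need to check the panel
     *     which you are on, because this hook is called from multiple panels.
     *     The panel that you are on will be stored in the
     *     <literal>panel</literal> field of the user data.<sbr/>
     *     <sbr/>
     *     The example hook belows demonstrates code which could be used if you
     *     have added a custom field to the template for the option
     *     <literal>Edit My Profile</literal> in the control panel.
     *
     * [category]
     *     Control center
     *
     * [when]
     *     In <filename>control.php</filename>, right before data for a user is
     *     saved in the control panel.
     *
     * [input]
     *     An array containing the user data to save.
     *     <ul>
     *     <li>error:
     *         modules can fill this field with an error message to show.</li>
     *     </ul>
     *
     * [output]
     *     The same array as the one that was used for the hook call
     *     argument, possibly with the "error" field updated in it.
     *
     * [example]
     *     <hookcode>
     *     function phorum_mod_foo_cc_save_user ($data)
     *     {
     *         // Only check data for the panel "user".
     *         if ($data['panel'] != "user") return $data;
     *
     *         $myfield = trim($data['your_custom_field']);
     *         if (empty($myfield)) {
     *             $data['error'] = 'You need to fill in my custom field';
     *         }
     *
     *         return $data;
     *     }
     *     </hookcode>
     */
    if (isset($PHORUM["hooks"]["cc_save_user"])) {
        $userdata = phorum_hook("cc_save_user", $userdata);
    }

    // Set $error, in case the cc_save_user hook did set an error.
    if (isset($userdata['error'])) {
        $error = $userdata['error'];
        unset($userdata['error']);
    // Try to update the userdata in the database.
    } elseif (!phorum_api_user_save($userdata)) {
        // Updating the user failed.
        $error = $PHORUM["DATA"]["LANG"]["ErrUserAddUpdate"];
    } else {
        // Updating the user was successful.
        $okmsg = $PHORUM["DATA"]["LANG"]["ProfileUpdatedOk"];

        // Let the userdata be reloaded.
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $userdata["user_id"]);

        // If a new password was set, then reset all session id(s), so
        // other computers or browser will lose any active session that
        // they are running.
        if (isset($userdata["password"]) && $userdata["password"] != '') {
            phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_ALL);
        }

        // Copy data from the updated user back into the user template data.
        $formatted = phorum_api_user_format(array($GLOBALS['PHORUM']['user']));
        foreach ($formatted[0] as $key => $val) {
            $GLOBALS['PHORUM']['DATA']['USER'][$key] = $val;
        }

        // Copy data from the updated user back into the template data.
        // Leave PANEL and forum_id alone (these are injected into the
        // userdata in the template from this script).
        foreach ($GLOBALS["PHORUM"]["DATA"]["PROFILE"] as $key => $val) {
            if ($key == "PANEL" || $key == "forum_id") {
                continue;
            }
            if (!isset($GLOBALS["PHORUM"]["user"][$key])) {
                $GLOBALS["PHORUM"]["DATA"]["PROFILE"][$key] = "";
                continue;
            }

            $value = $GLOBALS["PHORUM"]["user"][$key];
            if (is_array($value)) {
                // Array data cannot be HTML encoded as a whole; the
                // template is responsible for escaping its elements.
                $GLOBALS["PHORUM"]["DATA"]["PROFILE"][$key] = $value;
            } else {
                // The profile template data is user controlled text that
                // is echoed back into the form, so HTML escape it here.
                $GLOBALS["PHORUM"]["DATA"]["PROFILE"][$key] = htmlspecialchars($value, ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
            }
        }
    }

    return array($error, $okmsg);
}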
/**
 * Exercise phorum_api_user_set_active_user() with a valid user id and with
 * two malformed array arguments, then create a session for the active user.
 *
 * Relies on the shared fixture suffix to locate the test user created
 * earlier in the suite.
 */
function testUserApiSetActiveUser()
{
    $foundId = phorum_api_user_search('username', 'testuser' . $this->sharedFixture, '=');

    // A known user id must be accepted.
    $this->assertTrue(
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $foundId),
        'Setting given user_id active again.'
    );

    // Arrays that do not describe a user must be rejected.
    $this->assertFalse(
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, array('foo' => 'bar')),
        'set_active_user with invalid array given.'
    );
    $this->assertFalse(
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, array('foo')),
        'set_active_user with invalid user-input.'
    );

    // Make the user active directly, then start a session for it.
    $GLOBALS['PHORUM']['user'] = phorum_api_user_get($foundId);
    $this->assertTrue(
        phorum_api_user_session_create(PHORUM_FORUM_SESSION),
        'Creating user-session'
    );
}
// but WITHOUT ANY WARRANTY, without even the implied warranty of // // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // // // // You should have received a copy of the Phorum License // // along with this program. // // // //////////////////////////////////////////////////////////////////////////////// // don't allow this page to be loaded directly if (!defined("PHORUM_ADMIN")) { exit; } require_once PHORUM_PATH . '/include/api/user.php'; require_once PHORUM_PATH . '/include/api/sign.php'; if (isset($_POST["username"]) && isset($_POST["password"])) { $user_id = phorum_api_user_authenticate(PHORUM_ADMIN_SESSION, trim($_POST["username"]), trim($_POST["password"])); if ($user_id && phorum_api_user_set_active_user(PHORUM_ADMIN_SESSION, $user_id) && phorum_api_user_session_create(PHORUM_ADMIN_SESSION)) { // update the token and time $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token_time'] = time(); $sig_data = $GLOBALS["PHORUM"]["user"]['user_id'] . time() . $GLOBALS["PHORUM"]["user"]['username']; $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token'] = phorum_api_sign($sig_data); $GLOBALS["PHORUM"]['admin_token'] = $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token']; $tmp_user = array('user_id' => $GLOBALS["PHORUM"]["user"]['user_id'], 'settings_data' => $GLOBALS["PHORUM"]["user"]['settings_data']); phorum_api_user_save($tmp_user); if (!empty($_POST["target"])) { $target_url = phorum_admin_build_url($_POST['target'], TRUE); phorum_api_redirect($target_url); } else { $redir_url = phorum_admin_build_url(NULL, TRUE); phorum_api_redirect($redir_url); } exit;
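/**
 * A common function which is used to save the userdata from the post-data.
 *
 * Only fields that the control center is allowed to change are taken
 * from $_POST; every other POST key is ignored. The password and e-mail
 * fields are only accepted when saving from their own panels.
 *
 * Reads and updates the global $PHORUM: the user record, the custom
 * user fields and, on success, the USER and PROFILE template data.
 *
 * NOTE(review): the cc_save_user hook documentation says the panel name
 * is available as the "panel" field of the hook data, but this function
 * does not add it — confirm where (if anywhere) it is injected.
 *
 * @param panel - The panel for which to save data.
 * @return array - An array containing $error and $okmsg.
 */
function phorum_controlcenter_user_save($panel)
{
    global $PHORUM;

    $error = "";
    $okmsg = "";

    // Setup the default userdata fields that can be changed
    // from the control panel interface. A NULL value means
    // "acceptable, but not posted"; unposted fields are dropped below.
    $userdata = array(
        'signature'        => NULL,
        'hide_email'       => NULL,
        'hide_activity'    => NULL,
        'tz_offset'        => NULL,
        'is_dst'           => NULL,
        'user_language'    => NULL,
        'threaded_list'    => NULL,
        'threaded_read'    => NULL,
        'email_notify'     => NULL,
        'show_signature'   => NULL,
        'pm_email_notify'  => NULL,
        'user_template'    => NULL,
        'moderation_email' => NULL,
        'real_name'        => NULL,
    );

    // Password related fields can only be updated from the password panel.
    if ($panel == 'password') {
        $userdata['password']      = NULL;
        $userdata['password_temp'] = NULL;
    }

    // E-mail address related fields can only be updated from the email panel.
    if ($panel == 'email') {
        $userdata['email']      = NULL;
        $userdata['email_temp'] = NULL;
    }

    // Add custom profile fields as acceptable fields.
    foreach ($PHORUM["CUSTOM_FIELDS"][PHORUM_CUSTOM_FIELD_USER] as $id => $field) {
        if ($id === "num_fields" || !empty($field['deleted'])) {
            continue;
        }
        $userdata[$field["name"]] = NULL;
    }

    // Update userdata with $_POST information. Only keys that were
    // whitelisted above are copied over.
    foreach ($_POST as $key => $val) {
        if (array_key_exists($key, $userdata)) {
            $userdata[$key] = $val;
        }
    }

    // Remove unused profile fields.
    foreach ($userdata as $key => $val) {
        if (is_null($val)) {
            unset($userdata[$key]);
        }
    }

    // Set static userdata. The user_id is never taken from $_POST.
    $userdata["user_id"] = $PHORUM["user"]["user_id"];

    // Run a hook, so module writers can update and check the userdata.
    if (isset($PHORUM["hooks"]["cc_save_user"])) {
        $userdata = phorum_api_hook("cc_save_user", $userdata);
    }

    // Set $error, in case the cc_save_user hook did set an error.
    if (isset($userdata['error'])) {
        $error = $userdata['error'];
        unset($userdata['error']);
    // Try to update the userdata in the database.
    } elseif (!phorum_api_user_save($userdata)) {
        // Updating the user failed.
        $error = $PHORUM["DATA"]["LANG"]["ErrUserAddUpdate"];
    } else {
        // Updating the user was successful.
        $okmsg = $PHORUM["DATA"]["LANG"]["ProfileUpdatedOk"];

        // Let the userdata be reloaded.
        phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $userdata["user_id"]);

        // If a new password was set, then reset all session id(s), so
        // other computers or browser will lose any active session that
        // they are running.
        if (isset($userdata["password"]) && $userdata["password"] != '') {
            phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_ALL);
        }

        // Copy data from the updated user back into the user template data.
        $formatted = phorum_api_format_users(array($PHORUM['user']));
        foreach ($formatted[0] as $key => $val) {
            $PHORUM['DATA']['USER'][$key] = $val;
        }

        // Copy data from the updated user back into the template data.
        // Leave PANEL and forum_id alone (these are injected into the
        // userdata in the template from this script).
        foreach ($PHORUM["DATA"]["PROFILE"] as $key => $val) {
            if ($key == "PANEL" || $key == "forum_id") {
                continue;
            }

            // signature_formatted is derived from the signature below.
            // Handling it as a regular key would overwrite the formatted
            // text with "" (the user record has no such field) whenever it
            // is iterated after "signature".
            if ($key == "signature_formatted") {
                continue;
            }

            if (!isset($PHORUM["user"][$key])) {
                $PHORUM["DATA"]["PROFILE"][$key] = "";
                if ($key == "signature") {
                    $PHORUM["DATA"]["PROFILE"]["signature_formatted"] = "";
                }
                continue;
            }

            if (is_array($val)) {
                // array-data would be (most often) broken when html encoded
                $PHORUM["DATA"]["PROFILE"][$key] = $PHORUM["user"][$key];
            } elseif ($key == "signature") {
                // the signature needs special care - e.g. for the formatted sig
                // Fake a message here so we can run the sig through format_message.
                $fake_messages = array(array(
                    "author"  => "",
                    "email"   => "",
                    "subject" => "",
                    "body"    => $PHORUM["user"]["signature"],
                ));
                $fake_messages = phorum_format_messages($fake_messages);
                $PHORUM["DATA"]["PROFILE"]["signature_formatted"] = $fake_messages[0]["body"];

                // The raw signature goes back into the edit form, so HTML
                // escape it like every other string field.
                $PHORUM["DATA"]["PROFILE"]["signature"] = htmlspecialchars($PHORUM["user"]["signature"], ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
            } else {
                // same handling as when loading the page for the first time
                $PHORUM["DATA"]["PROFILE"][$key] = htmlspecialchars($PHORUM["user"][$key], ENT_COMPAT, $PHORUM['DATA']['HCHARSET']);
            }
        }
    }

    return array($error, $okmsg);
}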
<?php
# Handle a user forum login
#
# Example of logging a user in through the user API: authenticate,
# make the user active, then store a session so the login persists.
if (!defined('PHORUM')) {
    return;
}

require_once "./include/api/base.php";
require_once "./include/api/user.php";

// Verify the credentials; a falsy result means they were rejected.
$user_id = phorum_api_user_authenticate(PHORUM_FORUM_SESSION, "username", "password");
$user_id or die("Username or password incorrect!\n");

// Making the authenticated user the active user is all Phorum needs
// to treat this request as a logged in one.
phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, $user_id, PHORUM_FLAG_SESSION_ST)
    or die("Setting user_id {$user_id} as the active user failed!\n");

// Store a session for the active user so it is remembered on
// subsequent requests.
phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN); // appropriate at login time