public function add()
 {
     // Validate and filter the POSTed block definition with GUMP before it reaches IpBan.
     $validator = new GUMP();
     $validator->validation_rules(array('ip' => 'required|valid_ipv4', 'length' => 'required|integer', 'reason' => 'required'));
     $validator->filter_rules(array('ip' => 'trim', 'length' => 'trim|whole_number', 'reason' => 'trim|sanitize_string'));
     $input = $validator->run($_POST);
     // run() yields false when any rule fails: bounce back to the form with a generic message.
     if ($input === false) {
         return new ActionResult($this, '/admin/core/ipblock_add', 0, 'Failed to add block!<br />Error: <code>Please check you have completed all fields as instructed.</code>', B_T_FAIL);
     }
     $ban = new IpBan($this->parent->parent);
     $stored = $ban->ban($input['reason'], $input['length'], $input['ip']);
     if (!$stored) {
         return new ActionResult($this, '/admin/core/ipblock_add', 0, 'Failed to add block!', B_T_FAIL);
     }
     return new ActionResult($this, '/admin/core/ipblock_view', 1, 'Succeesfully added block!', B_T_SUCCESS);
 }
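 public function IPBanned()
 {
     // Feature switch: with IP login filtering turned off no lookup is made.
     if (!Yii::app()->params['ipLoginFiltering']) {
         return false;
     }
     // REMOTE_ADDR is the TCP peer address; behind a reverse proxy that is the
     // proxy rather than the client — NOTE(review): confirm the deployment.
     $ban = IpBan::model()->findByAttributes(array('ip' => $_SERVER['REMOTE_ADDR']));
     // CActiveRecord::findByAttributes() returns one record or null. The former
     // sizeof() on that value only worked thanks to PHP 7's warn-and-return
     // behaviour for non-Countable arguments; on PHP 8 it throws a TypeError.
     return $ban !== null;
 }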
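 public function login()
 {
     // Lock-out: after ten failed attempts recorded in this session the client's
     // address is banned. The counter is session-scoped (Session::get/set below),
     // so it does not survive a client that discards its session cookie; only the
     // resulting IP ban outlives the session.
     if (Session::get($this::name_space, 'login_attempts') >= 10) {
         $ipBan = new IpBan($this->parent->parent);
         if ($ipBan->ban('Too many authentication failures', 15)) {
             Session::del($this::name_space, 'login_attempts');
             return new ActionResult($this, '/', 1, '', B_T_FAIL);
         }
     }
     $user = WebApp::post('user');
     $pass = WebApp::post('pwd');
     $this->parent->parent->debug($this::name_space . ': Logging in user...');
     // Prepared statement; the submitted value is bound to both placeholders so
     // either the username or the e-mail address may be used to log in.
     $user_query = $this->mySQL_r->prepare("SELECT `id`, `username`, `act_b`, `chgPwd`, `en` FROM `core_users` WHERE `username`=? OR `email`=?");
     $user_query->bind_param('ss', $user, $user);
     $user_query->execute();
     $user_query->bind_result($id, $username, $activated, $chgPwd, $enabled);
     $user_query->store_result();
     // Check we have exactly one user to log into; anything else counts as a failed attempt.
     if ($user_query->num_rows !== 1) {
         $login_attempts = Session::get($this::name_space, 'login_attempts');
         if ($login_attempts === NULL) {
             $login_attempts = 0;
         }
         $this->parent->parent->logEvent($this::name_space, 'Someone tried to login to user "' . $user . '" except they don\'t exist');
         $this->parent->parent->debug($this::name_space . ': Someone tried to login to user "' . $user . '" except they don\'t exist!');
         $this->parent->parent->debug($this::name_space . ': Number of attempts ' . $login_attempts);
         Session::set($this::name_space, 'login_attempts', $login_attempts + 1);
         return new ActionResult($this, '/user/login', 0, 'Invalid username or password!<br />' . PHP_EOL . 'Usernames and passwords are case sensitive.', B_T_FAIL, array('form' => array('pwd' => '')));
     }
     // Exactly one row is available, so a single fetch fills the bound variables.
     $user_query->fetch();
     $active = intval($activated);
     $changePassword = intval($chgPwd);
     $accountEnabled = intval($enabled);
     // Have they activated their account? This branch and the disabled-account
     // branch below answer differently from the generic failure above, so they
     // disclose account state for a guessed username/e-mail.
     if (!$active) {
         $this->parent->parent->logEvent($this::name_space, 'Unactivated user "' . $username . '" tried to log in');
         return new ActionResult($this, '/user/activate', 1, '');
     }
     // Has the user been disabled?
     if (!$accountEnabled) {
         $this->parent->parent->logEvent($this::name_space, 'Disabled user "' . $username . '" tried to log in');
         return new ActionResult($this, '/user/login', 0, 'Your account has been disabled. Contact the webmaster for further information.', B_T_FAIL, array('form' => array('user' => '', 'pwd' => '')));
     }
     // Now we can see if they got the password correct
     if (!$this->parent->parent->user->authenticate($pass, $id, $username)) {
         $login_attempts = Session::get($this::name_space, 'login_attempts');
         if ($login_attempts === NULL) {
             $login_attempts = 0;
         }
         $this->parent->parent->logEvent($this::name_space, $username . ' failed to log in');
         $this->parent->parent->debug($this::name_space . ': ' . $username . ' failed to log in');
         $this->parent->parent->debug($this::name_space . ': Number of attempts ' . $login_attempts);
         Session::set($this::name_space, 'login_attempts', $login_attempts + 1);
         return new ActionResult($this, '/user/login', 0, 'Invalid username or password!<br />' . PHP_EOL . 'Usernames and passwords are case sensitive.', B_T_FAIL, array('form' => array('pwd' => '')));
     }
     // Now we can log them in
     Session::del($this::name_space, 'login_attempts');
     $this->parent->parent->logEvent($this::name_space, $username . ' logged in');
     // NOTE(review): the session id is not rotated on authentication. If
     // Session::regen() regenerates the id, re-enabling it here closes the
     // session-fixation window between the anonymous and the authenticated session.
     //Session::regen();
     if (!$this->parent->parent->user->session->create($id)) {
         $this->parent->parent->logEvent($this::name_space, 'Failed to create token!');
         return new ActionResult($this, '/user/login', 0, 'Login failed, please speak to webmaster', B_T_FAIL);
     }
     Session::set('WebApp.User', 'loggedIn', true);
     Session::set('WebApp.User', 'username', $username);
     Session::set('WebApp.User', 'userID', $id);
     if ($changePassword === 1) {
         return new ActionResult($this, '/user/profile/password', 1, '');
     }
     // The post-login destination is taken from the request, so only a local
     // absolute path ("/...") is honoured. Absolute URLs and protocol-relative
     // forms ("//host", "/\host") are rejected; previously they were passed
     // through unchecked, which made this an open redirect.
     $url = '/user';
     $requested = WebApp::post('r');
     if ($requested !== NULL && $requested !== '') {
         $target = urldecode($requested);
         if (preg_match('#^/(?![/\\\\])#', $target) === 1) {
             $url = $target;
         }
     }
     return new ActionResult($this, $url, 1, '');
 }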
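 /**
  * Displays the login page and processes a submitted login form.
  *
  * Three request shapes are handled: an AJAX validation request (echoes the
  * validation result and ends the request), a POSTed LoginForm (attempts the
  * login, records the outcome per IP and bans the IP after five failures in
  * an hour), and any other request, which simply renders the form.
  */
 public function actionLogin()
 {
     $this->pageTitle = 'Login | ' . Yii::app()->name;
     $this->layout = '//layouts/accession';
     $LoginForm = new LoginForm();
     // REMOTE_ADDR is the TCP peer address; behind a reverse proxy it is the
     // proxy rather than the client — NOTE(review): confirm before relying on
     // it for the ban logic below.
     $remoteIp = $_SERVER['REMOTE_ADDR'];
     // if it is ajax validation request
     if (isset($_POST['ajax']) && $_POST['ajax'] === 'login-form') {
         echo CActiveForm::validate($LoginForm);
         Yii::app()->end();
     }
     // collect user input data
     if (isset($_POST['LoginForm'])) {
         if (Login::model()->IPBanned()) {
             // this IP is banned
             $LoginForm->addError('email', Yii::app()->params['ipBanMessage']);
         } else {
             // Mass assignment: Yii only copies attributes the model's rules() mark as safe.
             $LoginForm->attributes = $_POST['LoginForm'];
             // validate user input and redirect to the previous page if valid
             if ($LoginForm->validate() && $LoginForm->login()) {
                 $User = User::model()->getUser();
                 if (!is_null($User)) {
                     // Admin user: clear reset_hash (presumably a pending password-reset
                     // token) on a successful login and record the login.
                     $User->reset_hash = null;
                     $User->save();
                     $login = new Login();
                     $login->success = 1;
                     $login->user_id = $User->id;
                     $login->date = date('Y-m-d H:i:s');
                     $login->ip = $remoteIp;
                     $login->save();
                     $this->redirect(array('site/dashboard'));
                 } else {
                     // Accession user
                     // Go straight to their details page
                     $this->redirect(array('accession/updateDetails'));
                 }
             } else {
                 // Failed login
                 $login = new Login();
                 $login->success = 0;
                 $login->date = date('Y-m-d H:i:s');
                 $login->ip = $remoteIp;
                 // See if we can find the user. The email key is read with isset so a
                 // crafted POST without it cannot raise an undefined-index notice.
                 if (isset($_POST['LoginForm']['email'])) {
                     $User = User::model()->findByAttributes(array('email' => $_POST['LoginForm']['email']));
                     if ($User) {
                         $login->user_id = $User->id;
                     }
                 }
                 $login->save();
                 // Check how many failed logins we have in last hour
                 // If 5, we ban the IP
                 if (!in_array($remoteIp, Yii::app()->params['ipWhiteList'], true)) {
                     $criteria = new CDbCriteria();
                     $criteria->condition = "date > :date AND success = 0 AND ip = :ip";
                     // date() and strtotime() share the process default timezone, so the
                     // window is consistent with the timestamps stored above.
                     $criteria->params = array(':ip' => $remoteIp, ':date' => date('Y-m-d H:i:s', strtotime('1 hour ago')));
                     $failedLogins = Login::model()->findAll($criteria);
                     $failures = sizeof($failedLogins);
                     if ($failures >= 5) {
                         // Ban the ip (the whitelist was already checked above, so the
                         // former second in_array() here was redundant)
                         $ipBan = new IpBan();
                         $ipBan->ip = $remoteIp;
                         $ipBan->save();
                         $LoginForm->clearErrors();
                         $LoginForm->addError('email', 'Your IP has been banned for repeated failed login attempts. Please contact the site administrator.');
                     } elseif ($failures === 4) {
                         // Show warning
                         $LoginForm->addError('password', 'You only have 1 login attempt remaining in this hour period. Another failed attempt within an hour and your IP will be banned.');
                     }
                 }
             }
         }
     }
     // display the login form
     $this->render('login', array('LoginForm' => $LoginForm));
 }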
 public function Web()
 {
     // NOTE(review): if the enclosing class is itself named Web, this is a
     // PHP 4-style constructor — deprecated in PHP 7.0 and no longer treated as
     // a constructor in PHP 8; confirm how it is invoked.
     $this->debug($this::name_space . ': Checking for IP block...');
     $ipBan = new IpBan($this);
     if (!$ipBan->check()) {
         $this->_ipBlock();
     }
     $this->debug($this::name_space . ': Sanitising input...');
     $this->_sanitise();
     $this->debug($this::name_space . ': Generating catagories...');
     $this->_genPageCats();
     $this->debug($this::name_space . ': Setting HTTPS status');
     $this->_setHTTPS();
     // upload_max_filesize and post_max_size are PHP_INI_PERDIR settings: ini_set()
     // at request time cannot change them (it returns false), so the effective
     // limit is whatever php.ini / .user.ini / the server config provides.
     $uploadLimit = $this->config->getOption('file_size_max');
     ini_set('upload_max_filesize', $uploadLimit);
     ini_set('post_max_size', $uploadLimit);
     $this->debug($this::name_space . ': Selecting Mode...');
     // Controller class per top-level URL segment; anything unlisted is a Page.
     // The class name is chosen from this fixed table, never from the raw segment.
     $modeByCategory = array(
         'fonts'  => 'File',
         'js'     => 'File',
         'css'    => 'File',
         'images' => 'Image',
         'action' => 'Action',
         'ajax'   => 'Ajax',
         'feed'   => 'Feed',
     );
     $category = $this::get('cat1');
     $class = 'Page';
     if (is_string($category) && isset($modeByCategory[$category])) {
         $class = $modeByCategory[$category];
     }
     $setter = 'set' . $class;
     $this->debug($this::name_space . ': MODE: ' . strtoupper($class));
     $this->ctrl = new $class($this);
     $this->ctrl->{$setter}();
     $this->ctrl->execute();
     $this->output();
 }