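/**
 * Displays the login page and processes login attempts.
 *
 * Flow, as implemented below:
 *  - AJAX validation requests ($_POST['ajax'] === 'login-form') return the
 *    form's validation errors as JSON and stop.
 *  - Requests from an address that Login::model()->IPBanned() reports as
 *    banned are refused with params['ipBanMessage'] (both the AJAX and the
 *    full-POST path).
 *  - A successful login clears the user's reset_hash, records a Login row
 *    (success = 1) and redirects: admins (User::model()->getUser() non-null)
 *    to site/dashboard, everyone else to accession/updateDetails.
 *  - A failed login records a Login row (success = 0, user_id set when the
 *    e-mail matched a User) and, unless the IP is in params['ipWhiteList'],
 *    counts this IP's failures in the last hour: 4 failures produce a
 *    warning, 5 or more create an IpBan row.
 *
 * Throttling is keyed on $_SERVER['REMOTE_ADDR'] only. That is the right
 * source (client-supplied headers such as X-Forwarded-For are not trusted),
 * but if the application is deployed behind a reverse proxy every client
 * shares the proxy's address and one ban locks them all out; conversely the
 * lockout does nothing against an attacker spreading guesses across many
 * addresses. A per-account failure counter would be a worthwhile complement.
 */
public function actionLogin()
{
    $this->pageTitle = 'Login | ' . Yii::app()->name;
    $this->layout = '//layouts/accession';

    $LoginForm = new LoginForm();

    // Read the client address once; every check and log entry below uses it.
    $ip = $_SERVER['REMOTE_ADDR'];

    // AJAX validation request. The ban check is applied here as well: if the
    // LoginForm rules include an 'authenticate' validator (the Yii default),
    // CActiveForm::validate() performs a real credential check, so a banned
    // IP could otherwise keep probing passwords through this endpoint without
    // being refused. The ban message is returned in the same JSON shape that
    // CActiveForm::validate() produces so the client-side form can show it.
    if (isset($_POST['ajax']) && $_POST['ajax'] === 'login-form') {
        if (Login::model()->IPBanned()) {
            echo CJSON::encode(array(
                CHtml::activeId($LoginForm, 'email') => array(Yii::app()->params['ipBanMessage']),
            ));
        } else {
            // NOTE(review): authentications that happen inside this validation
            // call are not written to the Login table, so they never count
            // towards the ban threshold. If LoginForm authenticates during
            // validation, exclude that rule from AJAX validation in the model.
            echo CActiveForm::validate($LoginForm);
        }
        Yii::app()->end();
    }

    // collect user input data
    if (isset($_POST['LoginForm'])) {
        if (Login::model()->IPBanned()) {
            // this IP is banned
            $LoginForm->addError('email', Yii::app()->params['ipBanMessage']);
        } else {
            // Mass assignment is limited to the attributes LoginForm declares safe.
            $LoginForm->attributes = $_POST['LoginForm'];

            // validate user input and redirect to the previous page if valid
            if ($LoginForm->validate() && $LoginForm->login()) {
                $User = User::model()->getUser();
                if (!is_null($User)) {
                    // Admin user: any outstanding password-reset token is
                    // void once the account has been logged into.
                    $User->reset_hash = null;
                    $User->save();

                    $login = new Login();
                    $login->success = 1;
                    $login->user_id = $User->id;
                    $login->date = date('Y-m-d H:i:s');
                    $login->ip = $ip;
                    $login->save();

                    $this->redirect(array('site/dashboard'));
                } else {
                    // Accession user
                    // Go straight to their details page
                    $this->redirect(array('accession/updateDetails'));
                }
            } else {
                // Failed login
                $login = new Login();
                $login->success = 0;
                $login->date = date('Y-m-d H:i:s');
                $login->ip = $ip;

                // See if we can find the user. Guard the index: a malformed
                // POST without LoginForm[email] must not raise a notice here.
                $email = isset($_POST['LoginForm']['email']) ? $_POST['LoginForm']['email'] : null;
                if ($email !== null) {
                    $User = User::model()->findByAttributes(array('email' => $email));
                    if ($User) {
                        $login->user_id = $User->id;
                    }
                }
                $login->save();

                // Check how many failed logins we have in last hour
                // If 5, we ban the IP. Whitelisted addresses are never banned.
                if (!in_array($ip, Yii::app()->params['ipWhiteList'], true)) {
                    $criteria = new CDbCriteria();
                    $criteria->condition = "date > :date AND success = 0 AND ip = :ip";
                    $criteria->params = array(
                        ':ip' => $ip,
                        ':date' => date('Y-m-d H:i:s', strtotime('1 hour ago')),
                    );
                    // COUNT(*) instead of loading every row; the DB driver may
                    // hand the scalar back as a string, hence the cast.
                    $failures = (int) Login::model()->count($criteria);

                    if ($failures >= 5) {
                        // Ban the ip
                        $ipBan = new IpBan();
                        $ipBan->ip = $ip;
                        $ipBan->save();

                        $LoginForm->clearErrors();
                        $LoginForm->addError('email', 'Your IP has been banned for repeated failed login attempts. Please contact the site administrator.');
                    } elseif ($failures === 4) {
                        // Show warning
                        $LoginForm->addError('password', 'You only have 1 login attempt remaining in this hour period. Another failed attempt within an hour and your IP will be banned.');
                    }
                }
            }
        }
    }

    // display the login form
    $this->render('login', array('LoginForm' => $LoginForm));
}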