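/**
 * Convert a user's pre-migration password hash to MyBB's own format on login.
 *
 * Looks the submitted username up (honouring the handler's username_method
 * override) and, when the row still carries merge-system data in
 * passwordconvert/passwordconverttype/passwordconvertsalt and no MyBB hash yet,
 * checks the submitted password with the converter registered for that type in
 * $valid_login_types. On a match the row is re-hashed with a fresh salt and
 * loginkey and the merge data is cleared; on a mismatch the handler's
 * invalid-combination error is raised. In both cases the plaintext password is
 * removed from $login->data so MyBB does not test it a second time.
 *
 * Globals read: $mybb, $valid_login_types (passwordconverttype => suffix of a
 * check_<suffix>() function), $utf8_recheck (types retried with a
 * utf8_decode()'d password), $db, $settings.
 *
 * @param LoginDataHandler $login Login handler holding the submitted credentials in
 *                                $login->data; $login->login_data is filled when the
 *                                old hash matched.
 * @return void
 */
function loginconvert_convert(&$login)
{
    global $mybb, $valid_login_types, $utf8_recheck, $db, $settings;
    $options = array("fields" => array('username', "password", "salt", 'loginkey', 'coppauser', 'usergroup', "passwordconvert", "passwordconverttype", "passwordconvertsalt"), "username_method" => (int) $settings['username_method']);
    // The handler may override the board-wide username lookup method
    if ($login->username_method !== null) {
        $options['username_method'] = (int) $login->username_method;
    }
    $user = get_user_by_username($login->data['username'], $options);
    // There's nothing to check for, let MyBB do everything
    // This fails also when no user was found above, so no need for an extra check
    if (!isset($user['passwordconvert']) || $user['passwordconvert'] == '') {
        return;
    }
    // Cast once: both UPDATE statements below put the uid straight into a WHERE clause
    $uid = (int) $user['uid'];
    // This user has already a mybb generated hash, delete the merge system data
    // Happens eg after resetting password or getting a new one via the acp
    if (!empty($user['password'])) {
        $update = array("passwordconvert" => "", "passwordconverttype" => "", "passwordconvertsalt" => "");
        $db->update_query("users", $update, "uid='{$uid}'");
        return;
    }
    if (!array_key_exists($user['passwordconverttype'], $valid_login_types)) {
        // TODO: Is there an easy way to make the error translatable without adding a new language file?
        redirect($mybb->settings['bburl'] . "/member.php?action=lostpw", "We're sorry but we couldn't convert your old password. Please select a new one", "", true);
    } else {
        // The converter name is built from the $valid_login_types whitelist entry, not from the stored type string itself
        $login_type = $valid_login_types[$user['passwordconverttype']];
        $function = "check_{$login_type}";
        $check = $function($login->data['password'], $user);
        // If the password was wrong, an utf8 password and we want to check utf8 passwords we call the function again
        // NOTE(review): utf8_decode() is deprecated as of PHP 8.2; in_array() is left non-strict
        // because the element types of $utf8_recheck are not visible here
        if (!$check && in_array($login_type, $utf8_recheck) && utf8_decode($login->data['password']) != $login->data['password']) {
            $check = $function(utf8_decode($login->data['password']), $user);
        }
        if (!$check) {
            // Make sure the password isn't tested again
            unset($login->data['password']);
            // Yeah, that function is called later too, but we need to know whether the captcha is right
            // If we wouldn't call that function the error would always be shown
            $login->verify_attempts($mybb->settings['captchaimage']);
            $login->invalid_combination(true);
        } else {
            // The password was correct, so use MyBB's method the next time (even if the captcha was wrong we can update the password)
            // salt_password(md5(...), $salt) is MyBB's own hash layout; it is reproduced here, not chosen here
            $salt = generate_salt();
            $update = array("salt" => $salt, "password" => salt_password(md5($login->data['password']), $salt), "loginkey" => generate_loginkey(), "passwordconverttype" => "", "passwordconvert" => "", "passwordconvertsalt" => "");
            $db->update_query("users", $update, "uid='{$uid}'");
            // Make sure the password isn't tested again
            unset($login->data['password']);
            // Also make sure all data is available when creating the session (otherwise SQL errors -.-)
            $login->login_data = array_merge($user, $update);
        }
    }
}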
        if (!isset($user['username'])) {
            $user['username'] = '';
        }
        eval("\$activate = \"" . $templates->get("member_resetpassword") . "\";");
        output_page($activate);
    }
}
// Per-request login state: no captcha requested, no successful login, no inline errors yet
$do_captcha = false;
$correct = false;
$inline_errors = '';
if ($mybb->input['action'] == "do_login" && $mybb->request_method == "post") {
    $plugins->run_hooks("member_do_login_start");
    // Is a fatal call if user has had too many tries
    $errors = array();
    $logins = login_attempt_check();
    require_once MYBB_ROOT . "inc/datahandlers/login.php";
    $loginhandler = new LoginDataHandler("get");
    if ($mybb->get_input('quick_password') && $mybb->get_input('quick_username')) {
        $mybb->input['password'] = $mybb->get_input('quick_password');
        $mybb->input['username'] = $mybb->get_input('quick_username');
        $mybb->input['remember'] = $mybb->get_input('quick_remember');
    }
    $user = array('username' => $mybb->get_input('username'), 'password' => $mybb->get_input('password'), 'remember' => $mybb->get_input('remember'), 'imagestring' => $mybb->get_input('imagestring'));
    $options = array('fields' => 'loginattempts', 'username_method' => (int) $mybb->settings['username_method']);
    $user_loginattempts = get_user_by_username($user['username'], $options);
    $user['loginattempts'] = (int) $user_loginattempts['loginattempts'];
    $loginhandler->set_data($user);
    $validated = $loginhandler->validate_login();
    if (!$validated) {
        $mybb->input['action'] = "login";
        $mybb->request_method = "get";
        my_setcookie('loginattempts', $logins + 1);
        }
    }
    $default_page->show_lockout_unlock($error, 'error');
} elseif ($mybb->input['do'] == "login") {
    // We have an adminsid cookie?
    if (isset($mybb->cookies['adminsid'])) {
        // Check admin session
        $query = $db->simple_select("adminsessions", "sid", "sid='" . $db->escape_string($mybb->cookies['adminsid']) . "'");
        $admin_session = $db->fetch_field($query, 'sid');
        // Session found: redirect to index
        if ($admin_session) {
            admin_redirect("index.php");
        }
    }
    require_once MYBB_ROOT . "inc/datahandlers/login.php";
    $loginhandler = new LoginDataHandler("get");
    // Validate PIN first
    if (!empty($config['secret_pin']) && (empty($mybb->input['pin']) || $mybb->input['pin'] != $config['secret_pin'])) {
        $login_user = get_user_by_username($mybb->input['username'], array('fields' => array('email', 'username')));
        if ($login_user['uid'] > 0) {
            $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='" . (int) $login_user['uid'] . "'", '', true);
        }
        $loginattempts = login_attempt_check_acp($login_user['uid'], true);
        // Have we attempted too many times?
        if ($loginattempts['loginattempts'] > 0) {
            // Have we set an expiry yet?
            if ($loginattempts['loginlockoutexpiry'] == 0) {
                $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW + (int) $mybb->settings['loginattemptstimeout'] * 60), "uid='" . (int) $login_user['uid'] . "'");
            }
            // Did we hit lockout for the first time? Send the unlock email to the administrator
            if ($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts']) {
    // Do we have the token? If so let's process it
    if ($mybb->input['token'] && $user['uid']) {
        $query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='" . (int) $user['uid'] . "' AND code='" . $db->escape_string($mybb->input['token']) . "' AND type='l'");
        // If we're good to go
        if ($db->fetch_field($query, "num") > 0) {
            $db->delete_query("awaitingactivation", "uid='" . (int) $user['uid'] . "' AND code='" . $db->escape_string($mybb->input['token']) . "' AND type='l'");
            $db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='" . (int) $user['uid'] . "'");
            admin_redirect("index.php");
        } else {
            $error = $lang->error_invalid_token;
        }
    }
    $default_page->show_lockout_unlock($error, 'error');
} elseif ($mybb->input['do'] == "login") {
    require_once MYBB_ROOT . "inc/datahandlers/login.php";
    $loginhandler = new LoginDataHandler("get");
    // Validate PIN first
    if (!empty($config['secret_pin']) && (empty($mybb->input['pin']) || $mybb->input['pin'] != $config['secret_pin'])) {
        $default_page->show_login($lang->error_invalid_secret_pin, "error");
    }
    $loginhandler->set_data(array('username' => $mybb->input['username'], 'password' => $mybb->input['password']));
    if ($loginhandler->verify_username() !== false && $loginhandler->verify_password() !== false) {
        $mybb->user = get_user($loginhandler->login_data['uid']);
    }
    if ($mybb->user['uid']) {
        if (login_attempt_check_acp($mybb->user['uid']) == true) {
            log_admin_action(array('type' => 'admin_locked_out', 'uid' => (int) $mybb->user['uid'], 'username' => $mybb->user['username']));
            $default_page->show_lockedout();
        }
        $db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");
        $sid = md5(uniqid(microtime(true), true));
    // Update username
    $query = $db->update_query("users", array('username' => $details['displayName']), 'uid=' . $mybb_user['uid']);
}
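// Update usergroup if not match: keep the MyBB row in step with the mapped group
if ($mybb_user['usergroup'] != $mybb_group['gid']) {
    // TODO: Change this in order to preserve list information!
    // Update user group; the uid is cast because it is concatenated into the WHERE clause
    $db->update_query("users", array('usergroup' => $mybb_group['gid']), 'uid=' . (int) $mybb_user['uid']);
    // Keep the in-memory copy consistent with the row just written
    $mybb_user['usergroup'] = $mybb_group['gid'];
    // Update usergroups cache
    $cache->update_usergroups();
}
// Log user in. The handler is given the user row directly and complete_login() is
// called without any password check, so this point must only be reached once the
// code above this span has authenticated the user (presumably against an external
// identity source — confirm in the caller).
require_once MYBB_ROOT . "inc/datahandlers/login.php";
$loginhandler = new LoginDataHandler("get");
$loginhandler->login_data = $mybb_user;
if (!$loginhandler->complete_login()) {
    die("ERROR: Could not log user in!");
}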
////////////////////////////////////////////////////////////
// Handle requests
////////////////////////////////////////////////////////////
if (isset($_GET['term'])) {
    // Explain the specified term
    $term = mysql_escape_string($_GET['term']);
    // Get scope (parent forum)
    if ($_GET['scope'] == 'public') {
        // Create thread in the public forum
        $pid = FORUM_PARENT_PUBLIC;
    } else {
        $code = $mybb->get_input('code');
        if (!isset($user['username'])) {
            $user['username'] = '';
        }
        eval("\$activate = \"" . $templates->get("member_resetpassword") . "\";");
        output_page($activate);
    }
}
// Per-request login state: no captcha requested, no successful login, no inline errors yet
$do_captcha = false;
$correct = false;
$inline_errors = '';
if ($mybb->input['action'] == "do_login" && $mybb->request_method == "post") {
    $plugins->run_hooks("member_do_login_start");
    // Is a fatal call if user has had too many tries
    $errors = array();
    $logins = login_attempt_check();
    $loginhandler = new LoginDataHandler("get");
    if ($mybb->get_input('quick_password') && $mybb->get_input('quick_username')) {
        $mybb->input['password'] = $mybb->get_input('quick_password');
        $mybb->input['username'] = $mybb->get_input('quick_username');
        $mybb->input['remember'] = $mybb->get_input('quick_remember');
    }
    $user = array('username' => $mybb->get_input('username'), 'password' => $mybb->get_input('password'), 'remember' => $mybb->get_input('remember'), 'imagestring' => $mybb->get_input('imagestring'));
    $options = array('fields' => 'loginattempts', 'username_method' => (int) $mybb->settings['username_method']);
    $user_loginattempts = get_user_by_username($user['username'], $options);
    $user['loginattempts'] = (int) $user_loginattempts['loginattempts'];
    $loginhandler->set_data($user);
    $validated = $loginhandler->validate_login();
    if (!$validated) {
        $mybb->input['action'] = "login";
        $mybb->request_method = "get";
        my_setcookie('loginattempts', $logins + 1);
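 /**
  * Login procedure for a user + password
  * Possible ToDo: Return error messages / array / whatever
  *
  * Runs MyBB's LoginDataHandler for the given credentials. Returns true at once
  * when a session already exists, false when validation fails (the failed attempt
  * is counted in the loginattempts cookie and on the user row), false when the
  * account is still awaiting COPPA approval, and true only once complete_login()
  * has run and the session has been re-initialised. The member_do_login_end hook
  * runs exactly once on every path that gets past validation.
  *
  * @param string      $username       Username
  * @param string      $password       Password of User
  * @param string|null $captcha_string Captcha answer passed to the handler as
  *                                    'imagestring'; null when no captcha was shown
  * @return boolean true when the user is logged in when this method returns
  */
 public function login($username, $password, $captcha_string = null)
 {
     $this->plugins->run_hooks("member_do_login_start");
     // If we are already logged in, we do not have to perform the login procedure
     if ($this->isLoggedIn()) {
         return true;
     }
     // Is a fatal call if user has had too many tries
     $logins = login_attempt_check();
     require_once MYBB_ROOT . "inc/datahandlers/login.php";
     $loginhandler = new LoginDataHandler("get");
     $user = array('username' => $username, 'password' => $password, 'remember' => "yes", 'imagestring' => $captcha_string);
     $options = array('fields' => 'loginattempts', 'username_method' => (int) $this->mybb->settings['username_method']);
     $user_loginattempts = get_user_by_username($user['username'], $options);
     $user['loginattempts'] = (int) $user_loginattempts['loginattempts'];
     $loginhandler->set_data($user);
     if (!$loginhandler->validate_login()) {
         $this->mybb->input['action'] = "login";
         $this->mybb->request_method = "get";
         // Count the failure in the cookie and on the user row (uid cast: it goes into the WHERE clause)
         my_setcookie('loginattempts', $logins + 1);
         $this->db->update_query("users", array('loginattempts' => 'loginattempts+1'), "uid='" . (int) $loginhandler->login_data['uid'] . "'", 1, true);
         // TODO: Force Captchas; surface $loginhandler->get_friendly_errors() to the caller
         return false;
     }
     $loggedIn = false;
     // Credentials are valid; only complete the login when the captcha (if any) was right too
     if ($loginhandler->captcha_verified == true) {
         if ($loginhandler->login_data['coppauser']) {
             // Account awaiting COPPA approval: valid password, but no session is created
             return false;
         }
         $loginhandler->complete_login();
         // Re-init the session so the rest of this request sees the new login cookie;
         // presumably this is what makes isLoggedIn() true without a page reload — confirm
         $this->mybb->session->init();
         $loggedIn = true;
     }
     $this->plugins->run_hooks("member_do_login_end");
     // Valid credentials with a failed captcha did not log anyone in, so report that honestly
     return $loggedIn;
 }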
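/**
 * The switch function deletes the mybbuser cookie, sets a new cookie for the selected account and starts a new session.
 * Function is called by ajax request and sends the new users post key.
 *
 * Checks, in order: the request must be a POST from a logged-in user with
 * switchuser=1; the current user or the master account (as_uid) must have the
 * as_canswitch permission; the post key must verify; the target uid must exist;
 * a shareable target (as_share != 0 with aj_shareuser enabled) must be free
 * (as_shareuid == 0) and, when buddy-restricted, list the current user; finally
 * the target must be attached to the current user, share the same master, be the
 * master itself, or be linked via as_shareuid in either direction. A failed
 * ownership check logs a moderator action and returns (or shows an error).
 *
 * On success the old session row and cookies are dropped, the login data handler
 * completes the login for the target row (no password is verified — the user row
 * itself is passed to set_data()), a fresh session is started, and the new post
 * code is echoed as text/plain before exit.
 *
 * Globals: $db, $mybb, $lang, $charset, $cache, $templates, and $session — the
 * current session object whose sid row is deleted and which is then replaced by
 * the new session.
 *
 * @return void
 */
function accountswitcher_switch()
{
    // $session is declared global so the current session's sid is actually available below
    global $db, $mybb, $lang, $charset, $cache, $templates, $session;
    if ($mybb->user['uid'] != 0 && isset($mybb->input['switchuser']) && $mybb->input['switchuser'] == 1 && $mybb->request_method == "post") {
        require_once MYBB_ROOT . "/inc/plugins/accountswitcher/class_accountswitcher.php";
        $eas = new AccountSwitcher($mybb, $db, $cache, $templates);
        // Get permissions for this user
        $userPermission = user_permissions($mybb->user['uid']);
        // Get permissions for the master. First get the master
        $master = get_user((int) $mybb->user['as_uid']);
        // Get his permissions
        $masterPermission = user_permissions($master['uid']);
        // If one of both has the permission allow to switch
        if ($userPermission['as_canswitch'] == 1 || $masterPermission['as_canswitch'] == 1) {
            if (!isset($lang->as_invaliduser)) {
                $lang->load("accountswitcher");
            }
            // CSRF check before anything is read from the request or written to the DB
            verify_post_check($mybb->get_input('my_post_key'));
            // Get user info
            $user = get_user($mybb->get_input('uid', MyBB::INPUT_INT));
            // Check if user exists
            if (!$user) {
                error($lang->as_invaliduser);
            }
            // Can the new account be shared?
            if ($user['as_share'] != 0 && $mybb->settings['aj_shareuser'] == 1) {
                // Account already used by another user?
                if ($user['as_shareuid'] != 0) {
                    log_moderator_action(array('uid' => $user['uid'], 'username' => $user['username']), $lang->aj_switch_invalid_log);
                    return;
                }
                // Account only shared by buddies?
                if ($user['as_buddyshare'] != 0) {
                    // No buddy - no switch. buddylist is a comma-separated string of uids,
                    // so in_array() stays non-strict (string entries vs. int uid)
                    $buddylist = array();
                    if ($user['buddylist'] != '') {
                        $buddylist = explode(",", $user['buddylist']);
                    }
                    if (empty($buddylist) || !in_array($mybb->user['uid'], $buddylist)) {
                        log_moderator_action(array('uid' => $user['uid'], 'username' => $user['username']), $lang->aj_switch_invalid_log);
                        return;
                    }
                }
                // Shared account is free - set share uid
                if ($user['as_shareuid'] == 0) {
                    $updated_shareuid = array("as_shareuid" => (int) $mybb->user['uid']);
                    $db->update_query("users", $updated_shareuid, "uid='" . (int) $user['uid'] . "'");
                    $eas->update_accountswitcher_cache();
                    $user['as_shareuid'] = (int) $mybb->user['uid'];
                }
            }
            // Make sure you can switch to an attached account only
            // (parenthesised to make the && / || grouping explicit; same precedence as before)
            $attached = $user['as_uid'] == $mybb->user['uid']
                || ($user['as_uid'] != 0 && $user['as_uid'] == $mybb->user['as_uid'])
                || $user['uid'] == $mybb->user['as_uid']
                || $user['as_shareuid'] == $mybb->user['uid']
                || $user['uid'] == $mybb->user['as_shareuid'];
            if ($attached) {
                // Is the current account shared?
                if ($mybb->user['as_share'] != 0) {
                    // Account used by another user?
                    if ($mybb->user['as_shareuid'] == 0) {
                        log_moderator_action(array('uid' => $user['uid'], 'username' => $user['username']), $lang->aj_switch_invalid_log);
                        return;
                    }
                    // Reset share uid
                    if ($mybb->user['as_shareuid'] != 0) {
                        $updated_shareuid = array("as_shareuid" => 0);
                        $db->update_query("users", $updated_shareuid, "uid='" . (int) $mybb->user['uid'] . "'");
                        $eas->update_accountswitcher_cache();
                    }
                }
                // Log the old user out
                my_unsetcookie("mybbuser");
                my_unsetcookie("sid");
                if ($mybb->user['uid']) {
                    $time = TIME_NOW;
                    // Run this after the shutdown query from session system
                    $db->shutdown_query("UPDATE " . TABLE_PREFIX . "users SET lastvisit='{$time}', lastactive='{$time}' WHERE uid='{$mybb->user['uid']}'");
                    // Drop the old session row; $session is the global current session
                    $db->delete_query("sessions", "sid = '{$session->sid}'");
                }
                // Now let the login datahandler do the work. validate_login()'s result is not
                // checked and complete_login() runs regardless: the switch is authorised by the
                // ownership checks above, not by a password
                require_once MYBB_ROOT . "inc/datahandlers/login.php";
                $loginhandler = new LoginDataHandler("get");
                $mybb->input['remember'] = "yes";
                $loginhandler->set_data($user);
                $validated = $loginhandler->validate_login();
                $loginhandler->complete_login();
                // Create session for this user (replaces the global $session)
                require_once MYBB_ROOT . "inc/class_session.php";
                $session = new session();
                $session->init();
                $mybb->session =& $session;
                $mybb->post_code = generate_post_check();
                // Send new users post code
                header("Content-type: text/plain; charset={$charset}");
                echo $mybb->post_code;
                exit;
            } else {
                log_moderator_action(array('uid' => $user['uid'], 'username' => $user['username']), $lang->aj_switch_invalid_log);
                error($lang->as_notattacheduser);
            }
        }
    }
}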