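/**
 * Form handler for the login form: authenticates the submitted credentials and,
 * on success, discards any pending password-reset token, stamps the login time,
 * carries over the form data saved in the 'login' session set before the user
 * was interrupted, and redirects to the originally requested URI (or the admin
 * root when there is none).
 *
 * @param FormUI $form The submitted form; habari_username and habari_password are read from it
 * @return bool true after a successful login (the redirect is issued before returning);
 *              on failure the password field is blanked, an error is set and nothing is returned
 */
public function loginform_do_login($form)
{
	$name = $form->habari_username->value;
	$pass = $form->habari_password->value;

	// Loose comparison against null deliberately treats an empty string as "not supplied".
	if (null != $name || null != $pass) {
		$user = User::authenticate($name, $pass);

		if ($user instanceof User && $user != false) {
			/* Successfully authenticated. */
			// NOTE(review): no session id rotation is visible here — confirm Session does it
			// on login, otherwise this path is exposed to session fixation.

			// A pending password reset token is discarded on a real login so that a
			// previously requested (and possibly leaked) reset link cannot be used later.
			$userinfo = $user->info;
			if (isset($userinfo->password_reset)) {
				unset($userinfo->password_reset);
			}

			// Timestamp last login date and time.
			$user->info->authenticate_time = DateTime::create()->format('Y-m-d H:i:s');
			$user->update();

			// Remove left over expired session error message.
			if (Session::has_errors('expired_session')) {
				Session::remove_error('expired_session');
			}

			$login_session = Session::get_set('login');
			if (!empty($login_session)) {
				/* Now that we know we're dealing with the same user, transfer the form
				   data so he does not lose his request. (The original read from an
				   undefined $last_form_data and therefore stored null.) */
				if (!empty($login_session['post_data'])) {
					Session::add_to_set('last_form_data', $login_session['post_data'], 'post');
				}
				if (!empty($login_session['get_data'])) {
					Session::add_to_set('last_form_data', $login_session['get_data'], 'get');
				}

				// The saved value is the URI that was requested, so it is appended to the
				// site host rather than parsed. Only accept an absolute path: a value that
				// does not start with '/' (scheme- or '@'-prefixed) would let the host part
				// of the resulting URL be rewritten, i.e. an off-site redirect.
				$original = isset($login_session['original']) ? $login_session['original'] : '';
				if (is_string($original) && strpos($original, '/') === 0) {
					$login_dest = Site::get_url('host') . $original;
				} else {
					$login_dest = Site::get_url('admin');
				}
			} else {
				$login_session = null;
				$login_dest = Site::get_url('admin');
			}

			// Plugins may override the destination; they receive the user and the saved session set.
			$login_dest = Plugins::filter('login_redirect_dest', $login_dest, $user, $login_session);

			// finally, redirect to the destination
			Utils::redirect($login_dest);
			return true;
		}

		/* Authentication failed. */
		// Do not echo the submitted password back into the form.
		$form->habari_password->value = '';
		$this->handler_vars['error'] = _t('Bad credentials');
	}
}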
<!-- commentsform -->
<h3 id="respond">Leave a Reply</h3>
<?php
	// Write out any messages queued in the session (e.g. from a rejected
	// submission) directly above the form, then render the post's comment form.
	if ( Session::has_errors() ) {
		Session::messages_out();
	}
	$form = $post->comment_form();
	$form->out();
?>
<!-- commentsform -->
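/**
 * Either just display the login form; or check a user's credentials, and
 * create a session for them; or handle a password reset request.
 *
 * Dispatches on the submitted button: a 'Reset password' POST mails a reset
 * link (the notice is shown whether or not the user exists, so the form cannot
 * be used to enumerate usernames); otherwise the credentials in $_POST are
 * checked and a successful login redirects into the admin area. If nothing
 * redirects, the login form is rendered with any error that was set.
 */
public function act_login()
{
	$name = null;

	// If we're a reset password request, do that.
	if (isset($_POST['submit_button']) && $_POST['submit_button'] === _t('Reset password')) {
		Utils::check_request_method(array('POST'));
		$name = $this->handler_vars['habari_username'];
		if ($name !== NULL) {
			// Numeric input is refused so that User::get() cannot be driven by user id.
			if (!is_numeric($name) && ($user = User::get($name))) {
				$hash = Utils::random_password();
				// Only a digest of the token is stored; the plaintext goes out by mail.
				// NOTE(review): the token's strength rests on Utils::random_password() and
				// on the comparison done by the password_reset page, neither visible here,
				// and no expiry is recorded for it — confirm both.
				$user->info->password_reset = md5($hash);
				$user->info->commit();
				$message = _t('Please visit %1$s to reset your password.', array(URL::get('user', array('page' => 'password_reset', 'id' => $user->id, 'hash' => $hash))));
				Utils::mail($user->email, _t('[%1$s] Password reset request for %2$s', array(Options::get('title'), $user->displayname)), $message);
			}
			// Moving this inside the check for user existence would allow attackers to test usernames, so don't
			Session::notice(_t('A password reset request has been sent to the user.'));
		}
	} else {
		Utils::check_request_method(array('GET', 'HEAD', 'POST'));
		// A plain GET/HEAD carries no form body: read defensively instead of emitting undefined-index notices.
		$name = isset($_POST['habari_username']) ? $_POST['habari_username'] : null;
		$pass = isset($_POST['habari_password']) ? $_POST['habari_password'] : null;

		// Loose comparison against null deliberately treats an empty string as "not supplied".
		if (NULL != $name || NULL != $pass) {
			$user = User::authenticate($name, $pass);
			if ($user instanceof User && FALSE != $user) {
				/* Successfully authenticated. */
				// NOTE(review): no session id rotation is visible here — confirm Session does it
				// on login, otherwise this path is exposed to session fixation.

				// Timestamp last login date and time.
				$user->info->authenticate_time = date('Y-m-d H:i:s');
				$user->update();

				// Remove left over expired session error message.
				if (Session::has_errors('expired_session')) {
					Session::remove_error('expired_session');
				}

				$login_session = Session::get_set('login');
				if (!empty($login_session)) {
					/* Now that we know we're dealing with the same user, transfer the form
					   data so he does not lose his request. (The original read from an
					   undefined $last_form_data and therefore stored null.) */
					if (!empty($login_session['post_data'])) {
						Session::add_to_set('last_form_data', $login_session['post_data'], 'post');
					}
					if (!empty($login_session['get_data'])) {
						Session::add_to_set('last_form_data', $login_session['get_data'], 'get');
					}

					/* Redirect to the correct admin page. Only the segment after 'admin/'
					   is reused and it is rebuilt through URL::get(), so the saved URI is
					   never redirected to verbatim. */
					$original = $login_session['original'];
					$dest = explode('/', MultiByte::substr($original, MultiByte::strpos($original, 'admin/')));
					if ('' == $dest[0] || !isset($dest[1])) {
						// No page segment (e.g. a bare 'admin'): land on the admin root instead
						// of building 'page=' from a missing array element.
						$login_dest = Site::get_url('admin');
					} else {
						// Replace '?' with '&' in $dest[1] before call URL::get()
						// Therefore calling URL::get() with a query string
						$dest[1] = str_replace('?', '&', $dest[1]);
						$login_dest = URL::get('admin', 'page=' . $dest[1]);
					}
				} else {
					$login_session = null;
					$login_dest = Site::get_url('admin');
				}

				// filter the destination
				$login_dest = Plugins::filter('login_redirect_dest', $login_dest, $user, $login_session);

				// finally, redirect to the destination
				Utils::redirect($login_dest);
				return TRUE;
			}

			/* Authentication failed. */
			// Do not echo the submitted password back into the form.
			$_POST['habari_password'] = '';
			$this->handler_vars['error'] = _t('Bad credentials');
		}
	}

	// Display the login form.
	$this->login_form($name);
}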
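/**
 * Add a comment to the site
 *
 * Validates the submission (required fields, non-empty content, comments
 * enabled on the post, the 'comment' permission), sanitises every field
 * through InputFilter, keeps the commenter URL only if it parses as an
 * absolute http(s) URL, lets plugins act on and rate the comment, stores it
 * and redirects back to the post. Every failure path ends in Utils::redirect()
 * (or a 403 when the post cannot be resolved).
 *
 * @param mixed $post A Post object instance or Post object id
 * @param string $name The commenter's name
 * @param string $email The commenter's email address
 * @param string $url The commenter's website URL
 * @param string $content The comment content
 * @param array $extra An associative array of extra values that should be considered
 */
function add_comment($post, $name = null, $email = null, $url = null, $content = null, $extra = null)
{
	if (is_numeric($post)) {
		$post = Post::get(array('id' => $post));
	}
	if (!$post instanceof Post) {
		// Not sure what you're trying to pull here, but that's no good
		header('HTTP/1.1 403 Forbidden', true, 403);
		die;
	}

	// let's do some basic sanity checking on the submission
	if (1 == Options::get('comments_require_id') && (empty($name) || empty($email))) {
		Session::error(_t('Both name and e-mail address must be provided.'));
	}
	if (empty($content)) {
		Session::error(_t('You did not provide any content for your comment!'));
	}
	if (Session::has_errors()) {
		// save whatever was provided in session data
		Session::add_to_set('comment', $name, 'name');
		Session::add_to_set('comment', $email, 'email');
		Session::add_to_set('comment', $url, 'url');
		Session::add_to_set('comment', $content, 'content');
		// now send them back to the form
		Utils::redirect($post->permalink . '#respond');
	}

	if ($post->info->comments_disabled) {
		// comments are disabled, so let's just send
		// them back to the post's permalink
		Session::error(_t('Comments on this post are disabled!'));
		Utils::redirect($post->permalink);
	}

	/* Sanitize data */
	$name = InputFilter::filter($name);
	$email = InputFilter::filter($email);
	$url = InputFilter::filter($url);
	$content = InputFilter::filter($content);

	/* Sanitize the URL: only an absolute http(s) URL survives, and it is rebuilt
	   from the parsed form. A relative value is retried with an 'http://' prefix.
	   The original fell through to glue_url() even when the parse reported an
	   error (as long as the scheme came back http/https); a failed parse is now
	   rejected outright. */
	if (!empty($url)) {
		$parsed = InputFilter::parse_url($url);
		if ($parsed['is_relative']) {
			// guess if they meant to use an absolute link
			$parsed = InputFilter::parse_url('http://' . $url);
		}
		if ($parsed['is_error'] || $parsed['is_pseudo'] || ($parsed['scheme'] !== 'http' && $parsed['scheme'] !== 'https')) {
			// disallow unparsable, pseudo and non-http(s) URLs
			$url = '';
		} else {
			// reconstruct the URL from the error-tolerant parsing
			// http:moeffju.net/blog/ -> http://moeffju.net/blog/
			$url = InputFilter::glue_url($parsed);
		}
	}

	if (preg_match('/^\\p{Z}*$/u', $content)) {
		Session::error(_t('Comment contains only whitespace/empty comment'));
		Utils::redirect($post->permalink);
	}

	/* Create comment object*/
	$comment = new Comment(array(
		'post_id' => $post->id,
		'name' => $name,
		'email' => $email,
		'url' => $url,
		// ip2long() returns false for anything that is not a dotted IPv4 address
		// (IPv6 included), which '%u' turns into "0"; the column is presumably an
		// unsigned integer — confirm before widening this.
		'ip' => sprintf("%u", ip2long($_SERVER['REMOTE_ADDR'])),
		'content' => $content,
		'status' => Comment::STATUS_UNAPPROVED,
		'date' => HabariDateTime::date_create(),
		'type' => Comment::COMMENT,
	));

	// Should this really be here or in a default filter?
	// In any case, we should let plugins modify the status after we set it here.
	$user = User::identify();
	if ($user->loggedin && $comment->email == $user->email) {
		$comment->status = Comment::STATUS_APPROVED;
	}

	// Users need to have permission to add comments
	if (!$user->can('comment')) {
		Session::error(_t('You do not have permission to create comments.'));
		Utils::redirect($post->permalink);
	}

	// Allow themes to work with comment hooks
	Themes::create();

	// Allow plugins to change comment data and add commentinfo based on plugin-added form fields
	Plugins::act('comment_accepted', $comment, $this->handler_vars, $extra);

	// Let plugins rate the comment. The returned rating is not used by this method;
	// presumably plugins act on $comment->status through the object itself.
	$spam_rating = 0;
	Plugins::filter('spam_filter', $spam_rating, $comment, $this->handler_vars, $extra);

	$comment->insert();

	$anchor = '';
	// If the comment was saved
	if ($comment->id && $comment->status != Comment::STATUS_SPAM) {
		$anchor = '#comment-' . $comment->id;

		// store in the user's session that this comment is pending moderation
		if ($comment->status == Comment::STATUS_UNAPPROVED) {
			Session::notice(_t('Your comment is pending moderation.'), 'comment_' . $comment->id);
		}

		// if no cookie exists, we should set one
		// but only if the user provided some details
		$cookie = 'comment_' . Options::get('GUID');
		if (!$user->loggedin && !isset($_COOKIE[$cookie]) && (!empty($name) || !empty($email) || !empty($url))) {
			// Remembered commenter details; the values went through InputFilter above.
			$cookie_content = $comment->name . '#' . $comment->email . '#' . $comment->url;
			$site_url = Site::get_path('base', true);
			setcookie($cookie, $cookie_content, time() + 31536000, $site_url);
		}
	}

	// Return the commenter to the original page.
	Utils::redirect($post->permalink . $anchor);
}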
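/**
 * Handles POST requests from the Users listing (ie: creating a new user)
 *
 * Recognises two actions from the whitelisted handler_vars keys:
 *   - newuser: validate new_username / new_email / new_pass1 / new_pass2,
 *     refuse an already assigned username, and insert the account with the
 *     password run through Utils::crypt(). Validation errors are queued under
 *     the 'adduser' key and the submitted username/email are handed back to the
 *     template so the form can be re-filled (the password never is).
 *   - delete: delegate to update_users().
 * Always finishes by rendering the 'users' template.
 */
public function post_users()
{
	$this->fetch_users();

	// filter_keys() yields only the whitelisted keys, so nothing else from the
	// request reaches the locals below (the original expanded them with ${$key}).
	$extract = $this->handler_vars->filter_keys('newuser', 'delete', 'new_pass1', 'new_pass2', 'new_email', 'new_username');
	$values = array();
	foreach ($extract as $key => $value) {
		$values[$key] = $value;
	}
	$new_pass1 = isset($values['new_pass1']) ? $values['new_pass1'] : null;
	$new_pass2 = isset($values['new_pass2']) ? $values['new_pass2'] : null;
	$new_email = isset($values['new_email']) ? $values['new_email'] : null;
	$new_username = isset($values['new_username']) ? $values['new_username'] : null;

	$action = null;
	if (isset($values['newuser'])) {
		$action = 'newuser';
	} elseif (isset($values['delete'])) {
		$action = 'delete';
	}

	if ('newuser' === $action) {
		if (empty($new_pass1) || empty($new_pass2)) {
			Session::error(_t('Password is required.'), 'adduser');
		} elseif ($new_pass1 !== $new_pass2) {
			Session::error(_t('Password mis-match.'), 'adduser');
		}
		if (empty($new_email) || strpos($new_email, '@') === false) {
			Session::error(_t('Please supply a valid email address.'), 'adduser');
		}
		if (empty($new_username)) {
			Session::error(_t('Please supply a user name.'), 'adduser');
		} else {
			// safety check to make sure no such username exists
			$user = User::get_by_name($new_username);
			if (isset($user->id)) {
				Session::error(_t('That username is already assigned.'), 'adduser');
			}
		}

		if (!Session::has_errors('adduser')) {
			$user = new User(array('username' => $new_username, 'email' => $new_email, 'password' => Utils::crypt($new_pass1)));
			if ($user->insert()) {
				Session::notice(sprintf(_t("Added user '%s'"), $new_username));
			} else {
				// NOTE(review): this surfaces the raw driver error text in the admin UI.
				$dberror = DB::get_last_error();
				Session::error($dberror[2], 'adduser');
			}
		} else {
			// Hand the rejected values back so the form can be re-filled. The original
			// tested $username (never assigned) here, so the username was always dropped.
			$settings = array();
			if (isset($new_username)) {
				$settings['new_username'] = $new_username;
			}
			if (isset($new_email)) {
				$settings['new_email'] = $new_email;
			}
			$this->theme->assign('settings', $settings);
		}
	} elseif ('delete' === $action) {
		$this->update_users($this->handler_vars);
	}

	$this->theme->display('users');
}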
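/**
 * function add_comment
 * adds a comment to a post, if the comment content is not NULL
 *
 * Reads id, name, email, url and content from handler_vars (the POST data),
 * validates and sanitises them, keeps the commenter URL only if it parses as
 * an absolute http(s) URL, lets plugins rate the comment, stores it and
 * redirects back to the post. Every failure path ends in Utils::redirect()
 * (or a 403 when no post can be resolved from the request).
 *
 * @param array An associative array of content found in the $_POST array
 */
public function act_add_comment()
{
	Utils::check_request_method(array('POST'));
	$defaults = array('name' => '', 'email' => '', 'url' => '', 'content' => '');

	// We need to get the post anyway to redirect back to the post page.
	// A request without an id is refused outright rather than handed to Post::get().
	$post = isset($this->handler_vars['id']) ? Post::get(array('id' => $this->handler_vars['id'])) : null;
	if (!$post) {
		// trying to comment on a non-existent post? Weirdo.
		header('HTTP/1.1 403 Forbidden', true, 403);
		die;
	}

	// make sure all our default values are set so we don't throw undefined index errors
	foreach ($defaults as $k => $v) {
		if (!isset($this->handler_vars[$k])) {
			$this->handler_vars[$k] = $v;
		}
	}

	// let's do some basic sanity checking on the submission
	if (1 == Options::get('comments_require_id') && (empty($this->handler_vars['name']) || empty($this->handler_vars['email']))) {
		Session::error(_t('Both name and e-mail address must be provided.'));
	}
	if (empty($this->handler_vars['content'])) {
		Session::error(_t('You did not provide any content for your comment!'));
	}
	if (Session::has_errors()) {
		// save whatever was provided in session data
		Session::add_to_set('comment', $this->handler_vars['name'], 'name');
		Session::add_to_set('comment', $this->handler_vars['email'], 'email');
		Session::add_to_set('comment', $this->handler_vars['url'], 'url');
		Session::add_to_set('comment', $this->handler_vars['content'], 'content');
		// now send them back to the form
		Utils::redirect($post->permalink . '#respond');
	}

	if ($post->info->comments_disabled) {
		// comments are disabled, so let's just send
		// them back to the post's permalink
		Session::error(_t('Comments on this post are disabled!'));
		Utils::redirect($post->permalink);
	}

	/* Sanitize data */
	foreach ($defaults as $k => $v) {
		$this->handler_vars[$k] = InputFilter::filter($this->handler_vars[$k]);
	}

	/* Sanitize the URL: only an absolute http(s) URL survives, and it is rebuilt
	   from the parsed form. A relative value is retried with an 'http://' prefix.
	   The original fell through to glue_url() even when the parse reported an
	   error (as long as the scheme came back http/https); a failed parse is now
	   rejected outright. */
	if (!empty($this->handler_vars['url'])) {
		$url = $this->handler_vars['url'];
		$parsed = InputFilter::parse_url($url);
		if ($parsed['is_relative']) {
			// guess if they meant to use an absolute link
			$parsed = InputFilter::parse_url('http://' . $url);
		}
		if ($parsed['is_error'] || $parsed['is_pseudo'] || ($parsed['scheme'] !== 'http' && $parsed['scheme'] !== 'https')) {
			// disallow unparsable, pseudo and non-http(s) URLs
			$url = '';
		} else {
			// reconstruct the URL from the error-tolerant parsing
			// http:moeffju.net/blog/ -> http://moeffju.net/blog/
			$url = InputFilter::glue_url($parsed);
		}
		$this->handler_vars['url'] = $url;
	}

	if (preg_match('/^\\p{Z}*$/u', $this->handler_vars['content'])) {
		Session::error(_t('Comment contains only whitespace/empty comment'));
		Utils::redirect($post->permalink);
	}

	/* Create comment object*/
	$comment = new Comment(array(
		// Use the id of the post actually loaded, not the raw request value.
		'post_id' => $post->id,
		'name' => $this->handler_vars['name'],
		'email' => $this->handler_vars['email'],
		'url' => $this->handler_vars['url'],
		// ip2long() returns false for anything that is not a dotted IPv4 address
		// (IPv6 included), which '%u' turns into "0"; the column is presumably an
		// unsigned integer — confirm before widening this.
		'ip' => sprintf("%u", ip2long($_SERVER['REMOTE_ADDR'])),
		'content' => $this->handler_vars['content'],
		'status' => Comment::STATUS_UNAPPROVED,
		'date' => HabariDateTime::date_create(),
		'type' => Comment::COMMENT,
	));

	// Should this really be here or in a default filter?
	// In any case, we should let plugins modify the status after we set it here.
	$user = User::identify();
	if ($user->loggedin && $comment->email == $user->email) {
		$comment->status = Comment::STATUS_APPROVED;
	}

	// Allow themes to work with comment hooks
	Themes::create();

	// Let plugins rate the comment. The returned rating is not used by this method;
	// presumably plugins act on $comment->status through the object itself.
	$spam_rating = 0;
	Plugins::filter('spam_filter', $spam_rating, $comment, $this->handler_vars);

	$comment->insert();

	$anchor = '';
	// If the comment was saved
	if ($comment->id) {
		$anchor = '#comment-' . $comment->id;

		// store in the user's session that this comment is pending moderation
		if ($comment->status == Comment::STATUS_UNAPPROVED) {
			Session::notice(_t('Your comment is pending moderation.'), 'comment_' . $comment->id);
		}

		// if no cookie exists, we should set one
		// but only if the user provided some details
		$cookie = 'comment_' . Options::get('GUID');
		if (!isset($_COOKIE[$cookie]) && (!empty($this->handler_vars['name']) || !empty($this->handler_vars['email']) || !empty($this->handler_vars['url']))) {
			// Remembered commenter details; the values went through InputFilter above.
			$cookie_content = $comment->name . '#' . $comment->email . '#' . $comment->url;
			$site_url = Site::get_path('base', true);
			setcookie($cookie, $cookie_content, time() + 31536000, $site_url);
		}
	}

	// Return the commenter to the original page.
	Utils::redirect($post->permalink . $anchor);
}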
<?php $theme->display('header'); ?>
<div id="content">
<?php
	// Surface the session-expiry and form-expiry errors above the login form.
	// get_error()'s second argument is passed through unchanged; its meaning is not visible here.
	// NOTE(review): the message text is echoed without escaping — it is app-generated,
	// but confirm no request data can flow into these two error keys.
	$alerts = array(
		'expired_session' => '',
		'expired_form_submission' => '<br>',
	);
	foreach ( $alerts as $error_key => $trailer ) {
		if ( Session::has_errors($error_key) ) {
			echo '<div class="alert">' . Session::get_error($error_key, false) . '</div>' . $trailer;
		}
	}
?>
	<div id="primarycontent">
		<?php include 'loginform.php'; ?>
	</div>
	<?php $theme->display('sidebar'); ?>
</div>
<?php $theme->display('footer');