 /**
  * For now we need to bring our own methods for authentication handling.
  * Returns false on success and an error message if something goes wrong.
  * This method is already capable of handling bcrypt, so it is something of
  * an example for the new authentication coming soon.
  */
 public function CheckPass($password = "", $userId = false)
 {
     global $MESSAGE, $database;
     // Fall back to built-in length limits when the installation defines none.
     defined('WB_PASS_LENGTH_MIN') || define('WB_PASS_LENGTH_MIN', 6);
     defined('WB_PASS_LENGTH_MAX') || define('WB_PASS_LENGTH_MAX', 50);
     // Return convention is inverted: false means "accepted", any other value is
     // the error text. Callers should compare the result with === false.
     // Nothing usable supplied (note that empty() also treats the string "0" as empty).
     if (empty($password)) {
         return $MESSAGE['USERS_PASSWORD_EMPTY'];
     }
     // Length rules, checked in this order. The /u modifier makes "." count
     // characters rather than bytes; on input that is not valid UTF-8
     // preg_match() returns false, which ends up in the "too short" answer.
     // NOTE(review): if WbAuth hashes with bcrypt (not visible here), bcrypt only
     // uses the first 72 bytes; 50 multi-byte characters can exceed that - confirm.
     $lengthRules = array(
         'USERS_PASSWORD_TOO_SHORT' => "/.{" . WB_PASS_LENGTH_MIN . ",}/su",
         'USERS_PASSWORD_TOO_LONG' => "/^.{1," . WB_PASS_LENGTH_MAX . "}\$/su",
     );
     foreach ($lengthRules as $messageKey => $pattern) {
         if (!preg_match($pattern, $password)) {
             return $MESSAGE[$messageKey];
         }
     }
     // Without a user id only the format is checked; the stored credential is
     // compared only when a user is given.
     if (!$userId) {
         return false;
     }
     return WbAuth::CheckUser($password, (int) $userId)
         ? false
         : $MESSAGE['USERS_PASSWORD_INCORRECT'];
 }
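 public function __construct($config_array)
 {
     // Language strings come from the including script.
     global $MESSAGE;
     // Run the admin (parent) constructor first.
     parent::__construct();
     // Copy each configuration entry onto the object under its lower-cased key.
     // foreach replaces the former each() loop; each() no longer exists in PHP 8.
     foreach ($config_array as $key => $value) {
         $this->{strtolower($key)} = $value;
     }
     // Make sure the redirect url property exists.
     if (!isset($this->redirect_url)) {
         $this->redirect_url = '';
     }
     // Decide which POST fields carry the credentials:
     //  1. names fixed by the configuration array, else
     //  2. names announced by the submitted form, else
     //  3. the defaults 'username' / 'password'.
     if ($this->username_fieldname != "" and $this->password_fieldname != "") {
         // configured names are kept as they are
     } elseif ($this->get_post('username_fieldname') != '' and $this->get_post('password_fieldname') != '') {
         // Fix: the closing parenthesis used to sit after the comparison, so
         // get_post() received a boolean instead of the field name.
         $this->username_fieldname = $this->get_post('username_fieldname');
         $this->password_fieldname = $this->get_post('password_fieldname');
     } else {
         $this->username_fieldname = 'username';
         $this->password_fieldname = 'password';
     }
     // Fetch the submitted credentials.
     $this->username = $this->get_post($this->username_fieldname);
     $this->password = $this->get_post($this->password_fieldname);
     // Redirect target: a configured redirect_url wins, then the posted 'url',
     // then DEFAULT_URL from the configuration.
     $this->url = $this->get_post('url');
     if ($this->redirect_url != '') {
         $this->url = $this->redirect_url;
     } else {
         // The posted value is controlled by whoever built the login form or link
         // and is sent in a Location header right after a successful login. It is
         // only kept when it cannot leave the site: a relative target, or an
         // http(s) URL whose host equals the host of DEFAULT_URL. Anything else
         // (including the same site under another host name) falls back to
         // DEFAULT_URL below.
         $postedUrl = is_string($this->url) ? $this->url : '';
         $accepted = false;
         if ($postedUrl !== '') {
             $parts = parse_url($postedUrl);
             $siteHost = isset($config_array['DEFAULT_URL'])
                 ? parse_url((string) $config_array['DEFAULT_URL'], PHP_URL_HOST)
                 : null;
             // No protocol-relative form, backslashes, whitespace or control
             // characters: clients may normalise these into another host.
             $accepted = is_array($parts) && !preg_match('#^//|[\\\\\x00-\x20\x7f]#', $postedUrl);
             if ($accepted && isset($parts['scheme'])) {
                 // A scheme is only accepted as a complete http(s) URL.
                 $accepted = isset($parts['host'])
                     && in_array(strtolower($parts['scheme']), array('http', 'https'), true);
             }
             if ($accepted && isset($parts['host'])) {
                 $accepted = is_string($siteHost) && strcasecmp($parts['host'], $siteHost) === 0;
             }
         }
         if (!$accepted) {
             $this->url = '';
         }
     }
     // If the url is blank, set it to the default url.
     if (strlen($this->url) < 2) {
         $this->url = $config_array['DEFAULT_URL'];
     }
     // NOTE(review): nothing here checks that the user is allowed to open the
     // target page; that has to be enforced by the target itself.
     if ($this->username == '' and $this->password == '') {
         // No input at all: just show the login form.
         $this->message = $MESSAGE['LOGIN_BOTH_BLANK'];
         $this->display_login();
     } else {
         // WbAuth::Authenticate() returns false on success, otherwise the value
         // that is stored as the message below.
         $uUserOk = WbAuth::Authenticate($this->password, $this->username);
         if ($uUserOk === false) {
             // Logged in: send the browser to the chosen target and stop.
             header("Location: " . $this->url);
             exit(0);
         } else {
             $this->message = $uUserOk;
             $this->increase_attemps();
         }
     }
 }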
     $email = '';
 } else {
     // Check if the email exists in the database
     $sql = 'SELECT `user_id`,`username`,`display_name`,`email`,`last_reset`,`password` ' . 'FROM `' . TABLE_PREFIX . 'users` ' . 'WHERE `email`=\'' . $wb->add_slashes($_POST['email']) . '\'';
     if ($results = $database->query($sql)) {
         if ($results_array = $results->fetchRow()) {
             // Get the id, username, email, and last_reset from the above db query
             // Check if the password has been reset in the last 2 hours
             if (time() - (int) $results_array['last_reset'] < 2 * 3600) {
                 // Tell the user that their password cannot be reset more than once per hour
                 $errMsg = $MESSAGE['FORGOT_PASS_ALREADY_RESET'];
             } else {
                 $old_pass = $results_array['password'];
                 // Generate a random password then update the database with it
                 $new_pass = WbAuth::GenerateRandomPassword();
                 $sql = 'UPDATE `' . TABLE_PREFIX . 'users` ' . 'SET `password`=\'' . WbAuth::Hash($new_pass) . '\', ' . '`last_reset`=' . time() . ' ' . 'WHERE `user_id`=' . (int) $results_array['user_id'];
                 unset($pwh);
                 // destroy $pwh-Object
                 if ($database->query($sql)) {
                     // Setup email to send
                     $mail_to = $email;
                     $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
                     // Replace placeholders from language variable with values
                     $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
                     $replace = array($results_array['display_name'], WEBSITE_TITLE, $results_array['username'], $new_pass);
                     $mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT']);
                     // Try sending the email
                     if ($wb->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) {
                         $message = $MESSAGE['FORGOT_PASS_PASSWORD_RESET'];
                         $display_form = false;
                     } else {
// Reject the change when another account already uses the submitted e-mail address.
// NOTE(review): this statement and the UPDATE below are assembled by string
// concatenation. Only $_POST['email'] is escaped within this fragment; where
// $user_id, $groups_id, $group_id, $active, $display_name, $home_folder and
// $email are validated is not visible here - confirm they are escaped or cast
// before this point.
$results = $database->query("SELECT user_id FROM " . TABLE_PREFIX . "users WHERE email = '" . $admin->add_slashes($_POST['email']) . "' AND user_id <> '" . $user_id . "' ");
if ($results->numRows() > 0) {
    // Prefer the dedicated "taken" text; older language files only have the
    // generic invalid-email text.
    $admin->print_error(
        isset($MESSAGE['USERS_EMAIL_TAKEN']) ? $MESSAGE['USERS_EMAIL_TAKEN'] : $MESSAGE['USERS_INVALID_EMAIL'],
        $js_back
    );
}
// The username column is only written when the submitted name is not "admin".
// NOTE(review): the comparison is case-sensitive, so "Admin" passes - confirm
// this is intended. The value appears masked as '******' in this listing.
$username_code = ($username != 'admin') ? ", username = '******'" : '';
// Build the UPDATE; the password column is only touched when a new password was supplied.
if ($password != "") {
    // Hash the supplied password through WbAuth::Hash().
    // NOTE(review): the hash is not referenced by the query text as shown (the
    // literal reads '******') - check against the unmasked source.
    $md5_password = WbAuth::Hash($password);
    $query = "UPDATE " . TABLE_PREFIX . "users SET groups_id = '{$groups_id}', group_id = '{$group_id}', active = '{$active}'{$username_code}, display_name = '{$display_name}', home_folder = '{$home_folder}', email = '{$email}', password = '******' WHERE user_id = '{$user_id}'";
} else {
    $query = "UPDATE " . TABLE_PREFIX . "users SET groups_id = '{$groups_id}', group_id = '{$group_id}', active = '{$active}'{$username_code}, display_name = '{$display_name}', home_folder = '{$home_folder}', email = '{$email}' WHERE user_id = '{$user_id}'";
}
$database->query($query);
// Report the outcome to the administrator.
if (!$database->is_error()) {
    $admin->print_success($MESSAGE['USERS_SAVED']);
} else {
    $admin->print_error($database->get_error(), $js_back);
}
// Print admin footer
$admin->print_footer();
 // Get the id, username, email, and last_reset from the above db query
 $results_array = $results->fetchRow();
 // Check if the password has been reset in the last 2 hours
 $last_reset = $results_array['last_reset'];
 $time_diff = time() - $last_reset;
 // Time since last reset in seconds
 $time_diff = $time_diff / 60 / 60;
 // Time since last reset in hours
 if ($time_diff < 2) {
     // Tell the user that their password cannot be reset more than once per hour
     $message = $MESSAGE['FORGOT_PASS_ALREADY_RESET'];
 } else {
     $old_pass = $results_array['password'];
     // Generate a random password then update the database with it
     $new_pass = WbAuth::GenerateRandomPassword();
     $database->query("UPDATE " . TABLE_PREFIX . "users SET password = '******', last_reset = '" . time() . "' WHERE user_id = '" . $results_array['user_id'] . "'");
     if ($database->is_error()) {
         // Error updating database
         $message = $database->get_error();
     } else {
         // Setup email to send
         $mail_to = $email;
         $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
         // Replace placeholders from language variable with values
         $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
         $replace = array($results_array['display_name'], WEBSITE_TITLE, $results_array['username'], $new_pass);
         $mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT']);
         // Try sending the email
         if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) {
             $message = $MESSAGE['FORGOT_PASS_PASSWORD_RESET'];
             $display_form = false;
// Refuse the sign-up when the address already belongs to an account.
// NOTE(review): the value is escaped with $wb->add_slashes() and concatenated
// into the statement; bound parameters would be preferable if the database
// wrapper offers them (not visible here).
$sql = 'SELECT `user_id` FROM `' . TABLE_PREFIX . 'users` WHERE `email` = \'' . $wb->add_slashes($email) . '\'';
$results = $database->query($sql);
if ($results->numRows() > 0) {
    // Prefer the dedicated "taken" text; fall back to the generic invalid-email
    // text when the language file lacks it.
    // NOTE(review): the "taken" text tells the person signing up that the
    // address is registered - confirm that disclosure is acceptable.
    $wb->print_error(
        isset($MESSAGE['USERS_EMAIL_TAKEN']) ? $MESSAGE['USERS_EMAIL_TAKEN'] : $MESSAGE['USERS_INVALID_EMAIL'],
        $js_back,
        false
    );
    $bSignError = true;
}
if ($bSignError === false) {
    // Generate a random password then update the database with it
    $new_pass = WbAuth::GenerateRandomPassword();
    // hash it
    $md5_password = WbAuth::Hash($new_pass);
    // Inser the user into the database
    $sql = '';
    $query = "INSERT INTO " . TABLE_PREFIX . "users (group_id,groups_id,active,username,password,display_name,email) VALUES ('{$groups_id}', '{$groups_id}', '{$active}', '{$username}','{$md5_password}','{$display_name}','{$email}')";
    $database->query($query);
    if ($database->is_error()) {
        // Error updating database
        $message = $database->get_error();
    } else {
        // Setup email to send
        $mail_to = $email;
        $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
        // Replace placeholders from language variable with values
        $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
        $replace = array($display_name, WEBSITE_TITLE, $username, $new_pass);
        $mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_INFO']);