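/**
 * Checks password posting for the current request.
 *
 * Resolves which credential set protects the request — the full-image view,
 * the search page, the current album (or its nearest password-carrying
 * ancestor), the current Zenpage page (or its nearest password-carrying
 * ancestor), and finally the gallery itself — then either processes a posted
 * login form (setting or clearing the auth cookie for that credential set)
 * or validates the auth cookie already stored for it.
 *
 * Hash and user comparisons are done with hash_equals()/=== rather than the
 * loose == operator so that numeric-looking strings cannot compare equal by
 * coercion.
 *
 * @param string|null $authType   override of authorization type (cookie name); when empty it is derived from the request context
 * @param string|null $check_auth override of the stored password hash to check against
 * @param string|null $check_user override of the stored user name to check against
 * @return void  Sets $_zp_login_error on a failed login; may redirect and exit after a successful one.
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL) {
    global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
    if (empty($authType)) { // not supplied by caller
        $check_auth = '';
        $requested = isset($_GET['p']) ? $_GET['p'] : '';
        if ((isset($_GET['z']) && $requested == 'full-image') || $requested == '*full-image') {
            $authType = 'zp_image_auth';
            $check_auth = getOption('protected_image_password');
            $check_user = getOption('protected_image_user');
        } else if (in_context(ZP_SEARCH)) { // search page
            $authType = 'zp_search_auth';
            $check_auth = getOption('search_password');
            $check_user = getOption('search_user');
        } else if (in_context(ZP_ALBUM)) { // album page
            $authType = "zp_album_auth_" . $_zp_current_album->getID();
            $check_auth = $_zp_current_album->getPassword();
            $check_user = $_zp_current_album->getUser();
            if (empty($check_auth)) {
                // walk up the album tree: the first ancestor with a password governs access
                $parent = $_zp_current_album->getParent();
                while (!is_null($parent)) {
                    $check_auth = $parent->getPassword();
                    $check_user = $parent->getUser();
                    $authType = "zp_album_auth_" . $parent->getID();
                    if (!empty($check_auth)) {
                        break;
                    }
                    $parent = $parent->getParent();
                }
            }
        } else if (in_context(ZP_ZENPAGE_PAGE)) {
            $authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
            $check_auth = $_zp_current_zenpage_page->getPassword();
            $check_user = $_zp_current_zenpage_page->getUser();
            if (empty($check_auth)) {
                // walk up the page tree the same way, loading each parent by its titlelink
                $pageobj = $_zp_current_zenpage_page;
                while (empty($check_auth)) {
                    $parentID = $pageobj->getParentID();
                    if ($parentID == 0) {
                        break;
                    }
                    // the id comes from the page record, but it is interpolated into SQL, so pin it to an int
                    $sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . (int) $parentID;
                    $result = query_single_row($sql);
                    if (!$result) { // dangling parent reference: stop at the last page we could load
                        break;
                    }
                    $pageobj = new ZenpagePage($result['titlelink']);
                    $authType = "zp_page_auth_" . $pageobj->getID();
                    $check_auth = $pageobj->getPassword();
                    $check_user = $pageobj->getUser();
                }
            }
        }
        if (empty($check_auth)) { // anything else is controlled by the gallery credentials
            $authType = 'zp_gallery_auth';
            $check_auth = $_zp_gallery->getPassword();
            $check_user = $_zp_gallery->getUser();
        }
    }

    // Handle the login form.
    if (DEBUG_LOGIN) {
        debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
    }
    if (isset($_POST['password']) && isset($_POST['pass'])) { // process login form
        $post_user = isset($_POST['user']) ? sanitize($_POST['user']) : '';
        $post_pass = $_POST['pass']; // We should not sanitize the password
        $auth = '';
        $success = false;
        foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
            $auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
            // constant-time hash comparison; strict string compare for the user name
            $success = hash_equals((string) $check_auth, (string) $auth) && (string) $post_user === (string) $check_user;
            if (DEBUG_LOGIN) {
                // the submitted password is deliberately not written to the log
                debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$post_pass=[redacted]; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
            }
            if ($success) {
                break;
            }
        }
        // plugins may override the outcome of the guest login attempt
        $success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
        if ($success) { // Correct auth info. Set the cookie.
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid credentials");
            }
            zp_setCookie($authType, $auth);
            if (isset($_POST['redirect'])) {
                // sanitizeRedirect() is what keeps this from becoming an open redirect
                $redirect_to = sanitizeRedirect($_POST['redirect'], true);
                if (!empty($redirect_to)) {
                    header("Location: " . $redirect_to);
                    exitZP();
                }
            }
        } else { // Clear the cookie, just in case
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid credentials");
            }
            zp_clearCookie($authType);
            $_zp_login_error = true;
        }
        return;
    }

    if (empty($check_auth)) { //no password on record or admin logged in
        return;
    }
    $saved_auth = zp_getCookie($authType);
    if ($saved_auth != '') {
        if (hash_equals((string) $check_auth, (string) $saved_auth)) {
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid cookie");
            }
            return;
        }
        // Clear the cookie
        if (DEBUG_LOGIN) {
            debugLog("zp_handle_password: invalid cookie");
        }
        zp_clearCookie($authType);
    }
}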
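/**
 * Checks if a guest is allowed to access this page.
 *
 * Defers to the parent check first, then locates the nearest page in the
 * ancestry (this page or a parent) that carries a password and compares the
 * stored auth cookie for that page against it using hash_equals().
 *
 * @param string|null $hint receives the protecting page's password hint when access is denied
 * @param bool|null   $show receives whether a user-name field should be shown (the protecting page has a user set)
 * @return string|false the auth cookie name granting access ('zp_public_access' when no password is required), false when access is denied
 */
function checkforGuest(&$hint = NULL, &$show = NULL) {
    if (!parent::checkForGuest()) {
        return false;
    }
    // Find the nearest page (self or ancestor) that has a password set
    $pageobj = $this;
    $hash = $pageobj->getPassword();
    while (empty($hash) && !is_null($pageobj)) {
        $parentID = $pageobj->getParentID();
        if (empty($parentID)) {
            $pageobj = NULL;
        } else {
            // the id comes from the page record, but it is interpolated into SQL, so pin it to an int
            $sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . (int) $parentID;
            $result = query_single_row($sql);
            if (!$result) { // dangling parent reference: treat as the top of the tree
                $pageobj = NULL;
                break;
            }
            $pageobj = new ZenpagePage($result['titlelink']);
            $hash = $pageobj->getPassword();
        }
    }
    if (empty($hash)) { // no password required
        return 'zp_public_access';
    }
    $authType = "zp_page_auth_" . $pageobj->get('id');
    $saved_auth = zp_getCookie($authType);
    // constant-time comparison; loose == on hash strings is unsafe (numeric-string coercion)
    if (hash_equals((string) $hash, (string) $saved_auth)) {
        return $authType;
    }
    $user = $pageobj->getUser();
    $show = !empty($user);
    $hint = $pageobj->getPasswordHint();
    return false;
}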