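/**
 * Handle a "send me a new password" request for the user in $HTTP_VARS['uid'].
 *
 * Order of operations: existence / active / permission / site-policy checks,
 * then a fresh random password is stored for the user and mailed to the
 * address on record.
 *
 * @param array $HTTP_VARS request variables; only 'uid' is read.
 * @param array $errors    appended with a message when the user has no email
 *                         address, and by opendb_user_email() on mail failure.
 * @return bool|string TRUE on success and, deliberately, for an unknown uid;
 *         FALSE when the request is refused or the password could not be
 *         stored; the string "EMAIL_NOT_SENT" when the password was replaced
 *         but the mail could not be delivered.
 */
function perform_newpassword($HTTP_VARS, &$errors) {
    $uid = $HTTP_VARS['uid'];

    if (!is_user_valid($uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User does not exist', array($uid));
        // make user look successful to prevent mining for valid userids
        return TRUE;
    }

    if (!is_user_active($uid)) {
        // Do not allow new password operation for 'deactivated' user.
        // NOTE(review): this FALSE differs from the TRUE returned for an unknown
        // uid above, so a caller that surfaces the result can still reveal that
        // a deactivated account exists; kept because callers may rely on FALSE.
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User is not active', array($uid));
        return FALSE;
    }

    if (!is_user_granted_permission(PERM_CHANGE_PASSWORD, $uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User does not have permission to change password', array($uid));
        return FALSE;
    }

    // Site-wide switch: when self-service password changes are disabled, only
    // an admin holding PERM_ADMIN_CHANGE_PASSWORD (checked for the *current*
    // session user, no uid argument) may trigger a reset.
    if (get_opendb_config_var('user_admin', 'user_passwd_change_allowed') === FALSE && !is_user_granted_permission(PERM_ADMIN_CHANGE_PASSWORD)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: Password change is disabled', array($uid));
        return FALSE;
    }

    opendb_logger(OPENDB_LOG_INFO, __FILE__, __FUNCTION__, 'User requested to be emailed a new password', array($uid));

    $user_r = fetch_user_r($uid);

    // only send if valid user (email); isset() also covers fetch_user_r()
    // returning nothing, which the bare strlen() did not.
    if (!isset($user_r['email_addr']) || strlen($user_r['email_addr']) == 0) {
        $errors[] = "User '" . $uid . "' does not have a valid email address.";
        return FALSE;
    }

    $user_passwd = generate_password(8);

    // The stored password is replaced *before* the mail goes out, so if the
    // mail then fails the old password no longer works either; the caller
    // sees "EMAIL_NOT_SENT" for that case.
    $pass_result = update_user_passwd($uid, $user_passwd);
    if ($pass_result !== TRUE) {
        // The original fell off the end here and returned NULL; report the
        // failure explicitly and in the log like the other refusals.
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: Password could not be updated', array($uid));
        return FALSE;
    }

    $subject = get_opendb_lang_var('lost_password');
    $message = get_opendb_lang_var('to_user_email_intro', 'fullname', $user_r['fullname'])
        . "\n\n" . get_opendb_lang_var('new_passwd_email')
        . "\n\n" . get_opendb_lang_var('userid') . ": " . $uid
        . "\n" . get_opendb_lang_var('password') . ": " . $user_passwd;

    if (opendb_user_email($user_r['user_id'], NULL, $subject, $message, $errors)) {
        return TRUE;
    }
    return "EMAIL_NOT_SENT";
}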
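/**
 * Render the user create / edit / signup form as an HTML string.
 *
 * @param array $user_r    the existing user row when editing; an empty array
 *                         (or non-array) when creating a new user or signing up.
 * @param array $HTTP_VARS request variables; 'op' selects the mode
 *                         ('signup', 'new_user', otherwise edit) and the other
 *                         keys carry previously submitted field values.
 * @return string the complete <form> markup.
 */
function get_user_input_form($user_r, $HTTP_VARS) {
    global $PHP_SELF;

    // Was never initialised before the first .= (undefined-variable notice).
    $buffer = '';

    // NOTE(review): $PHP_SELF is emitted unescaped into the action attribute;
    // if begin.inc.php derives it from $_SERVER['PHP_SELF'] it can carry
    // request-controlled PATH_INFO - confirm and escape if so.
    $buffer .= "<form action=\"{$PHP_SELF}\" method=\"POST\">";
    $buffer .= "<table class=\"userInputForm\">";

    if (is_not_empty_array($user_r)) {
        $buffer .= get_input_field("user_id", NULL, get_opendb_lang_var('userid'), "readonly", "", $user_r['user_id'], TRUE);
    } else {
        $buffer .= get_input_field("user_id", NULL, get_opendb_lang_var('userid'), "filtered(20,20,a-zA-Z0-9_.)", "Y", $HTTP_VARS['user_id'], TRUE);
    }

    // Role is read-only for a non-admin editing an existing user; everyone
    // else (admins, new users, signup) gets the select list.
    if (is_not_empty_array($user_r) && !is_user_granted_permission(PERM_ADMIN_USER_PROFILE)) {
        $role_r = fetch_role_r($user_r['user_role']);
        $buffer .= get_input_field("user_role", NULL, get_opendb_lang_var('user_role'), "readonly", "", $role_r['description'], TRUE);
    } else {
        $buffer .= format_field(get_opendb_lang_var('user_role'), custom_select('user_role', fetch_user_role_rs($HTTP_VARS['op'] == 'signup' ? EXCLUDE_SIGNUP_UNAVAILABLE_USER : INCLUDE_SIGNUP_UNAVAILABLE_USER), "%description%", '1', ifempty($user_r['user_role'], $HTTP_VARS['user_role']), 'role_name'));
    }

    $buffer .= get_input_field("fullname", NULL, get_opendb_lang_var('fullname'), "text(30,100)", "Y", ifempty($HTTP_VARS['fullname'], $user_r['fullname']), TRUE);
    $buffer .= get_input_field("email_addr", NULL, get_opendb_lang_var('email'), "email(30,100)", "Y", ifempty($HTTP_VARS['email_addr'], $user_r['email_addr']), TRUE);

    if (get_opendb_config_var('user_admin', 'user_themes_support') !== FALSE) {
        $uid_theme = ifempty($HTTP_VARS['uid_theme'], $user_r['theme']);
        // If theme no longer exists, then set to default!
        $buffer .= format_field(get_opendb_lang_var('user_theme'), custom_select("uid_theme", get_user_theme_r(), "%value%", 1, is_exists_theme($uid_theme) ? $uid_theme : get_opendb_config_var('site', 'theme')));
    }

    if (get_opendb_config_var('user_admin', 'user_language_support') !== FALSE) {
        // Do not bother with language input field if only one language pack available.
        if (fetch_language_cnt() > 1) {
            $uid_language = ifempty($HTTP_VARS['uid_language'], $user_r['language']);
            // If language no longer exists, then set to default!
            $buffer .= format_field(get_opendb_lang_var('user_language'), custom_select('uid_language', fetch_language_rs(), "%language%", 1, is_exists_language($uid_language) ? $uid_language : get_opendb_config_var('site', 'language'), 'language', NULL, 'default_ind'));
        }
    }

    $buffer .= "</table>";

    // Now do the addresses
    if (is_not_empty_array($user_r)) {
        $addr_results = fetch_user_address_type_rs($user_r['user_id'], TRUE);
    } else {
        $addr_results = fetch_address_type_rs(TRUE);
    }

    if ($addr_results) {
        while ($address_type_r = db_fetch_assoc($addr_results)) {
            $v_address_type = strtolower($address_type_r['s_address_type']);

            // Both branches of the original if/else made this identical call.
            $attr_results = fetch_address_type_attribute_type_rs($address_type_r['s_address_type'], 'update', TRUE);

            if ($attr_results) {
                // NOTE(review): description and s_address_type are written into
                // the markup without htmlspecialchars(); safe only while the
                // address-type table is not editable by untrusted users - confirm.
                $buffer .= '<h3>' . $address_type_r['description'] . '</h3>';
                $buffer .= "<ul class=\"addressIndicators\">";
                $buffer .= '<li><input type="checkbox" class="checkbox" name="' . $v_address_type . '[public_address_ind]" value="Y"' . (ifempty($address_type_r['public_address_ind'], $HTTP_VARS[$v_address_type]['public_address_ind']) == 'Y' ? ' CHECKED' : '') . '">' . get_opendb_lang_var('public_address_indicator') . '</li>';
                $buffer .= '<li><input type="checkbox" class="checkbox" name="' . $v_address_type . '[borrow_address_ind]" value="Y"' . (ifempty($address_type_r['borrow_address_ind'], $HTTP_VARS[$v_address_type]['borrow_address_ind']) == 'Y' ? ' CHECKED' : '') . '">' . get_opendb_lang_var('borrow_address_indicator') . '</li>';
                $buffer .= "</ul>";
                $buffer .= "<table class=\"addressInputForm\">";

                while ($addr_attribute_type_r = db_fetch_assoc($attr_results)) {
                    $fieldname = get_field_name($addr_attribute_type_r['s_attribute_type'], $addr_attribute_type_r['order_no']);

                    $value = NULL;
                    if ($address_type_r['sequence_number'] !== NULL) {
                        // Existing address: stored value, overridden by a resubmitted one.
                        if (is_lookup_attribute_type($addr_attribute_type_r['s_attribute_type'])) {
                            $value = fetch_user_address_lookup_attribute_val($address_type_r['sequence_number'], $addr_attribute_type_r['s_attribute_type'], $addr_attribute_type_r['order_no']);
                        } else {
                            $value = fetch_user_address_attribute_val($address_type_r['sequence_number'], $addr_attribute_type_r['s_attribute_type'], $addr_attribute_type_r['order_no']);
                        }
                        $value = ifempty(filter_item_input_field($addr_attribute_type_r, $HTTP_VARS[$v_address_type][$fieldname]), $value);
                    } else {
                        $value = filter_item_input_field($addr_attribute_type_r, $HTTP_VARS[$v_address_type][$fieldname]);
                    }

                    // If this is an edit operation - the value must be NOT NULL
                    // for some widgets to work properly.
                    if ($address_type_r['sequence_number'] !== NULL && $value === NULL) {
                        $value = '';
                    }

                    $buffer .= get_item_input_field($v_address_type . '[' . $fieldname . ']', $addr_attribute_type_r, NULL, $value);
                } //while

                db_free_result($attr_results);
                $buffer .= "</table>";
            } //if($attr_results)
        } //while

        db_free_result($addr_results);
    } //if($addr_results)

    // 'id' was an unquoted bare word (undefined constant) in the original.
    $buffer .= format_help_block(array('img' => 'compulsory.gif', 'text' => get_opendb_lang_var('compulsory_field'), 'id' => 'compulsory'));

    if ($HTTP_VARS['op'] == 'new_user') {
        $buffer .= "<h3>" . get_opendb_lang_var('password') . "</h3>";

        if (get_opendb_config_var('user_admin', 'user_passwd_change_allowed') !== FALSE || is_user_granted_permission(PERM_ADMIN_CHANGE_PASSWORD)) {
            $buffer .= "<table class=\"changePasswordForm\">";

            // With a working mailer the password may be left blank and generated.
            if (is_valid_opendb_mailer()) {
                $compulsory_ind = 'N';
            } else {
                $compulsory_ind = 'Y';
            }

            $buffer .= get_input_field("pwd", NULL, get_opendb_lang_var('new_passwd'), "password(30,40)", $compulsory_ind, "", TRUE);
            // NOTE(review): the translated 'passwds_do_not_match' text lands
            // inside a single-quoted JS literal in an attribute; a translation
            // containing ' or " would break the handler - confirm lang packs.
            $buffer .= get_input_field("confirmpwd", NULL, get_opendb_lang_var('confirm_passwd'), "password(30,40)", $compulsory_ind, "", TRUE, NULL, get_opendb_config_var('widgets', 'enable_javascript_validation') !== FALSE ? "if( (this.form.pwd.value.length!=0 || this.form.confirmpwd.value.length!=0) && this.form.pwd.value!=this.form.confirmpwd.value){alert('" . get_opendb_lang_var('passwds_do_not_match') . "'); this.focus(); return false;}" : "");
            $buffer .= "\n</table>";

            if ($compulsory_ind == 'N') {
                $buffer .= format_help_block(get_opendb_lang_var('new_passwd_will_be_autogenerated_if_not_specified'));
            }
        }
    }

    if ($HTTP_VARS['op'] == 'signup' && get_opendb_config_var('login.signup', 'disable_captcha') !== TRUE) {
        $buffer .= render_secret_image_form_field();
    }

    if (get_opendb_config_var('widgets', 'enable_javascript_validation') !== FALSE) {
        $onclick_event = "if(!checkForm(this.form)){return false;}else{this.form.submit();}";
    } else {
        $onclick_event = "this.form.submit();";
    }

    if (is_not_empty_array($user_r)) {
        $buffer .= "\n<input type=\"hidden\" name=\"op\" value=\"update\">";

        // Which buttons appear is a UI convenience only: the update/delete/
        // (de)activate handlers must re-check permissions server-side.
        // NOTE(review): these checks key off $HTTP_VARS['user_id'] while the
        // form above shows $user_r['user_id']; presumably the caller guarantees
        // they agree - verify.
        if ($HTTP_VARS['user_id'] != get_opendb_session_var('user_id')) {
            $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='update'; {$onclick_event}\" value=\"" . get_opendb_lang_var('update_user') . "\">";

            if (is_user_not_activated($HTTP_VARS['user_id'])) {
                $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='delete'; this.form.submit();\" value=\"" . get_opendb_lang_var('delete_user') . "\">";
            } else {
                if (is_user_active($HTTP_VARS['user_id'])) {
                    $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='deactivate'; this.form.submit();\" value=\"" . get_opendb_lang_var('deactivate_user') . "\">";
                }
            }

            if (!is_user_active($HTTP_VARS['user_id'])) {
                $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='activate'; this.form.submit();\" value=\"" . get_opendb_lang_var('activate_user') . "\">";
            }
        } else {
            $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"{$onclick_event}\" value=\"" . get_opendb_lang_var('update_details') . "\">";
        }
    } else {
        if ($HTTP_VARS['op'] != 'signup') {
            if (is_valid_opendb_mailer()) {
                // Welcome mail defaults to on, except on a resubmitted new_user
                // form where the user's own choice is kept.
                if ($HTTP_VARS['op'] == 'new_user') {
                    if ($HTTP_VARS['email_user'] == 'Y') {
                        $checked = "CHECKED";
                    } else {
                        $checked = "";
                    }
                } else {
                    $checked = "CHECKED";
                }

                $buffer .= "<p><input type=\"checkbox\" class=\"checkbox\" id=\"email_user\" name=\"email_user\" value=\"Y\" {$checked}>" . get_opendb_lang_var('send_welcome_email') . "</p>";
            }

            $buffer .= "\n<input type=\"hidden\" name=\"op\" value=\"insert\">" . "\n<input type=\"button\" class=\"button\" onclick=\"{$onclick_event}\" value=\"" . get_opendb_lang_var('add_user') . "\">";
        } else {
            $buffer .= "\n<input type=\"hidden\" name=\"op\" value=\"signup\">" . "<input type=\"hidden\" name=\"op2\" value=\"send_info\">" . "<input type=\"button\" class=\"button\" onclick=\"{$onclick_event}\" value=\"" . get_opendb_lang_var('submit') . "\">";
        }
    }

    $buffer .= "\n</form>";

    return $buffer;
}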
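require_once "./include/begin.inc.php";
include_once "./lib/JsonRpcServer.class.php";
// TODO - enable a plugin layer
include_once "./lib/jsonrpc/ItemSearch.class.php";

/**
 * Emit the HTTP Basic challenge for this site.
 *
 * The site title is passed through htmlspecialchars() so a '"' in it becomes
 * '&quot;' and cannot terminate the quoted realm; header() itself refuses
 * embedded CR/LF, so no further escaping is relied on here. The script is
 * expected to carry on to end.inc.php afterwards (no exit here).
 */
function request_http_basic_auth() {
    header('WWW-Authenticate: Basic realm="' . htmlspecialchars(get_opendb_title()) . '"');
    header('HTTP/1.0 401 Unauthorized');
}

if (is_site_enabled()) {
    // PHP only populates both keys from an Authorization: Basic header;
    // the original tested PHP_AUTH_USER alone and then read PHP_AUTH_PW
    // unconditionally (undefined-index notice when absent).
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        request_http_basic_auth();
    } else {
        // Both values are attacker-controlled; is_user_active() and
        // validate_user_passwd() must treat them as untrusted input.
        $userId = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];

        // NOTE(review): is_user_active() short-circuits before the password is
        // verified, so unknown/inactive and active accounts may be told apart
        // by response time; failed attempts are also not logged (opendb_logger
        // is available elsewhere in this codebase) - worth adding for
        // brute-force visibility.
        if (is_user_active($userId) && validate_user_passwd($userId, $password)) {
            $server = new JsonRpcServer();
            // TODO - currently no role based permissions are being performed for these services.
            $server->registerClass(new ItemSearch());
            $server->handle();
        } else {
            request_http_basic_auth();
        }
    }
} else {
    header('HTTP/1.0 503 Service Unavailable');
    echo "<h1>" . get_opendb_lang_var('site_is_disabled') . "</h1>";
    echo get_opendb_lang_var('site_is_disabled');
}

// Cleanup after begin.inc.php
require_once "./include/end.inc.php";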
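/**
 * Check that $borrower_id names an active user holding PERM_USER_BORROWER.
 *
 * @param string|null $borrower_id user id to validate; may be empty/NULL.
 * @param array       $errors      appended with a translated message when an
 *                                 id is given but rejected.
 * @return bool TRUE when usable as a borrower; FALSE when empty, inactive or
 *         lacking the borrower permission.
 */
function validate_borrower_id($borrower_id, &$errors) {
    // An empty id is rejected without an error message, as before.
    if ($borrower_id === NULL || strlen($borrower_id) == 0) {
        return FALSE;
    }

    // The original interpolated $HTTP_VARS['borrower_id'], which is not in
    // scope inside this function, so the messages never carried the id.
    if (!is_user_active($borrower_id)) {
        $errors[] = get_opendb_lang_var('invalid_borrower_user', 'user_id', $borrower_id);
        return FALSE;
    }

    if (!is_user_granted_permission(PERM_USER_BORROWER, $borrower_id)) {
        $errors[] = get_opendb_lang_var('user_must_be_borrower', 'user_id', $borrower_id);
        return FALSE;
    }

    return TRUE;
}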
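/**
 * Decide whether the current PHP session represents a live OpenDb login.
 *
 * Valid means: the site is configured, the four login markers are present,
 * the session's hash_check matches the configured site security_hash,
 * neither the overall login_timeout nor the idle_timeout (both optional,
 * compared in seconds against time()) has elapsed, and the user is still
 * active. On success last_access_time is refreshed so the idle timer
 * restarts from this request.
 *
 * @return bool
 */
function is_opendb_valid_session() {
    if (!is_opendb_configured()) {
        return FALSE;
    }

    if (get_opendb_session_var('login_time') == NULL
            || get_opendb_session_var('last_access_time') == NULL
            || get_opendb_session_var('user_id') == NULL
            || get_opendb_session_var('hash_check') == NULL) {
        return FALSE;
    }

    $site_r = get_opendb_config_var('site');

    // A valid session as far as the variables go at least.
    // Compared as strings with !==: the original used ==, under which two
    // numeric-looking strings (e.g. hex digests beginning "0e") are compared
    // as numbers and can be reported equal when they are not.
    if ((string) $site_r['security_hash'] !== (string) get_opendb_session_var('hash_check')) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'Invalid security-hash login invalidated');
        return FALSE;
    }

    // idle_timeout is how long between requests a login session
    // can remain valid. If login_timeout is set, then this controls
    // how long a session can remain active overall.
    $current_time = time();

    // Either expiry just fails the session; the original reached its final
    // return FALSE without logging, and that is preserved here.
    if (is_numeric($site_r['login_timeout']) && $current_time - get_opendb_session_var('login_time') >= $site_r['login_timeout']) {
        return FALSE;
    }

    if (is_numeric($site_r['idle_timeout']) && $current_time - get_opendb_session_var('last_access_time') >= $site_r['idle_timeout']) {
        return FALSE;
    }

    if (!is_user_active(get_opendb_session_var('user_id'))) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'Invalid user encountered');
        return FALSE;
    }

    // reset the time, as we are only interested in idle session tests.
    $_SESSION['last_access_time'] = $current_time;
    return TRUE;
}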
<?php include 'core/init.php'; if (empty($_POST) === false) { $username = $_POST['username']; $password = $_POST['password']; if (empty($username) === true || empty($password) === true) { $errors[] = 'You need to enter a user name and password'; } else { if (user_exists($username) === false) { $errors[] = 'That user name does not exist. Please click Register below.'; } else { if (is_user_active($username) === false) { $errors[] = 'Please check your email to activate your account'; } else { if (strlen($password) > 32) { //remove $errors[] = 'Password too long'; //remove } //remove $login = login($username, $password); if ($login === false) { $errors[] = 'That username and password combination is incorrect.'; } else { $_SESSION['user_id'] = $login; //set the user session header("Location: index.php"); //redirect to home exit; }
/**
 * TRUE only when $user_id is a known, active user who holds PERM_RECEIVE_EMAIL.
 *
 * Checks are evaluated in that order and stop at the first failure, so the
 * permission lookup never runs for an unknown or inactive user.
 *
 * @param string $user_id
 * @return bool
 */
function is_user_permitted_to_receive_email($user_id) {
    if (!is_user_valid($user_id)) {
        return FALSE;
    }
    if (!is_user_active($user_id)) {
        return FALSE;
    }
    return (bool) is_user_granted_permission(PERM_RECEIVE_EMAIL, $user_id);
}
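session_start();
//error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);

require 'database.php';
require 'site_config.php';
require 'functions/password.php'; // BCRYPT hashing library
require 'functions/general.php';
require 'functions/users.php';
require 'functions/project.php';

// Basename of the executing script; used below to exempt the password-change
// and logout pages from the forced redirect.
$current_file = explode('/', $_SERVER['SCRIPT_NAME']);
$current_file = end($current_file);

if (is_logged_in() === true) {
    $session_user_id = $_SESSION['user_id'];
    // lets me use the user data in other functions
    // NOTE(review): this also loads the 'password' column (the stored hash)
    // into a global used across every page; consider dropping it from the
    // column list unless a consumer really needs it.
    $user_data = get_user_data($session_user_id, 'user_id', 'username', 'password', 'first_name', 'last_name', 'email', 'password_recover', 'type', 'allow_email', 'profile', 'beta', 'active_project', 'viewed_tutorial');

    if (is_user_active($user_data['username']) === false) {
        //logs a user out if their account is disabled, even if they are browsing at the time
        session_destroy();
        echo '<meta HTTP-EQUIV="REFRESH" content="0; url=index.php">';
        exit;
    } elseif ($current_file !== 'change_password.php' && $current_file !== 'logout.php' && $user_data['password_recover'] == 1) {
        // Account is flagged for a forced password change: redirect to it.
        echo '<meta HTTP-EQUIV="REFRESH" content="0; url=change_password.php?force">';
        // Stop here, as the deactivated-account branch does. Without this the
        // requested page was still fully rendered after the meta refresh, so
        // a client ignoring the refresh saw the page despite the pending
        // forced change.
        exit;
    }
}

if (!empty($user_data['active_project'])) {
    $activeProject = get_project($user_data['active_project']);
}

$errors = array();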
//$include_deactivated_users } $listingObject->addHeaderColumn(NULL, 'user_id_rs', FALSE, 'checkbox'); $listingObject->addHeaderColumn(get_opendb_lang_var('user'), 'user_id'); $listingObject->addHeaderColumn(get_opendb_lang_var('action')); $listingObject->addHeaderColumn(get_opendb_lang_var('user_role'), 'role'); if ($HTTP_VARS['restrict_active_ind'] != 'X') { $listingObject->addHeaderColumn(get_opendb_lang_var('last_visit'), 'lastvisit'); } if ($result) { $v_listing_url_vars = $HTTP_VARS; $v_listing_url_vars['mode'] = NULL; unset($v_listing_url_vars['show_deactivated_users_cbox']); register_opendb_session_var('user_listing_url_vars', $v_listing_url_vars); while ($user_r = db_fetch_assoc($result)) { $user_is_active = is_user_active($user_r['user_id']); $listingObject->startRow(); // todo - consider disabling for guest users! if ($HTTP_VARS['restrict_active_ind'] != 'X' ? $user_is_active : TRUE) { $listingObject->addCheckboxColumn($user_r['user_id'], FALSE); } else { $listingObject->addColumn(); } $user_name = get_opendb_lang_var('user_name', array('fullname' => $user_r['fullname'], 'user_id' => $user_r['user_id'])); $listingObject->addColumn('<a href="user_profile.php?uid=' . $user_r['user_id'] . '" title="' . get_opendb_lang_var('user_profile') . '">' . $user_name . '</a>'); $action_links_rs = NULL; $action_links_rs[] = array(url => 'user_admin.php?op=edit&user_id=' . $user_r['user_id'], img => 'edit_user.gif', text => get_opendb_lang_var('edit')); if ($user_r['user_id'] != get_opendb_session_var('user_id')) { if ($user_r['active_ind'] == 'X') { $action_links_rs[] = array(url => 'user_admin.php?op=delete&user_id=' . $user_r['user_id'], img => 'delete_user.gif', text => get_opendb_lang_var('delete_user')); } else {