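/**
 * Handle the backend login.
 *
 * Three paths, chosen from session state and POST data:
 *  - not authenticated and the login form was posted: validate the
 *    credentials, populate $_SESSION on success and return the URL to
 *    redirect to; return false on failure, or the warning page URL when
 *    MAX_ATTEMPTS is exceeded and AUTO_DISABLE_USERS is enabled;
 *  - not authenticated, nothing posted: render the login template through
 *    the global $parser when $output is true, otherwise return false;
 *  - already authenticated: send a single Location header and return null.
 *
 * Changes against the previous revision: the empty-credentials test had a
 * precedence bug (`!$err && $a == '' || $b == ''`), the template received
 * the attempt counter under a misspelled session key ('ATTEMTPS'), the
 * authenticated branch sent two Location headers so the posted 'redirect'
 * was always overridden, the `active` column was never actually consulted
 * (the statement object was tested instead), a missing group row raised
 * notices, and the session id is now regenerated on successful login.
 *
 * @param bool $output  render the login form when no login was posted
 * @return string|false|null
 */
public static function handleLogin($output = true)
{
    global $parser;
    if (!is_object($parser)) {
        $parser = CAT_Helper_Template::getInstance('Dwoo');
    }
    CAT_Backend::initPaths();

    $val  = CAT_Helper_Validate::getInstance();
    $lang = CAT_Helper_I18n::getInstance();
    $self = self::getInstance();

    // NOTE(review): 'redirect' comes from POST and is used verbatim as a
    // Location target / return value below. Restricting it to local paths
    // would close an open redirect; left unchanged here because
    // sanitizePost() is not visible and callers may rely on absolute URLs.
    $redirect_url = $val->sanitizePost('redirect');

    if (self::is_authenticated()) {
        // exactly one Location header; the old code emitted the
        // permission-based one after the 'redirect' one, overriding it
        if ($redirect_url) {
            header('Location: ' . $redirect_url);
        } elseif ($self->checkPermission('start', 'start')) {
            header('Location: ' . CAT_ADMIN_URL . '/start/index.php');
        } else {
            header('Location: ' . CAT_URL . '/index.php');
        }
        return null;
    }

    // --- login attempt ---
    if ($val->sanitizePost('username_fieldname')) {
        return self::processLoginPost($val, $lang, $self, $redirect_url);
    }

    if (!$output) {
        return false;
    }
    self::renderLoginTemplate($val, $parser);
    return null;
}

/**
 * Validate a posted login; on success initialise the session.
 *
 * @param object $val           CAT_Helper_Validate instance
 * @param object $lang          CAT_Helper_I18n instance
 * @param object $self          auth instance providing db()
 * @param string $redirect_url  posted redirect target, may be empty
 * @return string|false  redirect URL on success, warning page URL when the
 *                       account got auto-disabled, false otherwise
 */
private static function processLoginPost($val, $lang, $self, $redirect_url)
{
    // get input data
    $user = htmlspecialchars($val->sanitizePost($val->sanitizePost('username_fieldname')), ENT_QUOTES);
    $pw   = $val->sanitizePost($val->sanitizePost('password_fieldname'));
    // a name containing any of these meta characters is rejected outright
    $name = preg_match('/[\\;\\=\\&\\|\\<\\> ]/', $user) ? '' : $user;

    $min_length      = CAT_Registry::exists('AUTH_MIN_LOGIN_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_LOGIN_LENGTH') : 5;
    $min_pass_length = CAT_Registry::exists('AUTH_MIN_PASS_LENGTH', false)  ? CAT_Registry::get('AUTH_MIN_PASS_LENGTH')  : 5;

    // check common issues
    // we do not check for too long and don't give too much hints!
    if (!$name) {
        self::setLoginError($lang->translate('Invalid credentials'));
    }
    // parenthesised: `!$err && $a == '' || $b == ''` bound as (!$err && $a == '') || $b == ''
    if (!self::$loginerror && ($user == '' || $pw == '')) {
        self::setLoginError($lang->translate('Please enter your username and password.'));
    }
    if (!self::$loginerror && strlen($user) < $min_length) {
        self::setLoginError($lang->translate('Invalid credentials'));
    }
    if (!self::$loginerror && !CAT_Registry::defined('ALLOW_SHORT_PASSWORDS') && strlen($pw) < $min_pass_length) {
        self::setLoginError($lang->translate('Invalid credentials'));
    }

    if (!self::$loginerror) {
        // NOTE(review): passwords are compared as unsalted md5 digests;
        // moving to password_hash()/password_verify() needs a data migration
        // and is out of scope for this method.
        $query   = 'SELECT * FROM `:prefix:users` WHERE `username`=:name AND `password`=:pw';
        $result  = $self->db()->query($query, array('name' => $name, 'pw' => md5($pw)));
        $userRow = ($result && $result->rowCount() == 1) ? $result->fetchRow(MYSQL_ASSOC) : false;

        // SELECT * already carries the `active` column, so the former second
        // query is not needed. A value that is set and falsy (e.g. 0 / '0')
        // marks the account disabled; TODO confirm the column's format against
        // the schema - other encodings fall through as "active", as before.
        $disabled = $userRow && isset($userRow['active']) && !$userRow['active'];

        if ($userRow && !$disabled) {
            self::populateLoginSession($self, $userRow);
            if ($redirect_url) {
                return $redirect_url;
            }
            if ($self->checkPermission('start', 'start')) {
                return CAT_ADMIN_URL . '/start/index.php?initial=true';
            }
            return CAT_URL . '/index.php';
        }

        if ($disabled) {
            self::setLoginError($lang->translate('Your account has been disabled. Please contact the administrator.'));
        } else {
            self::setLoginError($lang->translate('Invalid credentials'));
        }
    }

    if ($val->fromSession('ATTEMPTS') > CAT_Registry::get('MAX_ATTEMPTS')
        && CAT_Registry::exists('AUTO_DISABLE_USERS')
        && CAT_Registry::get('AUTO_DISABLE_USERS') === true
    ) {
        // if we have a user name
        if ($name) {
            self::disableAccount($name);
        }
        return CAT_THEME_URL . '/templates/warning.html';
    }
    return false;
}

/**
 * Store the logged-in user's columns, preferences and group permissions in
 * $_SESSION and record ip/timestamp of this login on the users table.
 *
 * @param object $self  auth instance providing db()
 * @param array  $user  users-table row as returned by fetchRow(MYSQL_ASSOC)
 */
private static function populateLoginSession($self, array $user)
{
    // default preferences, overlaid with this user's own options
    $prefs = array_merge(self::getDefaultUserOptions(), self::getUserOptions($user['user_id']));

    // new session id on privilege change: a pre-login id must not stay valid
    if (session_id() !== '') {
        session_regenerate_id(true);
    }

    foreach (self::$sessioncols as $key) {
        $_SESSION[strtoupper($key)] = $user[$key];
    }

    // ----- preferences -----
    $_SESSION['LANGUAGE'] = $user['language'] != ''
        ? $user['language']
        : (isset($prefs['language']) ? $prefs['language'] : 'DE');
    $_SESSION['TIMEZONE_STRING'] = isset($prefs['timezone_string']) && $prefs['timezone_string'] != ''
        ? $prefs['timezone_string']
        : CAT_Registry::get('DEFAULT_TIMEZONE_STRING');
    $_SESSION['CAT_DATE_FORMAT'] = isset($prefs['date_format']) && $prefs['date_format'] != ''
        ? $prefs['date_format']
        : CAT_Registry::get('CAT_DEFAULT_DATE_FORMAT');
    $_SESSION['CAT_TIME_FORMAT'] = isset($prefs['time_format']) && $prefs['time_format'] != ''
        ? $prefs['time_format']
        : CAT_Registry::get('CAT_DEFAULT_TIME_FORMAT');

    if (defined('WB2COMPAT') && WB2COMPAT === true) {
        $wb2compat_format_map = CAT_Registry::get('WB2COMPAT_FORMAT_MAP');
        // '' when the format has no mapping (was an undefined-index notice)
        $_SESSION['DATE_FORMAT'] = isset($wb2compat_format_map[$_SESSION['CAT_DATE_FORMAT']])
            ? $wb2compat_format_map[$_SESSION['CAT_DATE_FORMAT']]
            : '';
        $_SESSION['TIME_FORMAT'] = isset($wb2compat_format_map[$_SESSION['CAT_TIME_FORMAT']])
            ? $wb2compat_format_map[$_SESSION['CAT_TIME_FORMAT']]
            : '';
    }
    date_default_timezone_set($_SESSION['TIMEZONE_STRING']);

    self::applyGroupPermissions($self, $user['groups_id']);

    // Update the users table with current ip and timestamp
    $query = "UPDATE `:prefix:users` SET login_when=:when, login_ip=:ip WHERE user_id=:id";
    $self->db()->query($query, array(
        'when' => time(),
        'ip'   => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
        'id'   => $user['user_id'],
    ));
}

/**
 * Resolve the user's groups into the SYSTEM_/MODULE_/TEMPLATE_PERMISSIONS
 * and GROUP_NAME session entries. Module and template permissions are the
 * intersection over all groups; system permissions are the last non-empty
 * value seen.
 *
 * @param object $self       auth instance providing db()
 * @param string $groups_id  comma separated group ids
 */
private static function applyGroupPermissions($self, $groups_id)
{
    $_SESSION['SYSTEM_PERMISSIONS']   = 0;
    $_SESSION['MODULE_PERMISSIONS']   = array();
    $_SESSION['TEMPLATE_PERMISSIONS'] = array();
    $_SESSION['GROUP_NAME']           = array();

    $first_group = true;
    foreach (explode(",", $groups_id) as $cur_group_id) {
        $query  = "SELECT * FROM `:prefix:groups` WHERE group_id=:id";
        $result = $self->db()->query($query, array('id' => $cur_group_id));
        $group  = $result ? $result->fetch() : false;

        if (!$group) {
            // unknown group: grants nothing, but still counts as a seen group
            // so later groups are intersected rather than adopted wholesale
            // (matches the previous behaviour without the notices)
            $_SESSION['GROUP_NAME'][$cur_group_id] = null;
            $first_group = false;
            continue;
        }
        $_SESSION['GROUP_NAME'][$cur_group_id] = $group['name'];

        // Set system permissions
        if ($group['system_permissions'] != '') {
            $_SESSION['SYSTEM_PERMISSIONS'] = $group['system_permissions'];
        }
        // Set module permissions
        if ($group['module_permissions'] != '') {
            $modulePerms = explode(',', $group['module_permissions']);
            $_SESSION['MODULE_PERMISSIONS'] = $first_group
                ? $modulePerms
                : array_intersect($_SESSION['MODULE_PERMISSIONS'], $modulePerms);
        }
        // Set template permissions
        if ($group['template_permissions'] != '') {
            $templatePerms = explode(',', $group['template_permissions']);
            $_SESSION['TEMPLATE_PERMISSIONS'] = $first_group
                ? $templatePerms
                : array_intersect($_SESSION['TEMPLATE_PERMISSIONS'], $templatePerms);
        }
        $first_group = false;
    }
}

/**
 * Render the login form.
 *
 * @param object $val     CAT_Helper_Validate instance
 * @param object $parser  template engine with an output($name, $data) method
 */
private static function renderLoginTemplate($val, $parser)
{
    $username_fieldname = $val->createFieldname('username_');
    $tpl_data = array(
        'USERNAME_FIELDNAME'    => $username_fieldname,
        'PASSWORD_FIELDNAME'    => $val->createFieldname('password_'),
        'USERNAME'              => $val->sanitizePost($username_fieldname),
        'ACTION_URL'            => CAT_ADMIN_URL . '/login/index.php',
        'LOGIN_URL'             => CAT_ADMIN_URL . '/login/index.php',
        'DEFAULT_URL'           => CAT_ADMIN_URL . '/start/index.php',
        'WARNING_URL'           => CAT_THEME_URL . '/templates/warning.html',
        'REDIRECT_URL'          => ADMIN_URL . '/start/index.php',
        'FORGOTTEN_DETAILS_APP' => ADMIN_URL . '/login/forgot/index.php',
        'MIN_USERNAME_LEN'      => AUTH_MIN_LOGIN_LENGTH,
        'MAX_USERNAME_LEN'      => AUTH_MAX_LOGIN_LENGTH,
        'MIN_PASSWORD_LEN'      => AUTH_MIN_PASS_LENGTH,
        'MAX_PASSWORD_LEN'      => AUTH_MAX_PASS_LENGTH,
        'PAGES_DIRECTORY'       => PAGES_DIRECTORY,
        // same session key the attempt limit reads; was 'ATTEMTPS' (typo)
        'ATTEMPTS'              => $val->fromSession('ATTEMPTS'),
        'MESSAGE'               => self::$loginerror,
    );
    $tpl_data['meta']['LANGUAGE'] = strtolower(LANGUAGE);
    $tpl_data['meta']['CHARSET']  = defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : "utf-8";
    $parser->output('login', $tpl_data);
}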