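/**
 * Authenticate a remote API caller and require the 'api' RBAC role.
 *
 * The presented password is run through Core_AuthService::getHash() and the
 * resulting digest is matched inside the query, so only an 'Active' user whose
 * stored digest equals the computed one is selected. A matching user that does
 * not hold the 'api' role is rejected like a bad credential. On success the
 * user's last_login / last_activity / last_ip / last_host columns are refreshed
 * and the authenticated user id is published in $_SERVER['PHP_AUTH_USER'].
 *
 * @param string $remote_ip     caller address; stored as last_ip and reverse-resolved for last_host
 * @param string $api_user      username presented by the caller
 * @param string $api_user_pass plaintext password presented by the caller
 * @return bool TRUE when the credentials match an active user holding the 'api' role, FALSE otherwise
 */
public static function checkRemoteAPIUser($remote_ip, $api_user, $api_user_pass) {
    $username = $api_user;
    // NOTE(review): matching the digest in SQL only works if getHash() is deterministic
    // (i.e. unsalted). A salted password_hash()/password_verify() scheme would need the
    // stored digest fetched by username and verified in PHP instead — confirm getHash().
    $password = Core_AuthService::getHash($api_user_pass);
    $dbh = Core_DBH::getDBH();

    try {
        $sth = $dbh->prepare(
            "SELECT user_id
             FROM " . DB_PREFIX . "user
             WHERE username = :username
               AND password = :password
               AND status = 'Active';"
        );
        $sth->bindParam(':username', $username);
        $sth->bindParam(':password', $password);
        $sth->execute();
        $result = $sth->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // File-wide convention; note that this echoes driver details to the caller.
        echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
        die;
    }

    // Unknown user, wrong password or inactive account: all look the same to the caller.
    if (empty($result)) {
        return FALSE;
    }
    $user_id = $result[0]['user_id'];

    // NIST Level 2 Standard Role Based Access Control Library
    $rbac = new PhpRbac\Rbac();

    // Verify API Role: valid credentials without the role are still a failed login.
    if (!$rbac->Users->hasRole('api', $user_id)) {
        return FALSE;
    }

    // Reverse-resolve only a well-formed address: gethostbyaddr() emits a warning and
    // returns FALSE on malformed input, and returns the address unchanged when there is
    // no PTR record, so an unresolvable caller keeps its IP as last_host either way.
    // The PTR text is attacker-influenced; it is stored raw, so escape it when rendered.
    $last_host = $remote_ip;
    if (filter_var($remote_ip, FILTER_VALIDATE_IP) !== FALSE) {
        $resolved = gethostbyaddr($remote_ip);
        if ($resolved !== FALSE) {
            $last_host = $resolved;
        }
    }
    $now = date('Y-m-d H:i:s');
    $last_login = $now;
    $last_activity = $now;

    // Update User Activity
    try {
        $sth = $dbh->prepare(
            "UPDATE " . DB_PREFIX . "user
             SET last_login    = :last_login,
                 last_activity = :last_activity,
                 last_ip       = :last_ip,
                 last_host     = :last_host
             WHERE user_id = :user_id;"
        );
        $sth->bindParam(':last_login', $last_login);
        $sth->bindParam(':last_activity', $last_activity);
        $sth->bindParam(':last_ip', $remote_ip);
        $sth->bindParam(':last_host', $last_host);
        $sth->bindParam(':user_id', $user_id);
        $sth->execute();
    } catch (PDOException $e) {
        echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
        die;
    }

    // Update $_SERVER so downstream code sees the authenticated API user id.
    $_SERVER['PHP_AUTH_USER'] = $user_id;
    return TRUE;
}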
*/ $gui = new Core_GUI($module); /** * Javascript Generator */ $js = new Core_GUI_JS($module); /** * Build Page Header */ $gui->getHeader(); /** * PAGE BODY */ //------------------------------------------------------------------------------------------------------------+ // Call security component $authService = Core_AuthService::getAuthService(); if ($authService->isBanned()) { ?> <!-- BAN MSG --> <div id="banmsg" class="alert alert-warning" role="alert"> <strong><?php echo T_('Too many incorrect login attempts'); ?> </strong> <?php echo T_('Please wait'); echo ' ' . CONF_SEC_BAN_DURATION . ' '; echo T_('seconds before trying again.'); ?> </div> <!-- END: BAN MSG -->
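/**
 * Check If The Current Session Is Legit
 *
 * Level 1 compares the decrypted session credentials against the in-memory
 * username, auth key and the current session id. Level 2 re-reads the user row
 * and requires the stored username, last_ip and token to match this request;
 * on success the user's last_activity timestamp is refreshed.
 *
 * All comparisons are strict: the previous loose == would have treated
 * numeric-looking strings (e.g. "1e3" and "1000") as equal.
 *
 * @param none
 * @return bool TRUE only when both levels match, FALSE otherwise
 * @access public
 */
public function getSessionValidity() {
    if (empty($this->username)) {
        return FALSE;
    }

    $credentials = $this->decryptSessionCredentials();
    $session_id = (string) session_id();

    // Level 1: every field must be present and match exactly. A missing or
    // undecryptable credential set previously compared null == username and
    // failed silently with notices; it now fails explicitly.
    if (!is_array($credentials)
        || !isset($credentials['username'], $credentials['key'], $credentials['token'])
        || (string) $credentials['username'] !== (string) $this->username
        || (string) $credentials['key'] !== (string) $this->auth_key
        || (string) $credentials['token'] !== $session_id) {
        return FALSE;
    }

    // Level 2
    $dbh = Core_DBH::getDBH();

    // NOTE(review): the SELECT keys on $this->session['INFORMATION']['id'] while the
    // UPDATE below keys on Core_AuthService::getSessionInfo('ID'); both are kept as
    // they were on the assumption they name the same user id — confirm.
    $session_uid = $this->session['INFORMATION']['id'];

    // Fetch information from the database
    $sth = $dbh->prepare(
        "SELECT username, last_ip, token
         FROM " . DB_PREFIX . "user
         WHERE user_id = :user_id;"
    );
    $sth->bindParam(':user_id', $session_uid);
    $sth->execute();
    $userResult = $sth->fetchAll(PDO::FETCH_ASSOC);

    // No such user row (deleted account, stale session): reject.
    if (empty($userResult)) {
        return FALSE;
    }
    $row = $userResult[0];
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';

    // Verify. Binding the session to last_ip means a client whose address changes
    // mid-session is logged out; that is the existing policy and is kept.
    if ((string) $row['username'] !== (string) $this->username
        || (string) $row['last_ip'] !== $remote_addr
        || (string) $row['token'] !== $session_id) {
        return FALSE;
    }

    // Update User Activity on page request
    $last_activity = date('Y-m-d H:i:s');
    $uid = Core_AuthService::getSessionInfo('ID');
    $sth = $dbh->prepare(
        "UPDATE " . DB_PREFIX . "user
         SET last_activity = :last_activity
         WHERE user_id = :user_id;"
    );
    $sth->bindParam(':last_activity', $last_activity);
    $sth->bindParam(':user_id', $uid);
    $sth->execute();

    return TRUE;
}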
if (!empty($module)) { // NIST Level 2 Standard Role Based Access Control Library $rbac = new PhpRbac\Rbac(); $resource = ucfirst($module) . '/'; if (!empty($page)) { $resource = ucfirst($module) . '/' . $page . '/'; } $resource = preg_replace('#(\\/+)#', '/', $resource); // MAINTENANCE CHECK if (BGP_MAINTENANCE_MODE == 1 && $rbac->Users->hasRole('root', $authService->getSessionInfo('ID')) === FALSE) { Core_AuthService::logout(); Flight::redirect('/503'); } // DROP API USERS if ($rbac->Users->hasRole('api', $authService->getSessionInfo('ID')) && $rbac->Users->hasRole('root', $authService->getSessionInfo('ID')) === FALSE) { Core_AuthService::logout(); Flight::redirect('/403'); } // Verify User Authorization On The Requested Resource // Root Users Can Bypass if ($rbac->Users->hasRole('root', $authService->getSessionInfo('ID')) || $rbac->check($resource, $authService->getSessionInfo('ID'))) { switch (Flight::request()->method) { case 'GET': // Process Task Query Parameter $task = Flight::request()->query['task']; // Page if (!empty($page)) { bgp_safe_require(MODS_DIR . '/' . $module . '/' . $module . '.' . $page . '.php'); } else { if (!empty($page) && $page == 'process' && !empty($task)) { // Verify User Authorization On The Called Method
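/**
 * User Password Renewal
 *
 * Looks up an active user by username + email. When found and the CAPTCHA
 * passed, the stored digest is replaced with one for a freshly generated
 * password, the login-attempt counter is reset and the new plaintext password
 * is mailed to the stored address. Every other outcome (unknown user/email,
 * failed CAPTCHA) increments the security counter so repeated attempts are
 * throttled and eventually banned.
 *
 * NOTE(review): mailing a plaintext password and not invalidating existing
 * sessions are design choices of this flow; neither is changed here.
 *
 * @param string $username
 * @param string $email
 * @param optional bool $captcha_validation
 * @return array AJAX response: 'success' (bool), plus 'errors', 'msgType', 'msg' on failure
 *
 * @author Nikita Rousseau
 */
public function sendNewPassword($username, $email, $captcha_validation = TRUE) {
    $form = array('username' => $username, 'email' => $email);
    $errors = array(); // array to hold validation errors
    $data = array();   // array to pass back data
    $mail = FALSE;     // mail() outcome; only set on the success path
    $dbh = Core_DBH::getDBH(); // Get Database Handle

    // validate the variables ======================================================
    $v = new Valitron\Validator($form);
    $rules = [
        'required' => [['username'], ['email']],
        'alphaNum' => [['username']],
        'email'    => [['email']],
    ];
    $v->rules($rules);
    $v->validate();
    $errors = $v->errors();

    // Verify the form =============================================================
    if (empty($errors)) {
        $username = $form['username'];
        $email = $form['email'];

        try {
            // NOTE(review): status is compared to 'active' here but to 'Active' in
            // checkRemoteAPIUser(); whether both match depends on the column
            // collation — confirm the stored spelling.
            $sth = $dbh->prepare(
                "SELECT user_id, email
                 FROM " . DB_PREFIX . "user
                 WHERE username = :username
                   AND email    = :email
                   AND status   = 'active';"
            );
            $sth->bindParam(':username', $username);
            $sth->bindParam(':email', $email);
            $sth->execute();
            $result = $sth->fetchAll();
        } catch (PDOException $e) {
            echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
            die;
        }

        if (!empty($result) && $captcha_validation) {
            $authService = Core_AuthService::getAuthService();

            // Reset Login Attempts
            $authService->rsSecCount();

            // Reset User Passwd
            $plainTextPasswd = bgp_create_random_password(13);
            $digestPasswd = Core_AuthService::getHash($plainTextPasswd);
            $user_id = $result[0]['user_id'];

            try {
                // Update User Passwd
                $sth = $dbh->prepare(
                    "UPDATE " . DB_PREFIX . "user
                     SET password = :password
                     WHERE user_id = :user_id;"
                );
                $sth->bindParam(':password', $digestPasswd);
                $sth->bindParam(':user_id', $user_id);
                $sth->execute();
            } catch (PDOException $e) {
                echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
                die;
            }

            // Send Email
            // The recipient is a mail header, not HTML, so it must not be entity-encoded
            // (an address containing & or ' was previously mangled). It is the stored
            // address that matched the validated input; the only thing still refused is
            // a CR/LF that could smuggle extra headers into mail().
            $to = (string) $result[0]['email'];
            $subject = T_('Reset Password');

            // The body is sent as text/html: escape the generated password and the
            // address before interpolating them.
            $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            $message = T_('Your password has been reset to:');
            $message .= "<br /><br />" . htmlspecialchars($plainTextPasswd, ENT_QUOTES) . "<br /><br />";
            $message .= T_('With IP') . ': ';
            $message .= htmlspecialchars($remote_addr, ENT_QUOTES);

            // NOTE(review): SERVER_NAME can reflect the request Host header on some
            // server configurations; CR/LF is stripped so it cannot extend the header
            // block. The declared iso-8859-1 charset is kept as-is — confirm it matches
            // what T_() actually emits.
            $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
            $server_name = str_replace(array("\r", "\n"), '', $server_name);
            $headers = 'MIME-Version: 1.0' . "\r\n";
            $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            $headers .= 'From: Bright Game Panel System <root@' . $server_name . '>' . "\r\n";
            $headers .= 'X-Mailer: PHP/' . phpversion();

            if (preg_match('/[\r\n]/', $to)) {
                $mail = FALSE; // reported below as a delivery error
            } else {
                $mail = mail($to, $subject, $message, $headers);
            }

            // Log Event
            $logger = self::getLogger();
            $logger->info('Password reset.');
        } else {
            // Call security component
            $authService = Core_AuthService::getAuthService();
            $authService->incrementSecCount();

            // Log Event
            $logger = self::getLogger();
            $logger->info('Bad password reset.');

            // Messages: the same text for unknown username and unknown email, so the
            // response does not reveal which of the two was wrong.
            if (empty($result)) {
                $errors['username'] = T_('Wrong information.');
                $errors['email'] = T_('Wrong information.');
            }
            if ($captcha_validation == FALSE) {
                $errors['captcha'] = T_('Wrong CAPTCHA Code.');
            }
        }
    }

    // return a response ===========================================================

    // response if there are errors
    if (!empty($errors)) {
        // if there are items in our errors array, return those errors
        $data['success'] = false;
        $data['errors'] = $errors;

        // notification
        $authService = Core_AuthService::getAuthService();
        if ($authService->isBanned()) {
            $data['msgType'] = 'warning';
            $data['msg'] = T_('You have been banned') . ' ' . CONF_SEC_BAN_DURATION . ' ' . T_('seconds!');
        } else {
            $data['msgType'] = 'warning';
            $data['msg'] = T_('Invalid information provided!');
        }
    } else {
        if (!$mail) {
            // mail delivery error
            $data['success'] = false;

            // notification
            $data['msgType'] = 'danger';
            $data['msg'] = T_('An error has occured while sending the email. Contact your system administrator.');
        } else {
            $data['success'] = true;
        }
    }

    // return all our data to an AJAX call
    return $data;
}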
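/**
 * Update User Configuration
 *
 * Validates the submitted profile fields, writes them to the current session
 * user's row in one parameterised UPDATE, then rebuilds the session information
 * and permissions and drops the LANG cookie so the new language takes effect.
 *
 * NOTE(review): this method does not re-check the current password before
 * changing the password/email, and does not check that the new username is
 * unused; whether the database enforces uniqueness is not visible here.
 *
 * @param string $username
 * @param string $password0
 * @param string $password1
 * @param string $email
 * @param string $language
 * @param optional string $firstname
 * @param optional string $lastname
 * @param optional string $template
 * @return array AJAX response: 'success' (bool), plus 'errors', 'msgType', 'msg' on failure
 *
 * @author Nikita Rousseau
 */
public function updateUserConfig($username, $password0, $password1, $email, $language, $firstname = '', $lastname = '', $template = 'bootstrap.min.css') {
    $form = array(
        'username'  => $username,
        'password0' => $password0,
        'password1' => $password1,
        'email'     => $email,
        'language'  => $language,
        'template'  => $template,
    );
    $errors = array(); // array to hold validation errors
    $data = array();   // array to pass back data
    $dbh = Core_DBH::getDBH(); // Get Database Handle

    // Allowed languages / templates come from the INI files. They are flipped so the
    // allowed values become array keys — presumably because Valitron's 'in' rule
    // matches against the keys of an associative array; kept as-is.
    $languages = parse_ini_file(CONF_LANG_INI);
    $languages = array_flip(array_values($languages));
    $templates = parse_ini_file(CONF_TEMPLATES_INI);
    $templates = array_flip(array_values($templates));

    // validate the variables ======================================================
    $v = new Valitron\Validator($form);
    $rules = [
        'required'  => [['username'], ['password0'], ['password1'], ['email'], ['language']],
        'alphaNum'  => [['username']],
        'lengthMin' => [['username', 4], ['password0', 8]],
        'equals'    => [['password0', 'password1']],
        'email'     => [['email']],
        'in'        => [['language', $languages], ['template', $templates]],
    ];
    $labels = array(
        'username'  => T_('Username'),
        'password0' => T_('Password'),
        'password1' => T_('Confirmation Password'),
        'email'     => T_('Email'),
        'language'  => T_('Language'),
        'template'  => T_('Template'),
    );
    $v->rules($rules);
    $v->labels($labels);
    $v->validate();
    $errors = $v->errors();

    // Apply =======================================================================
    if (empty($errors)) {
        // Columns to write. The keys are fixed identifiers chosen here (never user
        // input), so interpolating them as column names below is safe; every value
        // is bound. Optional columns are only written when supplied, and template
        // only when it differs from the default (existing behaviour, kept).
        $db_data = array(
            'username' => $form['username'],
            'password' => Core_AuthService::getHash($form['password0']),
            'email'    => $form['email'],
            'lang'     => $form['language'],
        );
        if (!empty($firstname)) {
            $db_data['firstname'] = $firstname;
        }
        if (!empty($lastname)) {
            $db_data['lastname'] = $lastname;
        }
        if ($template != 'bootstrap.min.css') {
            $db_data['template'] = $template;
        }

        $authService = Core_AuthService::getAuthService();
        $uid = Core_AuthService::getSessionInfo('ID');

        // One UPDATE for all columns, with the user id bound as a parameter rather
        // than spliced into the SQL text as a quoted literal as before.
        $assignments = array();
        foreach (array_keys($db_data) as $column) {
            $assignments[] = $column . ' = :' . $column;
        }
        try {
            $sth = $dbh->prepare(
                "UPDATE " . DB_PREFIX . "user
                 SET " . implode(', ', $assignments) . "
                 WHERE user_id = :user_id;"
            );
            // bindValue, not bindParam: bindParam would bind every placeholder to
            // the loop variable by reference and execute with the last value only.
            foreach ($db_data as $column => $value) {
                $sth->bindValue(':' . $column, $value);
            }
            $sth->bindValue(':user_id', $uid);
            $sth->execute();
        } catch (PDOException $e) {
            echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
            die;
        }

        // Reload Session (absent optional columns are passed as null, as before,
        // without the undefined-index notices).
        $authService->rmSessionInfo();
        $authService->setSessionInfo(
            $uid,
            $db_data['username'],
            isset($db_data['firstname']) ? $db_data['firstname'] : null,
            isset($db_data['lastname']) ? $db_data['lastname'] : null,
            $db_data['lang'],
            isset($db_data['template']) ? $db_data['template'] : null
        );
        $authService->setSessionPerms();
        $this->rmCookie('LANG');
    }

    // return a response and log ===================================================
    $logger = self::getLogger();

    // response if there are errors
    if (!empty($errors)) {
        // if there are items in our errors array, return those errors
        $data['success'] = false;
        $data['errors'] = $errors;
        $data['msgType'] = 'warning';
        $data['msg'] = T_('Bad Settings!');
        $logger->info('Failed to update user configuration.');
    } else {
        $data['success'] = true;
        $logger->info('Updated user configuration.');
    }

    // return all our data to an AJAX call
    return $data;
}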
<!-- SCRIPT -->
<?php
/**
 * Generate AngularJS Code
 *
 * Builds the angular-schema-form schema, form layout and initial model for the
 * 'updateUserConfig' task and hands them to $js->getAngularCode().
 *
 * NOTE(review): T_() results are spliced into single-quoted JS strings without
 * escaping, so a translation containing a ' would break the generated script —
 * confirm T_() output is safe for this context. $langMap, $templateMap, $profile
 * and $js are expected from earlier in this page.
 *
 * @param String $task
 * @param String $schema
 * @param String $form
 * @param String $model
 * @param String $redirect
 */

// Schema Definition
$schema = "\n{\n\ttype: 'object',\n\tproperties: {\n\t\tusername: {\n\t\t\ttitle: '" . T_('Login') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tpassword0: {\n\t\t\ttitle: '" . T_('Password') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tpassword1: {\n\t\t\ttitle: '" . T_('Confirm Password') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tfirstname: {\n\t\t\ttitle: '" . T_('First Name') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tlastname: {\n\t\t\ttitle: '" . T_('Last Name') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\temail: {\n\t\t\ttitle: '" . T_('Email') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tlanguage: {\n\t\t\ttitle: '" . T_('Language') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\ttemplate: {\n\t\t\ttitle: '" . T_('Template') . "',\n\t\t\ttype: 'string'\n\t\t}\n\t},\n\t'required': [\n\t\t'username',\n\t\t'password0',\n\t\t'password1',\n\t\t'email',\n\t\t'language'\n\t]\n}";

// Form Definition (field order and widgets; titleMap values are pre-built JS literals)
$form = "\n[\n\t{\n\t\t'key': 'username',\n\t\t'type': 'text',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-user\"></span>',\n\t\tplaceholder: '" . T_('Login') . "'\n\t},\n\t{\n\t\t'key': 'password0',\n\t\t'type': 'password',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-lock\"></span>',\n\t\tplaceholder: '" . T_('Password') . "'\n\t},\n\t{\n\t\t'key': 'password1',\n\t\t'type': 'password',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-lock\"></span>',\n\t\tplaceholder: '" . T_('Password') . "'\n\t},\n\t{\n\t\t'key': 'firstname',\n\t\t'type': 'text',\n\t\tfieldAddonLeft: 'Optional'\n\t},\n\t{\n\t\t'key': 'lastname',\n\t\t'type': 'text',\n\t\tfieldAddonLeft: 'Optional'\n\t},\n\t{\n\t\t'key': 'email',\n\t\t'type': 'email',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-envelope\"></span>',\n\t\tplaceholder: '" . T_('Email') . "'\n\t},\n\t{\n\t\t'key': 'language',\n\t\t'type': 'select',\n\t\ttitleMap: " . $langMap . "\n\t},\n\t{\n\t\t'key': 'template',\n\t\t'type': 'select',\n\t\ttitleMap: " . $templateMap . "\n\t}\n]";

// Model Init
// NOTE(review): 'password0' and 'password1' are unkeyed, so with JSON_FORCE_OBJECT they
// become properties "0" and "1" of the model rather than empty password fields;
// presumably 'password0' => '' / 'password1' => '' was intended — confirm against the
// consumer. Values are HTML-escaped *before* JSON encoding, so if getAngularCode()
// uses this as plain JS data a name containing & will be shown as &amp; — verify.
$model = json_encode(array('username' => htmlspecialchars($profile['username'], ENT_QUOTES), 'password0', 'password1', 'firstname' => htmlspecialchars($profile['firstname'], ENT_QUOTES), 'lastname' => htmlspecialchars($profile['lastname'], ENT_QUOTES), 'email' => htmlspecialchars($profile['email'], ENT_QUOTES), 'language' => htmlspecialchars(Core_AuthService::getSessionInfo('LANG'), ENT_QUOTES), 'template' => htmlspecialchars($profile['template'], ENT_QUOTES)), JSON_FORCE_OBJECT);

$js->getAngularCode('updateUserConfig', $schema, $form, $model);
?>
<!-- END: SCRIPT -->
<?php
//------------------------------------------------------------------------------------------------------------+

/**
 * END: PAGE BODY
 */

/**
 * Build Page Footer
 */
$gui->getFooter();
</form>
</div>
</div>
</div>
</div>
<!-- END: CONTENTS -->
<!-- SCRIPT -->
<?php
/**
 * Generate AngularJS Code
 *
 * Initial field values for the 'updateUserConfig' controller; $profile and $js
 * are expected from earlier in this page. Values are HTML-escaped before being
 * handed to the generator — whether that double-encodes depends on how
 * getAngularController() embeds them (not visible here).
 *
 * NOTE(review): 'password0' and 'password1' are unkeyed entries (keys 0 and 1);
 * presumably that is how fields with no initial value are declared to
 * getAngularController() — confirm against its implementation.
 *
 * @arg $task
 * @arg $inputs
 * @arg $redirect
 */
$fields = array('username' => htmlspecialchars($profile['username'], ENT_QUOTES), 'password0', 'password1', 'firstname' => htmlspecialchars($profile['firstname'], ENT_QUOTES), 'lastname' => htmlspecialchars($profile['lastname'], ENT_QUOTES), 'email' => htmlspecialchars($profile['email'], ENT_QUOTES), 'language' => htmlspecialchars(Core_AuthService::getSessionInfo('LANG'), ENT_QUOTES));

$js->getAngularController('updateUserConfig', $fields, './');
?>
<!-- END: SCRIPT -->
<?php
//------------------------------------------------------------------------------------------------------------+

/**
 * END: PAGE BODY
 */

/**
 * Build Page Footer
 */
$gui->getFooter();

// Clean Up
unset($module, $gui, $js);