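/**
 * Process
 * All the action happens here.
 * If you are not logged in, it will print the login form.
 * Submitting that form will then try to authenticate you.
 * If you are successfully authenticated, you get redirected back to the main index page (quickstats etc).
 * Otherwise, will show an error message and the login form again.
 *
 * Actions dispatched on the lower-cased 'Action' GET parameter:
 *  - forgotpass:     show the "forgot password" form.
 *  - sendpass:       look the user up by username, store a fresh reset code and email the confirm link.
 *  - confirmcode:    check the emailed user id + code, remember the user id in the session, show step 2.
 *  - changepassword: save the new password for the user remembered in the session, then rotate the code.
 *  - login:          authenticate, optionally set the "remember me" cookies, redirect and exit.
 *  - anything else (including 'logout'): show the plain login form.
 *
 * @see ShowLoginForm
 * @uses AuthenticationSystem::Authenticate()
 *
 * @return Void Doesn't return anything. Checks the action and passes it off to the appropriate area.
 */
function Process()
{
    $action = IEM::requestGetGET('Action', '', 'strtolower');

    switch ($action) {
        case 'forgotpass':
            $this->ShowForgotForm();
            break;

        case 'changepassword':
            // Only reachable after 'confirmcode' stored the user id in the session.
            $forgotUser = IEM::sessionGet('ForgotUser');
            if (!$forgotUser) {
                $this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
                break;
            }

            $userapi = GetUser(-1);
            if (!$userapi->Load($forgotUser)) {
                $this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
                break;
            }

            $password = IEM::requestGetPOST('ss_password', false);
            $confirm  = IEM::requestGetPOST('ss_password_confirm', false);
            // Strict checks: the loose `$password == false` also rejected the
            // legitimate (if unwise) password "0".
            if ($password === false || $password === '' || $password !== $confirm) {
                $this->ShowForgotForm_Step2($userapi->Get('username'), 'login_error', GetLang('PasswordsDontMatch'));
                break;
            }

            $userapi->password = $password;
            $userapi->Save();

            // Rotate the reset code so the emailed link cannot be replayed, and
            // clear the session entry so this form cannot simply be resubmitted
            // (sessionGet() is assumed to report a false value as "not set").
            $userapi->ResetForgotCode($this->_generateToken());
            IEM::sessionSet('ForgotUser', false);

            $this->ShowLoginForm('login_success', GetLang('PasswordUpdated'));
            break;

        case 'sendpass':
            $user     = GetUser(-1);
            $username = IEM::requestGetPOST('ss_username', '');

            /**
             * Fix vulnerabilities with MySQL
             * Documented here: http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
             *
             * Basically MySQL is truncating values in a column
             */
            $username = trim(preg_replace('/\s+/', ' ', $username));

            $founduser = $user->Find($username);
            if (!$founduser) {
                $this->ShowForgotForm('login_error', GetLang('BadLogin_Forgot'));
                break;
            }
            $user->Load($founduser, false);

            // The code is the only secret in the emailed link, so it must come
            // from a CSPRNG rather than md5(uniqid(rand())).
            $code = $this->_generateToken();
            $user->ResetForgotCode($code);

            // NOTE(review): the 'user=' value was garbled in the copy this was
            // rebuilt from; $founduser is the id Load() and 'confirmcode' work
            // with, confirm against the original source.
            $link = SENDSTUDIO_APPLICATION_URL . '/admin/index.php?Page=Login&Action=ConfirmCode&user=' . $founduser . '&code=' . $code;
            $message = sprintf(GetLang('ChangePasswordEmail'), $link);

            $email_api = $this->GetApi('Email');
            $email_api->Set('CharSet', SENDSTUDIO_CHARSET);
            $email_api->Set('Multipart', false);
            $email_api->AddBody('text', $message);
            $email_api->Set('Subject', GetLang('ChangePasswordSubject'));
            $email_api->Set('FromAddress', SENDSTUDIO_EMAIL_ADDRESS);
            $email_api->Set('ReplyTo', SENDSTUDIO_EMAIL_ADDRESS);
            $email_api->Set('BounceAddress', SENDSTUDIO_EMAIL_ADDRESS);
            $email_api->SetSmtp(SENDSTUDIO_SMTP_SERVER, SENDSTUDIO_SMTP_USERNAME, @base64_decode(SENDSTUDIO_SMTP_PASSWORD), SENDSTUDIO_SMTP_PORT);

            $user_fullname = $user->Get('fullname');
            $email_api->AddRecipient($user->emailaddress, $user_fullname, 't');
            $email_api->Send();

            $this->ShowForgotForm_Step2($username, 'login_success', sprintf(GetLang('ChangePassword_Emailed'), $user->emailaddress));
            break;

        case 'confirmcode':
            $user = IEM::requestGetGET('user', false, 'intval');
            $code = IEM::requestGetGET('code', false, 'trim');
            if (empty($user) || empty($code)) {
                $this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
                break;
            }

            $userapi = GetUser(-1);
            $loaded  = $userapi->Load($user, false);
            // Compare as strings with !==: the loose != used here before would
            // treat numerically-equal values (e.g. "1e3" and "1000") as a match.
            if (!$loaded || (string) $userapi->Get('forgotpasscode') !== (string) $code) {
                $this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
                break;
            }

            IEM::sessionSet('ForgotUser', $user);
            $this->ShowForgotForm_Step2($userapi->Get('username'));
            break;

        case 'login':
            $auth_system = new AuthenticationSystem();
            $username = IEM::requestGetPOST('ss_username', '');
            $password = IEM::requestGetPOST('ss_password', '');
            // Authenticate() returns -1 (throttled), -2 (trial expired), a falsy
            // value (bad credentials) or the user record on success.
            $result = $auth_system->Authenticate($username, $password);

            if ($result === -1) {
                $this->ShowLoginForm('login_error', GetLang('PleaseWaitAWhile'));
                break;
            }
            if ($result === -2) {
                $this->ShowLoginForm('login_error', GetLang('FreeTrial_Expiry_Login'));
                break;
            }
            if (!$result) {
                $this->ShowLoginForm('login_error', GetLang('BadLogin'));
                break;
            }
            if (defined('IEM_SYSTEM_ACTIVE') && !IEM_SYSTEM_ACTIVE) {
                $msg = (isset($result['admintype']) && $result['admintype'] === 'a')
                    ? 'ApplicationInactive_Admin'
                    : 'ApplicationInactive_Regular';
                $this->ShowLoginForm('login_error', GetLang($msg));
                break;
            }

            $rememberdetails = (bool) IEM::requestGetPOST('rememberme', false);

            IEM::userLogin($result['userid']);

            $oneyear  = 365 * 24 * 3600; // one year's time.
            // Only a validated target is ever placed in the Location header / cookie.
            $redirect = $this->_validateTakeMeToRedirect(IEM::requestGetPOST('ss_takemeto', 'index.php'));

            if ($rememberdetails) {
                $user = IEM::userGetCurrent();
                // 'rand' is the secret that makes the cookie hard to forge; it used
                // to be uniqid(true), which is time-based and guessable.
                $usercookie_info = array(
                    'user'     => $user->userid,
                    'time'     => time(),
                    'rand'     => $this->_generateToken(),
                    'takemeto' => $redirect,
                );
                IEM::requestSetCookie('IEM_CookieLogin', $usercookie_info, $oneyear);
                IEM::requestSetCookie('IEM_LoginPreference', array('takemeto' => $redirect), $oneyear);
            }

            header('Location: ' . SENDSTUDIO_APPLICATION_URL . '/admin/' . $redirect);
            exit();

        default:
            if ($action === 'logout') {
                $this->LoadLanguageFile('Logout');
            }
            $this->ShowLoginForm(false, false);
            break;
    }
}

/**
 * Produce an unguessable 32-character hex token for reset codes and the
 * "remember me" cookie.
 *
 * Same length as the md5() output previously used, so any column width or
 * format expectation on the stored code is unchanged.
 *
 * @return String 32 lower-case hex characters.
 */
private function _generateToken()
{
    // random_bytes() is the CSPRNG (PHP 7+); fall back to the old form only
    // where it is unavailable.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(16));
    }
    return md5(uniqid(mt_rand(), true));
}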