/**
 * Validates and, when accepted, stages a new admin password for the profile record being saved.
 *
 * Reads three form fields through _getPasswordInput(): "user_admin_password" (current),
 * "user_admin_password1" (new) and "user_admin_password2" (repeat). Two situations:
 *  - the stored record has neither an admin hash nor a salt ("new admin"): the current-password
 *    check is skipped outright, and the value typed into "user_admin_password" becomes the new
 *    password, confirmed against "user_admin_password2"; "user_admin_password1" is ignored here.
 *  - otherwise ("old admin"): the submitted current password must verify against the stored
 *    hash/algo/salt via PasswordAuth::isValidCurrentPassword() before any change is considered.
 * The candidate is then checked with isValidNewPassword(): 0 stores the new hash/salt/algo into
 * $this->data; 1 (same as old), 2 (repeat mismatch) and 3 (invalid characters) stop the form via
 * $defender and attach a field error. When no current password was submitted at all and the
 * caller is an admin (iADMIN), saving is blocked unless an admin password already exists.
 *
 * Side effects: sets $this->_isValidCurrentAdminPassword, writes $this->data[...] and calls
 * $defender->stop()/setInputError()/setErrorText() on failure. No return value.
 */
private function _setAdminPassword() {
    global $locale, $defender;
    if ($this->_getPasswordInput("user_admin_password")) {
        // if submit current admin password
        $this->_userAdminPassword = $this->_getPasswordInput("user_admin_password"); // var1
        $this->_newUserAdminPassword = $this->_getPasswordInput("user_admin_password1"); // var2
        $this->_newUserAdminPassword2 = $this->_getPasswordInput("user_admin_password2"); // var3
        $passAuth = new PasswordAuth();
        //print_p($this->_userAdminPassword); // this is not available if no password exist
        //print_p($this->_newUserAdminPassword);
        //print_p($this->_newUserAdminPassword2);
        if (!$this->userData['user_admin_password'] && !$this->userData['user_admin_salt']) {
            // New Admin: no stored credential to verify against, so the current-password
            // check is bypassed and var1 (not var2) is treated as the new password.
            $valid_current_password = 1;
            // NOTE(review): this literal looks like a redaction placeholder in this copy;
            // confirm the real value in the repository.
            $passAuth->inputPassword = '******';
            $passAuth->inputNewPassword = $this->_userAdminPassword;
            $passAuth->inputNewPassword2 = $this->_newUserAdminPassword2;
        } else {
            // Old Admin
            // Intialize password auth
            $passAuth->inputPassword = $this->_userAdminPassword; // var1
            $passAuth->inputNewPassword = $this->_newUserAdminPassword; // var2
            $passAuth->inputNewPassword2 = $this->_newUserAdminPassword2; // var3
            $passAuth->currentPasswordHash = $this->userData['user_admin_password'];
            $passAuth->currentAlgo = $this->userData['user_admin_algo'];
            $passAuth->currentSalt = $this->userData['user_admin_salt'];
            // Only a verified current password may authorise a change.
            $valid_current_password = $passAuth->isValidCurrentPassword();
        }
        if ($valid_current_password) {
            $this->_isValidCurrentAdminPassword = 1;
            // authenticated. now do the integrity check
            $_isValidNewPassword = $passAuth->isValidNewPassword();
            // The cases are strings, so they match an integer return through loose comparison.
            // There is no default: a return value outside 0..3 would pass silently (fail-open),
            // so keep this list in sync with isValidNewPassword().
            switch ($_isValidNewPassword) {
                case '0':
                    // New password is valid: stage hash/salt/algo for the outgoing record.
                    $new_admin_password = $passAuth->getNewHash();
                    $new_admin_salt = $passAuth->getNewSalt();
                    $new_admin_algo = $passAuth->getNewAlgo();
                    $this->data['user_admin_algo'] = $new_admin_algo;
                    $this->data['user_admin_salt'] = $new_admin_salt;
                    $this->data['user_admin_password'] = $new_admin_password;
                    break;
                case '1':
                    // new password is old password
                    $defender->stop();
                    $defender->setInputError('user_admin_password');
                    $defender->setInputError('user_admin_password1');
                    $defender->setErrorText('user_admin_password', $locale['u144'] . $locale['u146'] . $locale['u133']);
                    $defender->setErrorText('user_admin_password1', $locale['u144'] . $locale['u146'] . $locale['u133']);
                    break;
                case '2':
                    // The two new passwords are not identical
                    $defender->stop();
                    $defender->setInputError('user_admin_password1');
                    $defender->setInputError('user_admin_password2');
                    $defender->setErrorText('user_admin_password1', $locale['u144'] . $locale['u148a']);
                    $defender->setErrorText('user_admin_password2', $locale['u144'] . $locale['u148a']);
                    break;
                case '3':
                    // New password contains invalid chars / symbols
                    $defender->stop();
                    $defender->setInputError('user_admin_password1');
                    $defender->setErrorText('user_admin_password1', $locale['u144'] . $locale['u142'] . "<br />" . $locale['u147']);
                    break;
            }
        } else {
            // Current admin password did not verify: block the save.
            $defender->stop();
            $defender->setInputError('user_admin_password');
            $defender->setErrorText('user_admin_password', $locale['u149a']);
        }
    } else {
        // check db only - admin cannot save profile page without password
        if (iADMIN) {
            $require_valid_password = $this->userData['user_admin_password'] ? TRUE : FALSE;
            if (!$require_valid_password) {
                // 149 for admin
                $defender->stop();
                $defender->setInputError('user_admin_password');
                $defender->setErrorText('user_admin_password', $locale['u149a']);
            }
        }
    }
}
$userPassword = ""; $adminPassword = ""; $userPass = new PasswordAuth(); $userPass->inputNewPassword = isset($_POST['password1']) ? stripinput(trim($_POST['password1'])) : ""; $userPass->inputNewPassword2 = isset($_POST['password2']) ? stripinput(trim($_POST['password2'])) : ""; $returnValue = $userPass->isValidNewPassword(); if ($returnValue == 0) { $userPassword = $userPass->getNewHash(); $userSalt = $userPass->getNewSalt(); } elseif ($returnValue == 2) { $error .= $locale['071'] . "<br /><br />\n"; $error_pass = "******"; } elseif ($returnValue == 3) { $error .= $locale['072'] . "<br /><br />\n"; } $adminPass = new PasswordAuth(); $adminPass->inputNewPassword = isset($_POST['admin_password1']) ? stripinput(trim($_POST['admin_password1'])) : ""; $adminPass->inputNewPassword2 = isset($_POST['admin_password2']) ? stripinput(trim($_POST['admin_password2'])) : ""; $returnValue = $adminPass->isValidNewPassword(); if ($returnValue == 0) { $adminPassword = $adminPass->getNewHash(); $adminSalt = $adminPass->getNewSalt(); } elseif ($returnValue == 2) { $error .= $locale['073'] . "<br /><br />\n"; $error_pass = "******"; } elseif ($returnValue == 3) { $error .= $locale['075'] . "<br /><br />\n"; } if ($userPass->inputNewPassword == $adminPass->inputNewPassword) { $error .= $locale['074'] . "<br /><br />\n"; $error_pass = "******";
/**
 * Sends the registration activation e-mail and, if sending succeeded, stores the pending
 * registration in DB_NEW_USERS under a fresh activation code.
 *
 * The activation code is an HMAC-SHA1 over a freshly generated password keyed with the
 * user's e-mail, so its unpredictability rests entirely on PasswordAuth::getNewPassword().
 * The e-mail body is built from the u152 template: USER_NAME, USER_PASSWORD and
 * ACTIVATION_LINK are substituted, which means the plaintext of the new password leaves
 * the system by mail. On send failure the "email_activation" error is set instead and
 * nothing is written to the database.
 *
 * Side effects: require_once of the sendmail include, one outgoing e-mail, one INSERT,
 * and either $this->_completeMessage or $this->_setError(). No return value.
 */
private function _setEmailVerification() {
    global $settings, $locale;
    require_once INCLUDES . "sendmail_include.php";
    $userCode = hash_hmac("sha1", PasswordAuth::getNewPassword(), $this->_userEmail);
    // NOTE(review): e-mail and code are concatenated without urlencode(); fine for the hex
    // code, but an address containing '+' or '&' would be mangled — confirm upstream validation.
    $activationUrl = $settings['siteurl'] . "register.php?email=" . $this->_userEmail . "&code=" . $userCode;
    $message = str_replace("USER_NAME", $this->_userName, $locale['u152']);
    // Plaintext password goes into the mail body.
    $message = str_replace("USER_PASSWORD", $this->_newUserPassword, $message);
    $message = str_replace("ACTIVATION_LINK", $activationUrl, $message);
    if (sendemail($this->_userName, $this->_userEmail, $settings['siteusername'], $settings['siteemail'], $locale['u151'], $message)) {
        // Pending record is a PHP-serialized array carrying the password hash, salt and algo
        // plus the extra profile fields; it is presumably unserialize()d on activation, which is
        // acceptable only because this blob is produced here and never taken from a request.
        $userInfo = serialize(array("user_name" => $this->_userName, "user_password" => $this->_newUserPasswordHash, "user_salt" => $this->_newUserPasswordSalt, "user_algo" => $this->_newUserPasswordAlgo, "user_email" => $this->_userEmail, "user_field_fields" => $this->_dbFields, "user_field_inputs" => $this->_dbValues));
        // Only user_info is escaped here; user_name and user_email are concatenated as-is and
        // rely on validation done before this method — confirm at the call site.
        $userInfo = addslash($userInfo);
        $result = dbquery("INSERT INTO " . DB_NEW_USERS . " (\n\t\t\t\t\tuser_code, user_name, user_email, user_datestamp, user_info\n\t\t\t\t) VALUES(\n\t\t\t\t\t'" . $userCode . "', '" . $this->_userName . "', '" . $this->_userEmail . "', '" . time() . "', '" . $userInfo . "'\n\t\t\t\t)");
        // NOTE(review): $result is never checked — a failed INSERT still reports u150 as success
        // although the activation link will then point at no record.
        $this->_completeMessage = $locale['u150'];
    } else {
        $this->_setError("email_activation", $locale['u153'] . "<br />" . $locale['u154']);
    }
}
/**
 * Builds a random salt: the SHA-1 hex digest (40 characters) of a password freshly
 * generated by PasswordAuth::getNewPassword().
 *
 * Hashing adds no entropy — the salt is only as unpredictable as getNewPassword()'s
 * output for the given length, so that generator must draw from a proper random source.
 *
 * @param int $length length forwarded to PasswordAuth::getNewPassword()
 * @return string 40-character lowercase hex string
 */
public static function getNewRandomSalt($length = 12) {
    $randomSeed = PasswordAuth::getNewPassword($length);
    return sha1($randomSeed);
}
$user_sql = "user_level='102'"; } else { redirect(FUSION_SELF . $aidlink . "&error=1"); } $result = dbquery("SELECT user_id, user_name, user_email FROM " . DB_USERS . " WHERE " . $user_sql . " ORDER BY user_level DESC, user_id"); while ($data = dbarray($result)) { $loginPassIsReset = false; $adminPassIsReset = false; $adminPass = new PasswordAuth(); $newLoginPass = ""; $newAdminPass = $adminPass->getNewPassword(12); $adminPass->inputNewPassword = $newAdminPass; $adminPass->inputNewPassword2 = $newAdminPass; $adminPassIsReset = $adminPass->isValidNewPassword() === 0 ? true : false; if (isset($_POST['reset_login']) && $_POST['reset_login'] == 1) { $loginPass = new PasswordAuth(); $newLoginPass = $loginPass->getNewPassword(12); $loginPass->inputNewPassword = $newLoginPass; $loginPass->inputNewPassword2 = $newLoginPass; $message = str_replace(array("[USER_NAME]", "[NEW_PASS]", "[NEW_ADMIN_PASS]", "[ADMIN]", "[RESET_MESSAGE]"), array($data['user_name'], $newLoginPass, $newAdminPass, $userdata['user_name'], $reset_message), $locale['409']); $loginPassIsReset = $loginPass->isValidNewPassword() === 0 ? true : false; } else { $message = str_replace(array("[USER_NAME]", "[NEW_ADMIN_PASS]", "[ADMIN]", "[RESET_MESSAGE]"), array($data['user_name'], $newAdminPass, $userdata['user_name'], $reset_message), $locale['408']); $loginPassIsReset = true; } if ($loginPassIsReset && $adminPassIsReset && sendemail($data['user_name'], $data['user_email'], $userdata['user_name'], $userdata['user_email'], $locale['407'] . $settings['sitename'], $message)) { $result2 = dbquery("UPDATE " . DB_USERS . " SET\n\t\t\t\t\t\t" . ($newLoginPass ? "user_algo='" . $loginPass->getNewAlgo() . "', user_salt='" . $loginPass->getNewSalt() . "', \n\t\t\t\t\t\t\t\t\t\t\tuser_password='******', " : "") . "\n\t\t\t\t\t\tuser_admin_algo='" . $adminPass->getNewAlgo() . "', user_admin_salt='" . $adminPass->getNewSalt() . "', \n\t\t\t\t\t\tuser_admin_password='******'\n\t\t\t\t\tWHERE user_id='" . $data['user_id'] . 
"'"); $reset_success[] = array($data['user_id'], $data['user_name'], $data['user_email']); } else { $reset_failed[] = array($data['user_id'], $data['user_name'], $data['user_email']); }
/**
 * Authenticates the current (guest) user with the given credentials.
 *
 * Flow: the "BeforeAuth" behaviour runs first and may authenticate on its own (custom
 * OAuth/OpenID handlers); if the session user is no longer a guest afterwards, the
 * built-in checks are skipped. Otherwise "login" + "password" are resolved through
 * self::findBy() and PasswordAuth::match(); then, if the session is still a guest and
 * session.one_time_token.allowed is set, "one_time_token" is resolved through
 * OneTimeTokenAuth::findUser(). "AfterAuth" fires last and self::forceAuth() switches
 * the session to the resolved user.
 *
 * With user.split_auth_message enabled, an unknown login and a wrong password raise
 * different messages; that tells the caller whether a login exists (user enumeration),
 * so the single combined message is the safer setting.
 *
 * @param array $auth_credentials "login"/"password" and/or "one_time_token"; handed by
 *                                reference to BeforeAuth handlers, which may alter it
 * @return mixed whatever self::forceAuth() returns
 * @throws UserException     when already authenticated or $auth_credentials is empty
 * @throws UserAuthException when the credentials do not resolve to an active user
 */
function auth(array $auth_credentials) {
    if (self::GUEST !== $this->id) {
        throw new UserException("User already authenticated.Log out before.");
    }
    if (empty($auth_credentials)) {
        throw new UserException("You must specify auth credentials. E.g. 
array('login'=>'qwe', 'password'=>'qwe') ");
    }

    // Custom handlers get the first shot; they may replace the session user.
    $this->trigger("BeforeAuth", array($this, &$auth_credentials));
    $resolved = User::renew();

    $hasLoginPair = isset($auth_credentials['login'], $auth_credentials['password']);
    if ($resolved->isGuest() && $hasLoginPair) {
        $resolved = self::findBy("login", $auth_credentials['login']);
        $splitMessages = Config::getInstance()->user->split_auth_message;
        if ($splitMessages) {
            // Separate messages: reveals whether the login exists.
            if ($resolved === null) {
                throw new UserAuthException("No such user with login '{$auth_credentials['login']}'");
            }
            if (!PasswordAuth::match($resolved, $auth_credentials['password'])) {
                throw new UserAuthException("Password don't match");
            }
            if ($resolved->getState() != "active") {
                throw new UserAuthException("User is not active");
            }
        } else {
            // Single message for every failure mode; the password is only compared
            // for an existing, active account.
            $rejected = $resolved === null
                || $resolved->getState() != "active"
                || !PasswordAuth::match($resolved, $auth_credentials['password']);
            if ($rejected) {
                throw new UserAuthException("Login or password don't match or user is not active");
            }
        }
    }

    // One-time token path; checked against the live session, not $resolved.
    if (User::renew()->isGuest()) {
        $tokenAllowed = Config::getInstance()->session->one_time_token->allowed;
        if ($tokenAllowed && isset($auth_credentials['one_time_token'])) {
            $tokenUserId = OneTimeTokenAuth::findUser($auth_credentials['one_time_token'], true);
            if ($tokenUserId === null) {
                throw new UserAuthException("Wrong one time token");
            }
            $resolved = self::findBy("id", $tokenUserId);
        }
    }

    $this->trigger("AfterAuth", array($this, &$resolved));
    return self::forceAuth($resolved);
}
} } } else { redirect(BASEDIR . "register.php?msg=1"); } if (preg_check("/^[-0-9A-Z_\\.]{1,50}@([-0-9A-Z_\\.]+\\.){1,50}([0-9A-Z]){2,4}\$/i", $email)) { $check1 = dbquery("SELECT * FROM " . DB_USERS . " WHERE user_email='" . $email . "'"); $check2 = dbquery("SELECT * FROM " . DB_RM_USERS . " WHERE rmuser_useremail='" . $email . "'"); if (dbrows($check1) || dbrows($check2)) { redirect(BASEDIR . "register.php?msg=3"); } } else { redirect(BASEDIR . "register.php?msg=4"); } require_once CLASSES . "PasswordAuth.class.php"; $passAuth = new PasswordAuth(); $passAuth->inputNewPassword = $password1; $passAuth->inputNewPassword2 = $password2; $passAuth->currentPassword = ""; $valid = $passAuth->isValidNewPassword(); if ($valid === 0) { $password = $password1; } else { redirect(BASEDIR . "register.php?msg=5"); } } else { redirect(BASEDIR . "register.php"); } } require_once INCLUDES . "bbcode_include.php"; // finish doublecheck - start app
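/**
 * Re-checks the submitted admin password for the logged-in admin and, when it verifies,
 * rotates the stored admin hash/salt/algo in DB_USERS and issues the admin cookie.
 *
 * Only runs when iADMIN is set. The UPDATE is built solely from values PasswordAuth
 * produced and from the session record's user_id; $inputPassword itself never reaches
 * the query. The in-memory $userdata and the cookie are updated only after the UPDATE
 * succeeded, so the cookie can never carry a salt/algo the database does not hold.
 *
 * @param string $inputPassword plain-text admin password as submitted
 * @return void
 */
public static function setAdminCookie($inputPassword) {
    global $userdata;
    if (!iADMIN) {
        return;
    }
    require_once CLASSES . "PasswordAuth.class.php";
    // Verify $inputPassword against the stored admin credentials of the session user.
    $passAuth = new PasswordAuth();
    $passAuth->currentAlgo = $userdata['user_admin_algo'];
    $passAuth->currentSalt = $userdata['user_admin_salt'];
    $passAuth->currentPasswordHash = $userdata['user_admin_password'];
    $passAuth->inputPassword = $inputPassword;
    if (!$passAuth->isValidCurrentPassword(true)) {
        return;
    }
    // NOTE(review): the true flag presumably makes isValidCurrentPassword() prepare a
    // fresh hash/salt/algo for the verified password; those are persisted below — confirm.
    $newAlgo = $passAuth->getNewAlgo();
    $newSalt = $passAuth->getNewSalt();
    $newHash = $passAuth->getNewHash();
    $result = dbquery("UPDATE " . DB_USERS . "\n\t\t\t\t\tSET user_admin_algo='" . $newAlgo . "', user_admin_salt='" . $newSalt . "', user_admin_password='" . $newHash . "'\n\t\t\t\t\tWHERE user_id='" . $userdata['user_id'] . "'");
    if (!$result) {
        // Nothing persisted: leave session state and cookie as they were.
        return;
    }
    $userdata['user_admin_algo'] = $newAlgo;
    $userdata['user_admin_salt'] = $newSalt;
    $userdata['user_admin_password'] = $newHash;
    Authenticate::setUserCookie($userdata['user_id'], $userdata['user_admin_salt'], $userdata['user_admin_algo'], false, false);
}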
$sql1 .= ", " . $f_name; $sql2 .= ", '" . $f_value . "'"; } else { $sql1 .= $f_name; $sql2 .= "'" . $f_value . "'"; } $i++; } //echo $sql1.$sql2; $ins_appp = dbquery("INSERT INTO " . DB_RM_FORM_APPS . " (" . $sql1 . ") VALUES (" . $sql2 . ")"); $appp_id = mysql_insert_id(); $name = $app['username']; $email = $app['useremail']; $password = $app['password']; require_once CLASSES . "PasswordAuth.class.php"; $passAuth = new PasswordAuth(); $passAuth->inputNewPassword = $password; $passAuth->inputNewPassword2 = $password; $passAuth->currentPassword = ""; echo $valid = $passAuth->isValidNewPassword(); if ($valid === 0) { // New password is valid $hash = $passAuth->getNewHash(); $algo = $passAuth->getNewAlgo(); $salt = $passAuth->getNewSalt(); } $code = md5($name . $email); $ins_rm_user = dbquery("INSERT INTO " . DB_RM_USERS . " (rmuser_username, rmuser_useremail, rmuser_password, rmuser_algo, rmuser_salt, rmuser_code, rmuser_verified, rmuser_approved) VALUES ('" . $name . "', '" . $email . "', '" . $hash . "', '" . $algo . "', '" . $salt . "', '" . $code . "', '0', '0')"); $rm_user_id = mysql_insert_id(); $ins_app = dbquery("INSERT INTO " . DB_RM_APPS . " (app_rm_user, app_user, app_form, app_voted, app_votes_yes, app_votes_no, app_date, app_status, app_username, app_useremail) VALUES ('" . $rm_user_id . "', '0', '" . $appp_id . "', '', '0', '0', '" . $time . "', '0', '" . $name . "', '" . $email . "')"); // sendmail, verify user
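/**
 * Re-checks the submitted admin password for the logged-in admin and, when it verifies,
 * rotates the stored admin hash/salt/algo in DB_USERS and issues the admin cookie.
 *
 * The UPDATE is built solely from values PasswordAuth produced and from the session
 * record's user_id; $inputPassword itself never reaches the query. The in-memory
 * $userdata and the cookie are updated only after the UPDATE succeeded, so the cookie
 * can never carry a salt/algo the database does not hold.
 *
 * @param string $inputPassword plain-text admin password as submitted
 * @return bool TRUE when the password verified, the new credentials were stored and the
 *              cookie was issued; FALSE otherwise (not an admin, wrong password, or the
 *              UPDATE failed)
 */
public static function setAdminCookie($inputPassword) {
    global $userdata;
    if (!iADMIN) {
        return FALSE;
    }
    // Verify $inputPassword against the stored admin credentials of the session user.
    $passAuth = new PasswordAuth();
    $passAuth->currentAlgo = $userdata['user_admin_algo'];
    $passAuth->currentSalt = $userdata['user_admin_salt'];
    $passAuth->currentPasswordHash = $userdata['user_admin_password'];
    $passAuth->inputPassword = $inputPassword;
    if (!$passAuth->isValidCurrentPassword(TRUE)) {
        return FALSE;
    }
    // NOTE(review): the TRUE flag presumably makes isValidCurrentPassword() prepare a
    // fresh hash/salt/algo for the verified password; those are persisted below — confirm.
    $newAlgo = $passAuth->getNewAlgo();
    $newSalt = $passAuth->getNewSalt();
    $newHash = $passAuth->getNewHash();
    $result = dbquery("UPDATE " . DB_USERS . "\n\t\t\t\t\tSET user_admin_algo='" . $newAlgo . "', user_admin_salt='" . $newSalt . "', user_admin_password='" . $newHash . "'\n\t\t\t\t\tWHERE user_id='" . $userdata['user_id'] . "'");
    if (!$result) {
        // Nothing persisted: leave session state and cookie as they were.
        return FALSE;
    }
    $userdata['user_admin_algo'] = $newAlgo;
    $userdata['user_admin_salt'] = $newSalt;
    $userdata['user_admin_password'] = $newHash;
    Authenticate::setUserCookie($userdata['user_id'], $userdata['user_admin_salt'], $userdata['user_admin_algo'], FALSE, FALSE);
    return TRUE;
}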
if ($result && $result2) { $auth = new Authenticate($nick, $pass, true); $userdata = $auth->getUserData(); unset($auth); redirect($_POST['url']); } else { redirect(BASEDIR . "login.php?ulogin_error"); } } if (isset($_POST['ex_user_save'])) { $result = dbquery("SELECT * FROM " . DB_USERS . " WHERE user_name='" . $_POST['user_name'] . "'"); if (dbrows($result)) { $user = dbarray($result); require_once CLASSES . "PasswordAuth.class.php"; // Initialize password auth $passAuth = new PasswordAuth(); $passAuth->currentAlgo = $user['user_algo']; $passAuth->currentSalt = $user['user_salt']; $passAuth->currentPasswordHash = $user['user_password']; $passAuth->inputPassword = $_POST['user_pass']; if ($passAuth->isValidCurrentPassword(false)) { $result = dbquery("INSERT INTO " . DB_ULOGIN . " (ulogin_user, ulogin_identity, ulogin_network, ulogin_fullname) VALUES ('" . $user['user_id'] . "','" . $_POST['identity'] . "','" . $_POST['network'] . "', '" . iconv($locale['charset'], "UTF-8", $_POST['full_name']) . "')"); $auth = new Authenticate($_POST['user_name'], $_POST['user_pass'], true); unset($auth); if ($result) { redirect($_POST['url']); } } else { redirect(BASEDIR . "login.php?ulogin_error"); } } else {