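/**
 * Handle the sign-in form post: validate the email/password fields, optionally resend an
 * activation email, then attempt the sign-in and either redirect or report the failure.
 *
 * Side effects: writes $this->o_error_list, may send headers and exit, may send mail via the
 * authentication manager.
 */
function OnPostback()
{
    # new list for validation
    $this->o_error_list = new XhtmlElement('ul');
    $this->o_error_list->AddAttribute('class', 'validationSummary');

    # check we've got email. Compared against '' rather than tested for truthiness so '0' is not
    # treated as missing, and a non-string value (e.g. email[]=x) is rejected instead of reaching trim().
    if ($this->PostedTextIsEmpty('email')) {
        $this->o_error_list->AddControl(new XhtmlElement('li', 'Please enter your email address'));
    }

    # check for request to resend activation email
    if (isset($_POST['resend']) and !$this->o_error_list->CountControls()) {
        # Get the person's name and id. Only checking email at this point creates the possibility that someone could
        # fake this request for another user, but the worst they can do is send a new activation request to that other
        # user; they can't gain any information themselves or disable anyone's account. Don't try to check password because
        # browser security means we can't be sure it'll be repopulated and reposted.
        $authentication = $this->GetAuthenticationManager();
        $authentication->ReadByEmail($_POST['email']);
        $account = $authentication->GetFirst();
        if (is_object($account)) {
            # send a new email
            $s_hash = $authentication->SaveRequest($account->GetId());
            $email_success = $authentication->SendActivationEmail($account, $s_hash);

            # redirect to activation message
            $s_email_status = $email_success ? '' : '&email=no';
            $this->Redirect($this->GetSettings()->GetUrl('AccountActivate') . '?action=request&name=' . urlencode($account->GetName()) . '&address=' . urlencode($account->GetEmail()) . $s_email_status);
        }
    }

    # check we've got password
    if ($this->PostedTextIsEmpty('password')) {
        $this->o_error_list->AddControl(new XhtmlElement('li', 'Please enter your password'));
    }

    # no message so form OK
    if (!$this->o_error_list->CountControls()) {
        # try to sign in
        $sign_in_result = $this->GetAuthenticationManager()->SignIn($_POST['email'], $_POST['password'], isset($_POST['remember_me']));
        switch ($sign_in_result) {
            case SignInResult::Success():
                # Only follow a posted return location when it is a path on this site. Anything else
                # (absolute or scheme-relative URL, non-string value) falls back to the client root so
                # the sign-in form cannot be used as an open redirect.
                $target = $this->GetSettings()->GetClientRoot();
                if (isset($_POST['page']) and is_string($_POST['page'])) {
                    # NOTE(review): this nested replace is a no-op as written; it presumably decoded an
                    # HTML-encoded '&' in the hidden field — confirm against the form markup
                    $page = str_replace('&', '&', str_replace('&', '&', $_POST['page']));
                    if ($this->IsLocalPath($page)) {
                        $target = $page;
                    }
                }
                header('Location: ' . $target);
                exit;

            case SignInResult::AccountDisabled():
                $this->o_error_list->AddControl(new XhtmlElement('li', 'Sorry, your account has been disabled due to misuse.'));
                break;

            case SignInResult::NotActivated():
                $not_activated = new XhtmlElement('li', 'You need to activate your account. Check your email inbox.');
                $not_activated->AddControl('<input type="submit" name="resend" value="Send a new email" class="inlineButton" />');
                $this->o_error_list->AddControl($not_activated);
                break;

            case SignInResult::NotFound():
                $this->o_error_list->AddControl(new XhtmlElement('li', 'You tried to sign in with an incorrect email address and/or password. Please sign in again.'));
                break;
        }
    }
}

/**
 * Whether a posted text field is missing, not a string, or whitespace only.
 * @param string $field key in $_POST
 * @return bool
 */
private function PostedTextIsEmpty($field)
{
    return !isset($_POST[$field]) || !is_string($_POST[$field]) || trim($_POST[$field]) === '';
}

/**
 * Whether a redirect target is a root-relative path on this site ('/something'), as opposed to an
 * absolute URL ('http://...'), a scheme-relative URL ('//host/...') or a backslash variant ('/\host').
 * @param string $path
 * @return bool
 */
private function IsLocalPath($path)
{
    if ($path === '' || $path[0] !== '/') {
        return false;
    }
    $second = substr($path, 1, 1);
    return $second !== '/' && $second !== '\\';
}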
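/**
 * Once a user has been validated, do everything needed to sign them in
 * @param $user User
 * @param bool $enable_auto_sign_in
 * @return SignInResult
 */
public function SignInValidUser(User $user, $enable_auto_sign_in)
{
    # Bail out if user account not activated
    # (if there's no role it's because I've tried to activate the account by flipping
    # the activation field, but I haven't added the account to the "Signed in user" role)
    if (!$user->GetAccountActivated()) {
        return SignInResult::NotActivated();
    }

    # bail out if user account has been disabled, clearing any remembered sign-in so the
    # auto sign-in cookie cannot keep restoring a session for the disabled account
    if ($user->GetAccountDisabled()) {
        # NOTE(review): the receiver here is $this->auto_sign_in, matching the guard on this line and
        # the remember-me block at the end of the method — confirm no wrapper on this class was relied on
        if ($this->auto_sign_in instanceof IAutoSignIn) {
            $this->auto_sign_in->SaveAutoSignIn($user->GetId(), false);
        }
        return SignInResult::AccountDisabled();
    }

    # Elevation of privilege, so regenerate session id to guard against session fixation attack.
    # The old session data is left in place (false); the signed-in state is only written
    # under the new id below.
    if (!headers_sent()) {
        session_regenerate_id(false);
    }
    $this->SaveToSession($user);
    $this->LoadUserPermissions();

    # update stats in db. The id comes from the account record rather than the request, but it is
    # still cast to int because it is concatenated into the SQL rather than bound as a parameter.
    $this->Lock(array("nsa_user"));
    $sql = 'UPDATE nsa_user SET ' .
           'sign_in_count = sign_in_count+1, ' .
           'last_signed_in = ' . gmdate('U') . ' ' .
           'WHERE user_id = ' . (int)$user->GetId();
    $this->GetDataConnection()->query($sql);
    $this->Unlock();

    # process remember me option
    if ($this->auto_sign_in instanceof IAutoSignIn) {
        $this->auto_sign_in->SaveAutoSignIn($user->GetId(), $enable_auto_sign_in);
    }

    return SignInResult::Success();
}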