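/**
 * Merges rights for multiple group memberships or templates into $userobj.
 *
 * Every name in $groups is loaded as a group administrator: the rights are
 * OR-ed together, the managed objects are appended, and the first loaded
 * group's custom data wins. Names that do not load are dropped from the list.
 * A group named 'template' is applied and then removed from the list; for an
 * existing user (id > 0) the first template seeds the merge with the user's
 * own current rights and objects. An empty group name forces that template step.
 *
 * @param object $userobj administrator object receiving the merged group, rights, objects and custom data
 * @param array $groups group names; entries that fail to load or are templates are removed
 * @param array $primeObjects managed objects the user keeps regardless of group (default: none)
 * @return bool true when the group list or objects changed, or — for a user left without
 *   any group — when the rights changed
 */
static function merge_rights($userobj, $groups, $primeObjects = array()) {
    global $_zp_authority;
    $templates = false;
    $objects = $primeObjects;
    $custom = array();
    $oldgroups = $userobj->getGroup();
    $oldrights = $userobj->getRights();
    $oldobjects = $userobj->getObjects();
    $rights = 0;
    foreach ($groups as $key => $groupname) {
        if (empty($groupname)) {
            // force the first template to happen
            $group = new Zenphoto_Administrator('', 0);
            $group->setName('template');
        } else {
            $group = Zenphoto_Authority::newAdministrator($groupname, 0, false);
        }
        if ($group->loaded) {
            if ($group->getName() == 'template') {
                unset($groups[$key]);
                if ($userobj->getID() > 0 && !$templates) {
                    // fetch the existing rights and objects
                    $templates = true; // but only once!
                    $rights = $userobj->getRights();
                    $objects = $userobj->getObjects();
                }
            }
            $rights = $group->getRights() | $rights;
            $objects = array_merge($group->getObjects(), $objects);
            $custom[] = $group->getCustomData();
        } else {
            unset($groups[$key]);
        }
    }
    $userobj->setCustomData(array_shift($custom)); // for now it is first come, first served.
    // unique objects: keyed by type+data, duplicates OR their 'edit' bits together
    $newobjects = array();
    foreach ($objects as $object) {
        $key = serialize(array('type' => $object['type'], 'data' => $object['data']));
        if (array_key_exists($key, $newobjects)) {
            if (array_key_exists('edit', $object)) {
                // the first copy may carry no 'edit' entry at all; treat that as no bits set
                $existing = isset($newobjects[$key]['edit']) ? $newobjects[$key]['edit'] : 0;
                $newobjects[$key]['edit'] = $existing | $object['edit'];
            }
        } else {
            $newobjects[$key] = $object;
        }
    }
    $objects = array_values($newobjects);
    $userobj->setGroup($newgroups = implode(',', $groups));
    $userobj->setRights($rights);
    $userobj->setObjects($objects);
    // a rights change alone only counts for a user without groups; grouped users
    // derive their rights from the group list, which is compared on its own
    $updated = $newgroups != $oldgroups || $oldobjects != $objects || empty($newgroups) && $rights != $oldrights;
    return $updated;
}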
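/**
 * Post-save hook: when a new user with an e-mail address has been created,
 * mails them a password-reset ticket link so they can set their own password.
 *
 * @param string $savemsg accumulated status text; a zp_mail() error is appended to it
 * @param object $userobj the administrator that was just saved
 * @param string $what 'new' for a freshly created user; anything else is ignored
 * @return string $savemsg, possibly extended with the mail error text
 */
static function save($savemsg, $userobj, $what) {
    global $_zp_gallery;
    if ($what == 'new' && ($mail = $userobj->getEmail())) {
        $adm = $userobj->getUser();
        $ref = Zenphoto_Authority::getResetTicket($adm, $userobj->getPass());
        // the user name lands in a query string: encode it so reserved characters
        // ('&', '#', '+', space, ...) cannot truncate or alter the link.
        // $ref is emitted as produced by getResetTicket(), assumed URL-safe.
        $link = FULLWEBPATH . "/" . ZENFOLDER . "/admin-users.php?ticket={$ref}&user=" . urlencode($adm);
        $msg = "\n" . sprintf(gettext('You are receiving this e-mail because a user code (%1$s) has been created for you on the Zenphoto gallery %2$s.'), $adm, $_zp_gallery->getTitle())
            . "\n" . sprintf(gettext('To set your Zenphoto User password visit: %s'), $link)
            . "\n" . gettext("This ticket will automatically expire in 3 days.");
        $err_msg = zp_mail(gettext("Zenphoto user created"), $msg, array($mail));
        if (!empty($err_msg)) {
            $savemsg .= $err_msg;
        }
    }
    return $savemsg;
}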
window.location = "' . FULLWEBPATH . '/' . ZENFOLDER . '/' . UTILITIES_FOLDER . '/backup_restore.php?compression=' . $compression_handler . '"; } </script> '; } } $_zp_options = NULL; //invalidate any options from before the restore if (getOption('zenphoto_install') !== $signaure) { $l1 = '<a href="' . WEBPATH . '/' . ZENFOLDER . '/setup.php">'; $messages .= '<div class="notebox"> <h2>' . sprintf(gettext('You have restored your database from a different instance of Zenphoto. You should run %1$ssetup%2$s to insure proper migration.'), $l1, '</a>') . '</h2> </div>'; } setOption('license_accepted', ZENPHOTO_VERSION . '[' . ZENPHOTO_RELEASE . ']'); if ($oldlibauth != Zenphoto_Authority::getVersion()) { if (!$_zp_authority->migrateAuth($oldlibauth)) { $messages .= ' <div class="errorbox fade-message"> <h2>' . gettext('Zenphoto Rights migration failed!') . '</h2> </div> '; } } } } if (isset($_GET['compression'])) { $compression_handler = sanitize($_GET['compression']); $messages = ' <div class="messagebox fade-message"> <h2>
$group->save(); if ($group->getName() == 'group') { //have to update any users who have this group designate. $groupname = $group->getUser(); foreach ($admins as $admin) { if ($admin['valid']) { $hisgroups = explode(',', $admin['group']); if (in_array($groupname, $hisgroups)) { $user = Zenphoto_Authority::newAdministrator($admin['user'], $admin['valid']); user_groups::merge_rights($user, $hisgroups, user_groups::getPrimeObjects($user)); $user->save(); } } } //user assignments: first clear out existing ones Zenphoto_Authority::updateAdminField('group', NULL, array('`valid`>=' => '1', '`group`=' => $groupname)); //then add the ones marked $target = 'user_' . $i . '-'; foreach ($_POST as $item => $username) { if (strpos($item, $target) !== false) { $username = postIndexDecode(substr(sanitize($item), strlen($target))); //$username = substr($item, strlen($target)); $user = $_zp_authority->getAnAdmin(array('`user`=' => $username, '`valid`>=' => 1)); user_groups::merge_rights($user, $hisgroups, user_groups::getPrimeObjects($user)); $user->save(); } } } } } $notify = '&saved';
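/**
 * Processes the verification tickets sent by the registration e-mail.
 *
 * $_GET['verify_federated_user'] carries a hex-encoded serialized array with
 * 'user', 'email' and 'date' entries. When the ticket is well formed, younger
 * than 30 days, and names an active admin, that user receives the rights and
 * objects of the 'federated_login_group', is logged in, and is redirected to
 * the admin page (the request ends there).
 *
 * @param string $script (we do not use this)
 * @return string $script, unchanged
 */
static function verify($script) {
    //process any verifications posted
    if (isset($_GET['verify_federated_user'])) {
        // SECURITY: this is attacker-controllable input handed to unserialize().
        // Only a plain array is ever expected here; once the supported PHP floor is
        // >= 7.0, pass array('allowed_classes' => false) as the second argument.
        // A keyed MAC over the payload (hash_hmac) would also let the server reject
        // tickets it did not issue itself.
        $ticket = trim(sanitize($_GET['verify_federated_user']), '.');
        $params = unserialize(pack("H*", $ticket));
        $maxAge = 30 * 24 * 60 * 60; // 2592000 seconds
        // a malformed ticket (not an array, or missing entries) must not reach the
        // lookup: without these checks a ticket lacking 'date' would pass the age test
        if (is_array($params) && isset($params['date'], $params['user'], $params['email']) && time() - $params['date'] < $maxAge) {
            $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
            if ($userobj) {
                $groupname = getOption('federated_login_group');
                $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
                if ($groupobj) {
                    $userobj->setRights($groupobj->getRights());
                    $userobj->setGroup($groupname);
                    $userobj->setObjects($groupobj->getObjects());
                    if (getOption('register_user_create_album')) {
                        $userobj->createPrimealbum();
                    }
                    $userobj->save();
                }
                zp_apply_filter('register_user_verified', $userobj);
                if (getOption('register_logon_user_notify')) {
                    zp_mail(gettext('Zenphoto Gallery registration'), sprintf(gettext('%1$s (%2$s) has registered for the zenphoto gallery providing an e-mail address of %3$s.'), $userobj->getName(), $userobj->getUser(), $userobj->getEmail()));
                }
                Zenphoto_Authority::logUser($userobj);
                header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
                exitZP();
            }
        }
    }
    return $script;
}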
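/**
 * Admin-tab notice hook: on the users tab, warns the current admin that their
 * password must be renewed, or else that some users' credentials have expired.
 *
 * @param string $tab the admin tab being rendered
 * @param string $subtab the sub-tab being rendered
 */
static function notify($tab, $subtab) {
    // was `($subtab = 'users')`: an assignment, always true, so the notice showed on every sub-tab
    if ($tab == 'users' && $subtab === 'users') {
        if (user_expiry::checkPasswordRenew()) {
            echo '<p class="errorbox">' . gettext('You must change your password.'), '</p>';
        } else {
            if (Zenphoto_Authority::getAnAdmin(array('`valid`>' => 1))) {
                echo '<p class="notebox">' . gettext('You have users whose credentials have expired.'), '</p>';
            }
        }
    }
}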
']);"><?php echo gettext('Migrate rights'); ?> </a> </span> <br class="clearall" /> </p> <br class="clearall" /> <?php } else { if (Zenphoto_Authority::getVersion() > Zenphoto_Authority::$preferred_version) { ?> <br class="clearall" /> <p class="notebox"> <?php printf(gettext('You may wish to revert the <em>Zenphoto_Authority</em> user rights to version %s for backwards compatibility with prior Zenphoto releases.'), Zenphoto_Authority::getVersion() - 1); ?> <br class="clearall" /> <span class="buttons"> <a onclick="launchScript('', ['action=migrate_rights', 'revert=true', 'XSRFToken=<?php echo getXSRFToken('migrate_rights'); ?> ']);"><?php echo gettext('Revert rights'); ?> </a> </span> <br class="clearall" /> </p> <br class="clearall" /> <?php
<?php /** * processes the authorization (or login) of users * * @author Stephen Billard (sbillard) * * @package admin */ // force UTF-8 Ø global $_zp_current_admin_obj, $_zp_loggedin, $_zp_authority; $_zp_current_admin_obj = null; if (!class_exists('Zenphoto_Authority')) { require_once dirname(__FILE__) . '/class-auth.php'; } $_zp_authority = new Zenphoto_Authority(); foreach (Zenphoto_Authority::getRights() as $key => $right) { define($key, $right['value']); } define('MANAGED_OBJECT_RIGHTS_EDIT', 1); define('MANAGED_OBJECT_RIGHTS_UPLOAD', 2); define('MANAGED_OBJECT_RIGHTS_VIEW', 4); define('MANAGED_OBJECT_MEMBER', 16); define('LIST_RIGHTS', NO_RIGHTS); if (!defined('USER_RIGHTS')) { define('USER_RIGHTS', NO_RIGHTS); } if (defined('VIEW_ALL_RIGHTS')) { define('ALL_ALBUMS_RIGHTS', VIEW_ALL_RIGHTS); define('ALL_PAGES_RIGHTS', VIEW_ALL_RIGHTS); define('ALL_NEWS_RIGHTS', VIEW_ALL_RIGHTS);
/**
 * Logs a guest (front-end) logon attempt according to the 'logger_log_type'
 * option ('all', 'success' or 'fail') and hands $success back unchanged.
 *
 * On a successful logon the password is blanked before it reaches the logger;
 * on a failed one the attempted password is passed through as given.
 *
 * @param bool $success whether the logon succeeded
 * @param string $user the user name that was tried
 * @param string $pass the password that was tried
 * @param string $athority what kind of login
 * @return bool
 */
static function guestLoginLogger($success, $user, $pass, $athority) {
    $logtype = getOption('logger_log_type');
    // only the outcomes this log type asks for are recorded
    if ($logtype === 'success' && !$success) {
        return false;
    }
    if ($logtype === 'fail' && $success) {
        return true;
    }
    $displayname = '';
    if ($success) {
        $admin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
        $pass = ''; // mask it from display
        if (is_object($admin)) {
            $displayname = $admin->getName();
        }
    }
    $outcome = $success ? 1 : 0;
    security_logger::Logger($outcome, $user, $displayname, 'Front-end', $athority, $pass);
    return $success;
}
/**
 * Builds the tag that identifies one cached search result set.
 *
 * @param string $table Database table
 * @param string $search Search string
 * @param string $sort Sort criteria
 * @return array tag parts: 'item', 'fields', 'search', 'sort' and 'user'
 */
protected function getCacheTag($table, $search, $sort) {
    // with no auth cookies every visitor shares one result set; once some
    // password cookie exists, play it safe and key the entry per client address
    $cookies = Zenphoto_Authority::getAuthCookies();
    $userkey = empty($cookies) ? '******' : getUserIP();
    return array(
        'item' => $table,
        'fields' => implode(', ', $this->fieldList),
        'search' => $search,
        'sort' => $sort,
        'user' => $userkey,
    );
}
/**
 * Prints the logout link if the user is logged in.
 * This is for album passwords only, not admin users;
 *
 * When nobody is logged in (no auth cookie, or zp_loggedin() is false) a login
 * form or link is printed instead, unless the current page handles login itself.
 *
 * @param string $before before text
 * @param string $after after text
 * @param int $showLoginForm to display a login form
 *   to not display a login form, but just a login link, set to 0
 *   to display a login form set to 1
 *   to display a link to a login form in colorbox, set to 2, but you must have colorbox enabled for the theme pages where this link appears.)
 *   NULL takes the 'user_logout_login_form' option
 * @param string $logouttext optional replacement text for "Logout"
 */
function printUserLogin_out($before = '', $after = '', $showLoginForm = NULL, $logouttext = NULL) {
    global $_zp_gallery, $__redirect, $_zp_current_admin_obj, $_zp_login_error, $_zp_gallery_page;
    // pages that carry their own login handling; no form or link is printed there
    $excludedPages = array('password.php', 'register.php', 'favorites.php', '404.php');
    $logintext = gettext('Login');
    if (is_null($logouttext)) {
        $logouttext = gettext("Logout");
    }
    // arguments for the logout launchScript() call; the first one requests the logout
    $params = array("'userlog=0'");
    if (!empty($__redirect)) {
        foreach ($__redirect as $param => $value) {
            // NOTE(review): only the value is urlencode()d; the key goes verbatim into a JS
            // string inside an href, and $logoutlink below is not html_encode()d. Fine as long
            // as $__redirect keys are program-controlled — verify against its producer.
            $params[] .= "'" . $param . '=' . urlencode($value) . "'";
        }
    }
    if (is_null($showLoginForm)) {
        $showLoginForm = getOption('user_logout_login_form');
    }
    if (is_object($_zp_current_admin_obj)) {
        // an admin supplied by an auth plugin may have no logout link at all
        if (!$_zp_current_admin_obj->logout_link) {
            return;
        }
    }
    $cookies = Zenphoto_Authority::getAuthCookies();
    if (empty($cookies) || !zp_loggedin()) {
        // nobody logged in: offer a way to log in, unless this page is excluded
        if (!in_array($_zp_gallery_page, $excludedPages)) {
            switch ($showLoginForm) {
                case 1:
                    ?>
                    <div class="passwordform">
                        <?php printPasswordForm('', true, false); ?>
                    </div>
                    <?php
                    break;
                case 2:
                    // colorbox variant: only when colorbox is enabled for this theme page
                    if (getOption('colorbox_' . $_zp_gallery->getCurrentTheme() . '_' . stripSuffix($_zp_gallery_page)) && zp_has_filter('theme_head', 'colorbox::css')) {
                        ?>
                        <script type="text/javascript">
                            // <!-- <![CDATA[
                            $(document).ready(function() {
                                $(".logonlink").colorbox({
                                    inline: true,
                                    innerWidth: "400px",
                                    href: "#passwordform",
                                    close: '<?php echo gettext("close"); ?>',
                                    open: $('#passwordform_enclosure .errorbox').length
                                });
                            });
                            // ]]> -->
                        </script>
                        <?php
                        if ($before) {
                            echo '<span class="beforetext">' . html_encodeTagged($before) . '</span>';
                        }
                        ?>
                        <a href="#" class="logonlink" title="<?php echo $logintext; ?>"><?php echo $logintext; ?></a>
                        <span id="passwordform_enclosure" style="display:none">
                            <div class="passwordform">
                                <?php printPasswordForm('', true, false); ?>
                            </div>
                        </span>
                        <?php
                        if ($after) {
                            echo '<span class="aftertext">' . html_encodeTagged($after) . '</span>';
                        }
                    }
                    break;
                default:
                    // plain link to the password page; themes may substitute their own via the 'login_link' filter
                    if ($loginlink = zp_apply_filter('login_link', getCustomPageURL('password'))) {
                        if ($before) {
                            echo '<span class="beforetext">' . html_encodeTagged($before) . '</span>';
                        }
                        ?>
                        <a href="<?php echo $loginlink; ?>" title="<?php echo $logintext; ?>"><?php echo $logintext; ?></a>
                        <?php
                        if ($after) {
                            echo '<span class="aftertext">' . html_encodeTagged($after) . '</span>';
                        }
                    }
            }
        }
    } else {
        // logged in: print the logout link
        if ($before) {
            echo '<span class="beforetext">' . html_encodeTagged($before) . '</span>';
        }
        $logoutlink = "javascript:launchScript('" . FULLWEBPATH . "/',[" . implode(',', $params) . "]);";
        ?>
        <a href="<?php echo $logoutlink; ?>" title="<?php echo $logouttext; ?>"><?php echo $logouttext; ?></a>
        <?php
        if ($after) {
            echo '<span class="aftertext">' . html_encodeTagged($after) . '</span>';
        }
    }
}
/**
 * Handles the registration form POST: honeypot and captcha checks, field
 * validation, creation of the new (rightless, unverified) user, and sending
 * of the confirmation e-mail.
 *
 * Results are reported through globals: $_notify holds the outcome code
 * ('honeypot', 'invalidcaptcha', 'incomplete', 'invalidemail', 'empty',
 * 'exists', 'filter', 'mismatch', 'accepted', or the zp_mail() error text),
 * $_link the verification URL and $_message the e-mail body. $admin_e,
 * $admin_n and $user expose the submitted values for re-display.
 */
static function post_processor() {
    global $admin_e, $admin_n, $user, $_zp_authority, $_zp_captcha, $_zp_gallery, $_notify, $_link, $_message;
    //Handle registration
    if (isset($_POST['username']) && !empty($_POST['username'])) {
        $_notify = 'honeypot'; // honey pot check (presumably a field real users leave empty — see the form)
    }
    if (getOption('register_user_captcha')) {
        if (isset($_POST['code'])) {
            $code = sanitize($_POST['code'], 3);
            $code_ok = sanitize($_POST['code_h'], 3);
        } else {
            $code = '';
            $code_ok = '';
        }
        if (!$_zp_captcha->checkCaptcha($code, $code_ok)) {
            $_notify = 'invalidcaptcha';
        }
    }
    $admin_n = trim(sanitize($_POST['admin_name']));
    if (empty($admin_n)) {
        $_notify = 'incomplete';
    }
    // without a separate e-mail field the user name is taken to be the address
    if (isset($_POST['admin_email'])) {
        $admin_e = trim(sanitize($_POST['admin_email']));
    } else {
        $admin_e = trim(sanitize($_POST['user']));
    }
    if (!is_valid_email_zp($admin_e)) {
        $_notify = 'invalidemail';
    }
    // NOTE(review): the password goes through sanitize() and trim(); whatever they strip
    // cannot be part of the password, so logon must apply the same transform — confirm
    $pass = trim(sanitize($_POST['pass']));
    $user = trim(sanitize($_POST['user']));
    if (empty($pass)) {
        $_notify = 'empty';
    } else {
        if (!empty($user) && !empty($admin_n) && !empty($admin_e)) {
            // with the password disclosed on the form there is no confirmation field to match
            if (isset($_POST['disclose_password']) || $pass == trim(sanitize($_POST['pass_r']))) {
                $currentadmin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`>' => 0));
                if (is_object($currentadmin)) {
                    $_notify = 'exists';
                }
                // any failure recorded above (honeypot, captcha, fields, duplicate) stops here
                if (empty($_notify)) {
                    $userobj = Zenphoto_Authority::newAdministrator('');
                    $userobj->transient = false;
                    $userobj->setUser($user);
                    $userobj->setPass($pass);
                    $userobj->setName($admin_n);
                    $userobj->setEmail($admin_e);
                    $userobj->setRights(0); // no rights until the verification step assigns them
                    $userobj->setObjects(NULL);
                    $userobj->setGroup('');
                    $userobj->setCustomData('');
                    $userobj->setLanguage(getUserLocale());
                    if (extensionEnabled('userAddressFields')) {
                        $addresses = getOption('register_user_address_info');
                        $userinfo = register_user::getUserInfo(0);
                        $_comment_form_save_post = serialize($userinfo);
                        if ($addresses == 'required') {
                            // each missing required field makes the user transient and adds to the message
                            if (!isset($userinfo['street']) || empty($userinfo['street'])) {
                                $userobj->transient = true;
                                $userobj->msg .= ' ' . gettext('You must supply the street field.');
                            }
                            if (!isset($userinfo['city']) || empty($userinfo['city'])) {
                                $userobj->transient = true;
                                $userobj->msg .= ' ' . gettext('You must supply the city field.');
                            }
                            if (!isset($userinfo['state']) || empty($userinfo['state'])) {
                                $userobj->transient = true;
                                $userobj->msg .= ' ' . gettext('You must supply the state field.');
                            }
                            if (!isset($userinfo['country']) || empty($userinfo['country'])) {
                                $userobj->transient = true;
                                $userobj->msg .= ' ' . gettext('You must supply the country field.');
                            }
                            if (!isset($userinfo['postal']) || empty($userinfo['postal'])) {
                                $userobj->transient = true;
                                $userobj->msg .= ' ' . gettext('You must supply the postal code field.');
                            }
                        }
                        // the cookie name is spelled 'reister' in the stored data; keep it, the reader depends on it
                        zp_setCookie('reister_user_form_addresses', $_comment_form_save_post);
                        userAddressFields::setCustomData($userobj, $userinfo);
                    }
                    // plugins may veto the registration by setting $userobj->transient
                    zp_apply_filter('register_user_registered', $userobj);
                    if ($userobj->transient) {
                        if (empty($_notify)) {
                            $_notify = 'filter';
                        }
                    } else {
                        $userobj->save();
                        if (MOD_REWRITE) {
                            $verify = '?verify=';
                        } else {
                            $verify = '&verify=';
                        }
                        // NOTE(review): the link host comes from the request's Host header, and the
                        // verify token is an unsigned hex-encoded serialized array (no MAC); the
                        // consumer's ownership/expiry checks are all that limit its use — confirm them
                        $_link = PROTOCOL . "://" . $_SERVER['HTTP_HOST'] . register_user::getLink() . $verify . bin2hex(serialize(array('user' => $user, 'email' => $admin_e)));
                        // NOTE(review): the plaintext password is offered to the mail template as %4$s
                        $_message = sprintf(get_language_string(getOption('register_user_text')), $_link, $admin_n, $user, $pass);
                        // zp_mail() presumably returns '' on success and its error text otherwise
                        $_notify = zp_mail(get_language_string(gettext('Registration confirmation')), $_message, array($user => $admin_e));
                        if (empty($_notify)) {
                            $_notify = 'accepted';
                        }
                    }
                }
            } else {
                $_notify = 'mismatch';
            }
        } else {
            $_notify = 'incomplete';
        }
    }
}
<?php /** * processes the authorization (or login) of admin users * @package admin */ // force UTF-8 Ø global $_zp_current_admin_obj, $_zp_loggedin, $_zp_null_account, $_zp_reset_admin, $_zp_authority; $_zp_current_admin_obj = null; if (file_exists(dirname(dirname(__FILE__)) . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php')) { // load a custom authroization package if it is present require_once dirname(dirname(__FILE__)) . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php'; } else { require_once dirname(__FILE__) . '/lib-auth.php'; $_zp_authority = new Zenphoto_Authority(); } foreach ($_zp_authority->getRights() as $key => $right) { define($key, $right['value']); } define('MANAGED_OBJECT_RIGHTS_EDIT', 1); define('MANAGED_OBJECT_RIGHTS_UPLOAD', 2); define('MANAGED_OBJECT_RIGHTS_VIEW_IMAGE', 4); define('LIST_RIGHTS', NO_RIGHTS); if (defined('VIEW_ALL_RIGHTS')) { define('VIEW_ALBUMS_RIGHTS', VIEW_ALL_RIGHTS); define('VIEW_PAGES_RIGHTS', VIEW_ALL_RIGHTS); define('VIEW_NEWS_RIGHTS', VIEW_ALL_RIGHTS); define('VIEW_SEARCH_RIGHTS', NO_RIGHTS); define('VIEW_GALLERY_RIGHTS', NO_RIGHTS); define('VIEW_FULLIMAGE_RIGHTS', NO_RIGHTS); } else {
/**
 * Builds a transient Zenphoto administrator from an LDAP directory entry and,
 * when it ends up with any rights, registers it with the authority.
 *
 * @param resource $ad LDAP connection handle, passed through to getZPGroups()
 * @param array $userData LDAP attributes: 'uid', 'uidnumber', 'cn' and optionally 'email'
 *   (the first value of each is used)
 * @return object|null the administrator, or NULL when its rights mask is zero
 */
static function setupUser($ad, $userData) {
    global $_zp_authority;
    $uid = $userData['uid'][0];
    $fullname = $userData['cn'][0];
    // offset the directory id (presumably to keep it apart from locally assigned admin ids)
    $adminId = $userData['uidnumber'][0] + LDAP_ID_OFFSET;
    $memberOf = self::getZPGroups($ad, $uid);

    $adminObj = Zenphoto_Authority::newAdministrator('');
    $adminObj->setID($adminId);
    $adminObj->transient = true;
    if (isset($userData['email'][0])) {
        $adminObj->setEmail($userData['email'][0]);
    }
    $adminObj->setUser($uid);
    $adminObj->setName($fullname);
    // the raw directory record is stored in the pass slot (no password hash is kept)
    $adminObj->setPass(serialize($userData));

    if (class_exists('user_groups')) {
        user_groups::merge_rights($adminObj, $memberOf, array());
        if (DEBUG_LOGIN) {
            debugLogVar("LDAsetupUser: groups:", $adminObj->getGroup());
        }
        $rights = $adminObj->getRights() & ~USER_RIGHTS;
    } else {
        $rights = DEFAULT_RIGHTS & ~USER_RIGHTS;
    }
    // USER_RIGHTS is masked off either way
    $adminObj->setRights($rights);
    if (!$rights) {
        return NULL;
    }
    $_zp_authority->addOtherUser($adminObj);
    return $adminObj;
}
} } } $notify = '&saved'; } else { $notify = '&post_error'; } header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=groups&subpage=' . $subpage . $notify); exitZP(); case 'saveauserassignments': if (isset($_POST['checkForPostTruncation'])) { for ($i = 0; $i < $_POST['totalusers']; $i++) { if (isset($_POST[$i . 'group'])) { $newgroups = sanitize($_POST[$i . 'group']); $username = trim(sanitize($_POST[$i . '-user'], 3)); $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $username, '`valid`>=' => 1)); user_groups::merge_rights($userobj, $newgroups); $userobj->save(); } } $notify = '&saved'; } else { $notify = '&post_error'; } header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=assignments&subpage=' . $subpage . $notify); exitZP(); } } printAdminHeader('users'); $background = ''; ?>
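/**
 * Creates a feed object from the URL parameters fetched only
 *
 * Optionally logs in the admin named by a signed 'token' parameter, then sets
 * up the channel title and per-feedtype state ('gallery', 'news', 'pages',
 * 'comments'; 'null' only instantiates the class). Unknown or disabled feed
 * types end the request through feed404().
 *
 * @param array $options the URL parameters; at least 'rss' (the feed type)
 */
function __construct($options = NULL) {
    global $_zp_gallery, $_zp_current_admin_obj, $_zp_loggedin;
    if (empty($options)) {
        self::feed404();
    }
    $this->feedtype = $options['rss'];
    parent::__construct($options);
    if (isset($options['token'])) {
        // The link came from a logged in user, see if it is valid
        $link = $options;
        unset($link['token']);
        $token = Zenphoto_Authority::passwordHash(serialize($link), '');
        // compare as strings and in constant time: a loose '==' would treat
        // numeric-looking values ("0e..." forms) as equal to hashes they do not match
        $presented = $options['token'];
        $valid = is_string($presented) && is_string($token);
        if ($valid) {
            $valid = function_exists('hash_equals') ? hash_equals($token, $presented) : ($token === $presented);
        }
        if ($valid) {
            $adminobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => (int) $link['user']));
            if ($adminobj) {
                $_zp_current_admin_obj = $adminobj;
                $_zp_loggedin = $_zp_current_admin_obj->getRights();
            }
        }
    }
    // general feed setup
    $channeltitlemode = getOption('RSS_title');
    $this->host = html_encode($_SERVER["HTTP_HOST"]);
    //channeltitle general
    switch ($channeltitlemode) {
        case 'gallery':
            $this->channel_title = $_zp_gallery->getBareTitle($this->locale);
            break;
        case 'website':
            $this->channel_title = getBare($_zp_gallery->getWebsiteTitle($this->locale));
            break;
        case 'both':
            $website_title = $_zp_gallery->getWebsiteTitle($this->locale);
            $this->channel_title = $_zp_gallery->getBareTitle($this->locale);
            if (!empty($website_title)) {
                $this->channel_title = $website_title . ' - ' . $this->channel_title;
            }
            break;
    }
    // individual feedtype setup
    switch ($this->feedtype) {
        case 'gallery':
            if (!getOption('RSS_album_image')) {
                self::feed404();
            }
            $albumname = $this->getChannelTitleExtra();
            if ($this->albumfolder) {
                $alb = newAlbum($this->albumfolder, true, true);
                if ($alb->exists) {
                    $albumtitle = $alb->getTitle();
                    if ($this->mode == 'albums' || $this->collection) {
                        $albumname = ' - ' . html_encode($albumtitle) . $this->getChannelTitleExtra();
                    }
                } else {
                    self::feed404();
                }
            } else {
                $albumtitle = '';
            }
            // NOTE(review): this discards the ' - <album title>' prefix computed just above;
            // kept as-is because it is the title format currently produced — confirm intent
            $albumname = $this->getChannelTitleExtra();
            $this->channel_title = html_encode($this->channel_title . ' ' . getBare($albumname));
            $this->imagesize = $this->getImageSize();
            require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
            break;
        case 'news': //Zenpage News RSS
            if (!getOption('RSS_articles')) {
                self::feed404();
            }
            $titleappendix = gettext(' (Latest news)');
            switch ($this->newsoption) {
                case 'withalbums':
                case 'withalbums_mtime':
                case 'withalbums_publishdate':
                case 'withalbums_latestupdated':
                    $titleappendix = gettext(' (Latest news and albums)');
                    break;
                case 'withimages':
                case 'withimages_mtime':
                case 'withimages_publishdate':
                    $titleappendix = gettext(' (Latest news and images)');
                    break;
                default:
                    switch ($this->sortorder) {
                        case 'popular':
                            $titleappendix = gettext(' (Most popular news)');
                            break;
                        case 'mostrated':
                            $titleappendix = gettext(' (Most rated news)');
                            break;
                        case 'toprated':
                            $titleappendix = gettext(' (Top rated news)');
                            break;
                        case 'random':
                            $titleappendix = gettext(' (Random news)');
                            break;
                    }
                    break;
            }
            $this->channel_title = html_encode($this->channel_title . $this->cattitle . $titleappendix);
            $this->imagesize = $this->getImageSize();
            $this->itemnumber = getOption("RSS_zenpage_items"); // # of Items displayed on the feed
            require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
            require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
            break;
        case 'pages': //Zenpage pages RSS
            if (!getOption('RSS_pages')) {
                self::feed404();
            }
            switch ($this->sortorder) {
                case 'popular':
                    $titleappendix = gettext(' (Most popular pages)');
                    break;
                case 'mostrated':
                    $titleappendix = gettext(' (Most rated pages)');
                    break;
                case 'toprated':
                    $titleappendix = gettext(' (Top rated pages)');
                    break;
                case 'random':
                    $titleappendix = gettext(' (Random pages)');
                    break;
                default:
                    $titleappendix = gettext(' (Latest pages)');
                    break;
            }
            $this->channel_title = html_encode($this->channel_title . $titleappendix);
            require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
            break;
        case 'comments': //Comments RSS
            if (!getOption('RSS_comments')) {
                self::feed404();
            }
            if ($this->id) {
                // map the comment feed type onto its table; anything else is not a feed
                switch ($this->commentfeedtype) {
                    case 'album':
                        $table = 'albums';
                        break;
                    case 'image':
                        $table = 'images';
                        break;
                    case 'news':
                        $table = 'news';
                        break;
                    case 'page':
                        $table = 'pages';
                        break;
                    default:
                        self::feed404();
                        break;
                }
                $this->itemobj = getItemByID($table, $this->id);
                if ($this->itemobj) {
                    $title = ' - ' . $this->itemobj->getTitle();
                } else {
                    self::feed404();
                }
            } else {
                $this->itemobj = NULL;
                $title = NULL;
            }
            $this->channel_title = html_encode($this->channel_title . $title . gettext(' (latest comments)'));
            if (extensionEnabled('zenpage')) {
                require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
            }
            break;
        case 'null': //we just want the class instantiated
            return;
    }
    $this->feeditems = $this->getitems();
}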
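/**
 * Filter handler: authorizes the request from HTTP Basic credentials when the
 * normal Zenphoto logon did not.
 *
 * PHP-CGI setups deliver the Authorization header as HTTP_AUTHORIZATION or
 * REDIRECT_HTTP_AUTHORIZATION rather than as the PHP_AUTH_* pair, so those are
 * unpacked into $_SERVER first. With the 'http_auth_trust' option only the
 * user name is looked up (the password is presumed checked upstream);
 * otherwise the pair goes through Zenphoto_Authority::checkLogon().
 *
 * @param mixed $authorized rights from an earlier handler; falsy means not logged in
 * @return mixed the authenticated admin's rights, or $authorized unchanged
 */
static function check($authorized) {
    global $_zp_authority, $_zp_current_admin_obj;
    if (!$authorized) { // not logged in via normal zenphoto handling
        // PHP-CGI auth fix: the later header wins, as before
        foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $header) {
            if (isset($_SERVER[$header])) {
                $credentials = self::parseBasicCredentials($_SERVER[$header]);
                if ($credentials !== NULL) {
                    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $credentials;
                }
            }
        }
        if (array_key_exists('PHP_AUTH_USER', $_SERVER) && array_key_exists('PHP_AUTH_PW', $_SERVER)) {
            $user = $_SERVER['PHP_AUTH_USER'];
            $pass = $_SERVER['PHP_AUTH_PW'];
            if (getOption('http_auth_trust')) {
                $userobj = $_zp_authority->getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
            } else {
                $userobj = Zenphoto_Authority::checkLogon($user, $pass);
            }
            if ($userobj) {
                $_zp_current_admin_obj = $userobj;
                $_zp_current_admin_obj->logout_link = false; // browser-held credentials cannot be dropped by a link
                $authorized = $_zp_current_admin_obj->getRights();
            }
        }
    }
    return $authorized;
}

/**
 * Splits an HTTP Basic "Authorization" header value into array(user, password).
 *
 * Previously the decoded value was exploded on ':' and re-joined with '' — which
 * silently deleted every ':' from a password — and the scheme was never checked.
 *
 * @param string $header the raw header value, e.g. "Basic <base64>"
 * @return array|null array(user, password), or NULL when the scheme is not Basic
 *   or the payload does not decode
 */
private static function parseBasicCredentials($header) {
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return NULL;
    }
    $decoded = base64_decode(substr($header, 6));
    if ($decoded === false) {
        return NULL;
    }
    // the user-id cannot contain ':' but the password may: split on the first one only
    $parts = explode(':', $decoded, 2);
    $password = isset($parts[1]) ? $parts[1] : '';
    return array($parts[0], $password);
}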
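/**
 * Option-save handler for the registration plugin: when the user_groups plugin
 * is not active, rebuilds the 'register_user_user_rights' bitmask from the
 * posted 'register_user-<right>' checkboxes.
 *
 * @param string $themename unused, part of the handler signature
 * @param string $themealbum unused, part of the handler signature
 * @return bool always false
 */
static function handleOptionSave($themename, $themealbum) {
    if (!class_exists('user_groups')) {
        $saved_rights = NO_RIGHTS;
        $rightslist = sortMultiArray(Zenphoto_Authority::getRights(), array('set', 'value'));
        foreach ($rightslist as $rightselement => $right) {
            $field = 'register_user-' . $rightselement;
            if (isset($_POST[$field])) {
                // the posted value is untrusted: cast before the bitwise OR so a non-numeric
                // string cannot raise a TypeError (PHP 8) or contribute garbage bits.
                // $right['value'] holds the server-side bit for this element should the
                // posted value ever need to be ignored entirely.
                $saved_rights = $saved_rights | (int) $_POST[$field];
            }
        }
        setOption('register_user_user_rights', $saved_rights);
    }
    return false;
}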
/**
 * Handles save of user/password.
 *
 * Reads the 'user', 'pass', 'pass_r', 'disclose_password' and 'hint' form
 * fields (each suffixed with $suffix) from $_POST and stores them either on
 * $object (when it is an object) or as options "<$object>_user",
 * "<$object>_password" and "<$object>_hint" (when it is an option prefix).
 * Nothing happens unless 'password_enabled<suffix>' was posted truthy.
 *
 * @param object|string $object the item to update, or the option-name prefix
 * @param string $suffix appended to every form field name
 * @return string '' on success, '?mismatch' when the two passwords differ,
 *   '?mismatch=user' when the user name changed without a password being supplied
 */
function processCredentials($object, $suffix = '') {
    $notify = '';
    if (empty($_POST['password_enabled' . $suffix])) {
        return $notify;
    }
    $useObject = is_object($object);
    $olduser = $useObject ? $object->getUser() : getOption($object . '_user');
    $newuser = trim(sanitize($_POST['user' . $suffix], 3));
    $pwd = trim(sanitize($_POST['pass' . $suffix]));
    // with the password disclosed there is no confirmation field to compare against
    if (isset($_POST['disclose_password' . $suffix])) {
        $confirm = $pwd;
    } elseif (isset($_POST['pass_r' . $suffix])) {
        $confirm = trim(sanitize($_POST['pass_r' . $suffix]));
    } else {
        $confirm = '';
    }
    // a new user name must come with a password
    $fail = '';
    if ($olduser != $newuser && !empty($newuser) && strlen($_POST['pass' . $suffix]) == 0) {
        $fail = '?mismatch=user';
    }
    if ($fail || $pwd != $confirm) {
        $notify = empty($fail) ? '?mismatch' : $fail;
    } else {
        if ($useObject) {
            $object->setUser($newuser);
        } else {
            setOption($object . '_user', $newuser);
        }
        if (!empty($pwd)) {
            $hash = Zenphoto_Authority::passwordHash($newuser, $pwd);
            if ($useObject) {
                $object->setPassword($hash);
            } else {
                setOption($object . '_password', $hash);
            }
        } elseif (strlen($_POST['pass' . $suffix]) == 0) {
            // an empty field clears the password; a field that only sanitized to empty leaves it alone
            if ($useObject) {
                $object->setPassword(NULL);
            } else {
                setOption($object . '_password', NULL);
            }
        }
    }
    $hint = process_language_string_save('hint' . $suffix, 3);
    if ($useObject) {
        $object->setPasswordHint($hint);
    } else {
        setOption($object . '_hint', $hint);
    }
    return $notify;
}
/**
 * This is the cookie processor filter handler
 * it invokes the child class check() method to see if there is a valid visitor to the site
 * The check() method should return "false" if there is no valid visitor or an array of
 * User information if there is one.
 *
 * If there is a valid user, the user name is checked against Zenphoto users. If such user exists
 * he will be automatically logged in. If no user by that userid exists a transient user will be
 * created and logged in. User details are filled in from the user information in the passed array.
 *
 * Most entries in the result array are simply stored into the user property of the same name. However,
 * there are some special handling items that may be present:
 * <ul>
 * <li>groups: an array of the user's group membership</li>
 * <li>objects: a Zenphoto "managed object list" array</li>
 * <li>album: the name of the user's primary album</li>
 * <li>logout_link: information that the plugin can use when a user logs out</li>
 * </ul>
 *
 * All the above may be missing. However, if there is no groups entry, there needs to be an
 * entry for the user's rights otherwise he will have none. There should not be both a rights entry
 * and a groups entry as they are mutually exclusive.
 *
 * album and objects entries should come last in the list so all other properties are processed first as
 * these methods may modify other properties.
 *
 * @param BIT $authorized rights from an earlier handler; falsy means not logged in
 * @return BIT the logged-in user's rights, or $authorized unchanged
 */
function check($authorized) {
    global $_zp_current_admin_obj;
    if (!$authorized) { // not logged in via normal Zenphoto handling
        if ($result = $this->user()) {
            $user = $result['user'];
            $searchfor = array('`user`=' => $user, '`valid`=' => 1);
            $userobj = Zenphoto_Authority::getAnAdmin($searchfor);
            if (!$userobj) {
                unset($result['id']);
                unset($result['user']);
                $authority = '';
                // create a transient user
                $userobj = new Zenphoto_Administrator('', 1);
                $userobj->setUser($user);
                $userobj->setRights(NO_RIGHTS); // just incase none get set
                // Flag as external credentials for completeness
                $properties = array_keys($result); // the list of things we got from the external authority
                array_unshift($properties, $this->auth);
                $userobj->setCredentials($properties);
                // populate the user properties
                // NOTE(review): every remaining entry is trusted wholesale — the default branch
                // writes any key, including 'rights', straight from the external authority's data
                $member = false; // no group membership (yet)
                foreach ($result as $key => $value) {
                    switch ($key) {
                        case 'authority':
                            $authority = '::' . $value;
                            unset($result['authority']);
                            break;
                        case 'groups':
                            // find the corresponding Zenphoto group (if it exists)
                            $rights = NO_RIGHTS;
                            $objects = array();
                            $groups = $value;
                            // note: this inner loop reuses $key; harmless here since the outer $key is
                            // not read again after the switch
                            foreach ($groups as $key => $group) {
                                $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
                                if ($groupobj) {
                                    $member = true;
                                    $rights = $groupobj->getRights() | $rights;
                                    $objects = array_merge($groupobj->getObjects(), $objects);
                                    if ($groupobj->getName() == 'template') {
                                        // templates contribute rights/objects but are not kept as a membership
                                        unset($groups[$key]);
                                    }
                                } else {
                                    unset($groups[$key]);
                                }
                            }
                            if ($member) {
                                $userobj->setGroup(implode(',', $groups));
                                $userobj->setRights($rights);
                                $userobj->setObjects($objects);
                            }
                            break;
                        case 'defaultgroup':
                            if (!$member && isset($result['defaultgroup'])) {
                                // No Zenphoto group, use the default group
                                $group = $result['defaultgroup'];
                                $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
                                if ($groupobj) {
                                    $rights = $groupobj->getRights();
                                    $objects = $groupobj->getObjects();
                                    // NOTE(review): this drops the group name when it is NOT a template — the
                                    // opposite of the 'groups' branch above; looks inverted, confirm intent
                                    if ($groupobj->getName() != 'template') {
                                        $group = NULL;
                                    }
                                    $userobj->setGroup($group);
                                    $userobj->setRights($rights);
                                    $userobj->setObjects($objects);
                                }
                            }
                            break;
                        case 'objects':
                            // NOTE(review): stores $objects (left over from the groups/defaultgroup
                            // branches, undefined otherwise) rather than $value; looks like $value was meant
                            $userobj->setObjects($objects);
                            break;
                        case 'album':
                            $userobj->createPrimealbum(false, $value);
                            break;
                        default:
                            $userobj->set($key, $value);
                            break;
                    }
                }
                $properties = array_keys($result); // the list of things we got from the external authority
                array_unshift($properties, $this->auth . $authority);
                $userobj->setCredentials($properties);
            }
            if (isset($result['logout_link'])) {
                $userobj->logout_link = $result['logout_link'];
            }
            $_zp_current_admin_obj = $userobj;
            $authorized = $_zp_current_admin_obj->getRights();
        }
    }
    return $authorized;
}
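/**
 * Checks password posting.
 *
 * Works out which protected object the request is for (full-size image, search page,
 * album — walking up to the nearest ancestor that carries a password —, Zenpage page —
 * likewise walking up its parents —, and finally the gallery itself), then either
 * processes a posted login form or validates the auth cookie saved for that context.
 * On a successful form post the cookie is set and an optional sanitized redirect is
 * followed; on failure the cookie is cleared and $_zp_login_error is raised.
 *
 * @param string $authType override of authorization type (also the cookie name); derived from context when empty
 * @param string $check_auth stored password hash to check against; only honoured together with an explicit $authType
 * @param string $check_user stored user name to check against; only honoured together with an explicit $authType
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL) {
	global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
	if (empty($authType)) { // not supplied by caller: work it out from the request context
		$check_auth = '';
		if ((isset($_GET['z']) && @$_GET['p'] == 'full-image') || (isset($_GET['p']) && $_GET['p'] == '*full-image')) {
			$authType = 'zp_image_auth';
			$check_auth = getOption('protected_image_password');
			$check_user = getOption('protected_image_user');
		} else if (in_context(ZP_SEARCH)) { // search page
			$authType = 'zp_search_auth';
			$check_auth = getOption('search_password');
			$check_user = getOption('search_user');
		} else if (in_context(ZP_ALBUM)) { // album page
			$authType = "zp_album_auth_" . $_zp_current_album->getID();
			$check_auth = $_zp_current_album->getPassword();
			$check_user = $_zp_current_album->getUser();
			if (empty($check_auth)) { // no own password: the nearest protected ancestor governs access
				$parent = $_zp_current_album->getParent();
				while (!is_null($parent)) {
					$check_auth = $parent->getPassword();
					$check_user = $parent->getUser();
					$authType = "zp_album_auth_" . $parent->getID();
					if (!empty($check_auth)) {
						break;
					}
					$parent = $parent->getParent();
				}
			}
		} else if (in_context(ZP_ZENPAGE_PAGE)) {
			$authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
			$check_auth = $_zp_current_zenpage_page->getPassword();
			$check_user = $_zp_current_zenpage_page->getUser();
			if (empty($check_auth)) { // no own password: the nearest protected ancestor page governs access
				$pageobj = $_zp_current_zenpage_page;
				while (empty($check_auth)) {
					// the id comes from the database, but it is interpolated into SQL, so force it to an integer
					$parentID = (int) $pageobj->getParentID();
					if ($parentID == 0) {
						break;
					}
					$sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . $parentID;
					$result = query_single_row($sql);
					$pageobj = new ZenpagePage($result['titlelink']);
					$authType = "zp_page_auth_" . $pageobj->getID();
					$check_auth = $pageobj->getPassword();
					$check_user = $pageobj->getUser();
				}
			}
		}
		if (empty($check_auth)) { // anything else is controlled by the gallery credentials
			$authType = 'zp_gallery_auth';
			$check_auth = $_zp_gallery->getPassword();
			$check_user = $_zp_gallery->getUser();
		}
	}
	// Handle the login form.
	if (DEBUG_LOGIN) {
		debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
	}
	if (isset($_POST['password']) && isset($_POST['pass'])) { // process login form
		if (isset($_POST['user'])) {
			$post_user = sanitize($_POST['user']);
		} else {
			$post_user = '';
		}
		$post_pass = $_POST['pass']; // We should not sanitize the password
		$auth = '';
		$success = false;
		// every scheme in $hashList is tried; the first one whose hash matches the stored value wins
		foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
			$auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
			// strict string comparison: loose == treats numeric-looking hashes (e.g. "0e...") as equal.
			// Where PHP >= 5.6 is guaranteed, hash_equals() would additionally make this constant-time.
			$success = (string) $auth === (string) $check_auth && (string) $post_user === (string) $check_user;
			if (DEBUG_LOGIN) {
				// the clear-text password must never reach the log file
				debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$post_pass=[redacted]; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
			}
			if ($success) {
				break;
			}
		}
		$success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
		if ($success) { // Correct auth info. Set the cookie.
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: valid credentials");
			}
			zp_setCookie($authType, $auth);
			if (isset($_POST['redirect'])) {
				$redirect_to = sanitizeRedirect($_POST['redirect'], true);
				if (!empty($redirect_to)) {
					header("Location: " . $redirect_to);
					exitZP();
				}
			}
		} else { // Clear the cookie, just in case
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: invalid credentials");
			}
			zp_clearCookie($authType);
			$_zp_login_error = true;
		}
		return;
	}
	if (empty($check_auth)) { //no password on record or admin logged in
		return;
	}
	if (($saved_auth = zp_getCookie($authType)) != '') {
		// strict comparison for the same reason as above: the cookie value is attacker-controlled
		if ((string) $saved_auth === (string) $check_auth) {
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: valid cookie");
			}
			return;
		} else { // Clear the cookie
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: invalid cookie");
			}
			zp_clearCookie($authType);
		}
	}
}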
<?php /** * processes the authorization (or login) of admin users * @package admin */ // force UTF-8 Ø global $_zp_current_admin_obj, $_zp_loggedin, $_zp_authority; $_zp_current_admin_obj = null; if (file_exists(SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php')) { // load a custom authroization package if it is present require_once SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php'; } else { require_once dirname(__FILE__) . '/lib-auth.php'; $_zp_authority = new Zenphoto_Authority(); } foreach (Zenphoto_Authority::getRights() as $key => $right) { define($key, $right['value']); } define('MANAGED_OBJECT_RIGHTS_EDIT', 1); define('MANAGED_OBJECT_RIGHTS_UPLOAD', 2); define('MANAGED_OBJECT_RIGHTS_VIEW', 4); define('LIST_RIGHTS', NO_RIGHTS); if (!defined('USER_RIGHTS')) { define('USER_RIGHTS', NO_RIGHTS); } if (defined('VIEW_ALL_RIGHTS')) { define('ALL_ALBUMS_RIGHTS', VIEW_ALL_RIGHTS); define('ALL_PAGES_RIGHTS', VIEW_ALL_RIGHTS); define('ALL_NEWS_RIGHTS', VIEW_ALL_RIGHTS); define('VIEW_SEARCH_RIGHTS', NO_RIGHTS);
echo $targetid; ?> ').tagSuggest({ tags: [ <?php echo implode(',', $dbfields); ?> ] }); }); // ]]> --> </script> <?php } zp_apply_filter('texteditor_config', 'zenphoto'); Zenphoto_Authority::printPasswordFormJS(); ?> </head> <body> <?php printLogoAndLinks(); ?> <div id="main"> <?php printTabs(); ?> <div id="content"> <?php /* Page code */ ?> <div id="container">
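/**
 * Re-validates user's e-mail via ticket.
 *
 * When a `user_expiry_reverify` ticket is present in the query string it is decoded
 * and checked for age; if it names an existing, non-disabled user that user is marked
 * verified, logged in and redirected to the admin page. Otherwise, when a password
 * renewal is due, the request is redirected to the users tab.
 *
 * @param string $path the script (which we ignore)
 * @return string $path, unchanged, when no redirect was issued
 */
static function reverify($path) {
	global $_zp_authority;
	//process any verifications posted
	if (isset($_GET['user_expiry_reverify'])) {
		// NOTE(review): the ticket is a hex-encoded serialized array taken straight from the request.
		// unserialize() on request data accepts arbitrary classes, and nothing here binds the ticket
		// to a server-side secret — confirm the issuing side signs it, or move to json + hash_hmac().
		$params = unserialize(pack("H*", trim(sanitize($_GET['user_expiry_reverify']), '.')));
		// a malformed or truncated ticket decodes to false (or a shape we do not expect): ignore it
		if (is_array($params) && isset($params['date'], $params['user'], $params['email'])) {
			if (time() - $params['date'] < 2592000) { // tickets are good for 30 days
				$userobj = $_zp_authority->getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
				// everything below needs a user object; the original fell through to a fatal error when none was found
				if ($userobj) {
					$credentials = $userobj->getCredentials();
					$credentials[] = 'expiry';
					$credentials[] = 'email';
					$credentials = array_unique($credentials);
					$userobj->setCredentials($credentials);
					$userobj->setValid(1);
					$userobj->set('loggedin', date('Y-m-d H:i:s'));
					$userobj->save();
					Zenphoto_Authority::logUser($userobj);
					header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
					exitZP();
				}
			}
		}
	}
	if (user_expiry::checkPasswordRenew()) {
		header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin-users.php?page=users&tab=users');
		exitZP();
	}
	return $path;
}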
$groupobj->set('other_credentials', gettext('Managers of one or more albums')); $groupobj->setValid(0); $groupobj->save(); $groupsdefined[] = 'album managers'; } if (!in_array('default', $groupsdefined)) { $groupobj = Zenphoto_Authority::newAdministrator('default', 0); $groupobj->setName('template'); $groupobj->setRights(DEFAULT_RIGHTS); $groupobj->set('other_credentials', gettext('Default user settings')); $groupobj->setValid(0); $groupobj->save(); $groupsdefined[] = 'default'; } if (!in_array('newuser', $groupsdefined)) { $groupobj = Zenphoto_Authority::newAdministrator('newuser', 0); $groupobj->setName('template'); $groupobj->setRights(NO_RIGHTS); $groupobj->set('other_credentials', gettext('Newly registered and verified users')); $groupobj->setValid(0); $groupobj->save(); $groupsdefined[] = 'newuser'; } setOption('defined_groups', serialize($groupsdefined)); // record that these have been set once (and never again) setOptionDefault('RSS_album_image', 1); setOptionDefault('RSS_comments', 1); setOptionDefault('RSS_articles', 1); setOptionDefault('RSS_pages', 1); setOptionDefault('RSS_article_comments', 1); setOptionDefault('AlbumThumbSelect', 1);
/**
 * Hashes and stores the password.
 *
 * The clear-text password is hashed with the hash type configured in the `strong_hash`
 * option (keyed on this user's name via Zenphoto_Authority::passwordHash); the hash,
 * the hash type and the update timestamp are then recorded on the object.
 *
 * @param string $pwd clear-text password
 * @return string the stored hash
 */
function setPass($pwd) {
	$algorithm = getOption('strong_hash');
	$hashed = Zenphoto_Authority::passwordHash($this->getUser(), $pwd, $algorithm);
	$this->set('pass', $hashed);
	$this->set('passupdate', date('Y-m-d H:i:s'));
	$this->set('passhash', $algorithm);
	return $hashed;
}
/**
 * Wrapper function to get the author of a news article or page: Used by getNewsAuthor() and getPageAuthor().
 *
 * Picks the current Zenpage page or news object. With $fullname set, the author is
 * looked up as a valid admin and that admin's display name is returned when it is
 * non-empty; in every other case the object's own author value is returned.
 *
 * @param bool $fullname False for the user name, true for the full name
 *
 * @return string|false false when there is no current page or news object
 */
function getAuthor($fullname = false) {
	global $_zp_current_zenpage_page, $_zp_current_zenpage_news;
	if (is_Pages()) {
		$item = $_zp_current_zenpage_page;
	} elseif (is_News()) {
		$item = $_zp_current_zenpage_news;
	} else {
		return false;
	}
	if (!$item) {
		return false;
	}
	if ($fullname) {
		$admin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $item->getAuthor(), '`valid`=' => 1));
		if (is_object($admin) && $admin->getName()) {
			return $admin->getName();
		}
	}
	return $item->getAuthor();
}
$ordered[$key] = $admin['date']; } } asort($ordered); $adminordered = array(); foreach ($ordered as $key => $user) { $adminordered[] = $admins[$key]; } $msg = NULL; if (isset($_GET['action'])) { $action = sanitize($_GET['action']); XSRFdefender($action); if ($action == 'expiry') { foreach ($_POST as $key => $action) { if (strpos($key, 'r_') === 0) { $userobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => str_replace('r_', '', postIndexDecode($key)))); if ($userobj) { switch ($action) { case 'delete': $userobj->remove(); break; case 'disable': $userobj->setValid(2); $userobj->save(); break; case 'enable': $userobj->setValid(1); $userobj->save(); break; case 'renew': $newdate = getOption('user_expiry_interval') * 86400 + strtotime($userobj->getDateTime());