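/**
 * Checks a guest password posting against the credentials that protect the
 * current context (full image, search, album, Zenpage page or the gallery).
 *
 * Flow: when the caller did not supply an authorization type, the credential
 * set is derived from the current context (walking up album / page parents
 * until one carries a password, falling back to the gallery credentials).
 * Then either a submitted login form is processed (setting or clearing the
 * auth cookie and redirecting) or an already present auth cookie is validated.
 *
 * @param string $authType override of authorization type (also the cookie name); when empty it is
 *                         derived from the current context together with $check_auth / $check_user
 * @param string $check_auth stored password hash to compare against (only used with $authType)
 * @param string $check_user stored user name to compare against (only used with $authType)
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL) {
	global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
	if (empty($authType)) { // not supplied by caller: derive the credential set from the context
		$check_auth = '';
		// explicit parentheses: the request is a full-image request in either of these two forms
		$wantsFullImage = (isset($_GET['z']) && isset($_GET['p']) && $_GET['p'] === 'full-image')
				|| (isset($_GET['p']) && $_GET['p'] === '*full-image');
		if ($wantsFullImage) {
			$authType = 'zp_image_auth';
			$check_auth = getOption('protected_image_password');
			$check_user = getOption('protected_image_user');
		} elseif (in_context(ZP_SEARCH)) { // search page
			$authType = 'zp_search_auth';
			$check_auth = getOption('search_password');
			$check_user = getOption('search_user');
		} elseif (in_context(ZP_ALBUM)) { // album page: the nearest protected ancestor wins
			$authType = "zp_album_auth_" . $_zp_current_album->getID();
			$check_auth = $_zp_current_album->getPassword();
			$check_user = $_zp_current_album->getUser();
			if (empty($check_auth)) {
				$parent = $_zp_current_album->getParent();
				while (!is_null($parent)) {
					$check_auth = $parent->getPassword();
					$check_user = $parent->getUser();
					$authType = "zp_album_auth_" . $parent->getID();
					if (!empty($check_auth)) {
						break;
					}
					$parent = $parent->getParent();
				}
			}
		} elseif (in_context(ZP_ZENPAGE_PAGE)) { // Zenpage page: walk up the parent chain
			$authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
			$check_auth = $_zp_current_zenpage_page->getPassword();
			$check_user = $_zp_current_zenpage_page->getUser();
			if (empty($check_auth)) {
				$pageobj = $_zp_current_zenpage_page;
				while (empty($check_auth)) {
					$parentID = (int) $pageobj->getParentID();
					if ($parentID === 0) { // reached the top of the chain
						break;
					}
					// the id comes from the database, but it is cast to int above so the query stays numeric
					$sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . $parentID;
					$result = query_single_row($sql);
					if (!$result) { // broken parent link: stop and fall back to the gallery credentials
						break;
					}
					$pageobj = new ZenpagePage($result['titlelink']);
					$authType = "zp_page_auth_" . $pageobj->getID();
					$check_auth = $pageobj->getPassword();
					$check_user = $pageobj->getUser();
				}
			}
		}
		if (empty($check_auth)) { // anything else is controlled by the gallery credentials
			$authType = 'zp_gallery_auth';
			$check_auth = $_zp_gallery->getPassword();
			$check_user = $_zp_gallery->getUser();
		}
	}
	// Handle the login form.
	if (DEBUG_LOGIN) {
		debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
	}
	if (isset($_POST['password']) && isset($_POST['pass'])) { // process login form
		$post_user = isset($_POST['user']) ? sanitize($_POST['user']) : '';
		$post_pass = $_POST['pass']; // We should not sanitize the password
		$auth = '';
		$success = false;
		// try every supported hash scheme so credentials stored under an older scheme still verify
		foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
			$auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
			// constant-time, type-safe comparison: a loose == on hash strings is subject to
			// numeric-string juggling ("0e..." == "0e...") and leaks timing information
			$success = hash_equals((string) $check_auth, (string) $auth) && (string) $post_user === (string) $check_user;
			if (DEBUG_LOGIN) {
				// the submitted plaintext password is deliberately not written to the log
				debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$post_pass=[redacted]; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
			}
			if ($success) {
				break;
			}
		}
		// plugins may veto or grant the attempt
		$success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
		if ($success) { // Correct auth info. Set the cookie.
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: valid credentials");
			}
			zp_setCookie($authType, $auth);
			if (isset($_POST['redirect'])) {
				// sanitizeRedirect() is what keeps this from becoming an open redirect
				$redirect_to = sanitizeRedirect($_POST['redirect'], true);
				if (!empty($redirect_to)) {
					header("Location: " . $redirect_to);
					exitZP();
				}
			}
		} else { // Clear the cookie, just in case
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: invalid credentials");
			}
			zp_clearCookie($authType);
			$_zp_login_error = true;
		}
		return;
	}
	if (empty($check_auth)) { //no password on record or admin logged in
		return;
	}
	$saved_auth = zp_getCookie($authType);
	if ((string) $saved_auth !== '') {
		// the cookie value is attacker controlled: compare it like a hash, not with ==
		if (hash_equals((string) $check_auth, (string) $saved_auth)) {
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: valid cookie");
			}
			return;
		}
		// Clear the cookie
		if (DEBUG_LOGIN) {
			debugLog("zp_handle_password: invalid cookie");
		}
		zp_clearCookie($authType);
	}
}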
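/**
 * Handles the save of a user/password pair posted from an admin form.
 *
 * Only acts when the form's `password_enabled<suffix>` checkbox is set. The user
 * name is always stored; the password is re-hashed when a (non-empty) password
 * was entered, cleared when the password field was submitted completely empty,
 * and left untouched otherwise. The password hint is saved in every case.
 *
 * @param object|string $object the protected object (album, page, ...), or a string option
 *                              prefix for option based credentials (`<prefix>_user`,
 *                              `<prefix>_password`, `<prefix>_hint`)
 * @param string $suffix suffix appended to every form field name
 * @return string '' on success, otherwise a query fragment describing the failure
 *                ('?mismatch' for differing passwords, '?mismatch=user' for a new user without password)
 */
function processCredentials($object, $suffix = '') {
	$notify = '';
	if (isset($_POST['password_enabled' . $suffix]) && $_POST['password_enabled' . $suffix]) {
		if (is_object($object)) {
			$olduser = $object->getUser();
		} else {
			$olduser = getOption($object . '_user');
		}
		// the raw field is kept to tell "submitted empty" (clear) from "whitespace only" (keep)
		$rawPass = isset($_POST['pass' . $suffix]) ? (string) $_POST['pass' . $suffix] : '';
		$newuser = trim(sanitize(isset($_POST['user' . $suffix]) ? $_POST['user' . $suffix] : '', 3));
		$pwd = trim(sanitize($rawPass));
		if (isset($_POST['disclose_password' . $suffix])) {
			$pass2 = $pwd; // password shown in clear, no confirmation field
		} elseif (isset($_POST['pass_r' . $suffix])) {
			$pass2 = trim(sanitize($_POST['pass_r' . $suffix]));
		} else {
			$pass2 = '';
		}
		$fail = '';
		// a changed, non-empty user name must come with a password
		if ((string) $olduser !== (string) $newuser && !empty($newuser) && $rawPass === '') {
			$fail = '?mismatch=user';
		}
		// strict comparison: with == numeric-looking passwords such as "1e3" and "1000" would match
		if ($fail === '' && $pwd === $pass2) {
			if (is_object($object)) {
				$object->setUser($newuser);
			} else {
				setOption($object . '_user', $newuser);
			}
			if ($pwd === '') {
				if ($rawPass === '') { // clear the password
					if (is_object($object)) {
						$object->setPassword(NULL);
					} else {
						setOption($object . '_password', NULL);
					}
				}
			} else {
				$hash = Zenphoto_Authority::passwordHash($newuser, $pwd);
				if (is_object($object)) {
					$object->setPassword($hash);
				} else {
					setOption($object . '_password', $hash);
				}
			}
		} else {
			$notify = ($fail === '') ? '?mismatch' : $fail;
		}
		$hint = process_language_string_save('hint' . $suffix, 3);
		if (is_object($object)) {
			$object->setPasswordHint($hint);
		} else {
			setOption($object . '_hint', $hint);
		}
	}
	return $notify;
}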
/**
 * Hashes the given plaintext password with the configured hash scheme and
 * stores the hash, the update timestamp and the scheme id on this user.
 *
 * @param string $pwd plaintext password
 * @return string the stored password hash
 */
function setPass($pwd) {
	$hashType = getOption('strong_hash');
	$hashed = Zenphoto_Authority::passwordHash($this->getUser(), $pwd, $hashType);
	$this->set('pass', $hashed);
	// record when and with which scheme the hash was produced so it can be upgraded later
	$this->set('passupdate', date('Y-m-d H:i:s'));
	$this->set('passhash', $hashType);
	return $hashed;
}
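/**
 * Creates a feed object from the URL parameters fetched only.
 *
 * An optional `token` parameter lets a logged in user's feed link carry that
 * user's rights: the token is a hash over the remaining link parameters and,
 * when it verifies, the referenced admin becomes the current admin.
 *
 * @param array $options the feed parameters (at least `rss` for the feed type)
 */
function __construct($options = NULL) {
	global $_zp_gallery, $_zp_current_admin_obj, $_zp_loggedin;
	if (empty($options)) {
		self::feed404();
	}
	$this->feedtype = isset($options['rss']) ? $options['rss'] : NULL;
	parent::__construct($options);
	if (isset($options['token'])) {
		// The link came from a logged in user, see if it is valid
		$link = $options;
		unset($link['token']);
		$token = Zenphoto_Authority::passwordHash(serialize($link), '');
		// the token comes from the URL: compare it constant-time and type-safe, a loose ==
		// would accept numeric-string look-alikes ("0e..." == "0e...") and leak timing
		if (hash_equals((string) $token, (string) $options['token'])) {
			$userId = isset($link['user']) ? (int) $link['user'] : 0;
			$adminobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => $userId));
			if ($adminobj) {
				$_zp_current_admin_obj = $adminobj;
				$_zp_loggedin = $_zp_current_admin_obj->getRights();
			}
		}
	}
	// general feed setup
	$channeltitlemode = getOption('RSS_title');
	// the Host header is client supplied; it is only ever emitted encoded
	$this->host = html_encode(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : '');
	//channeltitle general
	switch ($channeltitlemode) {
		case 'gallery':
			$this->channel_title = $_zp_gallery->getBareTitle($this->locale);
			break;
		case 'website':
			$this->channel_title = getBare($_zp_gallery->getWebsiteTitle($this->locale));
			break;
		case 'both':
			$website_title = $_zp_gallery->getWebsiteTitle($this->locale);
			$this->channel_title = $_zp_gallery->getBareTitle($this->locale);
			if (!empty($website_title)) {
				$this->channel_title = $website_title . ' - ' . $this->channel_title;
			}
			break;
	}
	// individual feedtype setup
	switch ($this->feedtype) {
		case 'gallery':
			if (!getOption('RSS_album_image')) {
				self::feed404();
			}
			$albumname = $this->getChannelTitleExtra();
			if ($this->albumfolder) {
				// a feed for a non-existent album is a 404
				$alb = newAlbum($this->albumfolder, true, true);
				if ($alb->exists) {
					$albumtitle = $alb->getTitle();
					if ($this->mode == 'albums' || $this->collection) {
						$albumname = ' - ' . html_encode($albumtitle) . $this->getChannelTitleExtra();
					}
				} else {
					self::feed404();
				}
			} else {
				$albumtitle = '';
			}
			// TODO(review): this reassignment discards the album title computed above; kept as is
			// because the effective channel title is existing behavior — confirm whether intended
			$albumname = $this->getChannelTitleExtra();
			$this->channel_title = html_encode($this->channel_title . ' ' . getBare($albumname));
			$this->imagesize = $this->getImageSize();
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
			break;
		case 'news':
			//Zenpage News RSS
			if (!getOption('RSS_articles')) {
				self::feed404();
			}
			$titleappendix = gettext(' (Latest news)');
			switch ($this->newsoption) {
				case 'withalbums':
				case 'withalbums_mtime':
				case 'withalbums_publishdate':
				case 'withalbums_latestupdated':
					$titleappendix = gettext(' (Latest news and albums)');
					break;
				case 'withimages':
				case 'withimages_mtime':
				case 'withimages_publishdate':
					$titleappendix = gettext(' (Latest news and images)');
					break;
				default:
					switch ($this->sortorder) {
						case 'popular':
							$titleappendix = gettext(' (Most popular news)');
							break;
						case 'mostrated':
							$titleappendix = gettext(' (Most rated news)');
							break;
						case 'toprated':
							$titleappendix = gettext(' (Top rated news)');
							break;
						case 'random':
							$titleappendix = gettext(' (Random news)');
							break;
					}
					break;
			}
			$this->channel_title = html_encode($this->channel_title . $this->cattitle . $titleappendix);
			$this->imagesize = $this->getImageSize();
			$this->itemnumber = getOption("RSS_zenpage_items"); // # of Items displayed on the feed
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
			break;
		case 'pages':
			//Zenpage Pages RSS
			if (!getOption('RSS_pages')) {
				self::feed404();
			}
			switch ($this->sortorder) {
				case 'popular':
					$titleappendix = gettext(' (Most popular pages)');
					break;
				case 'mostrated':
					$titleappendix = gettext(' (Most rated pages)');
					break;
				case 'toprated':
					$titleappendix = gettext(' (Top rated pages)');
					break;
				case 'random':
					$titleappendix = gettext(' (Random pages)');
					break;
				default:
					$titleappendix = gettext(' (Latest pages)');
					break;
			}
			$this->channel_title = html_encode($this->channel_title . $titleappendix);
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
			break;
		case 'comments':
			//Comments RSS
			if (!getOption('RSS_comments')) {
				self::feed404();
			}
			if ($this->id) {
				// map the feed type onto the table the commented item lives in
				switch ($this->commentfeedtype) {
					case 'album':
						$table = 'albums';
						break;
					case 'image':
						$table = 'images';
						break;
					case 'news':
						$table = 'news';
						break;
					case 'page':
						$table = 'pages';
						break;
					default:
						self::feed404();
						break;
				}
				$this->itemobj = getItemByID($table, $this->id);
				if ($this->itemobj) {
					$title = ' - ' . $this->itemobj->getTitle();
				} else {
					self::feed404();
				}
			} else {
				$this->itemobj = NULL;
				$title = NULL;
			}
			$this->channel_title = html_encode($this->channel_title . $title . gettext(' (latest comments)'));
			if (extensionEnabled('zenpage')) {
				require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
			}
			break;
		case 'null':
			//we just want the class instantiated
			return;
	}
	$this->feeditems = $this->getitems();
}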
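/**
 * Checks an authorization code against the LDAP directory when the id falls
 * into the LDAP id range (above LDAP_ID_OFFSET); otherwise, or when the LDAP
 * check does not establish a current admin, defers to the parent implementation.
 *
 * @param string $authCode the authorization hash presented by the client
 * @param int $id the user id; LDAP users carry ids offset by LDAP_ID_OFFSET
 * @return int the rights bitmask of the authenticated user
 */
function checkAuthorization($authCode, $id) {
	global $_zp_current_admin_obj;
	// the id may arrive as a string; make the arithmetic and the LDAP filter value strictly numeric
	$numericId = (int) $id;
	if (LDAP_ID_OFFSET && $numericId > LDAP_ID_OFFSET) { // LDAP ID
		$ldid = $numericId - LDAP_ID_OFFSET;
		$ad = self::ldapInit(LDAP_DOMAIN);
		if ($ad) {
			self::ldapReader($ad);
			// $ldid is an int, so it cannot introduce filter meta characters
			$userData = self::ldapUser($ad, "(uidNumber={$ldid})");
			if ($userData) {
				$userData = array_change_key_case($userData, CASE_LOWER);
				if (DEBUG_LOGIN) {
					debugLogBacktrace("LDAPcheckAuthorization({$authCode}, {$ldid})");
				}
				$uid = isset($userData['uid'][0]) ? $userData['uid'][0] : '';
				$goodAuth = Zenphoto_Authority::passwordHash($uid, serialize($userData));
				// $authCode is client supplied: compare constant-time and type-safe rather than with ==
				if (hash_equals((string) $goodAuth, (string) $authCode)) {
					$userobj = self::setupUser($ad, $userData);
					if ($userobj) {
						$_zp_current_admin_obj = $userobj;
						$rights = $_zp_current_admin_obj->getRights();
					} else {
						$rights = 0;
					}
					if (DEBUG_LOGIN) {
						debugLog(sprintf('LDAPcheckAuthorization: from %1$s->%2$X', $authCode, $rights));
					}
				} else {
					if (DEBUG_LOGIN) {
						debugLog(sprintf('LDAPcheckAuthorization: AuthCode %1$s <> %2$s', $goodAuth, $authCode));
					}
				}
			}
			@ldap_unbind($ad); // best effort cleanup; a failed unbind is not an authorization failure
		}
	}
	if ($_zp_current_admin_obj) {
		return $_zp_current_admin_obj->getRights();
	} else {
		return parent::checkAuthorization($authCode, $id);
	}
}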