function logError($msg)
{
include_once dirname(__FILE__) . "/error.class.inc.php";
$e = new errorHandler();
$e->setError(9, "Logging error: " . $msg);
$e->dumpError();
return;
}
// include the crypto thing
include_once "../includes/crypt.class.inc.php";
startCMSSession();
// include_once the error handler
include_once "../includes/error.class.inc.php";
$e = new errorHandler();
// if $max_attempts system setting is set, use it, otherwise set to 3
$max_attempts = !empty($max_attempts) ? $max_attempts : 3;
$username = preg_replace("/[^\\w\\.@-]/", "", htmlspecialchars($_POST['username']));
$givenPassword = preg_replace("/[^\\w\\.@-]/", "", htmlspecialchars($_POST['password']));
$captcha_code = preg_replace("/[^\\w\\.@-]/", "", $_POST['captcha_code']);
$sql = "SELECT {$dbase}." . $table_prefix . "manager_users.*, {$dbase}." . $table_prefix . "user_attributes.* FROM {$dbase}." . $table_prefix . "manager_users, {$dbase}." . $table_prefix . "user_attributes WHERE {$dbase}." . $table_prefix . "manager_users.username REGEXP BINARY '^" . $username . "\$' and {$dbase}." . $table_prefix . "user_attributes.internalKey={$dbase}." . $table_prefix . "manager_users.id;";
$rs = mysql_query($sql);
$limit = mysql_num_rows($rs);
if ($limit == 0 || $limit > 1) {
$e->setError(900);
$e->dumpError();
}
$row = mysql_fetch_assoc($rs);
$internalKey = $row['internalKey'];
$dbasePassword = $row['password'];
$failedlogins = $row['failedlogincount'];
$blocked = $row['blocked'];
$blockeduntil = $row['blockeduntil'];
$registeredsessionid = $row['sessionid'];
$role = $row['role'];
$lastlogin = $row['lastlogin'];
$nrlogins = $row['logincount'];
$fullname = $row['fullname'];
$email = $row['email'];
if ($failedlogins >= $max_attempts && $blockeduntil > time()) {
if ($oT->checkTemplateById($_REQUEST['id'], $_REQUEST['customtable'])) {
$tbl = (int) $_REQUEST['customtable'];
$onetbl = $modx->getFullTableName('customtable_' . $tbl);
$manager_theme = $modx->config['manager_theme'];
include_once "header.inc.php";
include_once MODX_BASE_PATH . "/assets/plugins/customtables/mutate_content.dynamic.php";
include_once "footer.inc.php";
die;
}
}
if ($action == 5 && isset($_REQUEST['customtable']) && $_POST['mode'] == '27') {
if (isset($_REQUEST['customtable']) && $oT->checkTemplate($_REQUEST['customtable'])) {
if (!$modx->hasPermission('save_document')) {
include_once MODX_MANAGER_PATH . "includes/error.class.inc.php";
$err = new errorHandler();
$err->setError(3, "You don't have enough privileges for this action!");
$err->dumpError();
}
$oT->api->setTable('customtable_' . $_REQUEST['customtable']);
$oT->updateDoc($_POST);
$oT->modx->clearCache();
header('Location:index.php?a=27&customtable=' . $_REQUEST['customtable'] . '&id=' . (int) $_POST['id']);
echo 'updated';
die;
}
}
break;
case 'OnWebPageInit':
$oT->checkCacheEvents();
break;
default:
$length_eng_lang = count($_lang);
if ($manager_language != "english") {
include_once "includes/lang/" . $manager_language . ".inc.php";
}
// include_once the error handler
include_once "includes/error.class.inc.php";
$e = new errorHandler();
// first we check to see if this is a frameset request
if (!isset($_POST['a']) && !isset($_GET['a']) && $e->getError() == 0) {
// this looks to be a top-level frameset request, so let's serve up a frameset
include_once "frames/1.php";
exit;
}
// retrieve the action directive form the request
if (isset($_GET['a']) && isset($_POST['a'])) {
$e->setError(100);
$e->dumpError();
// set $e to a corresponding errorcode
// we know that if an error occurs here, something's wrong,
// so we dump the error, thereby stopping the script.
} else {
$action = $_REQUEST['a'];
}
// now we decide what to do according to the action request.
switch ($action) {
/********************************************************************/
// frame management - show the requested frame
/********************************************************************/
case "1":
// get the requested frame
$frame = $_REQUEST['f'];
function userLogin($username, $password, $rememberme = 0, $url = "", $id = "", $alias = "", $use_captcha = 0, $captcha_code = "")
{
// Performs user login and permissions assignment
// And combination of the following variables can be sent
// Defaults to current document
// $url = and fully qualified URL (no validation performed)
// $id = an existing document ID (no validation performed)
// $alias = any document alias (no validation performed)
// include the crypto thing
include_once "./manager/includes/crypt.class.inc.php";
// include_once the error handler
include_once "./manager/includes/error.class.inc.php";
$e = new errorHandler();
if ($use_captcha == 1) {
if ($_SESSION['veriword'] != $captcha_code) {
unset($_SESSION['veriword']);
$e->setError(905);
$e->dumpError();
$newloginerror = 1;
}
}
unset($_SESSION['veriword']);
$username = htmlspecialchars($username);
$givenPassword = htmlspecialchars($password);
$sql = "SELECT " . $this->db . "manager_users.*, " . $this->db . "user_attributes.* FROM " . $this->db . "manager_users, " . $this->db . "user_attributes WHERE " . $this->db . "manager_users.username REGEXP BINARY '^" . $username . "\$' and " . $this->db . "user_attributes.internalKey=" . $this->db . "manager_users.id;";
$rs = $this->dbQuery($sql);
$limit = $this->recordCount($rs);
if ($limit == 0 || $limit > 1) {
$e->setError(900);
$e->dumpError();
}
$row = $this->fetchRow($rs);
$_SESSION['shortname'] = $username;
$_SESSION['fullname'] = $row['fullname'];
$_SESSION['email'] = $row['email'];
$_SESSION['phone'] = $row['phone'];
$_SESSION['mobilephone'] = $row['mobilephone'];
$_SESSION['internalKey'] = $row['internalKey'];
$_SESSION['failedlogins'] = $row['failedlogincount'];
$_SESSION['lastlogin'] = $row['lastlogin'];
$_SESSION['role'] = $row['role'];
$_SESSION['nrlogins'] = $row['logincount'];
if ($row['failedlogincount'] >= $this->config['max_attempts'] && $row['blockeduntil'] > time()) {
session_destroy();
session_unset();
$e->setError(902);
$e->dumpError();
}
if ($row['failedlogincount'] >= $this->config['max_attempts'] && $row['blockeduntil'] < time()) {
$sql = "UPDATE " . $this->db . "user_attributes SET failedlogincount='0', blockeduntil='" . (time() - 1) . "' where internalKey=" . $row['internalKey'] . ";";
$rs = $this->dbQuery($sql);
}
if ($row['blocked'] == "1") {
session_destroy();
session_unset();
$e->setError(903);
$e->dumpError();
}
if ($row['blockeduntil'] > time()) {
session_destroy();
session_unset();
$e->setError(904);
$e->dumpError();
}
if ($row['password'] != md5($givenPassword)) {
session_destroy();
session_unset();
$e->setError(901);
$newloginerror = 1;
$e->dumpError();
}
$sql = "SELECT * FROM " . $this->db . "user_roles where id=" . $row['role'] . ";";
$rs = $this->dbQuery($sql);
$row = $this->fetchRow($rs);
$_SESSION['permissions'] = $row;
$_SESSION['frames'] = 0;
$_SESSION['validated'] = 1;
if ($url == "") {
$url = $this->makeURL($id, $alias);
}
$this->sendRedirect($url);
}