$message = ''; $referrer = strip_tags(urldecode(html_entity_decode(varset($_SERVER['HTTP_REFERER'], ''), ENT_QUOTES))); $emailurl = $source == 'referer' ? $referrer : SITEURL; $comments = $tp->post_toHTML(varset($_POST['comment'], ''), TRUE, 'retain_nl, emotes_off, no_make_clickable'); $author = $tp->post_toHTML(varset($_POST['author_name'], ''), FALSE, 'emotes_off, no_make_clickable'); $email_send = check_email(varset($_POST['email_send'], '')); if (isset($_POST['emailsubmit'])) { if (!$email_send) { $error .= LAN_EMAIL_106; } if ($use_imagecode) { if (!isset($_POST['code_verify']) || !isset($_POST['rand_num'])) { header('location:' . e_BASE . 'index.php'); exit; } if (!$sec_img->verify_code($_POST['rand_num'], $_POST['code_verify'])) { header('location:' . e_BASE . 'index.php'); exit; } } if ($comments == '') { $message = LAN_EMAIL_6 . ' ' . SITENAME . ' (' . SITEURL . ')'; if (USER == TRUE) { $message .= "\n\n" . LAN_EMAIL_1 . " " . USERNAME; } else { $message .= "\n\n" . LAN_EMAIL_1 . " " . $author; } } else { // $message .= $comments."\n"; // Added to message later on } $ip = e107::getIPHandler()->getIP(FALSE);
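/**
 * Authenticate a user from submitted credentials and, on success, establish the login.
 *
 * Order of checks, each failure returning via invalidLogin():
 *   blank fields -> IP ban (checkBan() exits if a ban is in force) -> alt_auth chain
 *   (when the plugin is installed) -> secure image code -> user lookup -> password
 *   -> account status (user_ban) -> "preuserlogin" event veto -> multi-login restriction.
 * On success the login cookie is built, the audit trail and "login" event are fired,
 * an expired e_UC_NEWUSER probation is cleared, and the browser is redirected.
 *
 * @param string $username   Posted user name (trimmed here).
 * @param string $userpass   Posted password; may be '' when $response or a provider login supplies the credential.
 * @param mixed  $autologin  'signup' forces login via the signup flow (specially encoded password);
 *                           'provider' forces login via an external auth provider; anything else is
 *                           cast to int and used as the "remember me" flag for the cookie (0 = normal login).
 * @param string $response   Response string returned by CHAP login, used instead of the password.
 * @param bool   $noredirect When true, return true on success instead of redirecting.
 *
 * @return mixed The result of invalidLogin() on failure (FALSE per the original author's contract);
 *               FALSE in CLI mode when the username is blank; the cookie value in CLI mode on success;
 *               true on success when $noredirect is set; otherwise this method redirects and exits.
 */
public function login($username, $userpass, $autologin, $response = '', $noredirect = false)
{
    $pref = e107::getPref();
    $tp = e107::getParser();
    $sql = e107::getDb();
    $e_event = e107::getEvent();
    $_E107 = e107::getE107();

    $username = trim($username);
    $userpass = trim($userpass);

    if ($_E107['cli'] && $username == '') {
        return FALSE;
    }

    // $forceLogin is true for the signup flow, 'provider' for an external provider, false otherwise.
    // The blank-field check below compares against the literal 'provider', so the value assigned
    // here must be exactly that string.
    $forceLogin = $autologin === 'signup';
    if (!$forceLogin && $autologin === 'provider') {
        $forceLogin = 'provider';
    }

    // A blank username always fails; a blank password fails unless a CHAP response or a
    // provider login supplies the credential. Parentheses make the intended precedence explicit.
    if ($username == "" || ($userpass == "" && $response == '' && $forceLogin !== 'provider')) {
        return $this->invalidLogin($username, LOGIN_BLANK_FIELD);
    }

    e107::getIPHandler()->checkBan("banlist_ip='{$this->userIP}' ", FALSE); // This will exit if a ban is in force

    $autologin = intval($autologin); // Will decode to zero if forced login

    $authorized = false;
    if (!$forceLogin && $this->e107->isInstalled('alt_auth')) {
        // Ordered authentication chain: primary method, then the optional secondary one.
        // Both values come from admin preferences, not from the request.
        $authMethod = array(
            varset($pref['auth_method'], 'e107'),  // Primary authentication method
            varset($pref['auth_method2'], 'none'), // Secondary authentication method (if defined)
        );
        $result = false;
        foreach ($authMethod as $method) {
            if ($method == 'e107') {
                if ($this->lookupUser($username, $forceLogin)) {
                    if ($this->checkUserPassword($username, $userpass, $response, $forceLogin) === TRUE) {
                        $authorized = true;
                        $result = LOGIN_CONTINUE; // Valid User exists in local DB
                    } elseif (varset($pref['auth_badpassword'], TRUE)) {
                        $result = LOGIN_TRY_OTHER;
                        continue; // Should use alternate method for password auth
                    } else {
                        return $this->invalidLogin($username, LOGIN_ABORT);
                    }
                }
            } elseif ($method != 'none') {
                $auth_file = e_PLUGIN . 'alt_auth/' . $method . '_auth.php';
                if (file_exists($auth_file)) {
                    require_once e_PLUGIN . 'alt_auth/alt_auth_login_class.php';
                    $al = new alt_login($method, $username, $userpass);
                    $result = $al->loginResult;
                    switch ($result) {
                        case LOGIN_ABORT:
                            return $this->invalidLogin($username, LOGIN_ABORT);
                        case LOGIN_DB_ERROR:
                            return $this->invalidLogin($username, LOGIN_DB_ERROR);
                        case AUTH_SUCCESS:
                            $authorized = true;
                            break;
                        case LOGIN_TRY_OTHER:
                            // A bare 'continue' inside a switch only leaves the switch (and PHP warns about it);
                            // 'continue 2' targets the foreach, which is what was intended.
                            continue 2;
                    }
                }
            }
            if ($result === LOGIN_CONTINUE) {
                break;
            }
        }
    }

    // Crude stripping of SQL-ish tokens from the name. Note this runs after the alt_auth chain has
    // already used the raw value; it is no substitute for proper escaping inside lookupUser().
    $username = preg_replace("/\\sOR\\s|\\=|\\#/", "", $username);

    // Check secure image
    if (!$forceLogin && !empty($pref['logcode']) && extension_loaded('gd')) {
        require_once e_HANDLER . "secure_img_handler.php";
        $sec_img = new secure_image();
        // Guard the POST keys: a missing field must read as an invalid code, not as a PHP warning
        // that hands null to verify_code().
        if (!$sec_img->verify_code(varset($_POST['rand_num'], ''), varset($_POST['code_verify'], ''))) {
            return $this->invalidLogin($username, LOGIN_BAD_CODE); // Invalid code
        }
    }

    // The alt_auth chain may already have populated userData; otherwise look the user up now.
    if (empty($this->userData)) {
        if (!$this->lookupUser($username, $forceLogin)) {
            return $this->invalidLogin($username, LOGIN_BAD_USERNAME); // User doesn't exist
        }
    }

    if ($authorized !== true && $this->checkUserPassword($username, $userpass, $response, $forceLogin) !== true) {
        return $this->invalidLogin($username, LOGIN_BAD_PW);
    }

    // Check user status
    switch ($this->userData['user_ban']) {
        case USER_REGISTERED_NOT_VALIDATED: // User not fully signed up - hasn't activated account.
            return $this->invalidLogin($username, LOGIN_NOT_ACTIVATED);
        case USER_BANNED: // User banned
            return $this->invalidLogin($username, LOGIN_BANNED, $this->userData['user_id']);
        case USER_VALIDATED: // Valid user
            break; // Nothing to do ATM
        case USER_EMAIL_BOUNCED:
            // Login is allowed, but the user is warned that their mail bounces.
            $bounceLAN = "Emails to [x] are bouncing back. Please [verify your email address is correct]."; //TODO LAN
            $bounceMessage = $tp->lanVars($bounceLAN, $this->userData['user_email'], true);
            $bounceMessage = str_replace(array('[', ']'), array("<a href='" . e_HTTP . "usersettings.php'>", "</a>"), $bounceMessage);
            e107::getMessage()->addWarning($bounceMessage, 'default', true);
            break;
        default:
            // Unknown status values currently fall through to a normal login - may want to pick this up
    }

    // User is OK as far as core is concerned.
    // $this->passResult is presumably set by checkUserPassword(); a value other than FALSE/PASSWORD_VALID
    // indicates a legacy hash that could be rewritten here. The rewrite was left disabled by the original
    // author (see also: if login by email address is allowed, that value would need updating too).
    if ($this->passResult !== FALSE && $this->passResult !== PASSWORD_VALID) {
        // $sql->update('user',"`user_password` = '{$pass_result}' WHERE `user_id`=".intval($this->userData['user_id']));
    }

    $userpass = ''; // Finished with any plaintext password - can get rid of it

    // Any non-empty return from a "preuserlogin" listener vetoes the login.
    $ret = $e_event->trigger("preuserlogin", $username);
    if ($ret != '') {
        return $this->invalidLogin($username, LOGIN_BAD_TRIGGER, $ret);
    }

    $user_id = $this->userData['user_id'];
    $user_name = $this->userData['user_name'];
    $user_admin = $this->userData['user_admin'];
    $user_email = $this->userData['user_email'];

    /* restrict more than one person logging in using same us/pw */
    if (!empty($pref['disallowMultiLogin'])) {
        // NOTE(review): $user_id/$user_name come from the user row rather than the request, but
        // $user_name is still concatenated into SQL unescaped - confirm it is stored sanitised, or escape here.
        if ($sql->db_Select("online", "online_ip", "online_user_id='" . $user_id . "." . $user_name . "'")) {
            return $this->invalidLogin($username, LOGIN_MULTIPLE, $user_id);
        }
    }

    // User login definitely accepted here
    // NOTE(review): no session id regeneration is visible in this method - confirm makeUserCookie()
    // or the caller regenerates the session on this privilege change.
    $cookieval = $this->userMethods->makeUserCookie($this->userData, $autologin);

    // Calculate class membership - needed for a couple of things
    // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
    $class_list = $this->userMethods->addCommonClasses($this->userData, TRUE);

    $user_logging_opts = e107::getConfig()->get('user_audit_opts');
    if (isset($user_logging_opts[USER_AUDIT_LOGIN]) && in_array(varset($pref['user_audit_class'], ''), $class_list)) {
        // Need to note in user audit trail
        $this->e107->admin_log->user_audit(USER_AUDIT_LOGIN, '', $user_id, $user_name);
    }

    $edata_li = array(
        'user_id' => $user_id,
        'user_name' => $user_name,
        'class_list' => implode(',', $class_list),
        'remember_me' => $autologin,
        'user_admin' => $user_admin,
        'user_email' => $user_email,
    );
    e107::getEvent()->trigger("login", $edata_li);

    if ($_E107['cli']) {
        return $cookieval;
    }

    if (in_array(e_UC_NEWUSER, $class_list)) {
        // user_new_period is in days; user_join is compared against the current timestamp.
        if (time() > $this->userData['user_join'] + varset($pref['user_new_period'], 0) * 86400) {
            // 'New user' probationary period expired - we can take them out of the class
            $this->userData['user_class'] = $this->e107->user_class->ucRemove(e_UC_NEWUSER, $this->userData['user_class']);
            $sql->update('user', "`user_class` = '" . $this->userData['user_class'] . "'", 'WHERE `user_id`=' . $this->userData['user_id']);
            // NOTE(review): this removes the entry whose *key* is e_UC_NEWUSER; confirm addCommonClasses()
            // keys the list by class id, otherwise the wrong entry is dropped from the event data.
            unset($class_list[e_UC_NEWUSER]);
            $edata_li = array(
                'user_id' => $user_id,
                'user_name' => $username,
                'class_list' => implode(',', $class_list),
                'user_email' => $user_email,
            );
            $e_event->trigger('userNotNew', $edata_li);
        }
    }

    if ($noredirect) {
        return true;
    }

    $redir = e_REQUEST_URL;
    if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force'])) {
        // See if we're to force a page immediately following login - assumes $pref['frontpage_force'] is an ordered list of rules
        // FIXME - front page now supports SEF URLs - make a check here
        foreach ($pref['frontpage_force'] as $fk => $fp) {
            if (in_array($fk, $class_list)) {
                // We've found the entry of interest
                if (strlen($fp)) {
                    if (strpos($fp, 'http') === FALSE) {
                        $fp = str_replace(e_HTTP, '', $fp); // This handles sites in a subdirectory properly (normally, will replace nothing)
                        $fp = SITEURL . $fp;
                    }
                    $redir = e107::getParser()->replaceConstants($fp, TRUE, FALSE);
                }
                break;
            }
        }
    }

    // NOTE(review): the previous URL takes precedence over the forced front page; if it is derived from
    // request data, the redirect handler must restrict it to same-site URLs to avoid an open redirect.
    $redirPrev = e107::getRedirect()->getPreviousUrl();
    if ($redirPrev) {
        e107::getRedirect()->redirect($redirPrev);
    }
    e107::getRedirect()->redirect($redir);
    exit;
}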