function removeme_post(&$a) { if (!local_channel()) { return; } if ($_SESSION['delegate']) { return; } if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) { return; } if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) { return; } if ($_POST['verify'] !== $_SESSION['remove_account_verify']) { return; } $account = App::get_account(); if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) { return; } if ($account['account_password_changed'] != NULL_DATE) { $d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours'); if ($account['account_password_changed'] > d1) { notice(t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL); return; } } require_once 'include/Contact.php'; $global_remove = intval($_POST['global']); channel_remove(local_channel(), 1 - $global_remove, true); }
/** * API Login via basic-auth or OAuth */ function api_login(&$a) { $record = null; require_once 'include/oauth.php'; // login with oauth try { $oauth = new ZotOAuth1(); $req = OAuth1Request::from_request(); list($consumer, $token) = $oauth->verify_request($req); if (!is_null($token)) { $oauth->loginUser($token->uid); App::set_oauth_key($consumer->key); call_hooks('logged_in', App::$user); return; } killme(); } catch (Exception $e) { logger($e->getMessage()); } // workarounds for HTTP-auth in CGI mode if (x($_SERVER, 'REDIRECT_REMOTE_USER')) { $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6)); if (strlen($userpass)) { list($name, $password) = explode(':', $userpass); $_SERVER['PHP_AUTH_USER'] = $name; $_SERVER['PHP_AUTH_PW'] = $password; } } if (x($_SERVER, 'HTTP_AUTHORIZATION')) { $userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6)); if (strlen($userpass)) { list($name, $password) = explode(':', $userpass); $_SERVER['PHP_AUTH_USER'] = $name; $_SERVER['PHP_AUTH_PW'] = $password; } } require_once 'include/auth.php'; require_once 'include/security.php'; // process normal login request if (isset($_SERVER['PHP_AUTH_USER'])) { $channel_login = 0; $record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']); if ($record && $record['channel']) { $channel_login = $record['channel']['channel_id']; } } if ($record['account']) { authenticate_success($record['account']); if ($channel_login) { change_channel($channel_login); } $_SESSION['allow_api'] = true; return true; } else { $_SERVER['PHP_AUTH_PW'] = '*****'; logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG); log_failed_login('API login failure'); retry_basic_auth(); } }
function post() { if (!local_channel()) { return; } if ($_SESSION['delegate']) { return; } if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) { return; } if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) { return; } if ($_POST['verify'] !== $_SESSION['remove_account_verify']) { return; } $account = \App::get_account(); $account_id = get_account_id(); if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) { return; } if ($account['account_password_changed'] != NULL_DATE) { $d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours'); if ($account['account_password_changed'] > d1) { notice(t('Account removals are not allowed within 48 hours of changing the account password.') . EOL); return; } } $global_remove = intval($_POST['global']); account_remove($account_id, 1 - $global_remove); }
function removeaccount_post(&$a) { if (!local_user()) { return; } if (x($_SESSION, 'submanage') && intval($_SESSION['submanage'])) { return; } if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) { return; } if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) { return; } if ($_POST['verify'] !== $_SESSION['remove_account_verify']) { return; } $account = $a->get_account(); $account_id = get_account_id(); if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) { return; } if ($account['account_password_changed'] != NULL_DATE) { $d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours'); if ($account['account_password_changed'] > d1) { notice(t('Account removals are not allowed within 48 hours of changing the account password.') . EOL); return; } } require_once 'include/Contact.php'; $global_remove = intval($_POST['global']); account_remove($account_id, true); }
/** * @brief Validates a username and password. * * Guest access is granted with the password "+++". * * @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass * @param string $username * @param string $password * @return bool */ protected function validateUserPass($username, $password) { require_once 'include/auth.php'; $record = account_verify_password($username, $password); if ($record && $record['account_default_channel']) { $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", intval($record['account_id']), intval($record['account_default_channel'])); if ($r) { return $this->setAuthenticated($r[0]); } } $r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1", dbesc($username)); if ($r) { $x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1", intval($r[0]['channel_account_id'])); if ($x) { // @fixme this foreach should not be needed? foreach ($x as $record) { if (($record['account_flags'] == ACCOUNT_OK || $record['account_flags'] == ACCOUNT_UNVERIFIED) && hash('whirlpool', $record['account_salt'] . $password) === $record['account_password']) { logger('password verified for ' . $username); return $this->setAuthenticated($r[0]); } } } } $error = 'password failed for ' . $username; logger($error); log_failed_login($error); return false; }
} if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') { $record = null; $addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null); /** * * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained * and later plugins should not interfere with an earlier one that succeeded. * */ call_hooks('authenticate', $addon_auth); if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) { $record = $addon_auth['user_record']; } else { $record = get_app()->account = account_verify_password($_POST['username'], $_POST['password']); if (get_app()->account) { $_SESSION['account_id'] = get_app()->account['account_id']; } else { notice(t('Failed authentication') . EOL); } logger('authenticate: ' . print_r(get_app()->account, true), LOGGER_DEBUG); } if (!$record || !count($record)) { $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']; logger($error); // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention $authlog = get_config('system', 'authlog'); if ($authlog) { @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); }
function post() { check_form_security_token_redirectOnErr('/settings/account', 'settings_account'); call_hooks('account_settings_post', $_POST); $errs = array(); $email = x($_POST, 'email') ? trim(notags($_POST['email'])) : ''; $techlevel = array_key_exists('techlevel', $_POST) ? intval($_POST['techlevel']) : 0; $account = \App::get_account(); if ($email != $account['account_email']) { if (!valid_email($email)) { $errs[] = t('Not valid email.'); } $adm = trim(get_config('system', 'admin_email')); if ($adm && strcasecmp($email, $adm) == 0) { $errs[] = t('Protected email address. Cannot change to that email.'); $email = \App::$account['account_email']; } if (!$errs) { $r = q("update account set account_email = '%s' where account_id = %d", dbesc($email), intval($account['account_id'])); if (!$r) { $errs[] = t('System failure storing new email. Please try again.'); } } } if ($techlevel != $account['account_level']) { $r = q("update account set account_level = %d where account_id = %d", intval($techlevel), intval($account['account_id'])); info(t('Technical skill level updated') . EOL); } if ($errs) { foreach ($errs as $err) { notice($err . EOL); } $errs = array(); } if (x($_POST, 'npassword') || x($_POST, 'confirm')) { $origpass = trim($_POST['origpass']); require_once 'include/auth.php'; if (!account_verify_password($email, $origpass)) { $errs[] = t('Password verification failed.'); } $newpass = trim($_POST['npassword']); $confirm = trim($_POST['confirm']); if ($newpass != $confirm) { $errs[] = t('Passwords do not match. Password unchanged.'); } if (!x($newpass) || !x($confirm)) { $errs[] = t('Empty passwords are not allowed. Password unchanged.'); } if (!$errs) { $salt = random_string(32); $password_encoded = hash('whirlpool', $salt . $newpass); $r = q("update account set account_salt = '%s', account_password = '******', account_password_changed = '%s' \n\t\t\t\t\twhere account_id = %d", dbesc($salt), dbesc($password_encoded), dbesc(datetime_convert()), intval(get_account_id())); if ($r) { info(t('Password changed.') . EOL); } else { $errs[] = t('Password update failed. Please try again.'); } } } if ($errs) { foreach ($errs as $err) { notice($err . EOL); } } goaway(z_root() . '/settings/account'); }
function post() { if (!local_channel()) { return; } if ($_SESSION['delegate']) { return; } $channel = \App::get_channel(); logger('mod_settings: ' . print_r($_REQUEST, true)); if (argc() > 1 && argv(1) === 'oauth' && x($_POST, 'remove')) { check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth'); $key = $_POST['remove']; q("DELETE FROM tokens WHERE id='%s' AND uid=%d", dbesc($key), local_channel()); goaway(z_root() . "/settings/oauth/"); return; } if (argc() > 2 && argv(1) === 'oauth' && (argv(2) === 'edit' || argv(2) === 'add') && x($_POST, 'submit')) { check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth'); $name = x($_POST, 'name') ? $_POST['name'] : ''; $key = x($_POST, 'key') ? $_POST['key'] : ''; $secret = x($_POST, 'secret') ? $_POST['secret'] : ''; $redirect = x($_POST, 'redirect') ? $_POST['redirect'] : ''; $icon = x($_POST, 'icon') ? $_POST['icon'] : ''; $ok = true; if ($name == '') { $ok = false; notice(t('Name is required') . EOL); } if ($key == '' || $secret == '') { $ok = false; notice(t('Key and Secret are required') . EOL); } if ($ok) { if ($_POST['submit'] == t("Update")) { $r = q("UPDATE clients SET\n\t\t\t\t\t\t\t\tclient_id='%s',\n\t\t\t\t\t\t\t\tpw='%s',\n\t\t\t\t\t\t\t\tclname='%s',\n\t\t\t\t\t\t\t\tredirect_uri='%s',\n\t\t\t\t\t\t\t\ticon='%s',\n\t\t\t\t\t\t\t\tuid=%d\n\t\t\t\t\t\t\tWHERE client_id='%s'", dbesc($key), dbesc($secret), dbesc($name), dbesc($redirect), dbesc($icon), intval(local_channel()), dbesc($key)); } else { $r = q("INSERT INTO clients (client_id, pw, clname, redirect_uri, icon, uid)\n\t\t\t\t\t\tVALUES ('%s','%s','%s','%s','%s',%d)", dbesc($key), dbesc($secret), dbesc($name), dbesc($redirect), dbesc($icon), intval(local_channel())); $r = q("INSERT INTO xperm (xp_client, xp_channel, xp_perm) VALUES ('%s', %d, '%s') ", dbesc($key), intval(local_channel()), dbesc('all')); } } goaway(z_root() . "/settings/oauth/"); return; } if (argc() > 1 && argv(1) == 'featured') { check_form_security_token_redirectOnErr('/settings/featured', 'settings_featured'); call_hooks('feature_settings_post', $_POST); build_sync_packet(); return; } if (argc() > 1 && argv(1) == 'tokens') { check_form_security_token_redirectOnErr('/settings/tokens', 'settings_tokens'); $token_errs = 0; if (array_key_exists('token', $_POST)) { $atoken_id = $_POST['atoken_id'] ? intval($_POST['atoken_id']) : 0; $name = trim(escape_tags($_POST['name'])); $token = trim($_POST['token']); if (!$name || !$token) { $token_errs++; } if (trim($_POST['expires'])) { $expires = datetime_convert(date_default_timezone_get(), 'UTC', $_POST['expires']); } else { $expires = NULL_DATE; } $max_atokens = service_class_fetch(local_channel(), 'access_tokens'); if ($max_atokens) { $r = q("select count(atoken_id) as total where atoken_uid = %d", intval(local_channel())); if ($r && intval($r[0]['total']) >= $max_tokens) { notice(sprintf(t('This channel is limited to %d tokens'), $max_tokens) . EOL); return; } } } if ($token_errs) { notice(t('Name and Password are required.') . EOL); return; } if ($atoken_id) { $r = q("update atoken set atoken_name = '%s', atoken_token = '%s' atoken_expires = '%s' \n\t\t\t\t\twhere atoken_id = %d and atoken_uid = %d", dbesc($name), dbesc($token), dbesc($expires), intval($atoken_id), intval($channel['channel_id'])); } else { $r = q("insert into atoken ( atoken_aid, atoken_uid, atoken_name, atoken_token, atoken_expires )\n\t\t\t\t\tvalues ( %d, %d, '%s', '%s', '%s' ) ", intval($channel['channel_account_id']), intval($channel['channel_id']), dbesc($name), dbesc($token), dbesc($expires)); } info(t('Token saved.') . EOL); return; } if (argc() > 1 && argv(1) === 'features') { check_form_security_token_redirectOnErr('/settings/features', 'settings_features'); // Build list of features and check which are set $features = get_features(); $all_features = array(); foreach ($features as $k => $v) { foreach ($v as $f) { $all_features[] = $f[0]; } } foreach ($all_features as $k) { if (x($_POST, "feature_{$k}")) { set_pconfig(local_channel(), 'feature', $k, 1); } else { set_pconfig(local_channel(), 'feature', $k, 0); } } build_sync_packet(); return; } if (argc() > 1 && argv(1) == 'display') { check_form_security_token_redirectOnErr('/settings/display', 'settings_display'); $theme = x($_POST, 'theme') ? notags(trim($_POST['theme'])) : \App::$channel['channel_theme']; $mobile_theme = x($_POST, 'mobile_theme') ? notags(trim($_POST['mobile_theme'])) : ''; $preload_images = x($_POST, 'preload_images') ? intval($_POST['preload_images']) : 0; $user_scalable = x($_POST, 'user_scalable') ? intval($_POST['user_scalable']) : 0; $nosmile = x($_POST, 'nosmile') ? intval($_POST['nosmile']) : 0; $title_tosource = x($_POST, 'title_tosource') ? intval($_POST['title_tosource']) : 0; $channel_list_mode = x($_POST, 'channel_list_mode') ? intval($_POST['channel_list_mode']) : 0; $network_list_mode = x($_POST, 'network_list_mode') ? intval($_POST['network_list_mode']) : 0; $channel_divmore_height = x($_POST, 'channel_divmore_height') ? intval($_POST['channel_divmore_height']) : 400; if ($channel_divmore_height < 50) { $channel_divmore_height = 50; } $network_divmore_height = x($_POST, 'network_divmore_height') ? intval($_POST['network_divmore_height']) : 400; if ($network_divmore_height < 50) { $network_divmore_height = 50; } $browser_update = x($_POST, 'browser_update') ? intval($_POST['browser_update']) : 0; $browser_update = $browser_update * 1000; if ($browser_update < 10000) { $browser_update = 10000; } $itemspage = x($_POST, 'itemspage') ? intval($_POST['itemspage']) : 20; if ($itemspage > 100) { $itemspage = 100; } if ($mobile_theme == "---") { del_pconfig(local_channel(), 'system', 'mobile_theme'); } else { set_pconfig(local_channel(), 'system', 'mobile_theme', $mobile_theme); } set_pconfig(local_channel(), 'system', 'preload_images', $preload_images); set_pconfig(local_channel(), 'system', 'user_scalable', $user_scalable); set_pconfig(local_channel(), 'system', 'update_interval', $browser_update); set_pconfig(local_channel(), 'system', 'itemspage', $itemspage); set_pconfig(local_channel(), 'system', 'no_smilies', 1 - intval($nosmile)); set_pconfig(local_channel(), 'system', 'title_tosource', $title_tosource); set_pconfig(local_channel(), 'system', 'channel_list_mode', $channel_list_mode); set_pconfig(local_channel(), 'system', 'network_list_mode', $network_list_mode); set_pconfig(local_channel(), 'system', 'channel_divmore_height', $channel_divmore_height); set_pconfig(local_channel(), 'system', 'network_divmore_height', $network_divmore_height); if ($theme == \App::$channel['channel_theme']) { // call theme_post only if theme has not been changed if (($themeconfigfile = $this->get_theme_config_file($theme)) != null) { require_once $themeconfigfile; theme_post($a); } } $r = q("UPDATE channel SET channel_theme = '%s' WHERE channel_id = %d", dbesc($theme), intval(local_channel())); call_hooks('display_settings_post', $_POST); build_sync_packet(); goaway(z_root() . '/settings/display'); return; // NOTREACHED } if (argc() > 1 && argv(1) === 'account') { check_form_security_token_redirectOnErr('/settings/account', 'settings_account'); call_hooks('account_settings_post', $_POST); // call_hooks('settings_account', $_POST); $errs = array(); $email = x($_POST, 'email') ? trim(notags($_POST['email'])) : ''; $account = \App::get_account(); if ($email != $account['account_email']) { if (!valid_email($email)) { $errs[] = t('Not valid email.'); } $adm = trim(get_config('system', 'admin_email')); if ($adm && strcasecmp($email, $adm) == 0) { $errs[] = t('Protected email address. Cannot change to that email.'); $email = \App::$user['email']; } if (!$errs) { $r = q("update account set account_email = '%s' where account_id = %d", dbesc($email), intval($account['account_id'])); if (!$r) { $errs[] = t('System failure storing new email. Please try again.'); } } } if ($errs) { foreach ($errs as $err) { notice($err . EOL); } $errs = array(); } if (x($_POST, 'npassword') || x($_POST, 'confirm')) { $origpass = trim($_POST['origpass']); require_once 'include/auth.php'; if (!account_verify_password($email, $origpass)) { $errs[] = t('Password verification failed.'); } $newpass = trim($_POST['npassword']); $confirm = trim($_POST['confirm']); if ($newpass != $confirm) { $errs[] = t('Passwords do not match. Password unchanged.'); } if (!x($newpass) || !x($confirm)) { $errs[] = t('Empty passwords are not allowed. Password unchanged.'); } if (!$errs) { $salt = random_string(32); $password_encoded = hash('whirlpool', $salt . $newpass); $r = q("update account set account_salt = '%s', account_password = '******', account_password_changed = '%s' \n\t\t\t\t\t\twhere account_id = %d", dbesc($salt), dbesc($password_encoded), dbesc(datetime_convert()), intval(get_account_id())); if ($r) { info(t('Password changed.') . EOL); } else { $errs[] = t('Password update failed. Please try again.'); } } } if ($errs) { foreach ($errs as $err) { notice($err . EOL); } } goaway(z_root() . '/settings/account'); } check_form_security_token_redirectOnErr('/settings', 'settings'); call_hooks('settings_post', $_POST); $set_perms = ''; $role = x($_POST, 'permissions_role') ? notags(trim($_POST['permissions_role'])) : ''; $oldrole = get_pconfig(local_channel(), 'system', 'permissions_role'); if ($role != $oldrole || $role === 'custom') { if ($role === 'custom') { $hide_presence = x($_POST, 'hide_presence') && intval($_POST['hide_presence']) == 1 ? 1 : 0; $publish = x($_POST, 'profile_in_directory') && intval($_POST['profile_in_directory']) == 1 ? 1 : 0; $def_group = x($_POST, 'group-selection') ? notags(trim($_POST['group-selection'])) : ''; $r = q("update channel set channel_default_group = '%s' where channel_id = %d", dbesc($def_group), intval(local_channel())); $global_perms = get_perms(); foreach ($global_perms as $k => $v) { $set_perms .= ', ' . $v[0] . ' = ' . intval($_POST[$k]) . ' '; } $acl = new \Zotlabs\Access\AccessList($channel); $acl->set_from_array($_POST); $x = $acl->get(); $r = q("update channel set channel_allow_cid = '%s', channel_allow_gid = '%s', \n\t\t\t\t\tchannel_deny_cid = '%s', channel_deny_gid = '%s' where channel_id = %d", dbesc($x['allow_cid']), dbesc($x['allow_gid']), dbesc($x['deny_cid']), dbesc($x['deny_gid']), intval(local_channel())); } else { $role_permissions = get_role_perms($_POST['permissions_role']); if (!$role_permissions) { notice('Permissions category could not be found.'); return; } $hide_presence = 1 - intval($role_permissions['online']); if ($role_permissions['default_collection']) { $r = q("select hash from groups where uid = %d and gname = '%s' limit 1", intval(local_channel()), dbesc(t('Friends'))); if (!$r) { require_once 'include/group.php'; group_add(local_channel(), t('Friends')); group_add_member(local_channel(), t('Friends'), $channel['channel_hash']); $r = q("select hash from groups where uid = %d and gname = '%s' limit 1", intval(local_channel()), dbesc(t('Friends'))); } if ($r) { q("update channel set channel_default_group = '%s', channel_allow_gid = '%s', channel_allow_cid = '', channel_deny_gid = '', channel_deny_cid = '' where channel_id = %d", dbesc($r[0]['hash']), dbesc('<' . $r[0]['hash'] . '>'), intval(local_channel())); } else { notice(sprintf('Default privacy group \'%s\' not found. Please create and re-submit permission change.', t('Friends')) . EOL); return; } } else { q("update channel set channel_default_group = '', channel_allow_gid = '', channel_allow_cid = '', channel_deny_gid = '', \n\t\t\t\t\t\tchannel_deny_cid = '' where channel_id = %d", intval(local_channel())); } $r = q("update abook set abook_my_perms = %d where abook_channel = %d and abook_self = 1", intval(array_key_exists('perms_accept', $role_permissions) ? $role_permissions['perms_accept'] : 0), intval(local_channel())); set_pconfig(local_channel(), 'system', 'autoperms', $role_permissions['perms_auto'] ? intval($role_permissions['perms_accept']) : 0); foreach ($role_permissions as $p => $v) { if (strpos($p, 'channel_') !== false) { $set_perms .= ', ' . $p . ' = ' . intval($v) . ' '; } if ($p === 'directory_publish') { $publish = intval($v); } } } set_pconfig(local_channel(), 'system', 'hide_online_status', $hide_presence); set_pconfig(local_channel(), 'system', 'permissions_role', $role); } $username = x($_POST, 'username') ? notags(trim($_POST['username'])) : ''; $timezone = x($_POST, 'timezone_select') ? notags(trim($_POST['timezone_select'])) : ''; $defloc = x($_POST, 'defloc') ? notags(trim($_POST['defloc'])) : ''; $openid = x($_POST, 'openid_url') ? notags(trim($_POST['openid_url'])) : ''; $maxreq = x($_POST, 'maxreq') ? intval($_POST['maxreq']) : 0; $expire = x($_POST, 'expire') ? intval($_POST['expire']) : 0; $evdays = x($_POST, 'evdays') ? intval($_POST['evdays']) : 3; $photo_path = x($_POST, 'photo_path') ? escape_tags(trim($_POST['photo_path'])) : ''; $attach_path = x($_POST, 'attach_path') ? escape_tags(trim($_POST['attach_path'])) : ''; $channel_menu = x($_POST['channel_menu']) ? htmlspecialchars_decode(trim($_POST['channel_menu']), ENT_QUOTES) : ''; $expire_items = x($_POST, 'expire_items') ? intval($_POST['expire_items']) : 0; $expire_starred = x($_POST, 'expire_starred') ? intval($_POST['expire_starred']) : 0; $expire_photos = x($_POST, 'expire_photos') ? intval($_POST['expire_photos']) : 0; $expire_network_only = x($_POST, 'expire_network_only') ? intval($_POST['expire_network_only']) : 0; $allow_location = x($_POST, 'allow_location') && intval($_POST['allow_location']) == 1 ? 1 : 0; $blocktags = x($_POST, 'blocktags') && intval($_POST['blocktags']) == 1 ? 0 : 1; // this setting is inverted! $unkmail = x($_POST, 'unkmail') && intval($_POST['unkmail']) == 1 ? 1 : 0; $cntunkmail = x($_POST, 'cntunkmail') ? intval($_POST['cntunkmail']) : 0; $suggestme = x($_POST, 'suggestme') ? intval($_POST['suggestme']) : 0; $post_newfriend = $_POST['post_newfriend'] == 1 ? 1 : 0; $post_joingroup = $_POST['post_joingroup'] == 1 ? 1 : 0; $post_profilechange = $_POST['post_profilechange'] == 1 ? 1 : 0; $adult = $_POST['adult'] == 1 ? 1 : 0; $cal_first_day = x($_POST, 'first_day') && intval($_POST['first_day']) == 1 ? 1 : 0; $channel = \App::get_channel(); $pageflags = $channel['channel_pageflags']; $existing_adult = $pageflags & PAGE_ADULT ? 1 : 0; if ($adult != $existing_adult) { $pageflags = $pageflags ^ PAGE_ADULT; } $notify = 0; if (x($_POST, 'notify1')) { $notify += intval($_POST['notify1']); } if (x($_POST, 'notify2')) { $notify += intval($_POST['notify2']); } if (x($_POST, 'notify3')) { $notify += intval($_POST['notify3']); } if (x($_POST, 'notify4')) { $notify += intval($_POST['notify4']); } if (x($_POST, 'notify5')) { $notify += intval($_POST['notify5']); } if (x($_POST, 'notify6')) { $notify += intval($_POST['notify6']); } if (x($_POST, 'notify7')) { $notify += intval($_POST['notify7']); } if (x($_POST, 'notify8')) { $notify += intval($_POST['notify8']); } $vnotify = 0; if (x($_POST, 'vnotify1')) { $vnotify += intval($_POST['vnotify1']); } if (x($_POST, 'vnotify2')) { $vnotify += intval($_POST['vnotify2']); } if (x($_POST, 'vnotify3')) { $vnotify += intval($_POST['vnotify3']); } if (x($_POST, 'vnotify4')) { $vnotify += intval($_POST['vnotify4']); } if (x($_POST, 'vnotify5')) { $vnotify += intval($_POST['vnotify5']); } if (x($_POST, 'vnotify6')) { $vnotify += intval($_POST['vnotify6']); } if (x($_POST, 'vnotify7')) { $vnotify += intval($_POST['vnotify7']); } if (x($_POST, 'vnotify8')) { $vnotify += intval($_POST['vnotify8']); } if (x($_POST, 'vnotify9')) { $vnotify += intval($_POST['vnotify9']); } if (x($_POST, 'vnotify10')) { $vnotify += intval($_POST['vnotify10']); } if (x($_POST, 'vnotify11')) { $vnotify += intval($_POST['vnotify11']); } $always_show_in_notices = x($_POST, 'always_show_in_notices') ? 1 : 0; $channel = \App::get_channel(); $err = ''; $name_change = false; if ($username != $channel['channel_name']) { $name_change = true; require_once 'include/channel.php'; $err = validate_channelname($username); if ($err) { notice($err); return; } } if ($timezone != $channel['channel_timezone']) { if (strlen($timezone)) { date_default_timezone_set($timezone); } } set_pconfig(local_channel(), 'system', 'use_browser_location', $allow_location); set_pconfig(local_channel(), 'system', 'suggestme', $suggestme); set_pconfig(local_channel(), 'system', 'post_newfriend', $post_newfriend); set_pconfig(local_channel(), 'system', 'post_joingroup', $post_joingroup); set_pconfig(local_channel(), 'system', 'post_profilechange', $post_profilechange); set_pconfig(local_channel(), 'system', 'blocktags', $blocktags); set_pconfig(local_channel(), 'system', 'channel_menu', $channel_menu); set_pconfig(local_channel(), 'system', 'vnotify', $vnotify); set_pconfig(local_channel(), 'system', 'always_show_in_notices', $always_show_in_notices); set_pconfig(local_channel(), 'system', 'evdays', $evdays); set_pconfig(local_channel(), 'system', 'photo_path', $photo_path); set_pconfig(local_channel(), 'system', 'attach_path', $attach_path); set_pconfig(local_channel(), 'system', 'cal_first_day', $cal_first_day); $r = q("update channel set channel_name = '%s', channel_pageflags = %d, channel_timezone = '%s', channel_location = '%s', channel_notifyflags = %d, channel_max_anon_mail = %d, channel_max_friend_req = %d, channel_expire_days = %d {$set_perms} where channel_id = %d", dbesc($username), intval($pageflags), dbesc($timezone), dbesc($defloc), intval($notify), intval($unkmail), intval($maxreq), intval($expire), intval(local_channel())); if ($r) { info(t('Settings updated.') . EOL); } if (!is_null($publish)) { $r = q("UPDATE profile SET publish = %d WHERE is_default = 1 AND uid = %d", intval($publish), intval(local_channel())); } if ($name_change) { $r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s' where xchan_hash = '%s'", dbesc($username), dbesc(datetime_convert()), dbesc($channel['channel_hash'])); $r = q("update profile set fullname = '%s' where uid = %d and is_default = 1", dbesc($username), intval($channel['channel_id'])); } \Zotlabs\Daemon\Master::Summon(array('Directory', local_channel())); build_sync_packet(); //$_SESSION['theme'] = $theme; if ($email_changed && \App::$config['system']['register_policy'] == REGISTER_VERIFY) { // FIXME - set to un-verified, blocked and redirect to logout // Why? Are we verifying people or email addresses? } goaway(z_root() . '/settings'); return; // NOTREACHED }
/** * Simple HTTP Login */ function api_login(&$a) { // login with oauth try { $oauth = new FKOAuth1(); $req = OAuthRequest::from_request(); list($consumer, $token) = $oauth->verify_request($req); // list($consumer,$token) = $oauth->verify_request(OAuthRequest::from_request()); if (!is_null($token)) { $oauth->loginUser($token->uid); $a->set_oauth_key($consumer->key); call_hooks('logged_in', $a->user); return; } echo __FILE__ . __LINE__ . __FUNCTION__ . "<pre>"; // var_dump($consumer, $token); die; } catch (Exception $e) { logger(__FILE__ . __LINE__ . __FUNCTION__ . "\n" . $e); } // workaround for HTTP-auth in CGI mode if (x($_SERVER, 'REDIRECT_REMOTE_USER')) { $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6)); if (strlen($userpass)) { list($name, $password) = explode(':', $userpass); $_SERVER['PHP_AUTH_USER'] = $name; $_SERVER['PHP_AUTH_PW'] = $password; } } if (x($_SERVER, 'HTTP_AUTHORIZATION')) { $userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6)); if (strlen($userpass)) { list($name, $password) = explode(':', $userpass); $_SERVER['PHP_AUTH_USER'] = $name; $_SERVER['PHP_AUTH_PW'] = $password; } } if (!isset($_SERVER['PHP_AUTH_USER'])) { logger('API_login: '******'WWW-Authenticate: Basic realm="Red"'); header('HTTP/1.0 401 Unauthorized'); die('This api requires login'); } // process normal login request require_once 'include/auth.php'; $channel_login = 0; $record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']); if (!$record) { $r = q("select * from channel where channel_address = '%s' limit 1", dbesc($_SERVER['PHP_AUTH_USER'])); if ($r) { $x = q("select * from account where account_id = %d limit 1", intval($r[0]['channel_account_id'])); if ($x) { $record = account_verify_password($x[0]['account_email'], $_SERVER['PHP_AUTH_PW']); if ($record) { $channel_login = $r[0]['channel_id']; } } } if (!$record) { logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG); header('WWW-Authenticate: Basic realm="Red"'); header('HTTP/1.0 401 Unauthorized'); die('This api requires login'); } } require_once 'include/security.php'; authenticate_success($record); if ($channel_login) { change_channel($channel_login); } $_SESSION['allow_api'] = true; }
$record = null; $addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null); /** * * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained * and later plugins should not interfere with an earlier one that succeeded. * */ call_hooks('authenticate', $addon_auth); $atoken = null; $account = null; if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) { $account = $addon_auth['user_record']; } else { $verify = account_verify_password($_POST['username'], $_POST['password']); if ($verify) { $atoken = $verify['xchan']; $channel = $verify['channel']; $account = App::$account = $verify['account']; } if (App::$account) { $_SESSION['account_id'] = App::$account['account_id']; } elseif ($atoken) { atoken_login($atoken); } else { notice(t('Failed authentication') . EOL); } } if (!($account || $atoken)) { $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
/** * @brief Validates a username and password. * * * @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass * @param string $username * @param string $password * @return bool */ protected function validateUserPass($username, $password) { require_once 'include/auth.php'; $record = account_verify_password($username, $password); if ($record && $record['account']) { if ($record['channel']) { $channel = $record['channel']; } else { $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", intval($record['account']['account_id']), intval($record['account']['account_default_channel'])); if ($r) { $channel = $r[0]; } } } if ($channel && $this->check_module_access($channel['channel_id'])) { return $this->setAuthenticated($channel); } if ($this->module_disabled) { $error = 'module not enabled for ' . $username; } else { $error = 'password failed for ' . $username; } logger($error); log_failed_login($error); return false; }
} if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') { $record = null; $addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null); /** * * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained * and later plugins should not interfere with an earlier one that succeeded. * */ call_hooks('authenticate', $addon_auth); if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) { $record = $addon_auth['user_record']; } else { $record = App::$account = account_verify_password($_POST['username'], $_POST['password']); if (App::$account) { $_SESSION['account_id'] = App::$account['account_id']; } else { notice(t('Failed authentication') . EOL); } logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL); } if (!$record || !count($record)) { $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']; logger($error); // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention $authlog = get_config('system', 'authlog'); if ($authlog) { @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); }
/** * * @param string $username * @param string $password */ protected function validateUserPass($username, $password) { if (trim($password) === '+++') { logger('reddav: validateUserPass: guest ' . $username); return true; } require_once 'include/auth.php'; $record = account_verify_password($username, $password); if ($record && $record['account_default_channel']) { $r = q("select * from channel where channel_account_id = %d and channel_id = %d limit 1", intval($record['account_id']), intval($record['account_default_channel'])); if ($r) { $this->currentUser = $r[0]['channel_address']; $this->channel_name = $r[0]['channel_address']; $this->channel_id = $r[0]['channel_id']; $this->channel_hash = $this->observer = $r[0]['channel_hash']; $_SESSION['uid'] = $r[0]['channel_id']; $_SESSION['account_id'] = $r[0]['channel_account_id']; $_SESSION['authenticated'] = true; return true; } } $r = q("select * from channel where channel_address = '%s' limit 1", dbesc($username)); if ($r) { $x = q("select * from account where account_id = %d limit 1", intval($r[0]['channel_account_id'])); if ($x) { foreach ($x as $record) { if ($record['account_flags'] == ACCOUNT_OK || $record['account_flags'] == ACCOUNT_UNVERIFIED && hash('whirlpool', $record['account_salt'] . $password) === $record['account_password']) { logger('(DAV) RedBasicAuth: password verified for ' . $username); $this->currentUser = $r[0]['channel_address']; $this->channel_name = $r[0]['channel_address']; $this->channel_id = $r[0]['channel_id']; $this->channel_hash = $this->observer = $r[0]['channel_hash']; $_SESSION['uid'] = $r[0]['channel_id']; $_SESSION['account_id'] = $r[0]['channel_account_id']; $_SESSION['authenticated'] = true; return true; } } } } logger('(DAV) RedBasicAuth: password failed for ' . $username); return false; }