function removeme_post(&$a)
{
if (!local_channel()) {
return;
}
if ($_SESSION['delegate']) {
return;
}
if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) {
return;
}
if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) {
return;
}
if ($_POST['verify'] !== $_SESSION['remove_account_verify']) {
return;
}
$account = App::get_account();
if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) {
return;
}
if ($account['account_password_changed'] != NULL_DATE) {
$d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours');
if ($account['account_password_changed'] > d1) {
notice(t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL);
return;
}
}
require_once 'include/Contact.php';
$global_remove = intval($_POST['global']);
channel_remove(local_channel(), 1 - $global_remove, true);
}
/**
* API Login via basic-auth or OAuth
*/
function api_login(&$a)
{
$record = null;
require_once 'include/oauth.php';
// login with oauth
try {
$oauth = new ZotOAuth1();
$req = OAuth1Request::from_request();
list($consumer, $token) = $oauth->verify_request($req);
if (!is_null($token)) {
$oauth->loginUser($token->uid);
App::set_oauth_key($consumer->key);
call_hooks('logged_in', App::$user);
return;
}
killme();
} catch (Exception $e) {
logger($e->getMessage());
}
// workarounds for HTTP-auth in CGI mode
if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
if (strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
}
if (x($_SERVER, 'HTTP_AUTHORIZATION')) {
$userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6));
if (strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
}
require_once 'include/auth.php';
require_once 'include/security.php';
// process normal login request
if (isset($_SERVER['PHP_AUTH_USER'])) {
$channel_login = 0;
$record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($record && $record['channel']) {
$channel_login = $record['channel']['channel_id'];
}
}
if ($record['account']) {
authenticate_success($record['account']);
if ($channel_login) {
change_channel($channel_login);
}
$_SESSION['allow_api'] = true;
return true;
} else {
$_SERVER['PHP_AUTH_PW'] = '*****';
logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG);
log_failed_login('API login failure');
retry_basic_auth();
}
}
function post()
{
if (!local_channel()) {
return;
}
if ($_SESSION['delegate']) {
return;
}
if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) {
return;
}
if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) {
return;
}
if ($_POST['verify'] !== $_SESSION['remove_account_verify']) {
return;
}
$account = \App::get_account();
$account_id = get_account_id();
if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) {
return;
}
if ($account['account_password_changed'] != NULL_DATE) {
$d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours');
if ($account['account_password_changed'] > d1) {
notice(t('Account removals are not allowed within 48 hours of changing the account password.') . EOL);
return;
}
}
$global_remove = intval($_POST['global']);
account_remove($account_id, 1 - $global_remove);
}
function removeaccount_post(&$a)
{
if (!local_user()) {
return;
}
if (x($_SESSION, 'submanage') && intval($_SESSION['submanage'])) {
return;
}
if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) {
return;
}
if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) {
return;
}
if ($_POST['verify'] !== $_SESSION['remove_account_verify']) {
return;
}
$account = $a->get_account();
$account_id = get_account_id();
if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) {
return;
}
if ($account['account_password_changed'] != NULL_DATE) {
$d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours');
if ($account['account_password_changed'] > d1) {
notice(t('Account removals are not allowed within 48 hours of changing the account password.') . EOL);
return;
}
}
require_once 'include/Contact.php';
$global_remove = intval($_POST['global']);
account_remove($account_id, true);
}
/**
* @brief Validates a username and password.
*
* Guest access is granted with the password "+++".
*
* @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass
* @param string $username
* @param string $password
* @return bool
*/
protected function validateUserPass($username, $password)
{
require_once 'include/auth.php';
$record = account_verify_password($username, $password);
if ($record && $record['account_default_channel']) {
$r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", intval($record['account_id']), intval($record['account_default_channel']));
if ($r) {
return $this->setAuthenticated($r[0]);
}
}
$r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1", dbesc($username));
if ($r) {
$x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1", intval($r[0]['channel_account_id']));
if ($x) {
// @fixme this foreach should not be needed?
foreach ($x as $record) {
if (($record['account_flags'] == ACCOUNT_OK || $record['account_flags'] == ACCOUNT_UNVERIFIED) && hash('whirlpool', $record['account_salt'] . $password) === $record['account_password']) {
logger('password verified for ' . $username);
return $this->setAuthenticated($r[0]);
}
}
}
}
$error = 'password failed for ' . $username;
logger($error);
log_failed_login($error);
return false;
}
}
if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') {
$record = null;
$addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null);
/**
*
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded.
*
*/
call_hooks('authenticate', $addon_auth);
if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
$record = $addon_auth['user_record'];
} else {
$record = get_app()->account = account_verify_password($_POST['username'], $_POST['password']);
if (get_app()->account) {
$_SESSION['account_id'] = get_app()->account['account_id'];
} else {
notice(t('Failed authentication') . EOL);
}
logger('authenticate: ' . print_r(get_app()->account, true), LOGGER_DEBUG);
}
if (!$record || !count($record)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
logger($error);
// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
$authlog = get_config('system', 'authlog');
if ($authlog) {
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
}
function post()
{
check_form_security_token_redirectOnErr('/settings/account', 'settings_account');
call_hooks('account_settings_post', $_POST);
$errs = array();
$email = x($_POST, 'email') ? trim(notags($_POST['email'])) : '';
$techlevel = array_key_exists('techlevel', $_POST) ? intval($_POST['techlevel']) : 0;
$account = \App::get_account();
if ($email != $account['account_email']) {
if (!valid_email($email)) {
$errs[] = t('Not valid email.');
}
$adm = trim(get_config('system', 'admin_email'));
if ($adm && strcasecmp($email, $adm) == 0) {
$errs[] = t('Protected email address. Cannot change to that email.');
$email = \App::$account['account_email'];
}
if (!$errs) {
$r = q("update account set account_email = '%s' where account_id = %d", dbesc($email), intval($account['account_id']));
if (!$r) {
$errs[] = t('System failure storing new email. Please try again.');
}
}
}
if ($techlevel != $account['account_level']) {
$r = q("update account set account_level = %d where account_id = %d", intval($techlevel), intval($account['account_id']));
info(t('Technical skill level updated') . EOL);
}
if ($errs) {
foreach ($errs as $err) {
notice($err . EOL);
}
$errs = array();
}
if (x($_POST, 'npassword') || x($_POST, 'confirm')) {
$origpass = trim($_POST['origpass']);
require_once 'include/auth.php';
if (!account_verify_password($email, $origpass)) {
$errs[] = t('Password verification failed.');
}
$newpass = trim($_POST['npassword']);
$confirm = trim($_POST['confirm']);
if ($newpass != $confirm) {
$errs[] = t('Passwords do not match. Password unchanged.');
}
if (!x($newpass) || !x($confirm)) {
$errs[] = t('Empty passwords are not allowed. Password unchanged.');
}
if (!$errs) {
$salt = random_string(32);
$password_encoded = hash('whirlpool', $salt . $newpass);
$r = q("update account set account_salt = '%s', account_password = '******', account_password_changed = '%s' \n\t\t\t\t\twhere account_id = %d", dbesc($salt), dbesc($password_encoded), dbesc(datetime_convert()), intval(get_account_id()));
if ($r) {
info(t('Password changed.') . EOL);
} else {
$errs[] = t('Password update failed. Please try again.');
}
}
}
if ($errs) {
foreach ($errs as $err) {
notice($err . EOL);
}
}
goaway(z_root() . '/settings/account');
}
function post()
{
if (!local_channel()) {
return;
}
if ($_SESSION['delegate']) {
return;
}
$channel = \App::get_channel();
logger('mod_settings: ' . print_r($_REQUEST, true));
if (argc() > 1 && argv(1) === 'oauth' && x($_POST, 'remove')) {
check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
$key = $_POST['remove'];
q("DELETE FROM tokens WHERE id='%s' AND uid=%d", dbesc($key), local_channel());
goaway(z_root() . "/settings/oauth/");
return;
}
if (argc() > 2 && argv(1) === 'oauth' && (argv(2) === 'edit' || argv(2) === 'add') && x($_POST, 'submit')) {
check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
$name = x($_POST, 'name') ? $_POST['name'] : '';
$key = x($_POST, 'key') ? $_POST['key'] : '';
$secret = x($_POST, 'secret') ? $_POST['secret'] : '';
$redirect = x($_POST, 'redirect') ? $_POST['redirect'] : '';
$icon = x($_POST, 'icon') ? $_POST['icon'] : '';
$ok = true;
if ($name == '') {
$ok = false;
notice(t('Name is required') . EOL);
}
if ($key == '' || $secret == '') {
$ok = false;
notice(t('Key and Secret are required') . EOL);
}
if ($ok) {
if ($_POST['submit'] == t("Update")) {
$r = q("UPDATE clients SET\n\t\t\t\t\t\t\t\tclient_id='%s',\n\t\t\t\t\t\t\t\tpw='%s',\n\t\t\t\t\t\t\t\tclname='%s',\n\t\t\t\t\t\t\t\tredirect_uri='%s',\n\t\t\t\t\t\t\t\ticon='%s',\n\t\t\t\t\t\t\t\tuid=%d\n\t\t\t\t\t\t\tWHERE client_id='%s'", dbesc($key), dbesc($secret), dbesc($name), dbesc($redirect), dbesc($icon), intval(local_channel()), dbesc($key));
} else {
$r = q("INSERT INTO clients (client_id, pw, clname, redirect_uri, icon, uid)\n\t\t\t\t\t\tVALUES ('%s','%s','%s','%s','%s',%d)", dbesc($key), dbesc($secret), dbesc($name), dbesc($redirect), dbesc($icon), intval(local_channel()));
$r = q("INSERT INTO xperm (xp_client, xp_channel, xp_perm) VALUES ('%s', %d, '%s') ", dbesc($key), intval(local_channel()), dbesc('all'));
}
}
goaway(z_root() . "/settings/oauth/");
return;
}
if (argc() > 1 && argv(1) == 'featured') {
check_form_security_token_redirectOnErr('/settings/featured', 'settings_featured');
call_hooks('feature_settings_post', $_POST);
build_sync_packet();
return;
}
if (argc() > 1 && argv(1) == 'tokens') {
check_form_security_token_redirectOnErr('/settings/tokens', 'settings_tokens');
$token_errs = 0;
if (array_key_exists('token', $_POST)) {
$atoken_id = $_POST['atoken_id'] ? intval($_POST['atoken_id']) : 0;
$name = trim(escape_tags($_POST['name']));
$token = trim($_POST['token']);
if (!$name || !$token) {
$token_errs++;
}
if (trim($_POST['expires'])) {
$expires = datetime_convert(date_default_timezone_get(), 'UTC', $_POST['expires']);
} else {
$expires = NULL_DATE;
}
$max_atokens = service_class_fetch(local_channel(), 'access_tokens');
if ($max_atokens) {
$r = q("select count(atoken_id) as total where atoken_uid = %d", intval(local_channel()));
if ($r && intval($r[0]['total']) >= $max_tokens) {
notice(sprintf(t('This channel is limited to %d tokens'), $max_tokens) . EOL);
return;
}
}
}
if ($token_errs) {
notice(t('Name and Password are required.') . EOL);
return;
}
if ($atoken_id) {
$r = q("update atoken set atoken_name = '%s', atoken_token = '%s' atoken_expires = '%s' \n\t\t\t\t\twhere atoken_id = %d and atoken_uid = %d", dbesc($name), dbesc($token), dbesc($expires), intval($atoken_id), intval($channel['channel_id']));
} else {
$r = q("insert into atoken ( atoken_aid, atoken_uid, atoken_name, atoken_token, atoken_expires )\n\t\t\t\t\tvalues ( %d, %d, '%s', '%s', '%s' ) ", intval($channel['channel_account_id']), intval($channel['channel_id']), dbesc($name), dbesc($token), dbesc($expires));
}
info(t('Token saved.') . EOL);
return;
}
if (argc() > 1 && argv(1) === 'features') {
check_form_security_token_redirectOnErr('/settings/features', 'settings_features');
// Build list of features and check which are set
$features = get_features();
$all_features = array();
foreach ($features as $k => $v) {
foreach ($v as $f) {
$all_features[] = $f[0];
}
}
foreach ($all_features as $k) {
if (x($_POST, "feature_{$k}")) {
set_pconfig(local_channel(), 'feature', $k, 1);
} else {
set_pconfig(local_channel(), 'feature', $k, 0);
}
}
build_sync_packet();
return;
}
if (argc() > 1 && argv(1) == 'display') {
check_form_security_token_redirectOnErr('/settings/display', 'settings_display');
$theme = x($_POST, 'theme') ? notags(trim($_POST['theme'])) : \App::$channel['channel_theme'];
$mobile_theme = x($_POST, 'mobile_theme') ? notags(trim($_POST['mobile_theme'])) : '';
$preload_images = x($_POST, 'preload_images') ? intval($_POST['preload_images']) : 0;
$user_scalable = x($_POST, 'user_scalable') ? intval($_POST['user_scalable']) : 0;
$nosmile = x($_POST, 'nosmile') ? intval($_POST['nosmile']) : 0;
$title_tosource = x($_POST, 'title_tosource') ? intval($_POST['title_tosource']) : 0;
$channel_list_mode = x($_POST, 'channel_list_mode') ? intval($_POST['channel_list_mode']) : 0;
$network_list_mode = x($_POST, 'network_list_mode') ? intval($_POST['network_list_mode']) : 0;
$channel_divmore_height = x($_POST, 'channel_divmore_height') ? intval($_POST['channel_divmore_height']) : 400;
if ($channel_divmore_height < 50) {
$channel_divmore_height = 50;
}
$network_divmore_height = x($_POST, 'network_divmore_height') ? intval($_POST['network_divmore_height']) : 400;
if ($network_divmore_height < 50) {
$network_divmore_height = 50;
}
$browser_update = x($_POST, 'browser_update') ? intval($_POST['browser_update']) : 0;
$browser_update = $browser_update * 1000;
if ($browser_update < 10000) {
$browser_update = 10000;
}
$itemspage = x($_POST, 'itemspage') ? intval($_POST['itemspage']) : 20;
if ($itemspage > 100) {
$itemspage = 100;
}
if ($mobile_theme == "---") {
del_pconfig(local_channel(), 'system', 'mobile_theme');
} else {
set_pconfig(local_channel(), 'system', 'mobile_theme', $mobile_theme);
}
set_pconfig(local_channel(), 'system', 'preload_images', $preload_images);
set_pconfig(local_channel(), 'system', 'user_scalable', $user_scalable);
set_pconfig(local_channel(), 'system', 'update_interval', $browser_update);
set_pconfig(local_channel(), 'system', 'itemspage', $itemspage);
set_pconfig(local_channel(), 'system', 'no_smilies', 1 - intval($nosmile));
set_pconfig(local_channel(), 'system', 'title_tosource', $title_tosource);
set_pconfig(local_channel(), 'system', 'channel_list_mode', $channel_list_mode);
set_pconfig(local_channel(), 'system', 'network_list_mode', $network_list_mode);
set_pconfig(local_channel(), 'system', 'channel_divmore_height', $channel_divmore_height);
set_pconfig(local_channel(), 'system', 'network_divmore_height', $network_divmore_height);
if ($theme == \App::$channel['channel_theme']) {
// call theme_post only if theme has not been changed
if (($themeconfigfile = $this->get_theme_config_file($theme)) != null) {
require_once $themeconfigfile;
theme_post($a);
}
}
$r = q("UPDATE channel SET channel_theme = '%s' WHERE channel_id = %d", dbesc($theme), intval(local_channel()));
call_hooks('display_settings_post', $_POST);
build_sync_packet();
goaway(z_root() . '/settings/display');
return;
// NOTREACHED
}
if (argc() > 1 && argv(1) === 'account') {
check_form_security_token_redirectOnErr('/settings/account', 'settings_account');
call_hooks('account_settings_post', $_POST);
// call_hooks('settings_account', $_POST);
$errs = array();
$email = x($_POST, 'email') ? trim(notags($_POST['email'])) : '';
$account = \App::get_account();
if ($email != $account['account_email']) {
if (!valid_email($email)) {
$errs[] = t('Not valid email.');
}
$adm = trim(get_config('system', 'admin_email'));
if ($adm && strcasecmp($email, $adm) == 0) {
$errs[] = t('Protected email address. Cannot change to that email.');
$email = \App::$user['email'];
}
if (!$errs) {
$r = q("update account set account_email = '%s' where account_id = %d", dbesc($email), intval($account['account_id']));
if (!$r) {
$errs[] = t('System failure storing new email. Please try again.');
}
}
}
if ($errs) {
foreach ($errs as $err) {
notice($err . EOL);
}
$errs = array();
}
if (x($_POST, 'npassword') || x($_POST, 'confirm')) {
$origpass = trim($_POST['origpass']);
require_once 'include/auth.php';
if (!account_verify_password($email, $origpass)) {
$errs[] = t('Password verification failed.');
}
$newpass = trim($_POST['npassword']);
$confirm = trim($_POST['confirm']);
if ($newpass != $confirm) {
$errs[] = t('Passwords do not match. Password unchanged.');
}
if (!x($newpass) || !x($confirm)) {
$errs[] = t('Empty passwords are not allowed. Password unchanged.');
}
if (!$errs) {
$salt = random_string(32);
$password_encoded = hash('whirlpool', $salt . $newpass);
$r = q("update account set account_salt = '%s', account_password = '******', account_password_changed = '%s' \n\t\t\t\t\t\twhere account_id = %d", dbesc($salt), dbesc($password_encoded), dbesc(datetime_convert()), intval(get_account_id()));
if ($r) {
info(t('Password changed.') . EOL);
} else {
$errs[] = t('Password update failed. Please try again.');
}
}
}
if ($errs) {
foreach ($errs as $err) {
notice($err . EOL);
}
}
goaway(z_root() . '/settings/account');
}
check_form_security_token_redirectOnErr('/settings', 'settings');
call_hooks('settings_post', $_POST);
$set_perms = '';
$role = x($_POST, 'permissions_role') ? notags(trim($_POST['permissions_role'])) : '';
$oldrole = get_pconfig(local_channel(), 'system', 'permissions_role');
if ($role != $oldrole || $role === 'custom') {
if ($role === 'custom') {
$hide_presence = x($_POST, 'hide_presence') && intval($_POST['hide_presence']) == 1 ? 1 : 0;
$publish = x($_POST, 'profile_in_directory') && intval($_POST['profile_in_directory']) == 1 ? 1 : 0;
$def_group = x($_POST, 'group-selection') ? notags(trim($_POST['group-selection'])) : '';
$r = q("update channel set channel_default_group = '%s' where channel_id = %d", dbesc($def_group), intval(local_channel()));
$global_perms = get_perms();
foreach ($global_perms as $k => $v) {
$set_perms .= ', ' . $v[0] . ' = ' . intval($_POST[$k]) . ' ';
}
$acl = new \Zotlabs\Access\AccessList($channel);
$acl->set_from_array($_POST);
$x = $acl->get();
$r = q("update channel set channel_allow_cid = '%s', channel_allow_gid = '%s', \n\t\t\t\t\tchannel_deny_cid = '%s', channel_deny_gid = '%s' where channel_id = %d", dbesc($x['allow_cid']), dbesc($x['allow_gid']), dbesc($x['deny_cid']), dbesc($x['deny_gid']), intval(local_channel()));
} else {
$role_permissions = get_role_perms($_POST['permissions_role']);
if (!$role_permissions) {
notice('Permissions category could not be found.');
return;
}
$hide_presence = 1 - intval($role_permissions['online']);
if ($role_permissions['default_collection']) {
$r = q("select hash from groups where uid = %d and gname = '%s' limit 1", intval(local_channel()), dbesc(t('Friends')));
if (!$r) {
require_once 'include/group.php';
group_add(local_channel(), t('Friends'));
group_add_member(local_channel(), t('Friends'), $channel['channel_hash']);
$r = q("select hash from groups where uid = %d and gname = '%s' limit 1", intval(local_channel()), dbesc(t('Friends')));
}
if ($r) {
q("update channel set channel_default_group = '%s', channel_allow_gid = '%s', channel_allow_cid = '', channel_deny_gid = '', channel_deny_cid = '' where channel_id = %d", dbesc($r[0]['hash']), dbesc('<' . $r[0]['hash'] . '>'), intval(local_channel()));
} else {
notice(sprintf('Default privacy group \'%s\' not found. Please create and re-submit permission change.', t('Friends')) . EOL);
return;
}
} else {
q("update channel set channel_default_group = '', channel_allow_gid = '', channel_allow_cid = '', channel_deny_gid = '', \n\t\t\t\t\t\tchannel_deny_cid = '' where channel_id = %d", intval(local_channel()));
}
$r = q("update abook set abook_my_perms = %d where abook_channel = %d and abook_self = 1", intval(array_key_exists('perms_accept', $role_permissions) ? $role_permissions['perms_accept'] : 0), intval(local_channel()));
set_pconfig(local_channel(), 'system', 'autoperms', $role_permissions['perms_auto'] ? intval($role_permissions['perms_accept']) : 0);
foreach ($role_permissions as $p => $v) {
if (strpos($p, 'channel_') !== false) {
$set_perms .= ', ' . $p . ' = ' . intval($v) . ' ';
}
if ($p === 'directory_publish') {
$publish = intval($v);
}
}
}
set_pconfig(local_channel(), 'system', 'hide_online_status', $hide_presence);
set_pconfig(local_channel(), 'system', 'permissions_role', $role);
}
$username = x($_POST, 'username') ? notags(trim($_POST['username'])) : '';
$timezone = x($_POST, 'timezone_select') ? notags(trim($_POST['timezone_select'])) : '';
$defloc = x($_POST, 'defloc') ? notags(trim($_POST['defloc'])) : '';
$openid = x($_POST, 'openid_url') ? notags(trim($_POST['openid_url'])) : '';
$maxreq = x($_POST, 'maxreq') ? intval($_POST['maxreq']) : 0;
$expire = x($_POST, 'expire') ? intval($_POST['expire']) : 0;
$evdays = x($_POST, 'evdays') ? intval($_POST['evdays']) : 3;
$photo_path = x($_POST, 'photo_path') ? escape_tags(trim($_POST['photo_path'])) : '';
$attach_path = x($_POST, 'attach_path') ? escape_tags(trim($_POST['attach_path'])) : '';
$channel_menu = x($_POST['channel_menu']) ? htmlspecialchars_decode(trim($_POST['channel_menu']), ENT_QUOTES) : '';
$expire_items = x($_POST, 'expire_items') ? intval($_POST['expire_items']) : 0;
$expire_starred = x($_POST, 'expire_starred') ? intval($_POST['expire_starred']) : 0;
$expire_photos = x($_POST, 'expire_photos') ? intval($_POST['expire_photos']) : 0;
$expire_network_only = x($_POST, 'expire_network_only') ? intval($_POST['expire_network_only']) : 0;
$allow_location = x($_POST, 'allow_location') && intval($_POST['allow_location']) == 1 ? 1 : 0;
$blocktags = x($_POST, 'blocktags') && intval($_POST['blocktags']) == 1 ? 0 : 1;
// this setting is inverted!
$unkmail = x($_POST, 'unkmail') && intval($_POST['unkmail']) == 1 ? 1 : 0;
$cntunkmail = x($_POST, 'cntunkmail') ? intval($_POST['cntunkmail']) : 0;
$suggestme = x($_POST, 'suggestme') ? intval($_POST['suggestme']) : 0;
$post_newfriend = $_POST['post_newfriend'] == 1 ? 1 : 0;
$post_joingroup = $_POST['post_joingroup'] == 1 ? 1 : 0;
$post_profilechange = $_POST['post_profilechange'] == 1 ? 1 : 0;
$adult = $_POST['adult'] == 1 ? 1 : 0;
$cal_first_day = x($_POST, 'first_day') && intval($_POST['first_day']) == 1 ? 1 : 0;
$channel = \App::get_channel();
$pageflags = $channel['channel_pageflags'];
$existing_adult = $pageflags & PAGE_ADULT ? 1 : 0;
if ($adult != $existing_adult) {
$pageflags = $pageflags ^ PAGE_ADULT;
}
$notify = 0;
if (x($_POST, 'notify1')) {
$notify += intval($_POST['notify1']);
}
if (x($_POST, 'notify2')) {
$notify += intval($_POST['notify2']);
}
if (x($_POST, 'notify3')) {
$notify += intval($_POST['notify3']);
}
if (x($_POST, 'notify4')) {
$notify += intval($_POST['notify4']);
}
if (x($_POST, 'notify5')) {
$notify += intval($_POST['notify5']);
}
if (x($_POST, 'notify6')) {
$notify += intval($_POST['notify6']);
}
if (x($_POST, 'notify7')) {
$notify += intval($_POST['notify7']);
}
if (x($_POST, 'notify8')) {
$notify += intval($_POST['notify8']);
}
$vnotify = 0;
if (x($_POST, 'vnotify1')) {
$vnotify += intval($_POST['vnotify1']);
}
if (x($_POST, 'vnotify2')) {
$vnotify += intval($_POST['vnotify2']);
}
if (x($_POST, 'vnotify3')) {
$vnotify += intval($_POST['vnotify3']);
}
if (x($_POST, 'vnotify4')) {
$vnotify += intval($_POST['vnotify4']);
}
if (x($_POST, 'vnotify5')) {
$vnotify += intval($_POST['vnotify5']);
}
if (x($_POST, 'vnotify6')) {
$vnotify += intval($_POST['vnotify6']);
}
if (x($_POST, 'vnotify7')) {
$vnotify += intval($_POST['vnotify7']);
}
if (x($_POST, 'vnotify8')) {
$vnotify += intval($_POST['vnotify8']);
}
if (x($_POST, 'vnotify9')) {
$vnotify += intval($_POST['vnotify9']);
}
if (x($_POST, 'vnotify10')) {
$vnotify += intval($_POST['vnotify10']);
}
if (x($_POST, 'vnotify11')) {
$vnotify += intval($_POST['vnotify11']);
}
$always_show_in_notices = x($_POST, 'always_show_in_notices') ? 1 : 0;
$channel = \App::get_channel();
$err = '';
$name_change = false;
if ($username != $channel['channel_name']) {
$name_change = true;
require_once 'include/channel.php';
$err = validate_channelname($username);
if ($err) {
notice($err);
return;
}
}
if ($timezone != $channel['channel_timezone']) {
if (strlen($timezone)) {
date_default_timezone_set($timezone);
}
}
set_pconfig(local_channel(), 'system', 'use_browser_location', $allow_location);
set_pconfig(local_channel(), 'system', 'suggestme', $suggestme);
set_pconfig(local_channel(), 'system', 'post_newfriend', $post_newfriend);
set_pconfig(local_channel(), 'system', 'post_joingroup', $post_joingroup);
set_pconfig(local_channel(), 'system', 'post_profilechange', $post_profilechange);
set_pconfig(local_channel(), 'system', 'blocktags', $blocktags);
set_pconfig(local_channel(), 'system', 'channel_menu', $channel_menu);
set_pconfig(local_channel(), 'system', 'vnotify', $vnotify);
set_pconfig(local_channel(), 'system', 'always_show_in_notices', $always_show_in_notices);
set_pconfig(local_channel(), 'system', 'evdays', $evdays);
set_pconfig(local_channel(), 'system', 'photo_path', $photo_path);
set_pconfig(local_channel(), 'system', 'attach_path', $attach_path);
set_pconfig(local_channel(), 'system', 'cal_first_day', $cal_first_day);
$r = q("update channel set channel_name = '%s', channel_pageflags = %d, channel_timezone = '%s', channel_location = '%s', channel_notifyflags = %d, channel_max_anon_mail = %d, channel_max_friend_req = %d, channel_expire_days = %d {$set_perms} where channel_id = %d", dbesc($username), intval($pageflags), dbesc($timezone), dbesc($defloc), intval($notify), intval($unkmail), intval($maxreq), intval($expire), intval(local_channel()));
if ($r) {
info(t('Settings updated.') . EOL);
}
if (!is_null($publish)) {
$r = q("UPDATE profile SET publish = %d WHERE is_default = 1 AND uid = %d", intval($publish), intval(local_channel()));
}
if ($name_change) {
$r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s' where xchan_hash = '%s'", dbesc($username), dbesc(datetime_convert()), dbesc($channel['channel_hash']));
$r = q("update profile set fullname = '%s' where uid = %d and is_default = 1", dbesc($username), intval($channel['channel_id']));
}
\Zotlabs\Daemon\Master::Summon(array('Directory', local_channel()));
build_sync_packet();
//$_SESSION['theme'] = $theme;
if ($email_changed && \App::$config['system']['register_policy'] == REGISTER_VERIFY) {
// FIXME - set to un-verified, blocked and redirect to logout
// Why? Are we verifying people or email addresses?
}
goaway(z_root() . '/settings');
return;
// NOTREACHED
}
/**
* Simple HTTP Login
*/
function api_login(&$a)
{
// login with oauth
try {
$oauth = new FKOAuth1();
$req = OAuthRequest::from_request();
list($consumer, $token) = $oauth->verify_request($req);
// list($consumer,$token) = $oauth->verify_request(OAuthRequest::from_request());
if (!is_null($token)) {
$oauth->loginUser($token->uid);
$a->set_oauth_key($consumer->key);
call_hooks('logged_in', $a->user);
return;
}
echo __FILE__ . __LINE__ . __FUNCTION__ . "<pre>";
// var_dump($consumer, $token);
die;
} catch (Exception $e) {
logger(__FILE__ . __LINE__ . __FUNCTION__ . "\n" . $e);
}
// workaround for HTTP-auth in CGI mode
if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
if (strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
}
if (x($_SERVER, 'HTTP_AUTHORIZATION')) {
$userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6));
if (strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
}
if (!isset($_SERVER['PHP_AUTH_USER'])) {
logger('API_login: '******'WWW-Authenticate: Basic realm="Red"');
header('HTTP/1.0 401 Unauthorized');
die('This api requires login');
}
// process normal login request
require_once 'include/auth.php';
$channel_login = 0;
$record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if (!$record) {
$r = q("select * from channel where channel_address = '%s' limit 1", dbesc($_SERVER['PHP_AUTH_USER']));
if ($r) {
$x = q("select * from account where account_id = %d limit 1", intval($r[0]['channel_account_id']));
if ($x) {
$record = account_verify_password($x[0]['account_email'], $_SERVER['PHP_AUTH_PW']);
if ($record) {
$channel_login = $r[0]['channel_id'];
}
}
}
if (!$record) {
logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG);
header('WWW-Authenticate: Basic realm="Red"');
header('HTTP/1.0 401 Unauthorized');
die('This api requires login');
}
}
require_once 'include/security.php';
authenticate_success($record);
if ($channel_login) {
change_channel($channel_login);
}
$_SESSION['allow_api'] = true;
}
$record = null;
$addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null);
/**
*
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded.
*
*/
call_hooks('authenticate', $addon_auth);
$atoken = null;
$account = null;
if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
$account = $addon_auth['user_record'];
} else {
$verify = account_verify_password($_POST['username'], $_POST['password']);
if ($verify) {
$atoken = $verify['xchan'];
$channel = $verify['channel'];
$account = App::$account = $verify['account'];
}
if (App::$account) {
$_SESSION['account_id'] = App::$account['account_id'];
} elseif ($atoken) {
atoken_login($atoken);
} else {
notice(t('Failed authentication') . EOL);
}
}
if (!($account || $atoken)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
/**
* @brief Validates a username and password.
*
*
* @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass
* @param string $username
* @param string $password
* @return bool
*/
protected function validateUserPass($username, $password)
{
require_once 'include/auth.php';
$record = account_verify_password($username, $password);
if ($record && $record['account']) {
if ($record['channel']) {
$channel = $record['channel'];
} else {
$r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", intval($record['account']['account_id']), intval($record['account']['account_default_channel']));
if ($r) {
$channel = $r[0];
}
}
}
if ($channel && $this->check_module_access($channel['channel_id'])) {
return $this->setAuthenticated($channel);
}
if ($this->module_disabled) {
$error = 'module not enabled for ' . $username;
} else {
$error = 'password failed for ' . $username;
}
logger($error);
log_failed_login($error);
return false;
}
}
if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') {
$record = null;
$addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null);
/**
*
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded.
*
*/
call_hooks('authenticate', $addon_auth);
if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
$record = $addon_auth['user_record'];
} else {
$record = App::$account = account_verify_password($_POST['username'], $_POST['password']);
if (App::$account) {
$_SESSION['account_id'] = App::$account['account_id'];
} else {
notice(t('Failed authentication') . EOL);
}
logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
}
if (!$record || !count($record)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
logger($error);
// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
$authlog = get_config('system', 'authlog');
if ($authlog) {
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
}
/**
*
* @param string $username
* @param string $password
*/
protected function validateUserPass($username, $password)
{
if (trim($password) === '+++') {
logger('reddav: validateUserPass: guest ' . $username);
return true;
}
require_once 'include/auth.php';
$record = account_verify_password($username, $password);
if ($record && $record['account_default_channel']) {
$r = q("select * from channel where channel_account_id = %d and channel_id = %d limit 1", intval($record['account_id']), intval($record['account_default_channel']));
if ($r) {
$this->currentUser = $r[0]['channel_address'];
$this->channel_name = $r[0]['channel_address'];
$this->channel_id = $r[0]['channel_id'];
$this->channel_hash = $this->observer = $r[0]['channel_hash'];
$_SESSION['uid'] = $r[0]['channel_id'];
$_SESSION['account_id'] = $r[0]['channel_account_id'];
$_SESSION['authenticated'] = true;
return true;
}
}
$r = q("select * from channel where channel_address = '%s' limit 1", dbesc($username));
if ($r) {
$x = q("select * from account where account_id = %d limit 1", intval($r[0]['channel_account_id']));
if ($x) {
foreach ($x as $record) {
if ($record['account_flags'] == ACCOUNT_OK || $record['account_flags'] == ACCOUNT_UNVERIFIED && hash('whirlpool', $record['account_salt'] . $password) === $record['account_password']) {
logger('(DAV) RedBasicAuth: password verified for ' . $username);
$this->currentUser = $r[0]['channel_address'];
$this->channel_name = $r[0]['channel_address'];
$this->channel_id = $r[0]['channel_id'];
$this->channel_hash = $this->observer = $r[0]['channel_hash'];
$_SESSION['uid'] = $r[0]['channel_id'];
$_SESSION['account_id'] = $r[0]['channel_account_id'];
$_SESSION['authenticated'] = true;
return true;
}
}
}
}
logger('(DAV) RedBasicAuth: password failed for ' . $username);
return false;
}
