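/**
 * Builds the security notes while checking some security issues.
 * These notes should be displayed!
 *
 * Checks performed, in order: leftover install directory; LDAP extension
 * (when the configured authentication method is LDAP) or admin default
 * password (any other method); BTS connection; repository directory (only
 * for a filesystem repository); schema version; e-mail configuration; PHP
 * extensions (checkForExtensions() appends to the notes by reference).
 *
 * How the notes are delivered depends on config 'config_check_warning_mode':
 *  - 'SCREEN' (or any unknown value): the notes are returned for display.
 *  - 'FILE': the notes are written to <log_path>config_check.txt and replaced
 *    by a single note pointing at that file. If the file cannot be written
 *    the original notes are returned instead, so they are not lost and the
 *    user is not pointed at a file that does not exist.
 *  - 'SILENT': the notes are written to the same file and discarded.
 *
 * @param mixed &$db database handler, forwarded to the individual checks
 * @return array|null returns the security issues, or null if none found!
 * @author Andreas Morsing
 *
 * @internal rev :
 **/
function getSecurityNotes(&$db)
{
    $repositoryType = config_get('repositoryType');
    $repositoryPath = config_get('repositoryPath');
    $securityNotes = null;

    if (checkForInstallDir()) {
        $securityNotes[] = lang_get("sec_note_remove_install_dir");
    }

    // With LDAP the local admin password is irrelevant, so only one of the
    // two checks applies.
    $authCfg = config_get('authentication');
    if ('LDAP' === $authCfg['method']) {
        if (!checkForLDAPExtension()) {
            $securityNotes[] = lang_get("ldap_extension_not_loaded");
        }
    } elseif (checkForAdminDefaultPwd($db)) {
        $securityNotes[] = lang_get("sec_note_admin_default_pwd");
    }

    if (!checkForBTSConnection()) {
        $securityNotes[] = lang_get("bts_connection_problems");
    }

    if ($repositoryType == TL_REPOSITORY_TYPE_FS) {
        $repoCheck = checkForRepositoryDir($repositoryPath);
        if (!$repoCheck['status_ok']) {
            $securityNotes[] = $repoCheck['msg'];
        }
    }

    // Needed when schemas change has been done.
    // This call can be removed when release is stable
    $schemaCheck = checkSchemaVersion($db);
    if (isset($schemaCheck['msg']) && (string)$schemaCheck['msg'] !== '') {
        $securityNotes[] = $schemaCheck['msg'];
    }

    $emailNotes = checkEmailConfig();
    if (!is_null($emailNotes)) {
        foreach ($emailNotes as $detail) {
            $securityNotes[] = $detail;
        }
    }

    checkForExtensions($securityNotes);

    if (is_null($securityNotes)) {
        return null;
    }

    $user_feedback = config_get('config_check_warning_mode');
    if ($user_feedback == 'FILE' || $user_feedback == 'SILENT') {
        $filename = config_get('log_path') . 'config_check.txt';
        // Best-effort write: an unwritable log_path must not break the login
        // flow, so the warning is suppressed and the return value is checked
        // instead. LOCK_EX avoids interleaved writes from concurrent logins.
        $written = @file_put_contents($filename, implode("\n", $securityNotes), LOCK_EX) !== false;

        if ($user_feedback == 'FILE') {
            if ($written) {
                $securityNotes = array(sprintf(lang_get('config_check_warnings'), $filename));
            }
            // On write failure keep the notes for on-screen display.
        } else {
            // SILENT: the notes are intentionally not displayed.
            $securityNotes = null;
        }
    }

    return $securityNotes;
}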
/**
 * doBlockingChecks
 *
 * A wrong schema version will BLOCK ANY login action: when
 * checkSchemaVersion() reports a status below tl::OK, its message is
 * shown on the login screen instead of continuing, and, if the check
 * asks for it, the current PHP session is destroyed first.
 *
 * @param &$dbHandler DataBase Handler
 * @param &$guiObj some gui elements that will be used to give feedback
 *
 */
function doBlockingChecks(&$dbHandler, &$guiObj)
{
    $schemaCheck = checkSchemaVersion($dbHandler);
    if ($schemaCheck['status'] >= tl::OK) {
        return;
    }

    // Houston we have a problem.
    // A LIVE AND VALID session must not survive a schema mismatch. Scenario
    // this guards against: TestLink 1.9.5 is installed, 1.9.6 is installed in
    // another folder pointing to the same OLD DB; a login to 1.9.5 creates a
    // session, and a later login to 1.9.6 would show the Update DB Schema
    // message but still let the user in because the session is valid => BAD.
    // checkSchemaVersion() signals this via 'kill_session'.
    if (!empty($schemaCheck['kill_session'])) {
        session_unset();
        session_destroy();
    }

    $guiObj->note = $schemaCheck['msg'];
    // NOTE(review): whether renderLoginScreen() terminates the request is
    // not visible here; the "blocking" contract relies on it not returning
    // into a normal login flow.
    renderLoginScreen($guiObj);
}
$gui->hint_text = $gui->link_to_op = ''; $smarty->assign('gui', $gui); $smarty->display('workAreaSimple.tpl'); tLog('Connection fail page shown.', 'ERROR'); exit; } $args = init_args(); $gui = init_gui($db, $args); switch ($args->action) { case 'doLogin': case 'ajaxlogin': doSessionStart(); unset($_SESSION['basehref']); setPaths(); // check if db scheme is up to date else deny login $op = checkSchemaVersion($db); // only try to authorize user if scheme version is OK if ($op['status'] == tl::OK) { $op = doAuthorize($db, $args->login, $args->pwd); } if ($op['status'] < tl::OK) { $gui->note = is_null($op['msg']) ? lang_get('bad_user_passwd') : $op['msg']; if ($args->action == 'ajaxlogin') { echo json_encode(array('success' => false, 'reason' => $gui->note)); } else { $doRender = true; } } else { // Login successful, redirect to destination $args->currentUser = $_SESSION['currentUser']; logAuditEvent(TLS("audit_login_succeeded", $args->login, $_SERVER['REMOTE_ADDR']), "LOGIN", $args->currentUser->dbID, "users");