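/**
 * Processes submitting of the form which is generated in
 * {@link \Mibew\Controller\LoginController::showFormAction()} method.
 *
 * Triggers 'operatorLogin' event after operator logged in and passes to it an
 * associative array with following items:
 *  - 'operator': array of the logged in operator info;
 *  - 'remember': boolean, indicates if system should remember operator.
 *
 * On a failed attempt the login form is rebuilt with an error message.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content.
 */
public function submitFormAction(Request $request)
{
    csrf_check_token($request);

    $login = $request->request->get('login');
    $password = $request->request->get('password');
    $remember = $request->request->get('isRemember') == 'on';
    $errors = array();

    $operator = operator_by_login($login);
    // NOTE(review): an unknown login short-circuits before the hash check,
    // and a disabled account gets its own message below; both let a client
    // tell which logins exist. Kept as-is to preserve the existing UI.
    $operator_can_login = $operator
        && isset($operator['vcpassword'])
        && check_password_hash($operator['vclogin'], $password, $operator['vcpassword'])
        && !operator_is_disabled($operator);

    if ($operator_can_login) {
        // Login the operator to the system
        $this->getAuthenticationManager()->loginOperator($operator, $remember);

        // Redirect the current operator to the needed page.
        $target = isset($_SESSION[SESSION_PREFIX . 'backpath'])
            ? $_SESSION[SESSION_PREFIX . 'backpath']
            : $request->getUriForPath('/operator');

        return $this->redirect($target);
    }

    // Only consult the disabled flag for a known operator: operator_by_login()
    // yields a falsy value for an unknown login, and that value is not a
    // meaningful argument for operator_is_disabled().
    if ($operator && operator_is_disabled($operator)) {
        $errors[] = getlocal('Your account is temporarily blocked. Please contact system administrator.');
    } else {
        $errors[] = getlocal("Entered login/password is incorrect");
    }

    // Rebuild login form
    $request->attributes->set('errors', $errors);

    return $this->showFormAction($request);
}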
* limitations under the License. */ require_once '../libs/common.php'; require_once '../libs/operator.php'; if (check_login(false)) { header("Location: {$mibewroot}/operator/"); exit; } $errors = array(); $page = array('formisRemember' => true, 'version' => $version); if (isset($_POST['login']) && isset($_POST['password'])) { $login = getparam('login'); $password = getparam('password'); $remember = isset($_POST['isRemember']) && $_POST['isRemember'] == "on"; $operator = operator_by_login($login); if ($operator && isset($operator['vcpassword']) && check_password_hash($login, $password, $operator['vcpassword'])) { $target = $password == '' ? "{$mibewroot}/operator/operator.php?op=" . intval($operator['operatorid']) : (isset($_SESSION['backpath']) ? $_SESSION['backpath'] : "{$mibewroot}/operator/index.php"); login_operator($operator, $remember, is_secure_request()); header("Location: {$target}"); exit; } else { $errors[] = getlocal("page_login.error"); $page['formlogin'] = $login; } } else { if (isset($_GET['login'])) { $login = getgetparam('login'); if (preg_match("/^(\\w{1,15})\$/", $login)) { $page['formlogin'] = $login; } }
<?php
/*
 * This file is a part of Mibew Messenger.
 *
 * Copyright 2005-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

require_once '../libs/common.php';
require_once '../libs/operator.php';

// Operator home page: resolve the current operator, read the settings and the
// presence flag, then render the menu view.
$operator = check_login();

// The database link is needed only for the settings and the presence lookup,
// so it is released as soon as both are done.
$link = connect();
loadsettings_($link);
$isonline = is_operator_online($operator['operatorid'], $link);
mysql_close($link);

$operator_base = "{$mibewroot}/operator";
$profile_page = $operator_base . "/operator.php?op=" . safe_htmlspecialchars($operator['operatorid']);

// The stored hash is tested against the empty password; judging by the key
// name this flags an account whose password was never set — confirm in the view.
$must_change_password = check_password_hash($operator['vclogin'], '', $operator['vcpassword']);

// Key order is kept identical to the original so that any iteration in the
// view sees the same sequence.
$page = array();
$page['version'] = $version;
$page['localeLinks'] = get_locale_links($operator_base . "/index.php");
$page['needUpdate'] = $settings['dbversion'] != $dbversion;
$page['needChangePassword'] = $must_change_password;
$page['profilePage'] = $profile_page;
$page['updateWizard'] = "{$mibewroot}/install/";
$page['newFeatures'] = $settings['featuresversion'] != $featuresversion;
$page['featuresPage'] = $operator_base . "/features.php";
$page['isOnline'] = $isonline;

prepare_menu($operator);
start_html_output();
require '../view/menu.php';
if (isset($_GET['op'])) { $opId = verifyparam('op', "/^\\d{1,10}\$/"); $op = operator_by_id($opId); if (!$op) { $errors[] = getlocal("no_such_operator"); $page['opid'] = topage($opId); } else { $page['formlogin'] = topage($op['vclogin']); $page['formname'] = topage($op['vclocalename']); $page['formemail'] = topage($op['vcemail']); $page['formjabber'] = topage($op['vcjabbername']); $page['formjabbernotify'] = $op['inotify'] != 0; $page['formcommonname'] = topage($op['vccommonname']); $page['opid'] = topage($op['operatorid']); } } } if (!$opId && !is_capable($can_administrate, $operator)) { $errors[] = "You are not allowed to create operators"; } elseif ($opId && $opId != $operator['operatorid']) { check_permissions($operator, $can_administrate); } $canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator); $page['stored'] = isset($_GET['stored']); $page['canmodify'] = $canmodify ? "1" : ""; $page['showjabber'] = $settings['enablejabber'] == "1"; $page['needChangePassword'] = $opId == $operator['operatorid'] ? check_password_hash($operator['vclogin'], '', $operator['vcpassword']) : FALSE; prepare_menu($operator); setup_operator_settings_tabs($opId, 0); start_html_output(); require '../view/agent.php';
<?php require_once "../include/core.php"; session_start(); loadLocale('acp'); if (isset($_POST["action"])) { switch ($_POST["action"]) { case 'login': if (isset($_POST["login"]) && isset($_POST["password"])) { $authData = array('login' => $_POST['login']); $password = $_POST['password']; $prep = $db->prepare("SELECT `id`, `login`, `password` FROM `" . DB_TABLE_PREFIX . "master` WHERE `disabled`=0 AND `login`=:login"); $resp = $prep->execute($authData); $res = $prep->fetchAll(); if (count($res) == 1 && check_password_hash($password, $res[0]['password'])) { $row = $res[0]; $_SESSION['user_id'] = $row['id']; $_SESSION['user_login'] = $row['login']; $_SESSION['user_theme'] = "./themes/" . $theme->name; l('auth', 'login', 'master', $row['id'], NULL, array('ip' => $_SERVER['REMOTE_ADDR'])); redirect(); die; } else { l('auth', 'badlogin', 'master', NULL, NULL, array('ip' => $_SERVER['REMOTE_ADDR'], 'login' => $_POST['login'])); redirect("auth.php?badpassword=true"); die; } } break; case 'logout': if (isset($_SESSION['user_id'])) {
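/**
 * Processes submitting of the form which is generated in
 * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
 *
 * Validates the posted fields, then either creates a new operator (when the
 * request carries no 'operator_id' attribute) or updates the existing one.
 * On any validation error the edit form is rebuilt with the collected
 * messages instead.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content.
 */
public function submitFormAction(Request $request)
{
    csrf_check_token($request);

    $errors = array();
    $operator = $this->getOperator();

    $op_id = $request->attributes->getInt('operator_id');
    $login = $request->request->get('login');
    $email = $request->request->get('email');
    // Default the password fields to '' when they are absent from the
    // request: get() would return null, which is not identical to '' and
    // would otherwise pass the "keep the stored hash" guard further below.
    $password = $request->request->get('password', '');
    $password_confirm = $request->request->get('passwordConfirm', '');
    $local_name = $request->request->get('name');
    $common_name = $request->request->get('commonname');
    $code = $request->request->get('code');

    if (!$local_name) {
        $errors[] = no_field('Name');
    }

    if (!$common_name) {
        $errors[] = no_field('International name (Latin)');
    }

    // The login is needed only for new operators. If login is changed for
    // existing operator the stored password hash becomes invalid.
    if (!$op_id) {
        if (!$login) {
            $errors[] = no_field('Login');
        } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
            $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
        }
    }

    if (!$email || !MailUtils::isValidAddress($email)) {
        $errors[] = wrong_field('E-mail');
    }

    if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
        $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
    }

    if (!$op_id && !$password) {
        $errors[] = no_field('Password');
    }

    // Strict comparison: with "!=" two numeric-looking strings such as
    // "1e3" and "1000" would be treated as equal passwords.
    if ($password !== $password_confirm) {
        $errors[] = getlocal('Entered passwords do not match');
    }

    // The login may belong to a different operator than the one being edited
    // (for a new operator, to anybody at all).
    $existing_operator = operator_by_login($login);
    $duplicate_login = $existing_operator
        && (!$op_id || $op_id != $existing_operator['operatorid']);
    if ($duplicate_login) {
        $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
    }

    // Check if operator with specified email already exists in the database.
    $existing_operator = operator_by_email($email);
    $duplicate_email = $existing_operator
        && (!$op_id || $op_id != $existing_operator['operatorid']);
    if ($duplicate_email) {
        $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
    }

    if (count($errors) != 0) {
        $request->attributes->set('errors', $errors);

        // The form should be rebuild. Invoke appropriate action.
        return $this->showFormAction($request);
    }

    if (!$op_id) {
        // Create new operator and redirect the current operator to avatar
        // page.
        $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
        $redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));

        return $this->redirect($redirect_to);
    }

    // Mix old operator's fields with updated values
    $target_operator = array(
        'vcemail' => $email,
        'vclocalename' => $local_name,
        'vccommonname' => $common_name,
        'code' => $code,
    ) + operator_by_id($op_id);

    // Set the password only if it's not an empty string.
    if ($password !== '') {
        $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
    }

    // Update operator's fields in the database.
    update_operator($target_operator);

    // Operator's data are cached in the authentication manager, thus we need
    // to manually update them.
    if ($target_operator['operatorid'] == $operator['operatorid']) {
        // Check if the admin has set his password for the first time: the
        // previously stored hash still matched the empty password and a
        // non-empty one was just submitted.
        $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
            && $password !== '';

        // Update operator's fields.
        $this->getAuthenticationManager()->setOperator($target_operator);

        // Redirect the admin to the home page if needed.
        if ($to_dashboard) {
            return $this->redirect($this->generateUrl('home_operator'));
        }
    }

    // Redirect the operator to edit page again to use GET method instead of
    // POST.
    $redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));

    return $this->redirect($redirect_to);
}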