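/**
  * {@inheritdoc}
  *
  * Besides the session lookup done by the parent class two more sources are
  * tried, in this order: the "remember me" cookie and plugins subscribed to
  * {@link \Mibew\EventDispatcher\Events::OPERATOR_AUTHENTICATE}.
  *
  * The cookie carries "<login>\0<token>" base64-encoded, where the token is
  * calculate_password_hash() of the stored password hash. It is decoded
  * strictly and compared with hash_equals() so that a forged value can
  * neither rely on loose "==" string comparison nor on timing differences.
  *
  * @param Request $request Incoming request.
  * @return boolean True if an operator was found and stored in
  *   $this->operator, false otherwise.
  */
 public function setOperatorFromRequest(Request $request)
 {
     // Try to get operator from session.
     if (parent::setOperatorFromRequest($request)) {
         return true;
     }

     // Check if operator had used "remember me" feature.
     if ($request->cookies->has(REMEMBER_OPERATOR_COOKIE_NAME)) {
         $cookie_value = $request->cookies->get(REMEMBER_OPERATOR_COOKIE_NAME);

         // Tolerate a malformed cookie or a missing separator instead of
         // emitting a notice from list().
         $decoded = base64_decode($cookie_value, true);
         $parts = ($decoded === false) ? array() : preg_split('/\\x0/', $decoded, 2);
         $login = isset($parts[0]) ? $parts[0] : null;
         $pwd = isset($parts[1]) ? $parts[1] : null;

         $op = ($login === null) ? false : operator_by_login($login);
         $can_login = $op
             && is_string($pwd)
             && isset($op['vcpassword'])
             && hash_equals((string) calculate_password_hash($op['vclogin'], $op['vcpassword']), $pwd)
             && !operator_is_disabled($op);

         if ($can_login) {
             $this->operator = $op;

             return true;
         }
     }

     // Provide an ability for plugins to authenticate operator
     $args = array('operator' => false, 'request' => $request);
     $dispatcher = EventDispatcher::getInstance();
     $dispatcher->triggerEvent(Events::OPERATOR_AUTHENTICATE, $args);

     if (!empty($args['operator'])) {
         $this->operator = $args['operator'];

         return true;
     }

     // Operator's data cannot be extracted from the request.
     return false;
 }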
Esempio n. 2
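 /**
  * Processes submitting of the form which is generated in
  * {@link \Mibew\Controller\LoginController::showFormAction()} method.
  *
  * Triggers 'operatorLogin' event after operator logged in and passes to it an
  * associative array with following items:
  *  - 'operator': array of the logged in operator info;
  *  - 'remember': boolean, indicates if system should remember operator.
  *
  * The "account is blocked" message is shown only after the submitted
  * password has been verified, so the form does not reveal which logins
  * belong to disabled accounts.
  *
  * @param Request $request Incoming request.
  * @return string Rendered page content.
  */
 public function submitFormAction(Request $request)
 {
     csrf_check_token($request);

     // Missing fields are treated as empty strings so that the password
     // helpers below always receive strings.
     $login = (string) $request->request->get('login', '');
     $password = (string) $request->request->get('password', '');
     $remember = $request->request->get('isRemember') === 'on';
     $errors = array();

     $operator = operator_by_login($login);
     // Verify the password first; the disabled flag is consulted only for a
     // matching password so it cannot be probed with a wrong one.
     $password_is_valid = $operator
         && isset($operator['vcpassword'])
         && check_password_hash($operator['vclogin'], $password, $operator['vcpassword']);
     $operator_can_login = $password_is_valid && !operator_is_disabled($operator);

     if ($operator_can_login) {
         // Login the operator to the system
         $this->getAuthenticationManager()->loginOperator($operator, $remember);

         // Redirect the current operator to the needed page.
         $target = isset($_SESSION[SESSION_PREFIX . 'backpath'])
             ? $_SESSION[SESSION_PREFIX . 'backpath']
             : $request->getUriForPath('/operator');

         return $this->redirect($target);
     }

     if ($password_is_valid) {
         // Correct credentials, but the account is blocked.
         $errors[] = getlocal('Your account is temporarily blocked. Please contact system administrator.');
     } else {
         $errors[] = getlocal("Entered login/password is incorrect");
     }

     // Rebuild login form
     $request->attributes->set('errors', $errors);

     return $this->showFormAction($request);
 }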
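 /**
  * Generates a page for the first step of password recovery process.
  *
  * On POST the submitted login or e-mail is resolved to an operator, a random
  * recovery token is stored in the operator's record and a reset link is
  * mailed to the operator's address.
  *
  * @param Request $request Incoming request.
  * @return string Rendered page content
  * @throws \RuntimeException If the "password_recovery" mail template cannot
  *   be loaded.
  */
 public function indexAction(Request $request)
 {
     if ($this->getOperator()) {
         // If the operator is logged in just redirect him to the home page.
         return $this->redirect($request->getUriForPath('/operator'));
     }

     $page = array(
         'version' => MIBEW_VERSION,
         'title' => getlocal('Trouble Accessing Your Account?'),
         'headertitle' => getlocal('Mibew Messenger'),
         'show_small_login' => true,
         'fixedwrap' => true,
         'errors' => array(),
     );

     $login_or_email = '';

     if ($request->isMethod('POST')) {
         // When HTTP GET method is used the form is just rendered but the
         // user does not pass any data. Thus we need to prevent CSRF attacks
         // only for POST requests
         csrf_check_token($request);
     }

     if ($request->isMethod('POST') && $request->request->has('loginoremail')) {
         $login_or_email = $request->request->get('loginoremail');
         $to_restore = MailUtils::isValidAddress($login_or_email)
             ? operator_by_email($login_or_email)
             : operator_by_login($login_or_email);

         if (!$to_restore) {
             $page['errors'][] = getlocal('No such Operator');
         }

         // Read the record only when it exists: indexing "false" emits a
         // warning on recent PHP versions.
         $email = $to_restore ? $to_restore['vcemail'] : '';
         if (count($page['errors']) == 0 && !MailUtils::isValidAddress($email)) {
             $page['errors'][] = "Operator hasn't set his e-mail";
         }

         if (count($page['errors']) == 0) {
             // The token is the only thing protecting the reset link, so it
             // must be unpredictable. Prefer a CSPRNG; the time-based seed is a
             // weak last resort for hosts without any random source.
             if (function_exists('random_bytes')) {
                 $random = random_bytes(32);
             } elseif (function_exists('openssl_random_pseudo_bytes')) {
                 $random = openssl_random_pseudo_bytes(32);
             } else {
                 $random = (time() + microtime(true)) . mt_rand(0, 99999999);
             }
             $token = sha1($to_restore['vclogin'] . $random);

             // Update the operator
             $to_restore['dtmrestore'] = time();
             $to_restore['vcrestoretoken'] = $token;
             update_operator($to_restore);

             $href = $this->getRouter()->generate(
                 'password_recovery_reset',
                 array('id' => $to_restore['operatorid'], 'token' => $token),
                 UrlGeneratorInterface::ABSOLUTE_URL
             );

             // Load mail templates and substitute placeholders there.
             $mail_template = MailTemplate::loadByName('password_recovery', get_current_locale());
             if (!$mail_template) {
                 throw new \RuntimeException('Cannot load "password_recovery" mail template');
             }

             $this->sendMail(MailUtils::buildMessage(
                 $email,
                 $email,
                 $mail_template->buildSubject(),
                 $mail_template->buildBody(array(get_operator_name($to_restore), $href))
             ));

             $page['isdone'] = true;

             return $this->render('password_recovery', $page);
         }
     }

     $page['formloginoremail'] = $login_or_email;
     $page['localeLinks'] = get_locale_links();
     $page['isdone'] = false;

     return $this->render('password_recovery', $page);
 }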
Esempio n. 4
     $errors[] = wrong_field("form.field.jabber");
 }
 // Jabber notifications require an address whenever the feature is requested.
 if ($jabbernotify && $jabber == '') {
     if ($settings['enablejabber'] == "1") {
         $errors[] = no_field("form.field.jabber");
     } else {
         // Jabber is switched off system-wide: drop the request silently.
         $jabbernotify = false;
     }
 }

 // A password is mandatory only when a new operator is being created.
 if (!$opId && !$password) {
     $errors[] = no_field("form.field.password");
 }
 if ($password != $passwordConfirm) {
     $errors[] = getlocal("my_settings.error.password_match");
 }

 // The login must be unique; a matching record is acceptable only when it is
 // the very operator being edited.
 $existing_operator = operator_by_login($login);
 $login_taken = $existing_operator && (!$opId || $opId != $existing_operator['operatorid']);
 if ($login_taken) {
     $errors[] = getlocal("page_agent.error.duplicate_login");
 }

 // Either the operator edits his own profile and is allowed to, or he holds
 // the administrator capability.
 $edits_own_profile = ($opId == $operator['operatorid']) && is_capable($can_modifyprofile, $operator);
 $canmodify = $edits_own_profile || is_capable($can_administrate, $operator);
 if (!$canmodify) {
     $errors[] = getlocal('page_agent.cannot_modify');
 }
 if (count($errors) == 0) {
     if (!$opId) {
         $newop = create_operator($login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0, "");
         header("Location: {$webimroot}/operator/avatar.php?op=" . $newop['operatorid']);
         exit;
     } else {
         update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0);
         // update the session password
Esempio n. 5
 * EPL, indicate your decision by deleting the provisions above and replace them
 * with the notice and other provisions required by the GPL.
 * 
 * Contributors:
 *    Evgeny Gryaznov - initial API and implementation
 */
require_once '../libs/common.php';
require_once '../libs/operator.php';
require_once '../libs/settings.php';
require_once '../libs/notify.php';
// State handed to the template: collected validation errors, template
// variables, and the value re-displayed in the form field.
$errors = array();
$loginoremail = '';
$page = array('version' => $version);
if (isset($_POST['loginoremail'])) {
    $loginoremail = getparam("loginoremail");
    $torestore = is_valid_email($loginoremail) ? operator_by_email($loginoremail) : operator_by_login($loginoremail);
    if (!$torestore) {
        $errors[] = getlocal("no_such_operator");
    }
    $email = $torestore['vcemail'];
    if (count($errors) == 0 && !is_valid_email($email)) {
        $errors[] = "Operator hasn't set his e-mail";
    }
    if (count($errors) == 0) {
        $token = md5(time() + microtime() . rand(0, 99999999));
        $link = connect();
        $query = "update {$mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '{$token}' where operatorid = " . $torestore['operatorid'];
        perform_query($query, $link);
        $href = get_app_location(true, false) . "/operator/resetpwd.php?id=" . $torestore['operatorid'] . "&token={$token}";
        webim_mail($email, $email, getstring("restore.mailsubj"), getstring2("restore.mailtext", array(get_operator_name($torestore), $href)), $link);
        mysql_close($link);
Esempio n. 6
File: login.php Progetto: kuell/chat
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
require_once '../libs/common.php';
require_once '../libs/operator.php';
// An operator who is already authenticated has nothing to do on the login
// page; send him to the operator home instead.
$current_operator = check_login(false);
if ($current_operator) {
    header("Location: {$mibewroot}/operator/");
    exit();
}

$errors = array();
$page = array(
    'formisRemember' => true,
    'version' => $version,
);
if (isset($_POST['login']) && isset($_POST['password'])) {
    $login = getparam('login');
    $password = getparam('password');
    $remember = isset($_POST['isRemember']) && $_POST['isRemember'] == "on";
    $operator = operator_by_login($login);
    if ($operator && isset($operator['vcpassword']) && check_password_hash($login, $password, $operator['vcpassword'])) {
        $target = $password == '' ? "{$mibewroot}/operator/operator.php?op=" . intval($operator['operatorid']) : (isset($_SESSION['backpath']) ? $_SESSION['backpath'] : "{$mibewroot}/operator/index.php");
        login_operator($operator, $remember, is_secure_request());
        header("Location: {$target}");
        exit;
    } else {
        $errors[] = getlocal("page_login.error");
        $page['formlogin'] = $login;
    }
} else {
    if (isset($_GET['login'])) {
        $login = getgetparam('login');
        if (preg_match("/^(\\w{1,15})\$/", $login)) {
            $page['formlogin'] = $login;
        }
Esempio n. 7
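/**
 * Returns the logged in operator or sends the visitor to the login page.
 *
 * The operator is taken from the session. If it is absent the "remember me"
 * cookie ("<login>\0<token>" in base64, where the token is
 * calculate_password_hash() of the stored password hash) is tried and, on
 * success, the operator is stored in the session. The token is compared
 * with hash_equals() so that neither loose "==" string comparison nor timing
 * can be used to forge it.
 *
 * @param bool $redirect When true and nobody is logged in, the requested URL
 *   is saved in $_SESSION['backpath'] and the browser is redirected to the
 *   login page (this call does not return). When false, null is returned.
 * @return array|null Operator record, or null when $redirect is false and
 *   nobody is logged in.
 */
function check_login($redirect = true)
{
    global $mibewroot, $mysqlprefix, $remember_cookie_name;

    if (!isset($_SESSION["{$mysqlprefix}operator"])) {
        if (isset($_COOKIE[$remember_cookie_name])) {
            // Tolerate a malformed cookie or a missing separator instead of
            // emitting a notice from list().
            $decoded = base64_decode($_COOKIE[$remember_cookie_name], true);
            $parts = ($decoded === false) ? array() : preg_split('/\\x0/', $decoded, 2);
            $login = isset($parts[0]) ? $parts[0] : null;
            $pwd = isset($parts[1]) ? $parts[1] : null;

            $op = ($login === null) ? false : operator_by_login($login);
            if ($op && is_string($pwd) && isset($op['vcpassword'])
                && hash_equals((string) calculate_password_hash($op['vclogin'], $op['vcpassword']), $pwd)) {
                $_SESSION["{$mysqlprefix}operator"] = $op;

                return $op;
            }
        }

        // Remember where the visitor wanted to go so that login can return him.
        $requested = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
        $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
        if ($method == 'GET' && !empty($_SERVER['QUERY_STRING'])) {
            $requested .= "?" . $_SERVER['QUERY_STRING'];
        }

        if ($redirect) {
            $_SESSION['backpath'] = $requested;
            header("Location: {$mibewroot}/operator/login.php");
            exit;
        }

        return null;
    }

    return $_SESSION["{$mysqlprefix}operator"];
}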
Esempio n. 8
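/**
 * Returns the logged in operator or sends the visitor to the login page.
 *
 * The operator is taken from the session. If it is absent the "webim_lite"
 * cookie ("<login>,<token>") is tried and, on success, the operator is stored
 * in the session. The token is an unsalted md5 of the stored password hash:
 * anyone holding that hash can produce the cookie, and a leaked cookie stays
 * valid until the password changes. The comparison uses hash_equals() so
 * that loose "==" string comparison and timing cannot be used to forge it.
 *
 * @param bool $redirect When true and nobody is logged in, the requested URL
 *   is saved in $_SESSION['backpath'] and the browser is redirected to the
 *   login page (this call does not return). When false, null is returned.
 * @return array|null Operator record, or null when $redirect is false and
 *   nobody is logged in.
 */
function check_login($redirect = true)
{
    global $webimroot, $mysqlprefix;

    if (!isset($_SESSION["{$mysqlprefix}operator"])) {
        if (isset($_COOKIE['webim_lite'])) {
            // Tolerate a missing separator instead of emitting a notice from
            // list().
            $parts = explode(',', $_COOKIE['webim_lite'], 2);
            $login = $parts[0];
            $pwd = isset($parts[1]) ? $parts[1] : null;

            $op = operator_by_login($login);
            if ($op && is_string($pwd) && isset($op['vcpassword'])
                && hash_equals(md5($op['vcpassword']), $pwd)) {
                $_SESSION["{$mysqlprefix}operator"] = $op;

                return $op;
            }
        }

        // Remember where the visitor wanted to go so that login can return him.
        $requested = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
        $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
        if ($method == 'GET' && !empty($_SERVER['QUERY_STRING'])) {
            $requested .= "?" . $_SERVER['QUERY_STRING'];
        }

        if ($redirect) {
            $_SESSION['backpath'] = $requested;
            header("Location: {$webimroot}/operator/login.php");
            exit;
        }

        return null;
    }

    return $_SESSION["{$mysqlprefix}operator"];
}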
Esempio n. 9
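 /**
  * Processes submitting of the form which is generated in
  * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
  *
  * Validates the submitted fields, then either creates a new operator (when
  * the request has no "operator_id" attribute) or updates the existing one.
  * An absent password field is treated as an empty string, i.e. "keep the
  * current password"; only a non-empty value replaces the stored hash.
  *
  * @param Request $request Incoming request.
  * @return string Rendered page content.
  * @throws \RuntimeException If the operator to update cannot be found.
  */
 public function submitFormAction(Request $request)
 {
     csrf_check_token($request);

     $errors = array();
     $operator = $this->getOperator();
     $op_id = $request->attributes->getInt('operator_id');
     $login = $request->request->get('login');
     $email = $request->request->get('email');
     // Cast to string: a missing field must not be mistaken for a password
     // change further below.
     $password = (string) $request->request->get('password', '');
     $password_confirm = (string) $request->request->get('passwordConfirm', '');
     $local_name = $request->request->get('name');
     $common_name = $request->request->get('commonname');
     $code = $request->request->get('code');

     if (!$local_name) {
         $errors[] = no_field('Name');
     }

     if (!$common_name) {
         $errors[] = no_field('International name (Latin)');
     }

     // The login is needed only for new operators. If login is changed for
     // existing operator the stored password hash becomes invalid.
     if (!$op_id) {
         if (!$login) {
             $errors[] = no_field('Login');
         } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
             $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
         }
     }

     if (!$email || !MailUtils::isValidAddress($email)) {
         $errors[] = wrong_field('E-mail');
     }

     if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
         $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
     }

     if (!$op_id && $password === '') {
         $errors[] = no_field('Password');
     }

     if ($password !== $password_confirm) {
         $errors[] = getlocal('Entered passwords do not match');
     }

     // A record with the same login is acceptable only when it is the very
     // operator being edited.
     $existing_operator = operator_by_login($login);
     $duplicate_login = $existing_operator
         && (!$op_id || $op_id != $existing_operator['operatorid']);
     if ($duplicate_login) {
         $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
     }

     // Check if operator with specified email already exists in the database.
     $existing_operator = operator_by_email($email);
     $duplicate_email = $existing_operator
         && (!$op_id || $op_id != $existing_operator['operatorid']);
     if ($duplicate_email) {
         $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
     }

     if (count($errors) != 0) {
         $request->attributes->set('errors', $errors);

         // The form should be rebuild. Invoke appropriate action.
         return $this->showFormAction($request);
     }

     if (!$op_id) {
         // Create new operator and redirect the current operator to avatar
         // page.
         $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
         $redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));

         return $this->redirect($redirect_to);
     }

     // Fail loudly instead of adding an array to "false" below.
     $stored_operator = operator_by_id($op_id);
     if (!$stored_operator) {
         throw new \RuntimeException(sprintf('Operator #%d does not exist', $op_id));
     }

     // Mix old operator's fields with updated values
     $target_operator = array(
         'vcemail' => $email,
         'vclocalename' => $local_name,
         'vccommonname' => $common_name,
         'code' => $code,
     ) + $stored_operator;

     // Set the password only if it's not an empty string.
     if ($password !== '') {
         $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
     }

     // Update operator's fields in the database.
     update_operator($target_operator);

     // Operator's data are cached in the authentication manager, thus we need
     // to manually update them.
     if ($target_operator['operatorid'] == $operator['operatorid']) {
         // Check if the admin has set his password for the first time.
         $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
             && $password !== '';

         // Update operator's fields.
         $this->getAuthenticationManager()->setOperator($target_operator);

         // Redirect the admin to the home page if needed.
         if ($to_dashboard) {
             return $this->redirect($this->generateUrl('home_operator'));
         }
     }

     // Redirect the operator to edit page again to use GET method instead of
     // POST.
     $redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));

     return $this->redirect($redirect_to);
 }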