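/**
 * Gets the specified fields from the misc table for one user
 *
 * @param array|mixed $fields - fields to get; anything that is not an array gets the whole row
 * @param string $errorString - error to generate on failure
 * @param string $id - optional user id, an empty string (or null) means the current user
 * @return object - the row returned by the db layer
 */
protected function getMisc($fields, $errorString, $id = "")
{
    // Build the lookup key explicitly rather than relying on an undefined
    // $where being auto-vivified into an array.
    $where = array();
    // Strict comparison so a legitimate id of "0" is never mistaken for "no id".
    // NOTE(review): this reads $this->id while the constructor populates
    // $this->userId — confirm the class really defines an $id property.
    if ($id === "" || $id === null) {
        $where["UserId"] = $this->id;
    } else {
        $where["UserId"] = $id;
    }
    // is_array (lower case) is the canonical spelling; PHP function names are
    // case-insensitive so this does not change what is called.
    if (is_array($fields)) {
        return $this->db->getf($this->cfg->userMiscTable, $fields, $where, $errorString);
    }
    return $this->db->get($this->cfg->userMiscTable, $where, $errorString);
}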
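/**
 * Constructor
 *
 * Starts the db-backed PHP session, loads the session row and (if it carries a
 * user id) the matching user row, then runs the per-page access checks:
 * required user flags, access level, optional IP pinning and the session
 * random. Any failure is handed to userFaultHandling().
 *
 * @param string $pageAccessLevel - users allowed to access the page
 * @param bool $pageCheckEquals - if true only this user type can access this page
 * @param bool $doHistory - do history for this page
 * @param ProtectConfig|false $config - Protected session configuration options, false builds a default one
 */
public function __construct($pageAccessLevel = "", $pageCheckEquals = false, $doHistory = true, $config = false)
{
    global $loginContent;
    if ($config === false) {
        $this->config = new \w34u\ssp\ProtectConfig();
    } else {
        $this->config = $config;
    }
    $this->cfg = Configuration::getConfiguration();
    $this->db = SspDb::getConnection();

    // set up db session handling
    $handler = new SessionHandler();
    session_set_save_handler(
        array($handler, 'open'),
        array($handler, 'close'),
        array($handler, 'read'),
        array($handler, 'write'),
        array($handler, 'destroy'),
        array($handler, 'gc')
    );
    // the following prevents unexpected effects when using objects as save handlers
    register_shutdown_function("session_write_close");
    session_start();
    $this->setupLanguage();
    $this->maintenanceMode();

    // turn off sql cacheing if it is set, but preserve the status to turn it back on after
    // (the session and user rows below must never come from a stale cache)
    if ($this->db->cache) {
        $queryResultCacheing = true;
        $this->db->cache = false;
    } else {
        $queryResultCacheing = false;
    }
    $pageAccessLevel = $this->checkParameters($pageAccessLevel, $pageCheckEquals);
    if (isset($loginContent)) {
        $_SESSION["SSP_LoginPageAddtionalContent"] = $loginContent;
    }

    // check https:// site, and if fail divert to correct url
    // (SSP_Divert is assumed not to return — TODO confirm)
    if ($this->cfg->useSSL or $this->config->forceSSLPath) {
        if (!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] == "off") {
            // script not called using https
            SSP_Divert(SSP_Path(true, true));
        }
    }
    $this->country = "";

    // do any external routines before history is called
    $this->autoLogin();
    if ($doHistory) {
        $this->pageHistory();
    }

    // get all session information for valid sessions; session id and name are
    // bound as query parameters, never interpolated
    $query = sprintf("select * from %s where %s = ? 
and %s = ?", $this->cfg->sessionTable, $this->db->qt("SessionId"), $this->db->qt("SessionName"));
    $values = array(session_id(), session_name());
    $this->db->query($query, $values, "SSP session handling: Get session information");
    if ($this->db->numRows() > 0) {
        // get result if existing session
        $sessionInfo = $this->db->fetchRow();
        $newSession = false;
    } else {
        $newSession = true;
        $this->log("New session started");
    }

    // process user information if logged in.
    $userFault = false;
    $needHigherLogin = false;
    $userInfo = null;
    if (!$newSession and trim($sessionInfo->UserId) != "") {
        $where = array("UserId" => $sessionInfo->UserId);
        $userInfo = $this->db->get($this->cfg->userTable, $where, "SSP Session: getting login data");
        if ($this->db->numRows()) {
            // user found
            // check for login expiry: the session row's timestamp plus the
            // configured expiry window must still be in the future
            if ($sessionInfo->SessionTime + $this->cfg->loginExpiry > time()) {
                $this->loggedIn = true;
                $this->userId = $userInfo->UserId;
                $this->userName = $userInfo->UserName;
                $this->userAccessLevel = $userInfo->UserAccess;
                if ($this->cfg->userLevels[$this->userAccessLevel] >= $this->cfg->adminLevel) {
                    // admin user
                    $this->admin = true;
                }
                $this->userEmail = SSP_decrypt($userInfo->UserEmail);
                if (isset($userInfo->country) and trim($userInfo->country) != "") {
                    $this->country = $userInfo->country;
                }
            } else {
                // expired: detach the user from the session row so a later
                // request does not pick the stale login up again
                $this->log("Login expired");
                $this->loggedIn = false;
                $this->db->update(
                    $this->cfg->sessionTable,
                    array('UserId' => ''),
                    array('SessionId' => session_id(), 'SessionName' => session_name()),
                    'SSP Session: clearing user id from expired login'
                );
            }
        } else {
            // session references a user id that no longer exists
            $this->log("User not found from ID");
            $userFault = true;
        }
    }

    $pageAccess = $this->cfg->userLevels[$pageAccessLevel];
    if ($this->loggedIn) {
        // do security checking for user if logged in
        // validate flags: every configured flag must hold its required value
        $flagsValid = true;
        foreach ($this->cfg->validUserFlags as $flagName => $validFlagValue) {
            if ($userInfo->{$flagName} != $validFlagValue) {
                $flagsValid = false;
                $this->log("Invalid user flag " . $flagName . " value required: " . $validFlagValue . " actual: " . $userInfo->{$flagName});
                break;
            }
        }
        if (!$flagsValid) {
            $userFault = true;
        } elseif ($this->cfg->userLevels[$userInfo->UserAccess] < $pageAccess) {
            // user does not have a high enough access level
            $userFault = true;
            $needHigherLogin = true; // flag higher login needed
            $this->log("User Access level not high enough Level: " . $userInfo->UserAccess . " " . $this->cfg->userLevels[$userInfo->UserAccess] . " Page " . $pageAccess);
        } elseif ($pageCheckEquals and $this->cfg->userLevels[$userInfo->UserAccess] != $pageAccess) {
            // user does not have the correct user access level
            $userFault = true;
            $needHigherLogin = true; // flag different login needed
            $this->log("User Access level not equal to the page's level");
        } elseif ($this->cfg->checkIpAddress and SSP_trimIp($sessionInfo->SessionIp) !== SSP_trimIp($_SERVER["REMOTE_ADDR"])) {
            // users IP address has changed since the session was created
            $userFault = true;
            $this->log("User IP address changed " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
        } elseif (($this->cfg->fixedIpAddress or $userInfo->UserIpCheck) and SSP_paddIp($sessionInfo->SessionUserIp) !== SSP_paddIp($_SERVER["REMOTE_ADDR"])) {
            // user is at incorrect IP address (site-wide or per-user pinning)
            $userFault = true;
            $this->log("User IP address incorrect, UserIP: " . SSP_paddIp($sessionInfo->SessionUserIp) . " Remote IP: " . SSP_paddIp($_RESERVER_PLACEHOLDER_NEVER_USED ?? $_SERVER["REMOTE_ADDR"]));
        }
        // The session random check is combined with the faults found above
        // rather than replacing them: a plain assignment here would let a user
        // with bad flags, too low an access level or a mismatched IP through
        // whenever the random check alone passed. chackRandom() is called
        // unconditionally so any side effect it has still happens; it is taken
        // to return true on failure, as the original assignment implied.
        $userFault = $this->chackRandom($sessionInfo) || $userFault;
    } else {
        $this->log("User not logged in");
    }

    // handle user faults
    $this->userFaultHandling($pageAccess, $userFault, $needHigherLogin, $queryResultCacheing);
    // final setup of page
    $this->finalSetup($userInfo);
    // restore query cacheing mode
    $this->db->cache = $queryResultCacheing;
}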