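/**
 * Authenticate the current request.
 *
 * Steps, in order:
 *  1. tear down a 'guest' session when guests are disabled in config;
 *  2. password recovery 1/2 - mail a one-time link (POST emaildata, GET recover_password);
 *  3. password recovery 2/2 - consume the one-time link (GET otp);
 *  4. when no session user exists or GET login is set: handle the posted login form,
 *     else auto-login the 'guest' account when allowed, else render the login page.
 *
 * Steps 2, 3 and the guest auto-login end with a Location header and die; the login
 * page render ends with exit. The method only returns when a session username already
 * exists and neither a login nor a recovery action was requested.
 *
 * Reads $_SESSION, $_GET and $_POST; writes $_SESSION, sends headers and output.
 *
 * @return void
 * @throws \Exception when random_bytes() has no secure randomness source
 */
public function authenticate()
{
    $errors = null;

    // Config is read once; `== false` / `== true` in the old code are plain truthiness checks.
    $allowGuests = (bool) gatorconf::get('allow_guests');
    $recoveryEnabled = (bool) gatorconf::get('enable_password_recovery');
    $baseUrl = gatorconf::get('base_url');

    // Drop a lingering guest session once guests are disabled.
    if (!$allowGuests
        && isset($_SESSION['simple_auth']['username'])
        && $_SESSION['simple_auth']['username'] === 'guest') {
        session_destroy();
        session_start();
    }

    // Password recovery 1/2 - mail a one-time link.
    if ($recoveryEnabled
        && !empty($_GET['recover_password'])
        && !empty($_POST['emaildata'])
        && is_string($_POST['emaildata'])) {
        $email = filter_var(rawurldecode($_POST['emaildata']), FILTER_SANITIZE_EMAIL);
        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $user = gator::getUser($email, 'email');
            if ($user) {
                // 160 bits from the CSPRNG. The previous sha1(mt_rand() . time()) token was
                // derivable from the request time and mt_rand's small range. Same shape
                // (40 lowercase hex chars), so the [a-z0-9-] filter in step 2/2 still matches.
                $generatedKey = 'otp-' . bin2hex(random_bytes(20));
                gator::updateUser($user['username'], array('akey' => $generatedKey));
                $this->sendEmail(
                    $email,
                    gatorconf::get('account_email_subject'),
                    gatorconf::get('account_email_text') . "\n\n" . $baseUrl . '/?otp=' . $generatedKey
                );
            }
        }
        // Same response whether or not the address is known: no account enumeration here.
        header('Location: ' . $baseUrl);
        die;
    }

    // Password recovery 2/2 - consume the one-time link.
    if ($recoveryEnabled && !empty($_GET['otp']) && is_string($_GET['otp'])) {
        $otp = strtolower(preg_replace("/[^a-z0-9\\-]+/i", "-", $_GET['otp']));
        $user = gator::getUser($otp, 'akey');
        if ($user) {
            // Single use: clear the key before the session is created.
            gator::updateUser($user['username'], array('akey' => ''));
            $_SESSION['directlinkenter'] = 'passwordrecovery';
            $this->loginUser($user);
        }
        // Fixed delay on hit and miss alike, so the response time does not reveal a valid key.
        sleep(2);
        header('Location: ' . $baseUrl);
        die;
    }

    if (!isset($_SESSION['simple_auth']['username']) || isset($_GET['login'])) {
        session_destroy();
        session_start();

        if (isset($_POST['submit'])) {
            $username = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
            $password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
            $user = gator::getUser($username);

            // The three checks below intentionally overwrite $errors in order of increasing
            // specificity; every applicable reason is still written to the log.
            if ($user && (
                (isset($user['permissions']) && strpos($user['permissions'], 'r') === false)
                || ($user['username'] === 'guest' && !$allowGuests)
            )) {
                $errors = lang::get("Access Forbidden");
                gator::writeLog('auth bad - not activated');
            }
            if ($username === '' || $password === '') {
                $errors = lang::get("Enter username and password.");
                gator::writeLog('auth bad - blank fields');
            }
            // An akey that is not an 'otp-' recovery key means the account is still awaiting activation.
            if ($user && isset($user['akey']) && $user['akey'] !== '' && strpos($user['akey'], 'otp-') === false) {
                $errors = lang::get("Please open your email and click on the link to proceed.");
                gator::writeLog('auth bad - not activated');
            }

            if (!$errors) {
                // Strict comparison: the old `==` treated numeric-looking usernames such as
                // '1e1' and '10' as equal. The lookup may be case-insensitive; this re-check is not.
                if ($user && $user['username'] === $username && gator::checkPassword($password, $user['password'])) {
                    $this->loginUser($user);
                } else {
                    // NOTE(review): the old code set this error unconditionally after loginUser(),
                    // which only works if loginUser() redirects and exits - confirm it does.
                    $errors = lang::get("Wrong username or password.");
                    gator::writeLog('auth bad - wrong username or password');
                    sleep(1);
                }
            }
        }

        // No explicit login requested and guests allowed: log in as guest and reload.
        if (!isset($_GET['login']) && $allowGuests) {
            $user = gator::getUser('guest');
            if ($user) {
                $this->loginUser($user);
            }
            header('Location: ' . $baseUrl);
            die;
        }

        gator::display("header.php");
        gator::display("login.php", array('errors' => $errors));
        gator::display("footer.php");
        exit;
    }
}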