/**
 * Builds the status banner shown at the top of a user's page.
 *
 * Only banned and deleted accounts produce output; any other status yields
 * an empty string. The free-form status text is HTML-escaped before it is
 * embedded (wrapped in <em>, newlines turned into <br>).
 *
 * @param Website $website Used for translations and URL generation.
 * @return string HTML fragment, or '' when there is nothing to show.
 */
public function get_status_html(Website $website)
{
    $status = $this->user->getStatus();

    if ($status == Authentication::STATUS_BANNED) {
        $messageKey = "users.status.banned.this_account";
    } elseif ($status == Authentication::STATUS_DELETED) {
        $messageKey = "users.status.deleted.this_account";
    } else {
        // Nothing to report for accounts that are neither banned nor deleted
        return '';
    }

    // The reason text lands inside an HTML element, so escape it first
    $reason = $this->user->getStatusText();
    if ($reason) {
        $reason = '<em>' . nl2br(htmlSpecialChars($reason)) . '</em>';
    }

    // NOTE(review): tReplaced()/t() are assumed to return markup-safe output
    // and to pass the pre-escaped $reason through untouched — confirm they
    // do not double-encode it.
    $message = $website->tReplaced($messageKey, $reason);
    $hiddenNotice = $website->t("users.user_page_hidden");
    $editUrl = $website->getUrlPage("edit_account_status", $this->user->getId());
    $editLabel = $website->t("main.edit");

    // The edit link is rendered unconditionally: only moderators and up can
    // reach the account page of a banned or deleted user in the first place.
    return <<<EOT
<div class="error">
    {$message}.
    {$hiddenNotice}
    <a class="arrow" href="{$editUrl}">
        {$editLabel}
    </a>
</div>
EOT;
}
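/**
 * Verifies a login attempt for the given user.
 *
 * Compares the supplied plaintext password against the stored hash. Legacy
 * md5(sha1()) hashes are still accepted and are upgraded to the modern scheme
 * on a successful match. Once the password is confirmed the account status is
 * applied: deleted accounts are treated as nonexistent, banned accounts are
 * rejected with an error message. A weak password produces a warning but does
 * not block the login. Finally the last-login timestamp (and any upgraded
 * hash) is persisted through the user repository.
 *
 * Both hash comparisons use constant-time, strict comparison: the original
 * `==` on the legacy md5 hex digest was vulnerable to PHP's numeric-string
 * coercion (two digests of the form "0e<digits>" compare equal), and the
 * `===` on the crypt() result leaked timing information.
 *
 * @param User   $user              The user whose credentials are checked.
 * @param string $password_unhashed The password as entered by the user.
 * @return bool True when the password matches and the account may log in.
 */
protected function loginCheck(User $user, $password_unhashed)
{
    if (!$this->userRepo) {
        // Without a repository the login cannot be recorded, so refuse it
        return false;
    }

    $password_unhashed = (string) $password_unhashed;
    $password_hashed = (string) $user->getPasswordHashed();
    $loggedIn = false;

    if (strlen($password_hashed) === 32 && $password_hashed[0] !== '$') {
        // Legacy md5(sha1($pass)) hash. hash_equals() is both constant-time
        // and strict, avoiding the "0e..." magic-hash pitfall of `==`.
        if (hash_equals($password_hashed, md5(sha1($password_unhashed)))) {
            // Upgrade to the modern scheme; saved below together with the login date
            $user->setPassword($password_unhashed);
            $loggedIn = true;
        }
    }

    if (!$loggedIn) {
        // Modern crypt()-format hash. password_verify() accepts every crypt()
        // format, rejects the "*0"/"*1" failure sentinels and compares in
        // constant time.
        $loggedIn = password_verify($password_unhashed, $password_hashed);
    }

    if (!$loggedIn) {
        return false;
    }

    $status = $user->getStatus();

    if ($status == Authentication::STATUS_DELETED) {
        // A deleted account behaves exactly like a wrong password
        return false;
    }

    if ($status == Authentication::STATUS_BANNED) {
        $text = $this->website->getText();
        $text->addError($text->tReplaced("users.status.banned.your_account", $user->getStatusText()));
        return false;
    }

    if ($user->isWeakPassword($password_unhashed)) {
        // Warn but do not block: the user can still log in and change it
        $text = $this->website->getText();
        $text->addError(
            $text->t("users.your_password_is_insecure"),
            Link::of($text->getUrlPage("edit_password"), $text->t("users.password.edit"))
        );
    }

    // Record the successful login; this also persists an upgraded hash from above
    $user->setLastLogin(new DateTime());
    $this->userRepo->save($user);

    return true;
}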