/**
 * Create a new user (admin-side user creation form).
 *
 * Builds the creation form and, on a valid submission that passes
 * userCreateCheck(), inserts the login record into the user table and the
 * name record into the misc table. The admin can either set a password here
 * or tick "askUser", in which case userJoinEmail() is sent so the user sets
 * their own.
 *
 * @return string|bool - the rendered form (string) while the form is being
 *                       displayed or has validation errors, true once the
 *                       user has been created
 */
public function userCreate()
{
    $form = new sfc\Form(SSP_Path(), $this->cfg->userTable, "userCreate");
    $form->errorAutoFormDisplay = false;
    $form->addPlaceholder = $this->addPlaceholder;
    $form->tpl = $this->tpl(array("title" => "New user"), true);
    if ($this->subTpl != "") {
        $form->tplf = $this->subTpl;
    } else {
        $form->tplf = "usercreation.tpl";
    }
    // Name fields are sql=false: they are written to the misc table below,
    // not to the user table the form is bound to.
    $form->fe("text", "FirstName", "First name");
    $form->fep("width=30,required=true, sql=false");
    $form->fe("text", "FamilyName", "Family name");
    $form->fep("width=30,required=true, sql=false");
    $form->fe("text", "email", "Email");
    $form->fep("width=30,required=true, dataType=email, dbField=UserEmail");
    if ($this->cfg->loginType == 1 or $this->cfg->getUserName) {
        $form->fe("text", "name", "User name");
        $form->fep("width=15,required=true,dataType=password, dbField=UserName");
    }
    $form->fe("check", "askUser", "Ask user for password (don't have to enter one)", array(0, 1));
    $form->fep('sql=false');
    // NOTE(review): "password" is bound to UserPassword via dbField but is only
    // passed through cryptPassword() below when askUser == 0; confirm the form
    // layer leaves the field empty when askUser is set, otherwise whatever was
    // typed would be saved without hashing.
    $form->fe("password", "password", "Password");
    $form->fep("width=15, dataType=password, dbField=UserPassword");
    $form->fe("password", "password2", "Enter password again");
    $form->fep("width=15,sql=false,dataType=password");
    if ($this->cfg->fixedIpAddress) {
        $form->fe("text", "ip", "IP address");
        $form->fep("width=35,dataType=real, dbField=UserIp");
    }
    // allow flags to be set by admin
    $form->fe("select", "UserAccess", "User Access rights", $this->cfg->userAccessTypeDropdown);
    $form->fep("dataType=password");
    $checkData = array("0", "1");
    $fep = "dataType=bin";
    $form->fe("check", "UserDisabled", "User Disabled", $checkData);
    $form->fep($fep);
    $form->fe("check", "UserPending", "User Pending program enable", $checkData);
    $form->fep($fep);
    $form->fe("check", "UserAdminPending", "User waiting admin vetting", $checkData);
    $form->fep($fep);
    $form->fe("check", "CreationFinished", "User creation finished", $checkData);
    $form->fep($fep . ",deflt=true");
    $form->fe("check", "UserWaiting", "Waiting for user to act on email", $checkData);
    $form->fep($fep);
    $form->fe("submit", "submit", "Create user");
    // Check for form submission
    $result = '';
    if ($form->processForm($_POST)) {
        if (!$form->error) {
            // email is normalised to lower case before the duplicate check
            $form->setField("email", strtolower($form->getField("email")));
            if ($this->userCreateCheck($form)) {
                // userCreateCheck() found a problem (presumably sets errors on the form) - redisplay
                $result = $form->create(true);
            } else {
                // create user
                // user ID
                $userId = SSP_uniqueId();
                $add["UserId"] = $userId;
                $add["UserDateCreated"] = time();
                if ($form->getField('askUser') == 0) {
                    // admin supplied the password - store only the hashed form
                    $form->setField("password", $this->session->cryptPassword($form->getField("password")));
                }
                $form->alsoAdd = $add;
                // querySave() is called for its side effect (presumably fills
                // $form->saveFields - confirm); its return value is not used
                $query = $form->querySave();
                $this->db->insert($this->cfg->userTable, $form->saveFields, "SSP Admin User Creation: Creating new user ");
                $data = array('UserId' => $userId, 'FirstName' => $form->getField('FirstName'), 'FamilyName' => $form->getField('FamilyName'));
                $this->db->insert($this->cfg->userMiscTable, $data, "SSP Admin User Creation: Creating new user misc data");
                if ($form->getField('askUser') != 0) {
                    // send email if new user entering password
                    $this->userJoinEmail($userId);
                }
                $result = true;
            }
        } else {
            // validation errors - redisplay with error output
            $result = $form->create(true);
        }
    } else {
        // first display
        $result = $form->create();
    }
    return $result;
}
/**
 * Set up an automatic login from a remote (API) caller.
 *
 * Expects $this->data to carry userName, sessionId, accessLevel and userIp
 * (accessLevel must be present but is not consumed here). The user name is
 * vetted through the session object's validRemoteUser(); the other values
 * are taken as supplied, so the API transport is assumed to have
 * authenticated the caller already - confirm against the API entry point.
 *
 * Every path answers the caller through acknowledgeReply() or errorReply();
 * on success $this->data is replaced by array("loginToken" => ...).
 */
function loginSetup()
{
    $haveAllFields = isset($this->data["userName"])
        && isset($this->data["sessionId"])
        && isset($this->data["accessLevel"])
        && isset($this->data["userIp"]);
    if (!$haveAllFields) {
        $this->errorReply("Invalid data supplied for remote login");
        return;
    }
    if (!is_object($this->session) || !method_exists($this->session, "validRemoteUser")) {
        $this->errorReply("Not an SSP system or has no validRemoteUser function");
        return;
    }
    if (!$this->session->validRemoteUser($this->data["userName"])) {
        $this->errorReply("Invalid remote user");
        return;
    }
    // Reuse an existing record for this remote session / user / ip / local session combination
    $match = array(
        "remoteSession" => $this->data["sessionId"],
        "userName" => $this->data["userName"],
        "userIp" => $this->data["userIp"],
        "localSession" => $this->session->sessionToken,
    );
    $existing = $this->db->get($this->sessionStatusTable, $match, "API Interface: Checking for current remote login record");
    if ($existing) {
        $loginToken = $existing->id;
    } else {
        // no record yet: mint a token and store the binding
        $loginToken = SSP_uniqueId();
        $record = array(
            "id" => $loginToken,
            "remoteSession" => $this->data["sessionId"],
            "userName" => $this->data["userName"],
            "localSession" => $this->session->sessionToken,
            "userIp" => $this->data["userIp"],
        );
        $this->db->insert($this->sessionStatusTable, $record, "API Interface: Inserting new remote login record");
    }
    $this->data = array("loginToken" => $loginToken);
    $this->acknowledgeReply();
}
/**
 * User join-up (self-registration) form.
 *
 * Builds the sign-up form; on a valid submission that passes
 * userCreateCheck() it creates the login record in the user table and the
 * name record in the misc table, runs userFinish() and returns the welcome
 * screen.
 *
 * @return string - the rendered form, or the welcome screen after a
 *                  successful join
 */
public function userJoin()
{
    // A password is collected up front only for confirmType 0 and 3; for the
    // other types UserPassword is not set here (presumably set later in the
    // confirmation flow - confirm against userFinish()).
    if ($this->cfg->confirmType == 0 or $this->cfg->confirmType == 3) {
        $needPassword = true;
    } else {
        $needPassword = false;
    }
    $form = new sfc\Form(SSP_Path(), $this->cfg->userTable, "userJoin");
    $form->tpl = $this->tpl(array("title" => "Join SSP"), true);
    $form->errorAutoFormDisplay = false;
    if ($this->subTpl != "") {
        $form->tplf = $this->subTpl;
    } else {
        $form->tplf = "userJoin.tpl";
    }
    $form->fe("text", "firstName", "First name");
    $form->fep("width=30, required=true");
    $form->fe("text", "lastName", "Last name");
    $form->fep("width=30, required=true");
    $form->fe("text", "email", "Your email");
    $form->fep("width=30,required=true, dataType=email");
    if ($this->cfg->loginType == 1 or $this->cfg->getUserName) {
        $form->fe("text", "name", "User name");
        $form->fep("width=15,required=true,dataType=password");
    }
    if ($needPassword) {
        // minimum length comes from configuration
        $form->fe("password", "password", "Your password");
        $form->fep("width=15, required=true, dataType=password, minChar=" . $this->cfg->minPassword);
        $form->fe("password", "password2", "Enter password again");
        $form->fep("width=15,sql=false,dataType=password,required=true");
    }
    if ($this->cfg->userHasSignUpOptions) {
        // user has a set of options to sign up
        $form->fe("select", "signUpLevel", "Type of membership", $this->cfg->userAccessSignUpDropdown);
        $form->fep("dataType=int, sql=false");
    }
    $form->tda("loginPath", $this->cfg->logonScript);
    if ($form->processForm($_POST)) {
        if (!$form->error) {
            // email is normalised to lower case before the duplicate check
            $form->setField("email", strtolower($form->getField("email")));
            if ($this->userCreateCheck($form)) {
                // userCreateCheck() found a problem - redisplay with errors
                return $form->create(true);
            } else {
                // Login record is assembled by hand here rather than from the
                // form's save fields, so only the keys listed below reach the DB.
                $loginData = array();
                $userId = SSP_uniqueId();
                $loginData["UserId"] = $userId;
                $loginData["UserEmail"] = $form->getField("email");
                if ($needPassword) {
                    // only the hashed form of the password is stored
                    $loginData["UserPassword"] = $this->session->cryptPassword($form->getField("password"));
                }
                if ($this->cfg->userHasSignUpOptions) {
                    // The submitted signUpLevel is only a key into the configured
                    // map; it never becomes the access value itself, and an
                    // unknown key falls back to the default access level.
                    if (isset($this->cfg->userAccessSignUpLevels[$form->getField("signUpLevel")])) {
                        $loginData["UserAccess"] = $this->cfg->userAccessSignUpLevels[$form->getField("signUpLevel")];
                    } else {
                        $loginData["UserAccess"] = $this->cfg->userDefault;
                    }
                } else {
                    $loginData["UserAccess"] = $this->cfg->userDefault;
                }
                // pending/waiting flags according to configuration
                if ($this->cfg->adminCheck) {
                    $loginData["UserAdminPending"] = 1;
                }
                if ($this->cfg->confirmType != 0) {
                    $loginData["UserWaiting"] = 1;
                }
                if ($this->cfg->furtherProgram) {
                    $loginData["UserPending"] = 1;
                }
                // create login record
                $this->db->insert($this->cfg->userTable, $loginData, "Inserting new member login data");
                $miscData = array();
                $miscData["UserId"] = $userId;
                $miscData["FirstName"] = $form->getField("firstName");
                $miscData["FamilyName"] = $form->getField("lastName");
                $this->db->insert($this->cfg->userMiscTable, $miscData, "Inserting new member misc data");
                $this->id = $userId;
                $this->userFinish($userId);
                return $this->welcomeScreen();
            }
        } else {
            // validation errors - redisplay with error output
            return $form->create(true);
        }
    } else {
        // first display
        return $form->create();
    }
}
/**
 * Check user account is valid for login and sets up session and remember me
 * cookie if requested
 *
 * Check order: external userLoginCheck(), configured user flags, fixed IP
 * list (if enabled for the system or the user), multiple-login check. Only
 * when all pass is the current session row bound to the user, the login
 * times updated and the session id regenerated. On any failure $this->error
 * is set, the response is delayed by cfg->logonFailDelay and false returned.
 *
 * @param object $userInfo - user login information returned by the db
 * @return string/bool - user's id on success else false
 */
private function logonCheck($userInfo)
{
    $loginOk = false;
    // if external login check ok do the rest
    if ($this->userLoginCheck($userInfo)) {
        // do final checks on the user and set up session info
        $userOk = true;
        // check user flags
        foreach ($this->cfg->validUserFlags as $flagName => $validFlagValue) {
            if ($userInfo->{$flagName} != $validFlagValue) {
                $userOk = false;
                $this->errorDesc = "Invalid user flag " . $flagName . " value required: " . $validFlagValue . " actual: " . $userInfo->{$flagName};
                break;
            }
        }
        // Note: this block is not guarded by $userOk, so it still runs after a
        // flag failure and may overwrite errorDesc with the IP message.
        if ($this->cfg->fixedIpAddress or $userInfo->UserIpCheck) {
            // check user IP
            // NOTE(review): REMOTE_ADDR is used directly; behind a reverse proxy
            // this is the proxy's address - confirm the deployment.
            $allowedIpAddreses = explode(',', $userInfo->UserIp);
            $foundAddress = false;
            foreach ($allowedIpAddreses as $ipAddress) {
                if (strcasecmp(SSP_paddIp($_SERVER["REMOTE_ADDR"]), SSP_paddIp($ipAddress)) === 0) {
                    // Fixed ip correct
                    // set User ip for update into the session table
                    $querySet["SessionUserIp"] = $userInfo->UserIp;
                    $foundAddress = true;
                    break;
                }
            }
            if (!$foundAddress) {
                $this->errorDesc = "Current ip address {$_SERVER["REMOTE_ADDR"]} not in users list";
                $userOk = false;
            }
        }
        // check user is not already logged in
        if ($userOk and !$this->cfg->allowMultipleLogin) {
            $where = array("UserId" => $userInfo->UserId);
            if ($this->db->get($this->cfg->sessionTable, $where, "SSP Logon: Checking for multiple logins")) {
                // user already logged in
                $this->errorDesc = "User already logged in";
                $userOk = false;
            }
        }
        // do final set up if everything has worked ok
        if ($userOk) {
            $loginOk = true;
            // $querySet accumulates the columns written to the session row below
            $querySet["UserId"] = $userInfo->UserId;
            if ($this->cfg->checkIpAddress) {
                // set up IP address for this session
                $querySet["SessionIp"] = $_SERVER["REMOTE_ADDR"];
            }
            if ($this->cfg->randomCheck) {
                // set up random check cookie and entry
                // NOTE(review): mt_rand() is not a cryptographic generator and the
                // range is only 0..100000; since this value is used as a session
                // binding check, random_int()/random_bytes() would be the stronger
                // choice where the PHP version allows.
                $randomCookie = mt_rand(0, 100000);
                // NOTE(review): setcookie() is called without the httponly flag;
                // confirm nothing client-side needs to read these cookies.
                setcookie($this->cfg->randomCookie, $randomCookie, 0, $this->cfg->cookiePath, $this->cfg->cookieDomain, $this->cfg->useSSL);
                $querySet["SessionRandom"] = $randomCookie;
            }
            if ($this->rememberMe and !$this->rememberMeLogin and $this->rememberMeSave) {
                // create remember me cookie if the user was not produced by a
                // remember-me login and the box was ticked. The cookie carries
                // only the random id; the user id stays server-side in
                // tableRememberMe together with the expiry.
                $idSet = SSP_uniqueId();
                $userIdSet = $userInfo->UserId;
                $timeSet = time() + $this->cfg->loginRememberMePeriod * 24 * 3600;
                $rememberMeSet = array("id" => $idSet, "user_id" => $userIdSet, "date_expires" => $timeSet);
                $this->db->insert($this->cfg->tableRememberMe, $rememberMeSet, "SSP Logon: creating remember me entry");
                setcookie($this->cfg->loginRememberMeCookie, $idSet, $timeSet, "/", $this->cfg->cookieDomain, $this->cfg->useSSL);
            }
            // update session table
            $where = array("SessionId" => session_id());
            $this->db->update($this->cfg->sessionTable, $querySet, $where, "SSP Logon: Set up user session after succesful login");
            // update login times
            $oldLoginTime = $userInfo->UserDateLogon;
            $currentLogonTime = time();
            $fields = array("UserDateLogon" => $currentLogonTime, "UserDateLastLogon" => $oldLoginTime);
            $where = array("UserId" => $userInfo->UserId);
            $this->db->update($this->cfg->userTable, $fields, $where, "SSP session handling: Update login times");
        }
    }
    if ($loginOk) {
        // change the current session ID to prevent session fixation attacks.
        // The session row written above is keyed on the old id, so it is
        // re-keyed to the new id here.
        $oldSessionId = session_id();
        session_regenerate_id();
        $fields = array("SessionId" => session_id());
        $where = array("SessionId" => $oldSessionId);
        $this->db->update($this->cfg->sessionTable, $fields, $where, "SSP session handling: updating new session record after session regen");
        return $userInfo->UserId;
    } else {
        // failed login: flag the error and delay the response by the configured period
        $this->error = true;
        sleep($this->cfg->logonFailDelay);
        return false;
    }
}