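/**
 * Authenticate a user by e-mail + password and open a session for them.
 *
 * The account is looked up by official OR alternative e-mail. For each
 * matching row the salted-MD5 of the submitted password is compared with the
 * stored hash, or the unsalted MD5 is compared with the configured "generic"
 * teacher-interface password. A row whose credentials match must also be
 * validated (official e-mail used and validated, or account validated)
 * before userID/isAdmin/userType are written to the session and the user is
 * echoed as JSON. Every failure path echoes a JSON {"success": false} document.
 *
 * @param PDO    $db       open database handle
 * @param string $email    e-mail typed by the user (matched against both columns)
 * @param string $password clear-text password typed by the user
 *
 * Security notes:
 *  - Hashes are compared with hash_equals() (PHP >= 5.6): constant time and
 *    strict string equality. The previous `==` on the generic password was a
 *    loose comparison, so two different hex digests of the form "0e<digits>"
 *    compared equal under PHP's numeric-string rules.
 *  - The generic password (config teacherInterface.genericPasswordMd5) opens
 *    ANY account that matches the e-mail, admins included. It is a shared
 *    secret / backdoor by design — NOTE(review): confirm it is still wanted,
 *    and consider excluding isAdmin rows from it.
 *  - Salted MD5 is weak; moving to password_hash()/password_verify() needs a
 *    schema + helper change outside this function (computePasswordMD5 is
 *    defined elsewhere in the project).
 *  - restartSession() is expected to regenerate the session id so a
 *    pre-login session cannot be fixated — confirm in its definition.
 *  - The "identifiants valides mais ... non validée" message confirms to the
 *    caller that the password was right for an unvalidated account; this is
 *    an intentional UX trade-off and is kept.
 */
function login($db, $email, $password)
{
    global $config;

    restartSession();

    $stmt = $db->prepare(
        "SELECT * FROM `user` WHERE (`officialEmail` = ? OR `alternativeEmail` = ?)"
    );
    $stmt->execute(array($email, $email));

    // The generic-password check does not depend on the row: compute it once.
    $configuredGenericMd5 = isset($config->teacherInterface->genericPasswordMd5)
        ? (string) $config->teacherInterface->genericPasswordMd5
        : "";
    $genericMd5 = (string) computePasswordMD5($password, "");
    $genericMatches = $configuredGenericMd5 !== ""
        && hash_equals($configuredGenericMd5, $genericMd5);

    while ($row = $stmt->fetchObject()) {
        $storedMd5 = (string) $row->passwordMd5;
        $candidateMd5 = (string) computePasswordMD5($password, $row->salt);

        // Constant-time, strict comparison; a row with no stored hash never matches.
        $ownPasswordMatches = $storedMd5 !== "" && hash_equals($storedMd5, $candidateMd5);

        if (!$ownPasswordMatches && !$genericMatches) {
            continue;
        }

        // Credentials are good; the account must also be validated. Parentheses
        // make the intended "&& before ||" grouping explicit.
        $accountUsable = ($row->officialEmail === $email && $row->officialEmailValidated === "1")
            || $row->validated === "1";

        if (!$accountUsable) {
            $message = "<p>Vos identifiants sont valides mais votre adresse email académique n'a pas encore été validée. Vous avez dû recevoir un mail après votre inscription avec un lien de validation, vérifiez éventuellement dans les courriers indésirables de votre boîte mail. Si vous n'avez rien reçu, ou si vous n'avez pas d'adresse académique qui fonctionne, contactez nous : " . $config->email->sInfoAddress . "</p>";
            echo json_encode(array("success" => false, "message" => $message));
            return;
        }

        saveLoginDate($db, $row->ID);
        $_SESSION["userID"] = $row->ID;
        $_SESSION["isAdmin"] = $row->isAdmin;
        $_SESSION["userType"] = $row->isAdmin ? "admin" : "user";
        echo jsonUser($db, $row);
        return;
    }

    // No row matched the e-mail, or none of the matching rows accepted the password.
    echo json_encode(array("success" => false));
}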
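// Password-recovery endpoint (flat script; $db is opened by the including file).
//
// Actions, all read from $_REQUEST (GET, POST or cookie depending on
// request_order — the "recover" link arrives by GET from the e-mail, the
// other two are sent by admin.js):
//   sendMail       - e-mail a recovery link to $email (recoverSendMail)
//   recover        - render the "new password" form when the recoverCode matches
//   changePassword - store the new password when the recoverCode matches, then
//                    clear the code so the link is single-use
//
// Security notes:
//  - The recoverCode is compared with hash_equals() after rejecting empty
//    codes. The previous `!=` was a loose comparison: a request with an
//    empty or missing recoverCode against a row whose stored code is NULL or
//    "" (no reset ever requested) compared equal, so anyone who knew an
//    e-mail address could set that account's password. NOTE(review): confirm
//    whether the recoverCode column can be NULL/empty; the stricter check is
//    correct either way.
//  - The e-mail and code echoed into the onclick handler are encoded for the
//    JS-string-inside-HTML-attribute context (json_encode + htmlspecialchars)
//    instead of being concatenated raw.
//  - No expiry column for recoverCode is visible here; consider adding one so
//    a leaked link does not stay valid until it is used.
//  - recoverSendMail's response (see strings.unknown_email) presumably reveals
//    whether an address is registered — accepted as-is.
$action = isset($_REQUEST["action"]) ? (string) $_REQUEST["action"] : "";
$email = isset($_REQUEST["email"]) ? (string) $_REQUEST["email"] : "";

// True only when $submitted is a non-empty string equal (constant-time) to the
// row's stored code; a missing row or a row with no code never matches.
$recoverCodeMatches = function ($row, $submitted) {
    if (!$row || !is_string($submitted) || $submitted === "") {
        return false;
    }
    $stored = (string) $row->recoverCode;
    return $stored !== "" && hash_equals($stored, $submitted);
};

// Encode a value as a JS string literal safe inside a single-quoted HTML
// attribute: JSON for the JS layer, then HTML-escaped for the attribute layer
// (the browser decodes the entities before the JS parser sees the text).
$jsLiteralInAttr = function ($value) {
    $json = json_encode((string) $value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        $json = '""';
    }
    return htmlspecialchars($json, ENT_QUOTES, 'UTF-8');
};

if ($action === "sendMail") {
    recoverSendMail($db, $email);
} elseif ($action === "recover") {
    $recoverCode = isset($_REQUEST["recoverCode"]) ? $_REQUEST["recoverCode"] : null;
    $row = getUserFromEmail($db, $email);
    if (!$recoverCodeMatches($row, $recoverCode)) {
        echo "Le lien est invalide.";
        return;
    }
    echo "\r\n <!DOCTYPE html>\r\n <html>\r\n <head>\r\n"
        . " <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />\r\n"
        . " <link rel='stylesheet' href='jquery-ui-1.8.20.custom.css' />\r\n"
        . " <link rel='stylesheet' href='admin.css' />\r\n"
        . " <script src='jqGrid/js/jquery-1.7.2.min.js'></script> \r\n"
        . " <script src='jquery-ui-1.8.20.custom.min.js'></script>\r\n"
        . " <script type='text/javascript'>\r\n"
        . " var strings = {\r\n"
        . " 'unknown_email': 'Email inconnu',\r\n"
        . " 'recover_email_sent_1': 'Vous allez recevoir un email à l\\'adresse ',\r\n"
        . " 'recover_email_sent_2': '. Cliquez sur le lien qu\\'il contient pour définir un nouveau mot de passe',\r\n"
        . " 'password_changed': 'Votre mot de passe a été modifié',\r\n"
        . " 'option_no_filter': 'Pas de filtre',\r\n"
        . " 'index_url': 'index.html'\r\n"
        . " }\r\n"
        . " function getRegions() { return {} };\r\n"
        . " </script>\r\n"
        . " <script src='admin.js'></script>\r\n"
        . " </head>\r\n"
        . " <body>\r\n"
        . " <div id='divHeader'>\r\n"
        . " <table style='width:100%'><tr>\r\n"
        . " <td style='width:20%'><img src='images/castor_small.png'/></td>\r\n"
        . " <td><p class='headerH1'>Castor Informatique France</p>\r\n"
        . " <p class='headerH2'> Plate-forme du concours Castor - <span style='color:red;font-weight:bold'>ACCES COORDINATEUR</span></p>\r\n"
        . " </td>\r\n"
        . " <td></td>\r\n"
        . " </tr></table>\r\n"
        . " </div>\r\n"
        . " <div class='dialog'>\r\n"
        . " Entrez votre nouveau mot de passe : <input type='password' id='newPassword1' /><br/>\r\n"
        . " Entrez de nouveau pour le confirmer : <input type='password' id='newPassword2' /><br/>\r\n"
        . " <input type='button' id='buttonChangePassword' value='Valider' onclick='changePassword("
        . $jsLiteralInAttr($email) . ", " . $jsLiteralInAttr($row->recoverCode)
        . ")' />\r\n"
        . " </div></html>\r\n ";
} elseif ($action === "changePassword") {
    $recoverCode = isset($_REQUEST["recoverCode"]) ? $_REQUEST["recoverCode"] : null;
    $password = isset($_REQUEST["password"]) ? $_REQUEST["password"] : "";
    $row = getUserFromEmail($db, $email);
    if (!$recoverCodeMatches($row, $recoverCode)) {
        echo "Le lien est invalide.";
        return;
    }
    // Never store the hash of an empty password.
    if (!is_string($password) || $password === "") {
        echo json_encode(array("success" => false, "message" => "Le mot de passe ne peut pas être vide."));
        return;
    }
    // Clearing recoverCode makes the link single-use (empty codes are rejected
    // above). NOTE(review): assumes the column accepts '' and that
    // recoverSendMail() issues a fresh code on each request — confirm both.
    $stmt = $db->prepare("UPDATE `user` SET `passwordMd5` = ?, `recoverCode` = '' WHERE `ID` = ?");
    $passwordMd5 = computePasswordMD5($password, $row->salt);
    $stmt->execute(array($passwordMd5, $row->ID));
    echo json_encode(array("success" => true));
}

unset($db);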
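/**
 * Validate and complete a `user` record before the generic insert/update layer
 * writes it. Returns true when the record may be written; on a user-facing
 * failure it echoes a JSON {"success": false, "message": ...} document, logs,
 * and returns false (checkUser failures only log).
 *
 * Mutations of $record:
 *  - firstName / lastName / saniValid normalised by DataSanitizer::formatUserNames
 *  - insert: salt and passwordMd5 generated, registrationDate stamped
 *  - non-admin update: ID forced to the session's user (so a plain user can
 *    only edit their own row), passwordMd5 recomputed only after the old
 *    password is verified, alternativeEmailValidated reset to "0" when the
 *    alternative e-mail changes
 * $roles gets "generator" appended.
 *
 * @param PDO    $db
 * @param array  $request   (by ref) raw request; not read here
 * @param array  $record    (by ref) the user row about to be written
 * @param string $operation "insert" or "update"
 * @param array  $roles     (by ref) role list consumed by the generic layer
 * @return bool
 *
 * Security notes:
 *  - The old-password check uses hash_equals() (constant time, strict).
 *  - Admin status comes from $_SESSION["isAdmin"]; an absent/"0"/0 value is
 *    treated as non-admin (fail closed).
 *  - NOTE(review): nothing here removes privilege fields such as isAdmin from
 *    a non-admin update — confirm that checkUser() or a filter elsewhere does,
 *    otherwise this is a mass-assignment risk.
 *  - NOTE(review): an empty password on insert is hashed as-is unless
 *    checkUser() rejects it — confirm.
 *  - The duplicate-e-mail messages echo the address back (and into error_log),
 *    which lets a caller probe registered addresses; accepted as-is.
 */
function checkRequestUser($db, &$request, &$record, $operation, &$roles)
{
    // Generated fields; the 4th element returned by formatUserNames is unused.
    list($record["firstName"], $record["lastName"], $record["saniValid"]) =
        DataSanitizer::formatUserNames($record["firstName"], $record["lastName"]);

    $isInsert = ($operation === "insert");
    $isUpdate = ($operation === "update");
    $isAdmin = !empty($_SESSION["isAdmin"]);

    if ($isInsert) {
        $record["salt"] = generateSalt();
        $record["passwordMd5"] = computePasswordMD5($record["password"], $record["salt"]);
    }

    $roles[] = "generator";

    if ($isInsert) {
        // Official e-mail is checked first, then the alternative one.
        foreach (array("officialEmail", "alternativeEmail") as $field) {
            if (existingEmail($db, $record[$field], 0)) {
                $message = "Un compte existe déjà pour l'email " . $record[$field] . ".";
                echo json_encode(array("success" => false, "message" => $message));
                error_log($message);
                return false;
            }
        }
        $record["registrationDate"] = date('Y-m-d H:i:s');
    }

    if (!checkUser($record)) {
        error_log("checkUser false");
        return false;
    }

    if (!$isAdmin && $isUpdate) {
        // A plain user may only edit their own row, whatever ID the client sent.
        $record["ID"] = $_SESSION["userID"];
        $user = getUser($db);

        $newPassword = isset($record["password"]) ? (string) $record["password"] : "";
        if ($newPassword !== "") {
            $oldPassword = isset($record["old_password"]) ? (string) $record["old_password"] : "";
            $oldPasswordMd5 = (string) computePasswordMD5($oldPassword, $user->salt);
            // Constant-time comparison against the stored hash.
            if (!hash_equals((string) $user->passwordMd5, $oldPasswordMd5)) {
                echo json_encode(array("success" => false, "message" => "mot de passe invalide"));
                error_log("Invalid password");
                return false;
            }
            $record["passwordMd5"] = computePasswordMD5($newPassword, $user->salt);
        }

        if ($record["alternativeEmail"] !== $user->alternativeEmail) {
            $record["alternativeEmailValidated"] = "0";
        }

        // Filters: a validated official e-mail is locked for plain users.
        if ($record["officialEmail"] !== $user->officialEmail && $user->officialEmailValidated) {
            error_log("impossible de modifier un email officiel validé");
            return false;
        }
    }

    return true;
}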