/**
* The login procedure for both administrators and clients in. If successful, redirects them to the
* appropriate page, otherwise returns an error.
*
* @param array $infohash This parameter should be a hash (e.g. $_POST or $_GET) containing both
* "username" and "password" keys, containing that information for the user trying
* to log in.
* @param boolean $login_as_client [optional] This optional parameter is used by administrators
* to log in as a particular client, allowing them to view how the account looks,
* even if it is disabled.
* @return string error message string (if error occurs). Otherwise it redirects the user to the
* appropriate page, based on account type.
*/
function ft_login($infohash, $login_as_client = false)
{
global $g_root_url, $g_table_prefix, $LANG;
$settings = ft_get_settings("", "core");
$username = strip_tags($infohash["username"]);
$username = ft_sanitize($username);
$password = isset($infohash["password"]) ? ft_sanitize($infohash["password"]) : "";
$password = strip_tags($password);
// extract info about this user's account
$query = mysql_query("\r\n SELECT account_id, account_type, account_status, password, temp_reset_password, login_page\r\n FROM {$g_table_prefix}accounts\r\n WHERE username = '******'\r\n ");
$account_info = mysql_fetch_assoc($query);
$has_temp_reset_password = empty($account_info["temp_reset_password"]) ? false : true;
// error check user login info
if (!$login_as_client) {
if (empty($password)) {
return $LANG["validation_no_password"];
}
if ($account_info["account_status"] == "disabled") {
return $LANG["validation_account_disabled"];
}
if ($account_info["account_status"] == "pending") {
return $LANG["validation_account_pending"];
}
if (empty($username)) {
return $LANG["validation_account_not_recognized"];
}
$password_correct = md5(md5($password)) == $account_info["password"];
$temp_password_correct = md5(md5($password)) == $account_info["temp_reset_password"];
if (!$password_correct && !$temp_password_correct) {
// if this is a client account and the administrator has enabled the maximum failed login attempts feature,
// keep track of the count
$account_settings = ft_get_account_settings($account_info["account_id"]);
// stores the MAXIMUM number of failed attempts permitted, before the account gets disabled. If the value
// is empty in either the user account or for the default value, that means the administrator doesn't want
// to track the failed login attempts
$max_failed_login_attempts = isset($account_settings["max_failed_login_attempts"]) ? $account_settings["max_failed_login_attempts"] : $settings["default_max_failed_login_attempts"];
if ($account_info["account_type"] == "client" && !empty($max_failed_login_attempts)) {
$num_failed_login_attempts = isset($account_settings["num_failed_login_attempts"]) && !empty($account_settings["num_failed_login_attempts"]) ? $account_settings["num_failed_login_attempts"] : 0;
$num_failed_login_attempts++;
if ($num_failed_login_attempts >= $max_failed_login_attempts) {
ft_disable_client($account_info["account_id"]);
ft_set_account_settings($account_info["account_id"], array("num_failed_login_attempts" => 0));
return $LANG["validation_account_disabled"];
} else {
ft_set_account_settings($account_info["account_id"], array("num_failed_login_attempts" => $num_failed_login_attempts));
}
}
return $LANG["validation_wrong_password"];
}
}
extract(ft_process_hook_calls("main", compact("account_info"), array("account_info")), EXTR_OVERWRITE);
// all checks out. Log them in, after populating sessions
$_SESSION["ft"]["settings"] = $settings;
$_SESSION["ft"]["account"] = ft_get_account_info($account_info["account_id"]);
$_SESSION["ft"]["account"]["is_logged_in"] = true;
// this is deliberate.
$_SESSION["ft"]["account"]["password"] = md5(md5($password));
ft_cache_account_menu($account_info["account_id"]);
// if this is an administrator, ensure the API version is up to date
if ($account_info["account_type"] == "admin") {
ft_update_api_version();
} else {
ft_set_account_settings($account_info["account_id"], array("num_failed_login_attempts" => 0));
}
// for clients, store the forms & form Views that they are allowed to access
if ($account_info["account_type"] == "client") {
$_SESSION["ft"]["permissions"] = ft_get_client_form_views($account_info["account_id"]);
}
// if the user just logged in with a temporary password, append some args to pass to the login page
// so that they will be prompted to changing it upon login
$reset_password_args = array();
if (md5(md5($password)) == $account_info["temp_reset_password"]) {
$reset_password_args["message"] = "change_temp_password";
}
// redirect the user to whatever login page they specified in their settings
$login_url = ft_construct_page_url($account_info["login_page"], "", $reset_password_args);
$login_url = "{$g_root_url}{$login_url}";
if (!$login_as_client) {
ft_update_last_logged_in($account_info["account_id"]);
}
session_write_close();
header("Location: {$login_url}");
exit;
}
/**
* This function lets you log a client or administrator in programmatically. By default, it logs the user in
* and redirects them to whatever login page they specified in their user account. However, you can override
* this in two ways: either specify a custom URL where they should be directed to, or avoid redirecting at
* all. If you choose the latter, make sure you've initiated SESSIONS on the calling page - otherwise the
* login account information (needed to be stored in sessions) is lost.
*
* @param array $info a hash with the following possible parameters:
* "username" - the username
* "password" - the password
* "auto_redirect_after_login" - (boolean, defaulted to false) determines whether or not the user should
* be automatically redirected to a URL after a successful login.
* "login_url" - the URL to redirect to (if desired). If this isn't set, but auto_redirect_after_login IS,
* it will log the user in normally, to whatever login page they've specified in their account.
*/
function ft_api_login($info)
{
global $g_root_url, $g_table_prefix, $LANG, $g_api_debug;
$username = ft_sanitize($info["username"]);
$password = isset($info["password"]) ? ft_sanitize($info["password"]) : "";
// extract info about this user's account
$query = mysql_query("\n SELECT account_id, account_type, account_status, password, login_page\n FROM {$g_table_prefix}accounts\n WHERE username = '******'\n ");
$account_info = mysql_fetch_assoc($query);
if (empty($password)) {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1000, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1000);
}
}
if (empty($account_info)) {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1004, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1004);
}
}
if ($account_info["account_status"] == "disabled") {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1001, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1001);
}
}
if ($account_info["account_status"] == "pending") {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1002, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1002);
}
}
if (md5(md5($password)) != $account_info["password"]) {
if ($g_api_debug) {
$page_vars = array("message_type" => "error", "error_code" => 1003, "error_type" => "user");
ft_display_page("error.tpl", $page_vars);
exit;
} else {
return array(false, 1003);
}
}
// all checks out. Log them in, after populating sessions
$_SESSION["ft"]["settings"] = ft_get_settings("", "core");
// only load the core settings
$_SESSION["ft"]["account"] = ft_get_account_info($account_info["account_id"]);
$_SESSION["ft"]["account"]["is_logged_in"] = true;
$_SESSION["ft"]["account"]["password"] = md5(md5($password));
ft_cache_account_menu($account_info["account_id"]);
// if this is an administrator, build and cache the upgrade link and ensure the API version is up to date
if ($account_info["account_type"] == "admin") {
ft_update_api_version();
ft_build_and_cache_upgrade_info();
}
// for clients, store the forms & form Views that they are allowed to access
if ($account_info["account_type"] == "client") {
$_SESSION["ft"]["permissions"] = ft_get_client_form_views($account_info["account_id"]);
}
// redirect the user to whatever login page they specified in their settings
if (isset($info["auto_redirect_after_login"]) && $info["auto_redirect_after_login"]) {
if (isset($info["login_url"]) && !empty($info["login_url"])) {
session_write_close();
header("Location: {$login_url}");
exit;
} else {
$login_url = ft_construct_page_url($account_info["login_page"]);
$login_url = "{$g_root_url}{$login_url}";
session_write_close();
header("Location: {$login_url}");
exit;
}
}
return array(true, "");
}