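/**
 * {@inheritdoc}
 *
 * Triggers {@link \Mibew\EventDispatcher\Events::OPERATOR_AUTHENTICATE}
 * event.
 *
 * Sources are tried in order: the parent implementation (session), then the
 * "remember me" cookie, then plugins listening to OPERATOR_AUTHENTICATE. The
 * first source that yields an operator wins.
 *
 * @param Request $request Incoming request.
 * @return bool True if an operator was attached to the manager.
 */
public function setOperatorFromRequest(Request $request)
{
    // Try to get operator from session.
    if (parent::setOperatorFromRequest($request)) {
        return true;
    }

    // Check if operator had used "remember me" feature.
    if ($request->cookies->has(REMEMBER_OPERATOR_COOKIE_NAME)) {
        $cookie_value = (string) $request->cookies->get(REMEMBER_OPERATOR_COOKIE_NAME);

        // The cookie is base64("<login>\0<hash>"). A value without the
        // separator is rejected outright instead of letting list() emit a
        // notice on a malformed cookie.
        $parts = preg_split('/\\x0/', (string) base64_decode($cookie_value), 2);
        if (is_array($parts) && count($parts) === 2) {
            list($login, $pwd) = $parts;
            $op = operator_by_login($login);

            if ($op && isset($op['vcpassword'])) {
                $expected = calculate_password_hash($op['vclogin'], $op['vcpassword']);
                // Strict string comparison: the original "==" treated two
                // numeric-looking strings (e.g. "0e...") as equal. Use the
                // constant-time compare where hash_equals() is available.
                $hash_matches = function_exists('hash_equals')
                    ? hash_equals((string) $expected, (string) $pwd)
                    : ((string) $expected === (string) $pwd);

                if ($hash_matches && !operator_is_disabled($op)) {
                    $this->operator = $op;

                    return true;
                }
            }
        }
    }

    // Provide an ability for plugins to authenticate operator
    $args = array(
        'operator' => false,
        'request' => $request,
    );
    $dispatcher = EventDispatcher::getInstance();
    $dispatcher->triggerEvent(Events::OPERATOR_AUTHENTICATE, $args);

    if (!empty($args['operator'])) {
        $this->operator = $args['operator'];

        return true;
    }

    // Operator's data cannot be extracted from the request.
    return false;
}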
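/**
 * Processes submitting of the form which is generated in
 * {@link \Mibew\Controller\LoginController::showFormAction()} method.
 *
 * Triggers 'operatorLogin' event after operator logged in and passes to it
 * an associative array with the following items:
 *  - 'operator': array of the logged in operator info;
 *  - 'remember': boolean, indicates if system should remember operator.
 *
 * On success the operator is redirected to the stored "backpath" (if any) or
 * to the operator home page; on failure the login form is rendered again
 * with an error message.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content.
 */
public function submitFormAction(Request $request)
{
    csrf_check_token($request);

    // Missing fields arrive as null; normalise to strings so the hash check
    // and the comparisons below never see a non-string value.
    $login = (string) $request->request->get('login');
    $password = (string) $request->request->get('password');
    $remember = $request->request->get('isRemember') === 'on';

    $errors = array();

    $operator = operator_by_login($login);
    $password_is_valid = $operator
        && isset($operator['vcpassword'])
        && check_password_hash($operator['vclogin'], $password, $operator['vcpassword']);

    if ($password_is_valid && !operator_is_disabled($operator)) {
        // Login the operator to the system
        $this->getAuthenticationManager()->loginOperator($operator, $remember);

        // Redirect the current operator to the needed page.
        $target = isset($_SESSION[SESSION_PREFIX . 'backpath'])
            ? $_SESSION[SESSION_PREFIX . 'backpath']
            : $request->getUriForPath('/operator');

        return $this->redirect($target);
    }

    // Report the "blocked" state only once the credentials have been
    // verified. The original called operator_is_disabled() for every failed
    // attempt, which passed `false` to it when the login was unknown and
    // revealed which logins exist and are blocked without a valid password.
    if ($password_is_valid && operator_is_disabled($operator)) {
        $errors[] = getlocal('Your account is temporarily blocked. Please contact system administrator.');
    } else {
        $errors[] = getlocal("Entered login/password is incorrect");
    }

    // Rebuild login form
    $request->attributes->set('errors', $errors);

    return $this->showFormAction($request);
}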
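/**
 * Generates a page for the first step of password recovery process.
 *
 * On GET the form is only rendered. On POST the operator named by the
 * "loginoremail" field is looked up (by e-mail when the value is a valid
 * address, by login otherwise), a fresh recovery token is stored on the
 * operator record and a mail with the reset link is sent to the operator's
 * e-mail address.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content
 * @throws \RuntimeException If the "password_recovery" mail template cannot
 *   be loaded.
 */
public function indexAction(Request $request)
{
    if ($this->getOperator()) {
        // If the operator is logged in just redirect him to the home page.
        return $this->redirect($request->getUriForPath('/operator'));
    }

    $page = array(
        'version' => MIBEW_VERSION,
        'title' => getlocal('Trouble Accessing Your Account?'),
        'headertitle' => getlocal('Mibew Messenger'),
        'show_small_login' => true,
        'fixedwrap' => true,
        'errors' => array(),
    );

    $login_or_email = '';
    $is_post = $request->isMethod('POST');

    if ($is_post) {
        // When HTTP GET method is used the form is just rendered but the
        // user does not pass any data. Thus we need to prevent CSRF attacks
        // only for POST requests
        csrf_check_token($request);
    }

    if ($is_post && $request->request->has('loginoremail')) {
        $login_or_email = (string) $request->request->get('loginoremail');
        $to_restore = MailUtils::isValidAddress($login_or_email)
            ? operator_by_email($login_or_email)
            : operator_by_login($login_or_email);

        // NOTE(review): this message confirms whether a login/e-mail exists;
        // a neutral response would avoid that, but it is a UX decision.
        if (!$to_restore) {
            $page['errors'][] = getlocal('No such Operator');
        }

        // Read the address only when the lookup succeeded; the original
        // indexed $to_restore unconditionally and emitted a notice on false.
        $email = ($to_restore && isset($to_restore['vcemail'])) ? $to_restore['vcemail'] : '';
        if (empty($page['errors']) && !MailUtils::isValidAddress($email)) {
            $page['errors'][] = "Operator hasn't set his e-mail";
        }

        if (empty($page['errors'])) {
            // Token entropy comes from a CSPRNG when one is available. The
            // time/mt_rand() fallback is predictable and is kept only for
            // environments with neither random_bytes() nor OpenSSL.
            if (function_exists('random_bytes')) {
                $random = random_bytes(32);
            } elseif (function_exists('openssl_random_pseudo_bytes')) {
                $random = openssl_random_pseudo_bytes(32);
            } else {
                $random = microtime(true) . mt_rand(0, 99999999);
            }
            $token = sha1($to_restore['vclogin'] . $random);

            // Update the operator
            $to_restore['dtmrestore'] = time();
            $to_restore['vcrestoretoken'] = $token;
            update_operator($to_restore);

            $href = $this->getRouter()->generate(
                'password_recovery_reset',
                array('id' => $to_restore['operatorid'], 'token' => $token),
                UrlGeneratorInterface::ABSOLUTE_URL
            );

            // Load mail templates and substitute placeholders there.
            $mail_template = MailTemplate::loadByName('password_recovery', get_current_locale());
            if (!$mail_template) {
                throw new \RuntimeException('Cannot load "password_recovery" mail template');
            }

            $this->sendMail(MailUtils::buildMessage(
                $email,
                $email,
                $mail_template->buildSubject(),
                $mail_template->buildBody(array(get_operator_name($to_restore), $href))
            ));

            $page['isdone'] = true;

            return $this->render('password_recovery', $page);
        }
    }

    $page['formloginoremail'] = $login_or_email;
    $page['localeLinks'] = get_locale_links();
    $page['isdone'] = false;

    return $this->render('password_recovery', $page);
}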
$errors[] = wrong_field("form.field.jabber"); } if ($jabbernotify && $jabber == '') { if ($settings['enablejabber'] == "1") { $errors[] = no_field("form.field.jabber"); } else { $jabbernotify = false; } } if (!$opId && !$password) { $errors[] = no_field("form.field.password"); } if ($password != $passwordConfirm) { $errors[] = getlocal("my_settings.error.password_match"); } $existing_operator = operator_by_login($login); if (!$opId && $existing_operator || $opId && $existing_operator && $opId != $existing_operator['operatorid']) { $errors[] = getlocal("page_agent.error.duplicate_login"); } $canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator); if (!$canmodify) { $errors[] = getlocal('page_agent.cannot_modify'); } if (count($errors) == 0) { if (!$opId) { $newop = create_operator($login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0, ""); header("Location: {$webimroot}/operator/avatar.php?op=" . $newop['operatorid']); exit; } else { update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0); // update the session password
* EPL, indicate your decision by deleting the provisions above and replace them * with the notice and other provisions required by the GPL. * * Contributors: * Evgeny Gryaznov - initial API and implementation */ require_once '../libs/common.php'; require_once '../libs/operator.php'; require_once '../libs/settings.php'; require_once '../libs/notify.php'; $errors = array(); $page = array('version' => $version); $loginoremail = ""; if (isset($_POST['loginoremail'])) { $loginoremail = getparam("loginoremail"); $torestore = is_valid_email($loginoremail) ? operator_by_email($loginoremail) : operator_by_login($loginoremail); if (!$torestore) { $errors[] = getlocal("no_such_operator"); } $email = $torestore['vcemail']; if (count($errors) == 0 && !is_valid_email($email)) { $errors[] = "Operator hasn't set his e-mail"; } if (count($errors) == 0) { $token = md5(time() + microtime() . rand(0, 99999999)); $link = connect(); $query = "update {$mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '{$token}' where operatorid = " . $torestore['operatorid']; perform_query($query, $link); $href = get_app_location(true, false) . "/operator/resetpwd.php?id=" . $torestore['operatorid'] . "&token={$token}"; webim_mail($email, $email, getstring("restore.mailsubj"), getstring2("restore.mailtext", array(get_operator_name($torestore), $href)), $link); mysql_close($link);
* See the License for the specific language governing permissions and * limitations under the License. */ require_once '../libs/common.php'; require_once '../libs/operator.php'; if (check_login(false)) { header("Location: {$mibewroot}/operator/"); exit; } $errors = array(); $page = array('formisRemember' => true, 'version' => $version); if (isset($_POST['login']) && isset($_POST['password'])) { $login = getparam('login'); $password = getparam('password'); $remember = isset($_POST['isRemember']) && $_POST['isRemember'] == "on"; $operator = operator_by_login($login); if ($operator && isset($operator['vcpassword']) && check_password_hash($login, $password, $operator['vcpassword'])) { $target = $password == '' ? "{$mibewroot}/operator/operator.php?op=" . intval($operator['operatorid']) : (isset($_SESSION['backpath']) ? $_SESSION['backpath'] : "{$mibewroot}/operator/index.php"); login_operator($operator, $remember, is_secure_request()); header("Location: {$target}"); exit; } else { $errors[] = getlocal("page_login.error"); $page['formlogin'] = $login; } } else { if (isset($_GET['login'])) { $login = getgetparam('login'); if (preg_match("/^(\\w{1,15})\$/", $login)) { $page['formlogin'] = $login; }
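/**
 * Returns the currently authenticated operator, restoring it from the
 * "remember me" cookie when there is no session entry yet.
 *
 * When no operator can be determined and $redirect is true, the requested
 * URL is stored in $_SESSION['backpath'] and the browser is sent to the
 * login page (the script exits). With $redirect false, null is returned.
 *
 * @param bool $redirect Whether to redirect to the login page on failure.
 * @return array|null Operator record, or null when not logged in and
 *   $redirect is false.
 */
function check_login($redirect = true)
{
    global $mibewroot, $mysqlprefix, $remember_cookie_name;

    $session_key = "{$mysqlprefix}operator";

    if (isset($_SESSION[$session_key])) {
        return $_SESSION[$session_key];
    }

    if (isset($_COOKIE[$remember_cookie_name])) {
        // The cookie is base64("<login>\0<hash>"). A value without the
        // separator is rejected instead of letting list() emit a notice.
        $parts = preg_split('/\\x0/', (string) base64_decode($_COOKIE[$remember_cookie_name]), 2);
        if (is_array($parts) && count($parts) === 2) {
            list($login, $pwd) = $parts;
            $op = operator_by_login($login);

            if ($op && isset($op['vcpassword'])) {
                $expected = calculate_password_hash($op['vclogin'], $op['vcpassword']);
                // Strict string comparison: the original "==" treated two
                // numeric-looking strings as equal. Constant-time where
                // hash_equals() exists.
                $matches = function_exists('hash_equals')
                    ? hash_equals((string) $expected, (string) $pwd)
                    : ((string) $expected === (string) $pwd);

                if ($matches) {
                    $_SESSION[$session_key] = $op;

                    return $op;
                }
            }
        }
    }

    if (!$redirect) {
        return null;
    }

    // Remember where the operator wanted to go so login.php can send them back.
    $requested = $_SERVER['PHP_SELF'];
    if ($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_SERVER['QUERY_STRING'])) {
        $requested .= "?" . $_SERVER['QUERY_STRING'];
    }
    $_SESSION['backpath'] = $requested;
    header("Location: {$mibewroot}/operator/login.php");
    exit;
}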
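/**
 * Returns the currently authenticated operator, restoring it from the
 * "webim_lite" cookie when there is no session entry yet.
 *
 * The cookie holds "<login>,<md5 of the stored password hash>". Because the
 * second part is derived only from the stored hash, anyone who obtains that
 * hash can produce a valid cookie; a random per-operator token would be a
 * safer design, but that is outside this function.
 *
 * When no operator can be determined and $redirect is true, the requested
 * URL is stored in $_SESSION['backpath'] and the browser is sent to the
 * login page (the script exits). With $redirect false, null is returned.
 *
 * @param bool $redirect Whether to redirect to the login page on failure.
 * @return array|null Operator record, or null when not logged in and
 *   $redirect is false.
 */
function check_login($redirect = true)
{
    global $webimroot, $mysqlprefix;

    $session_key = "{$mysqlprefix}operator";

    if (isset($_SESSION[$session_key])) {
        return $_SESSION[$session_key];
    }

    if (isset($_COOKIE['webim_lite'])) {
        // Reject a cookie without the separator instead of letting list()
        // emit a notice on a malformed value.
        $parts = explode(',', (string) $_COOKIE['webim_lite'], 2);
        if (count($parts) === 2) {
            list($login, $pwd) = $parts;
            $op = operator_by_login($login);

            if ($op && isset($op['vcpassword'])) {
                $expected = md5($op['vcpassword']);
                // Strict string comparison: the original "==" treated two
                // numeric-looking digests (e.g. "0e...") as equal.
                // Constant-time where hash_equals() exists.
                $matches = function_exists('hash_equals')
                    ? hash_equals($expected, (string) $pwd)
                    : ($expected === (string) $pwd);

                if ($matches) {
                    $_SESSION[$session_key] = $op;

                    return $op;
                }
            }
        }
    }

    if (!$redirect) {
        return null;
    }

    // Remember where the operator wanted to go so login.php can send them back.
    $requested = $_SERVER['PHP_SELF'];
    if ($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_SERVER['QUERY_STRING'])) {
        $requested .= "?" . $_SERVER['QUERY_STRING'];
    }
    $_SESSION['backpath'] = $requested;
    header("Location: {$webimroot}/operator/login.php");
    exit;
}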
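/**
 * Processes submitting of the form which is generated in
 * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
 *
 * Validates the submitted fields, then either creates a new operator (when
 * the route carries no "operator_id") and redirects to the avatar page, or
 * updates the existing one and redirects back to the edit page. When the
 * edited operator is the current one, the cached operator data in the
 * authentication manager is refreshed as well.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content.
 * @throws \RuntimeException If an "operator_id" is given but no such
 *   operator exists.
 */
public function submitFormAction(Request $request)
{
    csrf_check_token($request);

    $errors = array();
    $operator = $this->getOperator();

    $op_id = $request->attributes->getInt('operator_id');

    // Missing fields arrive as null; normalise to strings so that the
    // regexps and the password checks below always see strings. With the
    // original `$password !== ''` test, a request without a "password"
    // field reset an existing operator's password to the hash of null.
    $login = (string) $request->request->get('login');
    $email = (string) $request->request->get('email');
    $password = (string) $request->request->get('password');
    $password_confirm = (string) $request->request->get('passwordConfirm');
    $local_name = (string) $request->request->get('name');
    $common_name = (string) $request->request->get('commonname');
    $code = (string) $request->request->get('code');

    if ($local_name === '') {
        $errors[] = no_field('Name');
    }

    if ($common_name === '') {
        $errors[] = no_field('International name (Latin)');
    }

    // The login is needed only for new operators. If login is changed for
    // existing operator the stored password hash becomes invalid.
    if (!$op_id) {
        if ($login === '') {
            $errors[] = no_field('Login');
        } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
            $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
        }
    }

    if ($email === '' || !MailUtils::isValidAddress($email)) {
        $errors[] = wrong_field('E-mail');
    }

    if ($code !== '' && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
        $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
    }

    if (!$op_id && $password === '') {
        $errors[] = no_field('Password');
    }

    if ($password !== $password_confirm) {
        $errors[] = getlocal('Entered passwords do not match');
    }

    // A login/e-mail is a duplicate when it belongs to some operator other
    // than the one being edited (any operator at all for a new one).
    $existing_operator = operator_by_login($login);
    if ($this->belongsToOtherOperator($existing_operator, $op_id)) {
        $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
    }

    // Check if operator with specified email already exists in the database.
    $existing_operator = operator_by_email($email);
    if ($this->belongsToOtherOperator($existing_operator, $op_id)) {
        $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
    }

    if (count($errors) !== 0) {
        $request->attributes->set('errors', $errors);

        // The form should be rebuild. Invoke appropriate action.
        return $this->showFormAction($request);
    }

    if (!$op_id) {
        // Create new operator and redirect the current operator to avatar
        // page.
        $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
        $redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));

        return $this->redirect($redirect_to);
    }

    // The original merged the form values with operator_by_id() directly,
    // which is a fatal "array + false" when the id is stale.
    $stored_operator = operator_by_id($op_id);
    if (!$stored_operator) {
        throw new \RuntimeException(sprintf('Operator #%d does not exist', $op_id));
    }

    // Mix old operator's fields with updated values
    $target_operator = array(
        'vcemail' => $email,
        'vclocalename' => $local_name,
        'vccommonname' => $common_name,
        'code' => $code,
    ) + $stored_operator;

    // Set the password only if it's not an empty string.
    if ($password !== '') {
        $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
    }

    // Update operator's fields in the database.
    update_operator($target_operator);

    // Operator's data are cached in the authentication manager, thus we need
    // to manually update them.
    if ((int) $target_operator['operatorid'] === (int) $operator['operatorid']) {
        // Check if the admin has set his password for the first time.
        $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
            && $password !== '';

        // Update operator's fields.
        $this->getAuthenticationManager()->setOperator($target_operator);

        // Redirect the admin to the home page if needed.
        if ($to_dashboard) {
            return $this->redirect($this->generateUrl('home_operator'));
        }
    }

    // Redirect the operator to edit page again to use GET method instead of
    // POST.
    $redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));

    return $this->redirect($redirect_to);
}

/**
 * Tells whether a looked-up operator record conflicts with the operator
 * being edited.
 *
 * @param array|false $existing Result of an operator_by_* lookup.
 * @param int $op_id Id of the operator being edited, 0 for a new one.
 * @return bool True if $existing is a real record belonging to a different
 *   operator than $op_id.
 */
private function belongsToOtherOperator($existing, $op_id)
{
    if (!$existing) {
        return false;
    }

    return !$op_id || (int) $existing['operatorid'] !== (int) $op_id;
}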