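/**
 * Log in the user the web server already authenticated (REMOTE_USER).
 *
 * Does nothing when a session already exists. Raises an ERROR through
 * trigger_error() when the configured login method is not BASIC_AUTH, when
 * the server supplied no REMOTE_USER, or when that name does not map to a
 * known user; in each case no login bookkeeping or cookies are produced.
 *
 * @return void
 */
function autologin() {
    if (auth_is_user_authenticated()) {
        return;
    }

    $t_login_method = config_get('login_method');
    if ($t_login_method != BASIC_AUTH) {
        trigger_error("Invalid login method. ({$t_login_method})", ERROR);
        return;
    }

    # REMOTE_USER is only present when the web server performed the
    # authentication; reading it unguarded raises a notice and would look
    # up an empty name instead of failing cleanly.
    if (!isset($_SERVER['REMOTE_USER']) || '' === $_SERVER['REMOTE_USER']) {
        trigger_error('Invalid user.', ERROR);
        return;
    }

    $t_user_id = user_get_id_by_name($_SERVER['REMOTE_USER']);
    if (!$t_user_id) {
        trigger_error('Invalid user.', ERROR);
        # explicit stop so an error handler that returns cannot let the
        # code below run with an invalid user id
        return;
    }

    user_increment_login_count($t_user_id);
    user_reset_failed_login_count_to_zero($t_user_id);
    user_reset_lost_password_in_progress_count_to_zero($t_user_id);

    # long-term cookie: the web server vouches for this user on every request
    auth_set_cookies($t_user_id, true);
    auth_set_tokens($t_user_id);
}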
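*/

# don't auto-login when trying to verify new user
$g_login_anonymous = false;

/**
 * MantisBT Core API's
 */
require_once 'core.php';

# check if at least one way to get here is enabled
if (OFF == config_get('allow_signup')
    && OFF == config_get('lost_password_feature')
    && OFF == config_get('send_reset_password')) {
    trigger_error(ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR);
}

$f_user_id = gpc_get_string('id');
$f_confirm_hash = gpc_get_string('confirm_hash');

# force logout on the current user if already authenticated
if (auth_is_user_authenticated()) {
    auth_logout();

    # reload the page after logout; URL-encode the request values so they
    # come back byte-for-byte (they are compared exactly below)
    print_header_redirect('verify.php?id=' . urlencode($f_user_id)
        . '&confirm_hash=' . urlencode($f_confirm_hash));
}

$t_calculated_confirm_hash = auth_generate_confirm_hash($f_user_id);

# The confirm hash is a credential, so it must not be compared with `!=`:
# loose comparison applies type juggling, and an empty expected value would
# be matched by an empty request parameter. Require a non-empty expected
# hash and compare it as strings in constant time.
if ('' === (string)$t_calculated_confirm_hash
    || !hash_equals((string)$t_calculated_confirm_hash, (string)$f_confirm_hash)) {
    trigger_error(ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR);
}

# set a temporary cookie so the login information is passed between pages.
auth_set_cookies($f_user_id, false);

user_reset_failed_login_count_to_zero($f_user_id);
user_reset_lost_password_in_progress_count_to_zero($f_user_id);

# fake login so the user can set their password
auth_attempt_script_login(user_get_field($f_user_id, 'username'));

user_increment_login_count($f_user_id);

include dirname(__FILE__) . DIRECTORY_SEPARATOR . 'account_page.php';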
/**
 * Authenticate $p_username with $p_password and, on success, establish
 * the session (cookies and tokens).
 *
 * An unknown user is created on the fly when the login method is
 * BASIC_AUTH, or when it is LDAP and the directory accepts the
 * credentials; otherwise an unknown name fails. Disabled accounts,
 * accounts over the failed-login limit and wrong passwords (which are
 * counted against the account) all fail. Anonymous accounts skip the
 * password check.
 *
 * @param string $p_username a prepared username
 * @param string $p_password a prepared password
 * @param bool $p_perm_login whether to create a long-term cookie
 * @return bool true when the session was established, false otherwise
 * @access public
 */
function auth_attempt_login($p_username, $p_password, $p_perm_login = false) {
    $t_user_id = user_get_id_by_name($p_username);
    $t_login_method = config_get('login_method');

    if (false === $t_user_id) {
        # decide whether an unknown name may be turned into a new account;
        # the LDAP bind is only attempted when the method is LDAP
        $t_may_create = (BASIC_AUTH == $t_login_method)
            || (LDAP == $t_login_method
                && ldap_authenticate_by_username($p_username, $p_password));
        if (!$t_may_create) {
            return false;
        }

        # attempt to create the user
        if (false === user_create($p_username, md5($p_password))) {
            # it didn't work
            return false;
        }

        # ok, we created the user, get the row again
        $t_user_id = user_get_id_by_name($p_username);
        if (false === $t_user_id) {
            # uh oh, something must be really wrong
            # @@@ trigger an error here?
            return false;
        }
    }

    # disabled account, or too many failed attempts already
    if (!user_is_enabled($t_user_id) || !user_is_login_request_allowed($t_user_id)) {
        return false;
    }

    # only a non-anonymous account has a password to verify
    $t_needs_password = !user_is_anonymous($t_user_id);
    if ($t_needs_password && !auth_does_password_match($t_user_id, $p_password)) {
        user_increment_failed_login_count($t_user_id);
        return false;
    }

    # success: update the counters, then set the cookies and tokens
    user_increment_login_count($t_user_id);
    user_reset_failed_login_count_to_zero($t_user_id);
    user_reset_lost_password_in_progress_count_to_zero($t_user_id);

    auth_set_cookies($t_user_id, $p_perm_login);
    auth_set_tokens($t_user_id);

    return true;
}
/**
 * Authenticate $p_username with $p_password and, on success, establish
 * the session (cookies and tokens).
 *
 * Resolution of the login name and the auto-create policy for unknown
 * names are delegated to auth_get_user_id_from_login_name() and
 * auth_auto_create_user(). Disabled accounts, accounts over the
 * failed-login limit and wrong passwords (counted against the account)
 * fail; anonymous accounts skip the password check.
 *
 * @param string $p_username A prepared username.
 * @param string $p_password A prepared password.
 * @param boolean $p_perm_login Whether to create a long-term cookie.
 * @return boolean true when the session was established, false otherwise
 * @access public
 */
function auth_attempt_login($p_username, $p_password, $p_perm_login = false) {
    $t_user_id = auth_get_user_id_from_login_name($p_username);
    if ($t_user_id === false) {
        # unknown login name: the auto-create policy either returns the new
        # account's id or false
        $t_user_id = auth_auto_create_user($p_username, $p_password);
    }

    # pre-conditions every login must meet; short-circuit order keeps the
    # user_* calls from ever seeing a false id
    $t_rejected = ($t_user_id === false)
        || !user_is_enabled($t_user_id)
        || !user_is_login_request_allowed($t_user_id);
    if ($t_rejected) {
        return false;
    }

    # password verification applies to non-anonymous accounts only
    if (!user_is_anonymous($t_user_id)
        && !auth_does_password_match($t_user_id, $p_password)) {
        user_increment_failed_login_count($t_user_id);
        return false;
    }

    # success: login bookkeeping, then the session cookies and tokens
    user_increment_login_count($t_user_id);
    user_reset_failed_login_count_to_zero($t_user_id);
    user_reset_lost_password_in_progress_count_to_zero($t_user_id);

    auth_set_cookies($t_user_id, $p_perm_login);
    auth_set_tokens($t_user_id);

    return true;
}
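/**
 * Log in $p_username for the duration of the current script run only.
 *
 * No browser cookie is set: the account's cookie string is placed in
 * $g_script_login_cookie and the id cached in $g_cache_current_user_id.
 * When $p_password is null no password check is made, so callers are
 * responsible for having authenticated the user by other means first.
 *
 * @param string $p_username login name of the account to use
 * @param string|null $p_password when given, must match the account's
 *                                password
 * @return bool true when the script login was established; false for an
 *              unknown name, a disabled account or a wrong password
 */
function auth_attempt_script_login($p_username, $p_password = null) {
    global $g_script_login_cookie, $g_cache_current_user_id;

    $t_user_id = user_get_id_by_name($p_username);

    # an unknown name must fail here instead of reaching user_get_row()
    # with a bogus id
    if (false === $t_user_id) {
        return false;
    }

    $t_user = user_get_row($t_user_id);

    # check for disabled account
    if (OFF == $t_user['enabled']) {
        return false;
    }

    # validate password if supplied
    if (null !== $p_password) {
        if (!auth_does_password_match($t_user_id, $p_password)) {
            return false;
        }
    }

    # ok, we're good to login now

    # increment login count
    user_increment_login_count($t_user_id);

    # set the cookies
    $g_script_login_cookie = $t_user['cookie_string'];

    # cache user id for future reference
    $g_cache_current_user_id = $t_user_id;

    return true;
}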