/**
* Widget to display some of the newest registrations, (if any).
*/
public function newestSignups(){
if(!\Core\user()->checkAccess('p:/user/users/manage')){
return '';
}
// How far back do I want to search for?
// 1 month sounds good!
$date = new CoreDateTime();
$date->modify('-1 month');
$searches = UserModel::Find(['created > ' . $date->getFormatted('U')], 10, 'created DESC');
// No results? No problem :)
if(!sizeof($searches)) return '';
$view = $this->getView();
$view->assign('enableavatar', (\ConfigHandler::Get('/user/enableavatar')));
$view->assign('users', $searches);
}
public function wpadmin()
{
$view = $this->getView();
$request = $this->getPageRequest();
if ($request->isPost()) {
// Did they actually try to submit this form?...... silly bot ;)
SystemLogModel::LogSecurityEvent('/wp-admin Honeypot POST', 'POST submission to /wp-admin detected!', print_r($_POST, true));
$expireback = new CoreDateTime();
$expireback->modify('+2 days');
$block = IpBlacklistModel::Find(['ip_addr = ' . REMOTE_IP . '/32'], 1);
if (!$block) {
$block = new IpBlacklistModel();
$block->set('ip_addr', REMOTE_IP . '/32');
}
$block->setFromArray(['expires' => $expireback->getFormatted('U', Time::TIMEZONE_GMT), 'message' => 'You tried to submit a wp-admin page.... this is not a WP site!', 'comment' => 'Bot or user submitted to wp-admin']);
$block->save();
} else {
// Just record the hit.
SystemLogModel::LogSecurityEvent('/wp-admin Honeypot GET', 'GET request to /wp-admin detected!');
}
$view->templatename = 'pages/wphoneypot/wpadmin.phtml';
$view->mastertemplate = false;
}
/**
* The hook catch for the "/core/admin/view" hook.
*/
public static function AdminHook()
{
// If this user doesn't have access to manage crons, just continue.
if (!\Core\user()->checkAccess('p:/cron/viewlog')) {
return;
}
$suffixtext = 'This could be a problem if you have scripts relying on it! <a href="' . \Core\resolve_link('/cron/howto') . '">Read how to resolve this issue</a>.';
// Lookup and make sure that the cron hooks have ran recently enough!
$checks = [['cron' => 'hourly', 'modify' => '-1 hour', 'label' => 'hour'], ['cron' => 'daily', 'modify' => '-1 day', 'label' => 'day'], ['cron' => 'weekly', 'modify' => '-1 week', 'label' => 'week'], ['cron' => 'monthly', 'modify' => '-1 month', 'label' => 'month']];
foreach ($checks as $check) {
$time = new CoreDateTime();
$cronfac = new ModelFactory('CronLogModel');
$cronfac->where('cron = ' . $check['cron']);
$time->modify($check['modify']);
$cronfac->where('created >= ' . $time->getFormatted('U', Time::TIMEZONE_GMT));
$count = $cronfac->count();
if ($count == 0) {
\Core\set_message('Your ' . $check['cron'] . ' cron has not run in the last ' . $check['label'] . '! ' . $suffixtext, 'error');
// Only complain to the admin once per view.
return;
}
}
}
/**
* Method to purge the user activity cron.
*
* This is useful because on an extremely busy site, this table can grow to several gigs within not much time.
*/
public static function PurgeUserActivityCron() {
$opt = \ConfigHandler::Get('/user/activity/keephistory');
if($opt == 'all' || !$opt){
echo 'Not purging any user activity.' . "\n";
return true;
}
// Convert the key to a datestring value.
$date = new \CoreDateTime();
switch($opt){
case '1-week':
$date->modify('-1 week');
break;
case '1-month':
$date->modify('-1 month');
break;
case '2-months':
$date->modify('-2 month');
break;
case '3-months':
$date->modify('-3 month');
break;
case '6-months':
$date->modify('-6 month');
break;
case '12-months':
$date->modify('-12 month');
break;
case '24-months':
$date->modify('-24 month');
break;
case '36-months':
$date->modify('-36 month');
break;
default:
echo 'Invalid value for /user/activity/keephistory: [' . $opt . ']';
return false;
}
// And delete any activity older than this date.
echo 'Purging user activity older than ' . $date->getFormatted('r') . "...\n";
$ds = new \Core\Datamodel\Dataset();
$ds->delete()->table('user_activity')->where('datetime < ' . $date->getFormatted('U', \TIME::TIMEZONE_GMT))->execute();
echo 'Removed ' . $ds->num_rows . ' record(s).' . "\n";
return true;
}
/**
* Form Handler for logging in.
*
* @static
*
* @param \Form $form
*
* @return bool|null|string
*/
public static function LoginHandler(\Form $form){
/** @var \FormElement $e */
$e = $form->getElement('email');
/** @var \FormElement $p */
$p = $form->getElement('pass');
/** @var \UserModel $u */
$u = \UserModel::Find(array('email' => $e->get('value')), 1);
if(!$u){
// Log this as a login attempt!
$logmsg = 'Failed Login. Email not registered' . "\n" . 'Email: ' . $e->get('value') . "\n";
\SystemLogModel::LogSecurityEvent('/user/login', $logmsg);
$e->setError('t:MESSAGE_ERROR_USER_LOGIN_EMAIL_NOT_FOUND');
return false;
}
if($u->get('active') == 0){
// The model provides a quick cut-off for active/inactive users.
// This is the control managed with in the admin.
$logmsg = 'Failed Login. User tried to login before account activation' . "\n" . 'User: '******'email') . "\n";
\SystemLogModel::LogSecurityEvent('/user/login', $logmsg, null, $u->get('id'));
$e->setError('t:MESSAGE_ERROR_USER_LOGIN_ACCOUNT_NOT_ACTIVE');
return false;
}
elseif($u->get('active') == -1){
// The model provides a quick cut-off for active/inactive users.
// This is the control managed with in the admin.
$logmsg = 'Failed Login. User tried to login after account deactivation.' . "\n" . 'User: '******'email') . "\n";
\SystemLogModel::LogSecurityEvent('/user/login', $logmsg, null, $u->get('id'));
$e->setError('t:MESSAGE_ERROR_USER_LOGIN_ACCOUNT_DEACTIVATED');
return false;
}
try{
/** @var \Core\User\AuthDrivers\datastore $auth */
$auth = $u->getAuthDriver('datastore');
}
catch(Exception $e){
$e->setError('t:MESSAGE_ERROR_USER_LOGIN_PASSWORD_AUTH_DISABLED');
return false;
}
// This is a special case if the password isn't set yet.
// It can happen with imported users or if a password is invalidated.
if($u->get('password') == ''){
// Use the Nonce system to generate a one-time key with this user's data.
$nonce = \NonceModel::Generate(
'20 minutes',
['type' => 'password-reset', 'user' => $u->get('id')]
);
$link = '/datastoreauth/forgotpassword?e=' . urlencode($u->get('email')) . '&n=' . $nonce;
$email = new \Email();
$email->setSubject('Initial Password Request');
$email->to($u->get('email'));
$email->assign('link', \Core\resolve_link($link));
$email->assign('ip', REMOTE_IP);
$email->templatename = 'emails/user/initialpassword.tpl';
try{
$email->send();
\SystemLogModel::LogSecurityEvent('/user/initialpassword/send', 'Initial password request sent successfully', null, $u->get('id'));
\Core\set_message('t:MESSAGE_INFO_USER_LOGIN_MUST_SET_NEW_PASSWORD_INSTRUCTIONS_HAVE_BEEN_EMAILED');
return true;
}
catch(\Exception $e){
\Core\ErrorManagement\exception_handler($e);
\Core\set_message('t:MESSAGE_ERROR_USER_LOGIN_MUST_SET_NEW_PASSWORD_UNABLE_TO_SEND_EMAIL');
return false;
}
}
if(!$auth->checkPassword($p->get('value'))){
// Log this as a login attempt!
$logmsg = 'Failed Login. Invalid password' . "\n" . 'Email: ' . $e->get('value') . "\n";
\SystemLogModel::LogSecurityEvent('/user/login/failed_password', $logmsg, null, $u->get('id'));
// Also, I want to look up and see how many login attempts there have been in the past couple minutes.
// If there are too many, I need to start slowing the attempts.
$time = new \CoreDateTime();
$time->modify('-5 minutes');
$securityfactory = new \ModelFactory('SystemLogModel');
$securityfactory->where('code = /user/login/failed_password');
$securityfactory->where('datetime > ' . $time->getFormatted(\Time::FORMAT_EPOCH, \Time::TIMEZONE_GMT));
$securityfactory->where('ip_addr = ' . REMOTE_IP);
$attempts = $securityfactory->count();
if($attempts > 4){
// Start slowing down the response. This should help deter brute force attempts.
// (x+((x-7)/4)^3)-4
sleep( ($attempts+(($attempts-7)/4)^3)-4 );
// This makes a nice little curve with the following delays:
// 5th attempt: 0.85
// 6th attempt: 2.05
// 7th attempt: 3.02
// 8th attempt: 4.05
// 9th attempt: 5.15
// 10th attempt: 6.52
// 11th attempt: 8.10
// 12th attempt: 10.05
}
$e->setError('t:MESSAGE_ERROR_USER_LOGIN_INCORRECT_PASSWORD');
$p->set('value', '');
return false;
}
if($form->getElementValue('redirect')){
// The page was set via client-side javascript on the login page.
// This is the most reliable option.
$url = $form->getElementValue('redirect');
}
elseif(REL_REQUEST_PATH == '/user/login'){
// If the user came from the registration page, get the page before that.
$url = $form->referrer;
}
else{
// else the registration link is now on the same page as the 403 handler.
$url = REL_REQUEST_PATH;
}
// Well, record this too!
\SystemLogModel::LogSecurityEvent('/user/login', 'Login successful (via password)', null, $u->get('id'));
// yay...
$u->set('last_login', \CoreDateTime::Now('U', \Time::TIMEZONE_GMT));
$u->save();
\Core\Session::SetUser($u);
// Allow an external script to override the redirecting URL.
$overrideurl = \HookHandler::DispatchHook('/user/postlogin/getredirecturl');
if($overrideurl){
$url = $overrideurl;
}
return $url;
}
/**
* Shorthand function to generate and save a valid Nonce key.
*
* @param string $expires A human-readable string of an expire time in the future, ie: 2 seconds, 10 days, etc.
* @param string|null|mixed $hash Can be used to validate this nonce from an external verification check.
* @param mixed $data Any data that is needed to be stored along with this nonce.
* @return string
*/
public static function Generate($expires = '2 hours', $hash = null, $data = null)
{
$nonce = new NonceModel();
$nonce->_generateAndSetKey();
$nonce->setHash($hash);
// Determine the datetime that this nonce expires.
$date = new CoreDateTime();
$date->modify($expires);
$nonce->set('expires', $date->getFormatted('U', Time::TIMEZONE_GMT));
$nonce->set('data', $data);
$nonce->save();
return $nonce->get('key');
}
