/** * Widget to display some of the newest registrations, (if any). */ public function newestSignups(){ if(!\Core\user()->checkAccess('p:/user/users/manage')){ return ''; } // How far back do I want to search for? // 1 month sounds good! $date = new CoreDateTime(); $date->modify('-1 month'); $searches = UserModel::Find(['created > ' . $date->getFormatted('U')], 10, 'created DESC'); // No results? No problem :) if(!sizeof($searches)) return ''; $view = $this->getView(); $view->assign('enableavatar', (\ConfigHandler::Get('/user/enableavatar'))); $view->assign('users', $searches); }
public function wpadmin() { $view = $this->getView(); $request = $this->getPageRequest(); if ($request->isPost()) { // Did they actually try to submit this form?...... silly bot ;) SystemLogModel::LogSecurityEvent('/wp-admin Honeypot POST', 'POST submission to /wp-admin detected!', print_r($_POST, true)); $expireback = new CoreDateTime(); $expireback->modify('+2 days'); $block = IpBlacklistModel::Find(['ip_addr = ' . REMOTE_IP . '/32'], 1); if (!$block) { $block = new IpBlacklistModel(); $block->set('ip_addr', REMOTE_IP . '/32'); } $block->setFromArray(['expires' => $expireback->getFormatted('U', Time::TIMEZONE_GMT), 'message' => 'You tried to submit a wp-admin page.... this is not a WP site!', 'comment' => 'Bot or user submitted to wp-admin']); $block->save(); } else { // Just record the hit. SystemLogModel::LogSecurityEvent('/wp-admin Honeypot GET', 'GET request to /wp-admin detected!'); } $view->templatename = 'pages/wphoneypot/wpadmin.phtml'; $view->mastertemplate = false; }
/** * The hook catch for the "/core/admin/view" hook. */ public static function AdminHook() { // If this user doesn't have access to manage crons, just continue. if (!\Core\user()->checkAccess('p:/cron/viewlog')) { return; } $suffixtext = 'This could be a problem if you have scripts relying on it! <a href="' . \Core\resolve_link('/cron/howto') . '">Read how to resolve this issue</a>.'; // Lookup and make sure that the cron hooks have ran recently enough! $checks = [['cron' => 'hourly', 'modify' => '-1 hour', 'label' => 'hour'], ['cron' => 'daily', 'modify' => '-1 day', 'label' => 'day'], ['cron' => 'weekly', 'modify' => '-1 week', 'label' => 'week'], ['cron' => 'monthly', 'modify' => '-1 month', 'label' => 'month']]; foreach ($checks as $check) { $time = new CoreDateTime(); $cronfac = new ModelFactory('CronLogModel'); $cronfac->where('cron = ' . $check['cron']); $time->modify($check['modify']); $cronfac->where('created >= ' . $time->getFormatted('U', Time::TIMEZONE_GMT)); $count = $cronfac->count(); if ($count == 0) { \Core\set_message('Your ' . $check['cron'] . ' cron has not run in the last ' . $check['label'] . '! ' . $suffixtext, 'error'); // Only complain to the admin once per view. return; } } }
/** * Method to purge the user activity cron. * * This is useful because on an extremely busy site, this table can grow to several gigs within not much time. */ public static function PurgeUserActivityCron() { $opt = \ConfigHandler::Get('/user/activity/keephistory'); if($opt == 'all' || !$opt){ echo 'Not purging any user activity.' . "\n"; return true; } // Convert the key to a datestring value. $date = new \CoreDateTime(); switch($opt){ case '1-week': $date->modify('-1 week'); break; case '1-month': $date->modify('-1 month'); break; case '2-months': $date->modify('-2 month'); break; case '3-months': $date->modify('-3 month'); break; case '6-months': $date->modify('-6 month'); break; case '12-months': $date->modify('-12 month'); break; case '24-months': $date->modify('-24 month'); break; case '36-months': $date->modify('-36 month'); break; default: echo 'Invalid value for /user/activity/keephistory: [' . $opt . ']'; return false; } // And delete any activity older than this date. echo 'Purging user activity older than ' . $date->getFormatted('r') . "...\n"; $ds = new \Core\Datamodel\Dataset(); $ds->delete()->table('user_activity')->where('datetime < ' . $date->getFormatted('U', \TIME::TIMEZONE_GMT))->execute(); echo 'Removed ' . $ds->num_rows . ' record(s).' . "\n"; return true; }
/** * Form Handler for logging in. * * @static * * @param \Form $form * * @return bool|null|string */ public static function LoginHandler(\Form $form){ /** @var \FormElement $e */ $e = $form->getElement('email'); /** @var \FormElement $p */ $p = $form->getElement('pass'); /** @var \UserModel $u */ $u = \UserModel::Find(array('email' => $e->get('value')), 1); if(!$u){ // Log this as a login attempt! $logmsg = 'Failed Login. Email not registered' . "\n" . 'Email: ' . $e->get('value') . "\n"; \SystemLogModel::LogSecurityEvent('/user/login', $logmsg); $e->setError('t:MESSAGE_ERROR_USER_LOGIN_EMAIL_NOT_FOUND'); return false; } if($u->get('active') == 0){ // The model provides a quick cut-off for active/inactive users. // This is the control managed with in the admin. $logmsg = 'Failed Login. User tried to login before account activation' . "\n" . 'User: '******'email') . "\n"; \SystemLogModel::LogSecurityEvent('/user/login', $logmsg, null, $u->get('id')); $e->setError('t:MESSAGE_ERROR_USER_LOGIN_ACCOUNT_NOT_ACTIVE'); return false; } elseif($u->get('active') == -1){ // The model provides a quick cut-off for active/inactive users. // This is the control managed with in the admin. $logmsg = 'Failed Login. User tried to login after account deactivation.' . "\n" . 'User: '******'email') . "\n"; \SystemLogModel::LogSecurityEvent('/user/login', $logmsg, null, $u->get('id')); $e->setError('t:MESSAGE_ERROR_USER_LOGIN_ACCOUNT_DEACTIVATED'); return false; } try{ /** @var \Core\User\AuthDrivers\datastore $auth */ $auth = $u->getAuthDriver('datastore'); } catch(Exception $e){ $e->setError('t:MESSAGE_ERROR_USER_LOGIN_PASSWORD_AUTH_DISABLED'); return false; } // This is a special case if the password isn't set yet. // It can happen with imported users or if a password is invalidated. if($u->get('password') == ''){ // Use the Nonce system to generate a one-time key with this user's data. $nonce = \NonceModel::Generate( '20 minutes', ['type' => 'password-reset', 'user' => $u->get('id')] ); $link = '/datastoreauth/forgotpassword?e=' . urlencode($u->get('email')) . '&n=' . $nonce; $email = new \Email(); $email->setSubject('Initial Password Request'); $email->to($u->get('email')); $email->assign('link', \Core\resolve_link($link)); $email->assign('ip', REMOTE_IP); $email->templatename = 'emails/user/initialpassword.tpl'; try{ $email->send(); \SystemLogModel::LogSecurityEvent('/user/initialpassword/send', 'Initial password request sent successfully', null, $u->get('id')); \Core\set_message('t:MESSAGE_INFO_USER_LOGIN_MUST_SET_NEW_PASSWORD_INSTRUCTIONS_HAVE_BEEN_EMAILED'); return true; } catch(\Exception $e){ \Core\ErrorManagement\exception_handler($e); \Core\set_message('t:MESSAGE_ERROR_USER_LOGIN_MUST_SET_NEW_PASSWORD_UNABLE_TO_SEND_EMAIL'); return false; } } if(!$auth->checkPassword($p->get('value'))){ // Log this as a login attempt! $logmsg = 'Failed Login. Invalid password' . "\n" . 'Email: ' . $e->get('value') . "\n"; \SystemLogModel::LogSecurityEvent('/user/login/failed_password', $logmsg, null, $u->get('id')); // Also, I want to look up and see how many login attempts there have been in the past couple minutes. // If there are too many, I need to start slowing the attempts. $time = new \CoreDateTime(); $time->modify('-5 minutes'); $securityfactory = new \ModelFactory('SystemLogModel'); $securityfactory->where('code = /user/login/failed_password'); $securityfactory->where('datetime > ' . $time->getFormatted(\Time::FORMAT_EPOCH, \Time::TIMEZONE_GMT)); $securityfactory->where('ip_addr = ' . REMOTE_IP); $attempts = $securityfactory->count(); if($attempts > 4){ // Start slowing down the response. This should help deter brute force attempts. // (x+((x-7)/4)^3)-4 sleep( ($attempts+(($attempts-7)/4)^3)-4 ); // This makes a nice little curve with the following delays: // 5th attempt: 0.85 // 6th attempt: 2.05 // 7th attempt: 3.02 // 8th attempt: 4.05 // 9th attempt: 5.15 // 10th attempt: 6.52 // 11th attempt: 8.10 // 12th attempt: 10.05 } $e->setError('t:MESSAGE_ERROR_USER_LOGIN_INCORRECT_PASSWORD'); $p->set('value', ''); return false; } if($form->getElementValue('redirect')){ // The page was set via client-side javascript on the login page. // This is the most reliable option. $url = $form->getElementValue('redirect'); } elseif(REL_REQUEST_PATH == '/user/login'){ // If the user came from the registration page, get the page before that. $url = $form->referrer; } else{ // else the registration link is now on the same page as the 403 handler. $url = REL_REQUEST_PATH; } // Well, record this too! \SystemLogModel::LogSecurityEvent('/user/login', 'Login successful (via password)', null, $u->get('id')); // yay... $u->set('last_login', \CoreDateTime::Now('U', \Time::TIMEZONE_GMT)); $u->save(); \Core\Session::SetUser($u); // Allow an external script to override the redirecting URL. $overrideurl = \HookHandler::DispatchHook('/user/postlogin/getredirecturl'); if($overrideurl){ $url = $overrideurl; } return $url; }
/** * Shorthand function to generate and save a valid Nonce key. * * @param string $expires A human-readable string of an expire time in the future, ie: 2 seconds, 10 days, etc. * @param string|null|mixed $hash Can be used to validate this nonce from an external verification check. * @param mixed $data Any data that is needed to be stored along with this nonce. * @return string */ public static function Generate($expires = '2 hours', $hash = null, $data = null) { $nonce = new NonceModel(); $nonce->_generateAndSetKey(); $nonce->setHash($hash); // Determine the datetime that this nonce expires. $date = new CoreDateTime(); $date->modify($expires); $nonce->set('expires', $date->getFormatted('U', Time::TIMEZONE_GMT)); $nonce->set('data', $data); $nonce->save(); return $nonce->get('key'); }