/**
 * Verifies user credentials before creating the theme and displaying the request.
 *
 * Gatekeeper for the admin handler: an anonymous request never reaches the
 * rest of the constructor. For such a request the originally requested URI is
 * parked in the 'login' session set, any raw POST/GET payload is parked in the
 * 'last_form_data' set so the submission survives the login round-trip, and the
 * request is answered either with an AjaxResponse (admin_ajax rule with a Referer
 * present) or with a redirect to the login page; the script then exits.
 * For an authenticated request, parked form data is merged back into $_POST/$_GET
 * before the active theme and the admin JS stacks are set up.
 *
 * Side effects: session writes, an HTTP response or redirect plus exit() for
 * anonymous callers, and mutation of $_POST/$_GET/$_SERVER for replayed forms.
 */
public function __construct() {
    $user = User::identify();
    if ( !$user->loggedin ) {
        // Remember where the user wanted to go; the login handler reads 'original' back after authentication.
        Session::add_to_set( 'login', $_SERVER['REQUEST_URI'], 'original' );
        if ( URL::get_matched_rule()->action == 'admin_ajax' && isset( $_SERVER['HTTP_REFERER'] ) ) {
            // An AJAX caller cannot follow the HTML login redirect, so answer with a 408 it can act on.
            $ar = new AjaxResponse(408, _t('Your session has ended, please log in and try again.') );
            $ar->out();
        } else {
            // $_POST/$_GET are wrapped superglobal objects here (they expose get_array_copy_raw()/merge()).
            // The "raw" copy is parked as-is and merged back below once the user logs in again, so
            // downstream admin code must still validate those values like any fresh submission.
            $post_raw = $_POST->get_array_copy_raw();
            if ( !empty( $post_raw ) ) {
                Session::add_to_set( 'last_form_data', $post_raw, 'post' );
                Session::error( _t( 'We saved the last form you posted. Log back in to continue its submission.' ), 'expired_form_submission' );
            }
            $get_raw = $_GET->get_array_copy_raw();
            if ( !empty( $get_raw ) ) {
                Session::add_to_set( 'last_form_data', $get_raw, 'get' );
                // Same error key as above, so a request carrying both payloads registers the notice twice.
                Session::error( _t( 'We saved the last form you posted. Log back in to continue its submission.' ), 'expired_form_submission' );
            }
            Utils::redirect( URL::get( 'auth', array( 'page' => 'login' ) ) );
        }
        // Nothing below may run for an anonymous request, whichever response was sent above.
        exit;
    }
    $last_form_data = Session::get_set( 'last_form_data' ); // Parked in the "if ( !$user->loggedin )" branch above on an earlier request; the login handler transfers it.
    /* At this point, Controller has not created handler_vars, so we have to modify $_POST/$_GET. */
    if ( isset( $last_form_data['post'] ) ) {
        // Replay the parked POST body on top of the current request.
        $_POST = $_POST->merge( $last_form_data['post'] );
        $_SERVER['REQUEST_METHOD'] = 'POST'; // This will trigger the proper act_admin switches.
        Session::remove_error( 'expired_form_submission' );
    }
    if ( isset( $last_form_data['get'] ) ) {
        $_GET = $_GET->merge( $last_form_data['get'] );
        Session::remove_error( 'expired_form_submission' ); // No need to change REQUEST_METHOD since GET is the default.
    }
    // Refresh the persistent-login state for the authenticated user.
    $user->remember();
    // Create an instance of the active public theme so that its plugin functions are implemented
    $this->active_theme = Themes::create();
    // setup the stacks for javascript in the admin - it's a method so a plugin can call it externally
    self::setup_stacks();
    // on every page load check the plugins currently loaded against the list we last checked for updates and trigger a cron if we need to
    Update::check_plugins();
}
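/**
 * Form handler for the login form: authenticates the submitted credentials.
 *
 * On success any unused password-reset token is discarded, the login time is
 * recorded, form data parked in the 'login' session set is transferred to the
 * 'last_form_data' set, and the user is redirected to the originally requested
 * URI on this site's host (or to the admin root when nothing was parked); the
 * destination passes through the 'login_redirect_dest' plugin filter first.
 * On failure the submitted password is cleared from the form and an error is
 * placed in handler_vars for the view.
 *
 * Fixes against the previous version: the form-data transfer referenced an
 * undefined $last_form_data and therefore stored null; it now transfers the
 * payload found in the 'login' set itself. The redundant "$user != false" test
 * (always true for an object) is dropped.
 *
 * @param object $form the submitted login form; reads habari_username and habari_password
 * @return bool|null true after a successful login (a redirect has already been issued); null otherwise
 */
public function loginform_do_login($form) {
    $name = $form->habari_username->value;
    $pass = $form->habari_password->value;

    // Loose != is deliberate: null and '' both mean "nothing submitted".
    if (null != $name || null != $pass) {
        $user = User::authenticate($name, $pass);

        // instanceof already excludes the false/null failure values of authenticate().
        if ($user instanceof User) {
            $userinfo = $user->info;
            // An unused reset token would let whoever holds the reset link take over the
            // account after this login, so discard it now that the password itself worked.
            if (isset($userinfo->password_reset)) {
                unset($userinfo->password_reset);
            }

            /* Successfully authenticated. */
            // NOTE(review): nothing visible here regenerates the session identifier on this
            // privilege change; confirm Session or User::authenticate() does so, otherwise a
            // session id obtained before login remains valid afterwards.

            // Timestamp last login date and time.
            $user->info->authenticate_time = DateTime::create()->format('Y-m-d H:i:s');
            $user->update();

            // Remove left over expired session error message.
            if (Session::has_errors('expired_session')) {
                Session::remove_error('expired_session');
            }

            $login_session = Session::get_set('login');
            if (!empty($login_session)) {
                /* Now that we know we're dealing with the same user, transfer the parked form data so the request is not lost */
                if (!empty($login_session['post_data'])) {
                    Session::add_to_set('last_form_data', $login_session['post_data'], 'post');
                }
                if (!empty($login_session['get_data'])) {
                    Session::add_to_set('last_form_data', $login_session['get_data'], 'get');
                }
                // 'original' is the REQUEST_URI captured before login; prefixing the configured host
                // keeps the redirect on this site without parsing the URI.
                $login_dest = Site::get_url('host') . $login_session['original'];
            }
            else {
                $login_session = null;
                $login_dest = Site::get_url('admin');
            }

            // Plugins get the final say on the destination (and see the session data used to pick it).
            $login_dest = Plugins::filter('login_redirect_dest', $login_dest, $user, $login_session);

            Utils::redirect($login_dest);
            return true;
        }

        /* Authentication failed. */
        // Never echo the submitted password back into the re-rendered form.
        $form->habari_password->value = '';
        $this->handler_vars['error'] = _t('Bad credentials');
    }
}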
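/**
 * Verifies user credentials before creating the theme and displaying the request.
 *
 * Gatekeeper for the admin handler: an anonymous request never reaches the
 * rest of the constructor. The originally requested URI is parked in the
 * 'login' session set and any raw POST/GET payload in the 'last_form_data' set;
 * an admin_ajax request carrying a Referer is answered with a small JavaScript
 * callback that sends the browser back to that Referer, any other request is
 * redirected to the login page, and the script exits. For an authenticated
 * request, parked form data is merged back into $_POST/$_GET before the active
 * theme and the admin JS stacks are set up.
 *
 * Fix against the previous version: the Referer header is client-supplied text
 * and was spliced raw between the quotes of the emitted JavaScript string, so a
 * crafted value could break out of the literal; it is now emitted through
 * json_encode(), which produces a properly escaped string literal.
 */
public function __construct() {
    $user = User::identify();
    if (!$user->loggedin) {
        // Remember where the user wanted to go; the login handler reads 'original' back after authentication.
        Session::add_to_set('login', $_SERVER['REQUEST_URI'], 'original');
        if (URL::get_matched_rule()->name == 'admin_ajax' && isset($_SERVER['HTTP_REFERER'])) {
            // json_encode() yields false (older builds: null) for a Referer that is not valid UTF-8;
            // fall back to an empty string literal so the emitted script stays syntactically valid.
            $referer = json_encode($_SERVER['HTTP_REFERER']);
            if (!is_string($referer)) {
                $referer = '""';
            }
            header('Content-Type: text/javascript;charset=utf-8');
            echo '{callback: function(){location.href=' . $referer . '} }';
        }
        else {
            // $_POST/$_GET are wrapped superglobal objects here (they expose get_array_copy_raw()/merge()).
            // The "raw" copy is parked as-is and merged back below once the user logs in again, so
            // downstream admin code must still validate those values like any fresh submission.
            $post_raw = $_POST->get_array_copy_raw();
            if (!empty($post_raw)) {
                Session::add_to_set('last_form_data', $post_raw, 'post');
                Session::error(_t('We saved the last form you posted. Log back in to continue its submission.'), 'expired_form_submission');
            }
            $get_raw = $_GET->get_array_copy_raw();
            if (!empty($get_raw)) {
                Session::add_to_set('last_form_data', $get_raw, 'get');
                // Same error key as above, so a request carrying both payloads registers the notice twice.
                Session::error(_t('We saved the last form you posted. Log back in to continue its submission.'), 'expired_form_submission');
            }
            Utils::redirect(URL::get('auth', array('page' => 'login')));
        }
        // Nothing below may run for an anonymous request, whichever response was sent above.
        exit;
    }

    $last_form_data = Session::get_set('last_form_data'); // Parked in the branch above on an earlier request; the login handler transfers it.
    /* At this point, Controller has not created handler_vars, so we have to modify $_POST/$_GET. */
    if (isset($last_form_data['post'])) {
        // Replay the parked POST body on top of the current request.
        $_POST = $_POST->merge($last_form_data['post']);
        $_SERVER['REQUEST_METHOD'] = 'POST'; // This will trigger the proper act_admin switches.
        Session::remove_error('expired_form_submission');
    }
    if (isset($last_form_data['get'])) {
        $_GET = $_GET->merge($last_form_data['get']);
        Session::remove_error('expired_form_submission'); // No need to change REQUEST_METHOD since GET is the default.
    }

    // Refresh the persistent-login state for the authenticated user.
    $user->remember();
    // Create an instance of the active public theme so that its plugin functions are implemented
    $this->active_theme = Themes::create();
    // setup the stacks for javascript in the admin - it's a method so a plugin can call it externally
    self::setup_stacks();
}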
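/**
 * Either just display the login form; or check a user's credentials, and
 * create a session for them; or handle a password reset request.
 *
 * Three paths, selected by the submitted form:
 *  - 'Reset password' button: for an existing, non-numeric username a random
 *    token is generated, only its md5 is stored on the user's info record, and
 *    a reset link carrying the clear token is mailed to the user. The notice is
 *    issued whether or not the user exists so the response does not reveal
 *    valid usernames.
 *  - credentials posted: User::authenticate(); on success the login time is
 *    recorded, parked form data is transferred, and the user is redirected to
 *    the admin page derived from the originally requested URI (after the
 *    'login_redirect_dest' plugin filter). On failure the submitted password is
 *    cleared and an error is placed in handler_vars.
 *  - otherwise, and after a failed login or a reset request: the login form is
 *    displayed.
 *
 * Fixes against the previous version: the form-data transfer referenced an
 * undefined $last_form_data and therefore stored null (it now transfers the
 * payload found in the 'login' set itself); a URI with no segment after
 * 'admin/' no longer reads an undefined offset of $dest.
 *
 * @return bool|null TRUE after a successful login (a redirect has already been issued); null otherwise
 */
public function act_login() {
    // If we're a reset password request, do that.
    // NOTE: this matches the translated button label, so the label text and the active
    // locale must agree or the reset path is silently skipped.
    if (isset($_POST['submit_button']) && $_POST['submit_button'] === _t('Reset password')) {
        Utils::check_request_method(array('POST'));
        $name = $this->handler_vars['habari_username'];
        if ($name !== NULL) {
            if (!is_numeric($name) && ($user = User::get($name))) {
                $hash = Utils::random_password();
                // Only the hash is persisted; the clear token travels in the mailed link.
                $user->info->password_reset = md5($hash);
                $user->info->commit();
                $message = _t('Please visit %1$s to reset your password.', array(URL::get('user', array('page' => 'password_reset', 'id' => $user->id, 'hash' => $hash))));
                Utils::mail($user->email, _t('[%1$s] Password reset request for %2$s', array(Options::get('title'), $user->displayname)), $message);
            }
            // Moving this inside the check for user existence would allow attackers to test usernames, so don't
            Session::notice(_t('A password reset request has been sent to the user.'));
        }
    }
    else {
        Utils::check_request_method(array('GET', 'HEAD', 'POST'));
        $name = $_POST['habari_username'];
        $pass = $_POST['habari_password'];
        // Loose != is deliberate: null and '' both mean "nothing submitted".
        if (NULL != $name || NULL != $pass) {
            $user = User::authenticate($name, $pass);
            // instanceof already excludes the false/null failure values of authenticate().
            if ($user instanceof User) {
                /* Successfully authenticated. */
                // NOTE(review): nothing visible here regenerates the session identifier on this
                // privilege change; confirm Session or User::authenticate() does so.

                // Timestamp last login date and time.
                $user->info->authenticate_time = date('Y-m-d H:i:s');
                $user->update();

                // Remove left over expired session error message.
                if (Session::has_errors('expired_session')) {
                    Session::remove_error('expired_session');
                }

                $login_session = Session::get_set('login');
                if (!empty($login_session)) {
                    /* Now that we know we're dealing with the same user, transfer the parked form data so the request is not lost */
                    if (!empty($login_session['post_data'])) {
                        Session::add_to_set('last_form_data', $login_session['post_data'], 'post');
                    }
                    if (!empty($login_session['get_data'])) {
                        Session::add_to_set('last_form_data', $login_session['get_data'], 'get');
                    }

                    /* Redirect to the correct admin page */
                    // 'original' is the REQUEST_URI captured before login; keep the part from 'admin/' on
                    // and split it into path segments. Only the first segment after 'admin/' is used;
                    // deeper paths are truncated to it.
                    $dest = explode('/', MultiByte::substr($login_session['original'], MultiByte::strpos($login_session['original'], 'admin/')));
                    if ('' == $dest[0]) {
                        $login_dest = Site::get_url('admin');
                    }
                    else {
                        // A URI such as '/admin' yields a single segment; treat the missing page as ''
                        // rather than reading an undefined offset.
                        $page = isset($dest[1]) ? $dest[1] : '';
                        // Replace '?' with '&' in the page segment before calling URL::get(),
                        // so the original query string is passed along as extra parameters.
                        $login_dest = URL::get('admin', 'page=' . str_replace('?', '&', $page));
                    }
                }
                else {
                    $login_session = null;
                    $login_dest = Site::get_url('admin');
                }

                // Plugins get the final say on the destination (and see the session data used to pick it).
                $login_dest = Plugins::filter('login_redirect_dest', $login_dest, $user, $login_session);

                Utils::redirect($login_dest);
                return TRUE;
            }

            /* Authentication failed. */
            // Never echo the submitted password back into the re-rendered form.
            $_POST['habari_password'] = '';
            $this->handler_vars['error'] = _t('Bad credentials');
        }
    }

    // Display the login form (pre-filled with the submitted username, if any).
    $this->login_form($name);
}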