/** * Stores a new password for a user. */ public function store_action() { $this->check_ticket(); $errors = array(); $hasher = UserManagement::getPwdHasher(); $password = Request::get('new_password'); $confirm = Request::get('new_password_confirm'); if (!($hasher->CheckPassword(md5(Request::get('password')), $this->user['password']) || $hasher->CheckPassword(Request::get('password'), $this->user['password']) || strlen($this->user['password']) == 32 && md5(Request::get('password')) == $this->user['password'])) { $errors[] = _('Das aktuelle Passwort wurde nicht korrekt eingegeben.'); } if (!$this->validator->ValidatePassword($password)) { $errors[] = _('Das Passwort ist zu kurz - es sollte mindestens 4 Zeichen lang sein.'); } else { if ($password !== $confirm) { $errors[] = _('Die Wiederholung Ihres Passworts stimmt nicht mit Ihrer Eingabe überein.'); } else { if ($password == $this->user['username']) { $errors[] = _('Das Passwort darf nicht mit dem Nutzernamen übereinstimmen.'); } else { if (str_replace(array('.', ' '), '', strtolower($password)) == 'studip') { $errors[] = _('Aus Sicherheitsgründen darf das Passwort nicht "Stud.IP" oder eine Abwandlung davon sein.'); } } } } if (count($errors) > 0) { $this->reportErrorWithDetails(_('Bitte überprüfen Sie Ihre Eingabe:'), $errors); } else { $this->user->password = $hasher->HashPassword($password); if ($this->user->store()) { $this->reportSuccess(_('Das Passwort wurde erfolgreich geändert.')); } } $this->redirect('settings/password'); }
/** * * * * @access public * */ function isAuthenticated($username, $password) { $user = User::findByUsername($username); if (!$user || !$password || strlen($password) > 72) { $this->error_msg = _("Ungültige Benutzername/Passwort-Kombination!"); return false; } elseif ($user->username != $username) { $this->error_msg = _("Bitte achten Sie auf korrekte Groß-Kleinschreibung beim Username!"); return false; } elseif (!is_null($user->auth_plugin) && $user->auth_plugin != "standard") { $this->error_msg = sprintf(_("Dieser Benutzername wird bereits über %s authentifiziert!"), $user->auth_plugin); return false; } else { $pass = $user->password; // Password is stored as a md5 hash } $hasher = UserManagement::getPwdHasher(); $old_style_check = strlen($pass) == 32 && md5($password) == $pass; $migrated_check = $hasher->CheckPassword(md5($password), $pass); $check = $hasher->CheckPassword($password, $pass); if (!($check || $migrated_check || $old_style_check)) { $this->error_msg = _("Das Passwort ist falsch!"); return false; } else { return true; } }
function up() { $db = DBManager::get(); $db->exec("ALTER TABLE `auth_user_md5` CHANGE `password` `password` VARBINARY( 64 ) NOT NULL DEFAULT ''"); $hasher = UserManagement::getPwdHasher(); $pwd_up = $db->prepare("UPDATE auth_user_md5 SET password=? WHERE user_id=?"); foreach($db->query("SELECT user_id,password FROM auth_user_md5 WHERE auth_plugin='standard' AND password <> ''") as $row) { $new_pwd = $hasher->HashPassword($row['password']); $pwd_up->execute(array($new_pwd, $row['user_id'])); } SimpleORMap::expireTableScheme(); }
/** * @return bool|string */ function auth_doregister() { global $_language_path; $this->error_msg = ""; // check for direct link to register2.php if (!$_SESSION['_language'] || $_SESSION['_language'] == "") { $_SESSION['_language'] = get_accepted_languages(); } $_language_path = init_i18n($_SESSION['_language']); $this->auth["uname"] = Request::username('username'); // This provides access for "crcregister.ihtml" $validator = new email_validation_class(); // Klasse zum Ueberpruefen der Eingaben $validator->timeout = 10; // Wie lange warten wir auf eine Antwort des Mailservers? if (!Seminar_Session::check_ticket(Request::option('login_ticket'))) { return false; } $username = trim(Request::get('username')); $Vorname = trim(Request::get('Vorname')); $Nachname = trim(Request::get('Nachname')); // accept only registered domains if set $cfg = Config::GetInstance(); $email_restriction = $cfg->getValue('EMAIL_DOMAIN_RESTRICTION'); if ($email_restriction) { $Email = trim(Request::get('Email')) . '@' . trim(Request::get('emaildomain')); } else { $Email = trim(Request::get('Email')); } if (!$validator->ValidateUsername($username)) { $this->error_msg = $this->error_msg . _("Der gewählte Benutzername ist zu kurz!") . "<br>"; return false; } // username syntaktisch falsch oder zu kurz // auf doppelte Vergabe wird weiter unten getestet. if (!$validator->ValidatePassword(Request::quoted('password'))) { $this->error_msg = $this->error_msg . _("Das Passwort ist zu kurz!") . "<br>"; return false; } if (!$validator->ValidateName($Vorname)) { $this->error_msg = $this->error_msg . _("Der Vorname fehlt oder ist unsinnig!") . "<br>"; return false; } // Vorname nicht korrekt oder fehlend if (!$validator->ValidateName($Nachname)) { $this->error_msg = $this->error_msg . _("Der Nachname fehlt oder ist unsinnig!") . "<br>"; return false; // Nachname nicht korrekt oder fehlend } if (!$validator->ValidateEmailAddress($Email)) { $this->error_msg = $this->error_msg . _("Die E-Mail-Adresse fehlt oder ist falsch geschrieben!") . "<br>"; return false; } // E-Mail syntaktisch nicht korrekt oder fehlend $REMOTE_ADDR = $_SERVER["REMOTE_ADDR"]; $Zeit = date("H:i:s, d.m.Y", time()); if (!$validator->ValidateEmailHost($Email)) { // Mailserver nicht erreichbar, ablehnen $this->error_msg = $this->error_msg . _("Der Mailserver ist nicht erreichbar, bitte überprüfen Sie, ob Sie E-Mails mit der angegebenen Adresse verschicken und empfangen können!") . "<br>"; return false; } else { // Server ereichbar if (!$validator->ValidateEmailBox($Email)) { // aber user unbekannt. Mail an abuse! StudipMail::sendAbuseMessage("Register", "Emailbox unbekannt\n\nUser: {$username}\nEmail: {$Email}\n\nIP: {$REMOTE_ADDR}\nZeit: {$Zeit}\n"); $this->error_msg = $this->error_msg . _("Die angegebene E-Mail-Adresse ist nicht erreichbar, bitte überprüfen Sie Ihre Angaben!") . "<br>"; return false; } else { // Alles paletti, jetzt kommen die Checks gegen die Datenbank... } } $check_uname = StudipAuthAbstract::CheckUsername($username); if ($check_uname['found']) { // error_log("username schon vorhanden", 0); $this->error_msg = $this->error_msg . _("Der gewählte Benutzername ist bereits vorhanden!") . "<br>"; return false; // username schon vorhanden } if (count(User::findBySQL("Email LIKE " . DbManager::get()->quote($Email)))) { $this->error_msg = $this->error_msg . _("Die angegebene E-Mail-Adresse wird bereits von einem anderen Benutzer verwendet. Sie müssen eine andere E-Mail-Adresse angeben!") . "<br>"; return false; // Email schon vorhanden } // alle Checks ok, Benutzer registrieren... $hasher = UserManagement::getPwdHasher(); $new_user = new User(); $new_user->username = $username; $new_user->perms = 'user'; $new_user->password = $hasher->HashPassword(Request::get('password')); $new_user->vorname = $Vorname; $new_user->nachname = $Nachname; $new_user->email = $Email; $new_user->geschlecht = Request::int('geschlecht'); $new_user->title_front = trim(Request::get('title_front', Request::get('title_front_chooser'))); $new_user->title_rear = trim(Request::get('title_rear', Request::get('title_rear_chooser'))); $new_user->auth_plugin = 'standard'; $new_user->store(); if ($new_user->user_id) { self::sendValidationMail($new_user); $this->auth["perm"] = $new_user->perms; return $new_user->user_id; } }
/** * Imports a line of the table into the Stud.IP database if the check returns no errors. * @param array $line : array of fields * @return array : array('found' => true|false, 'errors' => "Error message", 'pk' => "primary key") */ public function importLine($line) { $plugin = $this->getPlugin(); $classname = $this['import_type']; if (!$classname) { return array(); } $data = $this->getMappedData($line); $pk = $this->getPrimaryKey($data); //Last chance to quit: $error = $this->checkLine($line, $data, $pk); $output = array(); $object = new $classname($pk); if (!$object->isNew()) { $output['found'] = true; $output['pk'] = $pk; foreach ((array) $this['tabledata']['ignoreonupdate'] as $fieldname) { unset($data[$fieldname]); } } else { $output['found'] = false; } foreach ($data as $fieldname => $value) { if ($value !== false && in_array($fieldname, $this->getTargetFields())) { $object[$fieldname] = $value; if ($classname === "User" && $fieldname === "password") { $object[$fieldname] = UserManagement::getPwdHasher()->HashPassword($value); } } } if (method_exists($object, "getFullName")) { $error['name'] = $output['name'] = $object->getFullName(); } elseif ($object->isField("name")) { $error['name'] = $output['name'] = $object['name']; } elseif ($object->isField("title")) { $error['name'] = $output['name'] = $object['title']; } if ($error && $error['errors']) { //exit here to have the name of the object in the log return $error; } if ($plugin) { $plugin->beforeUpdate($object, $line, $data); } $object->store(); $output['pk'] = (array) $object->getId(); //Dynamic special fields: switch ($classname) { case "Course": //fleximport_dozenten foreach ($data['fleximport_dozenten'] as $dozent_id) { $seminar = new Seminar($object->getId()); $seminar->addMember($dozent_id, 'dozent'); } //fleximport_related_institutes if (!$data['fleximport_related_institutes']) { $data['fleximport_related_institutes'] = array($object['institut_id']); } else { if (!in_array($object['institut_id'], $data['fleximport_related_institutes'])) { $data['fleximport_related_institutes'][] = $object['institut_id']; } } foreach ($data['fleximport_related_institutes'] as $institut_id) { $insert = DBManager::get()->prepare("\n INSERT IGNORE INTO seminar_inst\n SET seminar_id = :seminar_id,\n institut_id = :institut_id\n "); $insert->execute(array('seminar_id' => $object->getId(), 'institut_id' => $institut_id)); } if ($this['tabledata']['simplematching']["fleximport_course_userdomains"]['column'] || in_array("fleximport_course_userdomains", $this->fieldsToBeDynamicallyMapped())) { $statement = DBManager::get()->prepare("\n SELECT userdomain_id\n FROM seminar_userdomains\n WHERE seminar_id = ?\n "); $statement->execute(array($object->getId())); $olddomains = $statement->fetchAll(PDO::FETCH_COLUMN, 0); foreach (array_diff($data['fleximport_user_inst'], $olddomains) as $to_add) { $domain = new UserDomain($to_add); $domain->addSeminar($object->getId()); } foreach (array_diff($olddomains, $data['fleximport_user_inst']) as $to_remove) { $domain = new UserDomain($to_remove); $domain->removeSeminar($object->getId()); } } break; case "User": if ($this['tabledata']['simplematching']["fleximport_user_inst"]['column'] || in_array("fleximport_user_inst", $this->fieldsToBeDynamicallyMapped())) { if ($object['perms'] !== "root") { foreach ($data['fleximport_user_inst'] as $institut_id) { $member = new InstituteMember(array($object->getId(), $institut_id)); $member['inst_perms'] = $object['perms']; $member->store(); } } } if ($this['tabledata']['simplematching']["fleximport_userdomains"]['column'] || in_array("fleximport_userdomains", $this->fieldsToBeDynamicallyMapped())) { $olddomains = UserDomain::getUserDomainsForUser($object->getId()); foreach ($olddomains as $olddomain) { if (!in_array($olddomain->getID(), (array) $data['fleximport_userdomains'])) { $olddomain->removeUser($object->getId()); } } foreach ($data['fleximport_userdomains'] as $userdomain) { $domain = new UserDomain($userdomain); $domain->addUser($object->getId()); } AutoInsert::instance()->saveUser($object->getId()); foreach ($data['fleximport_userdomains'] as $domain_id) { if (!in_array($domain_id, $olddomains)) { $welcome = FleximportConfig::get("USERDOMAIN_WELCOME_" . $domain_id); if ($welcome) { foreach ($object->toArray() as $field => $value) { $welcome = str_replace("{{" . $field . "}}", $value, $welcome); } foreach ($line as $field => $value) { $welcome = str_replace("{{" . $field . "}}", $value, $welcome); } if (strpos($welcome, "\n") === false) { $subject = _("Willkommen!"); } else { $subject = strstr($welcome, "\n", true); $welcome = substr($welcome, strpos($welcome, "\n") + 1); } $messaging = new messaging(); $count = $messaging->insert_message($welcome, $object->username, '____%system%____', null, null, null, null, $subject, true, 'normal'); } } } } if ($this['tabledata']['simplematching']["fleximport_expiration_date"]['column'] || in_array("fleximport_expiration_date", $this->fieldsToBeDynamicallyMapped())) { if ($data['fleximport_expiration_date']) { UserConfig::get($object->getId())->store("EXPIRATION_DATE", $data['fleximport_expiration_date']); } else { UserConfig::get($object->getId())->delete("EXPIRATION_DATE"); } } if ($output['found'] === false && $data['fleximport_welcome_message'] !== "none") { $user_language = getUserLanguagePath($object->getId()); setTempLanguage(false, $user_language); if ($data['fleximport_welcome_message'] && FleximportConfig::get($data['fleximport_welcome_message'])) { $message = FleximportConfig::get($data['fleximport_welcome_message']); foreach ($data as $field => $value) { $message = str_replace("{{" . $field . "}}", $value, $message); } foreach ($line as $field => $value) { if (!in_array($field, $data)) { $message = str_replace("{{" . $field . "}}", $value, $message); } } if (strpos($message, "\n") === false) { $subject = dgettext($user_language, "Anmeldung Stud.IP-System"); } else { $subject = strstr($message, "\n", true); $message = substr($message, strpos($message, "\n") + 1); } } else { $Zeit = date("H:i:s, d.m.Y", time()); $this->user_data = array('auth_user_md5.username' => $object['username'], 'auth_user_md5.perms' => $object['perms'], 'auth_user_md5.Vorname' => $object['vorname'], 'auth_user_md5.Nachname' => $object['nachname'], 'auth_user_md5.Email' => $object['email']); $password = $data['password']; //this is the not hashed password in cleartext include "locale/{$user_language}/LC_MAILS/create_mail.inc.php"; $message = $mailbody; } if ($message) { $mail = new StudipMail(); $mail->addRecipient($object['email'], $object->getFullName()); $mail->setSubject($subject); $mail->setBodyText($message); $mail->setBodyHtml(formatReady($message)); if (Config::get()->MAILQUEUE_ENABLE) { MailQueueEntry::add($mail); } else { $mail->send(); } } restoreLanguage(); } break; } //Datafields: $datafields = array(); switch ($classname) { case "Course": $datafields = Datafield::findBySQL("object_type = 'sem'"); break; case "User": $datafields = Datafield::findBySQL("object_type = 'user'"); break; case "CourseMember": $datafields = Datafield::findBySQL("object_type = 'usersemdata'"); break; } foreach ($datafields as $datafield) { $fieldname = $datafield['name']; if (isset($data[$fieldname])) { $entry = new DatafieldEntryModel(array($datafield->getId(), $object->getId(), "")); $entry['content'] = $data[$fieldname]; $entry->store(); } } if ($classname === "Course") { if ($this['tabledata']['simplematching']["fleximport_studyarea"]['column'] || in_array("fleximport_studyarea", $this->fieldsToBeDynamicallyMapped())) { //Studienbereiche: $remove = DBManager::get()->prepare("\n DELETE FROM seminar_sem_tree\n WHERE seminar_id = :seminar_id\n "); $remove->execute(array('seminar_id' => $object->getId())); if ($GLOBALS['SEM_CLASS'][$GLOBALS['SEM_TYPE'][$data['status']]['class']]['bereiche']) { foreach ($data['fleximport_studyarea'] as $sem_tree_id) { $insert = DBManager::get()->prepare("\n INSERT IGNORE INTO seminar_sem_tree\n SET sem_tree_id = :sem_tree_id,\n seminar_id = :seminar_id\n "); $insert->execute(array('sem_tree_id' => $sem_tree_id, 'seminar_id' => $object->getId())); } } } if ($this['tabledata']['simplematching']["fleximport_locked"]['column'] || in_array("fleximport_locked", $this->fieldsToBeDynamicallyMapped())) { //Lock or unlock course if ($data['fleximport_locked']) { CourseSet::addCourseToSet(CourseSet::getGlobalLockedAdmissionSetId(), $object->getId()); } elseif (in_array($data['fleximport_locked'], array("0", 0)) && $data['fleximport_locked'] !== "") { CourseSet::removeCourseFromSet(CourseSet::getGlobalLockedAdmissionSetId(), $object->getId()); } } $folder_exist = DBManager::get()->prepare("\n SELECT 1 FROM folder WHERE range_id = ?\n "); $folder_exist->execute(array($object->getId())); if (!$folder_exist->fetch()) { $insert_folder = DBManager::get()->prepare("\n INSERT IGNORE INTO folder\n SET folder_id = MD5(CONCAT(:seminar_id, 'allgemeine_dateien')),\n range_id = :seminar_id,\n user_id = :user_id,\n name = :name,\n description = :description,\n mkdate = UNIX_TIMESTAMP(),\n chdate = UNIX_TIMESTAMP()\n "); $insert_folder->execute(array('seminar_id' => $object->getId(), 'user_id' => $GLOBALS['user']->id, 'name' => _("Allgemeiner Dateiordner"), 'description' => _("Ablage für allgemeine Ordner und Dokumente der Veranstaltung"))); } } if ($plugin && !$object->isNew()) { $plugin->afterUpdate($object, $line); } return $output; }