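/**
 * Handles the admin login form submission.
 *
 * Reads "mail", "username" and "password" from the POST request, enforces the
 * configurable login-attempt limit, optionally restricts admin login to the IP
 * stored in the "ipLogin" setting, and on success opens the admin session.
 * Every failure sets an error on "form_admin_login", enables the admin captcha
 * and writes a login-log entry; the submitted password is masked in that log.
 */
public function __construct()
{
    parent::__construct();

    $sIp = Ip::get();
    $oAdminModel = new AdminModel();
    $oSecurityModel = new SecurityModel();

    $sEmail = $this->httpRequest->post('mail');
    $sUsername = $this->httpRequest->post('username');
    $sPassword = $this->httpRequest->post('password');

    // Never write the submitted password to the login log: failed attempts are
    // often near-misses of the real credential. The success path already masks it,
    // so the failure paths below use the same placeholder.
    $sMaskedPassword = '*****';

    /*** Security IP Login ***/
    // When this setting is non-empty, admin login is only accepted from that IP.
    $sIpLogin = DbConfig::getSetting('ipLogin');

    /*** Check if the connection is not locked ***/
    $bIsLoginAttempt = (bool) DbConfig::getSetting('isAdminLoginAttempt');
    $iMaxAttempts = (int) DbConfig::getSetting('maxAdminLoginAttempts');
    $iTimeDelay = (int) DbConfig::getSetting('loginAdminAttemptTime');

    if ($bIsLoginAttempt && !$oSecurityModel->checkLoginAttempt($iMaxAttempts, $iTimeDelay, $sEmail, $this->view, 'Admins')) {
        \PFBC\Form::setError('form_admin_login', Form::loginAttemptsExceededMsg($iTimeDelay));
        return; // Stop execution of the method.
    }

    /*** Check Login ***/
    $bIsLogged = $oAdminModel->adminLogin($sEmail, $sUsername, $sPassword);
    $bIsIpBanned = !empty($sIpLogin) && $sIpLogin !== $sIp;

    if (!$bIsLogged || $bIsIpBanned) {
        sleep(2); // Security against brute-force attack to avoid drowning the server and the database

        if (!$bIsLogged) {
            $oSecurityModel->addLoginLog($sEmail, $sUsername, $sMaskedPassword, 'Failed! Incorrect Email, Username or Password', 'Admins');

            if ($bIsLoginAttempt) {
                $oSecurityModel->addLoginAttempt('Admins');
            }

            $this->session->set('captcha_admin_enabled', 1); // Enable Captcha
            \PFBC\Form::setError('form_admin_login', t('"Email", "Username" or "Password" is Incorrect'));
        } elseif ($bIsIpBanned) {
            // Credentials were valid but the request did not come from the configured IP.
            $this->session->set('captcha_admin_enabled', 1); // Enable Captcha
            \PFBC\Form::setError('form_admin_login', t('Incorrect Login!'));
            $oSecurityModel->addLoginLog($sEmail, $sUsername, $sMaskedPassword, 'Failed! Bad Ip adress', 'Admins');
        }
    } else {
        $oSecurityModel->clearLoginAttempts('Admins');
        $this->session->remove('captcha_admin_enabled');

        // Is disconnected if the user is logged on as "user" or "affiliate".
        if (UserCore::auth() || AffiliateCore::auth()) {
            $this->session->destroy();
        }

        $iId = $oAdminModel->getId($sEmail, null, 'Admins');
        $oAdminData = $oAdminModel->readProfile($iId, 'Admins');

        // Regenerate the session ID to prevent the session fixation
        $this->session->regenerateId();

        $aSessionData = array(
            'admin_id' => $oAdminData->profileId,
            'admin_email' => $oAdminData->email,
            'admin_username' => $oAdminData->username,
            'admin_first_name' => $oAdminData->firstName,
            'admin_ip' => $sIp,
            'admin_http_user_agent' => $this->browser->getUserAgent(),
            'admin_token' => Various::genRnd($oAdminData->email)
        );
        $this->session->set($aSessionData);

        $oSecurityModel->addLoginLog($sEmail, $sUsername, $sMaskedPassword, 'Logged in!', 'Admins');
        $oAdminModel->setLastActivity($oAdminData->profileId, 'Admins');

        HeaderUrl::redirect(Uri::get(PH7_ADMIN_MOD, 'main', 'index'), t('You signup is successfully!'));
    }
}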
/**
 * Access rules for the lost-password module.
 *
 * Password recovery ("forgot" / "reset" actions) is refused for the admin
 * module and redirected to the admin login, and refused for anyone who is
 * already authenticated as a user, affiliate or admin.
 */
public function __construct()
{
    parent::__construct();

    $sAction = $this->registry->action;
    $bIsRecoveryAction = ($sAction == 'forgot' || $sAction == 'reset');

    // Admin Security, if you have forgotten your admin password, comment this code below
    if ($this->httpRequest->get('mod') == PH7_ADMIN_MOD && $bIsRecoveryAction) {
        Header::redirect(
            Uri::get(PH7_ADMIN_MOD, 'main', 'login'),
            t('For security reasons, you do not have the right to generate a new password. To disable this security option, you must go to the Permission file of "lost-password" module'),
            'error'
        );
    }

    // A logged-in account of any role has no business in the recovery flow.
    $bIsAnyoneLoggedIn = (UserCore::auth() || AffiliateCore::auth() || AdminCore::auth());
    if ($bIsAnyoneLoggedIn && $bIsRecoveryAction) {
        Header::redirect(Uri::get('lost-password', 'main', 'account'), $this->alreadyConnectedMsg(), 'error');
    }
}
/**
 * Redirects a logged-in account to its own area.
 *
 * Roles are checked in the order user, affiliate, admin; the first match wins.
 * With no authenticated role the redirect goes to the site root.
 */
public function account()
{
    if (UserCore::auth()) {
        Header::redirect(Uri::get('user', 'account', 'index'));
        return;
    }

    if (AffiliateCore::auth()) {
        Header::redirect(Uri::get('affiliate', 'account', 'index'));
        return;
    }

    if (AdminCore::auth()) {
        Header::redirect(Uri::get(PH7_ADMIN_MOD, 'main', 'index'));
        return;
    }

    Header::redirect($this->registry->site_url);
}
/**
 * Access rules for the affiliate module.
 *
 * Decides, from the current controller/action and the affiliate/admin
 * authentication state, whether the request is redirected away (with an
 * error message) before the controller runs.
 */
public function __construct()
{
    parent::__construct();

    $bAffAuth = AffiliateCore::auth();
    $bAdminAuth = AdminCore::auth();
    $sCtrl = $this->registry->controller;
    $sAct = $this->registry->action;

    // Guests may neither use the ads controller nor log out.
    if (!$bAffAuth && ($sCtrl === 'AdsController' || $sAct === 'logout')) {
        Header::redirect(Uri::get('affiliate', 'signup', 'step1'), $this->signUpMsg(), 'error');
    }

    // The account controller (activation excepted) needs an affiliate or admin session.
    if (!$bAffAuth && !$bAdminAuth && $sCtrl === 'AccountController' && $sAct !== 'activate') {
        Header::redirect(Uri::get('affiliate', 'signup', 'step1'), $this->signUpMsg(), 'error');
    }

    // An authenticated affiliate cannot sign up, activate, resend activation or log in again.
    $aGuestOnlyActions = array('activate', 'resendactivation', 'login');
    if ($bAffAuth && ($sCtrl === 'SignupController' || in_array($sAct, $aGuestOnlyActions, true))) {
        Header::redirect(Uri::get('affiliate', 'account', 'index'), $this->alreadyConnectedMsg(), 'error');
    }

    if (!$bAdminAuth && $sCtrl === 'AdminController') {
        // Non-admins are sent to the affiliate home rather than the admin area,
        // so the redirect does not disclose the admin URL.
        Header::redirect(Uri::get('affiliate', 'home', 'index'), $this->adminSignInMsg(), 'error');
    }
}
<?php
/**
 * @author Pierre-Henry Soria <*****@*****.**>
 * @copyright (c) 2012-2016, Pierre-Henry Soria. All Rights Reserved.
 * @license GNU General Public License; See PH7.LICENSE.txt and PH7.COPYRIGHT.txt in the root directory.
 * @package PH7 / App / System / Core / Asset / Ajax / Popup
 */
namespace PH7;

// Refuse direct access when the framework entry point has not defined PH7.
defined('PH7') or exit('Restricted access');

use PH7\Framework\Mvc\Request\Http, PH7\Framework\Layout\Html\Design, PH7\Framework\Url\Url, PH7\Framework\Mvc\Router\Uri, PH7\Framework\Url\Header;

// Confirmation popup: only rendered for an authenticated admin, user or affiliate.
if (AdminCore::auth() || UserCore::auth() || AffiliateCore::auth()) {
    $oHttpRequest = new Http();
    $oDesign = new Design();

    $oDesign->htmlHeader();
    $oDesign->usefulHtmlHeader();

    echo '<div class="center">';

    // The form is built from the query-string parameters describing the action to confirm.
    if ($oHttpRequest->getExists(array('mod', 'ctrl', 'act', 'id'))) {
        $sLabel = $oHttpRequest->get('label');
        $sMod = $oHttpRequest->get('mod');
        $sCtrl = $oHttpRequest->get('ctrl');
        $sAct = $oHttpRequest->get('act');
        $mId = $oHttpRequest->get('id');

        // NOTE(review): 'label' is taken straight from the URL and only URL-decoded here;
        // confirm that ConfirmCoreForm escapes it for the HTML context before output.
        ConfirmCoreForm::display(array('label' => Url::decode($sLabel), 'module' => $sMod, 'controller' => $sCtrl, 'action' => $sAct, 'id' => $mId));
    } else {
        echo '<p>' . t('Bad parameters in the URL!') . '</p>';
    }

    echo '</div>';

    $oDesign->htmlFooter();
    unset($oHttpRequest, $oDesign);
    // NOTE(review): the listing is cut here — the closing brace of the auth `if`
    // (and any else branch for unauthenticated requests) is outside this excerpt.
/**
 * Gets The Current Session Token.
 *
 * Roles are checked in the order user, admin, affiliate; the value stored in
 * the session under the first authenticated role's token key is returned.
 *
 * @access protected
 * @return mixed (string | boolean) The "token" if a user is logged or "true" if no user is logged.
 */
protected function currentSess()
{
    if (\PH7\UserCore::auth()) {
        return $this->_oSession->get('member_token');
    }

    if (\PH7\AdminCore::auth()) {
        return $this->_oSession->get('admin_token');
    }

    if (\PH7\AffiliateCore::auth()) {
        return $this->_oSession->get('affiliate_token');
    }

    // If nobody is logged on, we did not need to do this test, so it returns true
    return true;
}
/**
 * Display accurate homepage URL.
 *
 * Admins get the admin module index, affiliates their account index (both via
 * url()); everybody else gets the site root echoed directly.
 *
 * @return void The homepage URL output.
 */
public function homePageUrl()
{
    if (\PH7\AdminCore::auth()) {
        $this->url(PH7_ADMIN_MOD, 'main', 'index');
        return;
    }

    if (\PH7\AffiliateCore::auth()) {
        $this->url('affiliate', 'account', 'index');
        return;
    }

    echo PH7_URL_ROOT;
}
/**
 * Set a user authentication.
 *
 * Any existing affiliate or admin session is destroyed first so one session
 * never carries two roles, the session ID is regenerated, and the member's
 * identity (profile id, email, username, first name, sex, group id, client IP,
 * user agent and a generated token) is stored in the session. A "Logged in!"
 * entry with a masked password is written to the login log and
 * setLastActivity() is called for the profile.
 *
 * @param object $oUserData User database object.
 * @param \PH7\UserCoreModel $oUserModel
 * @param \PH7\Framework\Session\Session $oSession
 * @return void
 */
public function setAuth($oUserData, UserCoreModel $oUserModel, Session $oSession)
{
    // Is disconnected if the user is logged on as "affiliate" or "administrator".
    if (AffiliateCore::auth() || AdminCore::auth()) {
        $oSession->destroy();
    }

    // Regenerate the session ID to prevent the session fixation
    $oSession->regenerateId();

    // Now we connect the member
    $oSession->set([
        'member_id' => $oUserData->profileId,
        'member_email' => $oUserData->email,
        'member_username' => $oUserData->username,
        'member_first_name' => $oUserData->firstName,
        'member_sex' => $oUserData->sex,
        'member_group_id' => $oUserData->groupId,
        'member_ip' => Ip::get(),
        'member_http_user_agent' => (new Browser())->getUserAgent(),
        'member_token' => Various::genRnd($oUserData->email),
    ]);

    // The password is masked in the login log.
    $oSecurityModel = new Framework\Mvc\Model\Security();
    $oSecurityModel->addLoginLog($oUserData->email, $oUserData->username, '*****', 'Logged in!');

    $oUserModel->setLastActivity($oUserData->profileId);
}