예제 #1
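/**
 * Validate incoming hashed value to be the hashed value of operator's password
 *
 * Two stored formats are recognised: a value starting with "$" is compared
 * against calculate_password_hash(), anything else against a legacy unsalted
 * md5() of the password. Both comparisons go through hash_equals() so that
 * the time taken does not depend on how many leading bytes match and so that
 * no numeric-string coercion takes place (a loose == on two digests that both
 * look like numbers would report them equal).
 *
 * @param string $login operator's login
 * @param string $password Operator's password (as plain text)
 * @param string $hash incoming hashed value
 *
 * @return boolean true if incoming value is the correct hashed value of
 *   operators' password and false otherwise
 */
function check_password_hash($login, $password, $hash)
{
    // Normalise non-string input (e.g. null from a missing field) the same
    // way strcmp() used to, so a missing hash simply never matches.
    $hash = (string) $hash;

    if (preg_match('/^\$/', $hash)) {
        $expected = calculate_password_hash($login, $password);
    } else {
        // Legacy format: hashes stored before salted hashing was introduced.
        $expected = md5($password);
    }

    return hash_equals((string) $expected, $hash);
}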
예제 #2
파일: resetpwd.php 프로젝트: kuell/chat
    if ($token != $operator['vcrestoretoken']) {
        $errors[] = "Wrong token";
        $page['showform'] = false;
    }
}
// Second stage of the reset flow: a POST carrying the new password. Only
// reached when the id/token checks above added nothing to $errors.
if (count($errors) == 0 && isset($_POST['password'])) {
    $password = getparam('password');
    $passwordConfirm = getparam('passwordConfirm');
    // NOTE(review): a falsy string such as "0" is rejected as "missing" here.
    if (!$password) {
        $errors[] = no_field("form.field.password");
    }
    // Loose comparison; both values come from the same form, but a strict
    // !== would avoid numeric-string coercion between the two fields.
    if ($password != $passwordConfirm) {
        $errors[] = getlocal("my_settings.error.password_match");
    }
    if (count($errors) == 0) {
        $page['isdone'] = true;
        $link = connect();
        // NOTE(review): this line is corrupted in the listing ('******' and a
        // dangling `vclogin']`). Presumably the hash of the new password,
        // computed from the operator's login, is escaped and spliced into the
        // UPDATE; verify against the original file. The same statement clears
        // vcrestoretoken, which makes the reset link single-use.
        $query = "update {$mysqlprefix}chatoperator set vcpassword = '******'vclogin'], $password), $link) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
        perform_query($query, $link);
        mysql_close($link);
        $page['loginname'] = $operator['vclogin'];
        // Render the "done" view and stop; the fall-through below renders the form.
        start_html_output();
        require '../view/resetpwd.php';
        exit;
    }
}
// Form rendering (GET, or POST that failed validation): echo id and token
// back so the form re-submits against the same operator record.
$page['id'] = $opId;
$page['token'] = $token;
$page['isdone'] = false;
start_html_output();
require '../view/resetpwd.php';
예제 #3
 /**
  * Sets password of the main administrator of the system.
  *
  * It is one of the installation steps. Normally it should be called after
  * {@link Installer::createTables()}.
  *
  * The stored value is calculate_password_hash('admin', $password); the
  * plain-text password itself is never written to the database.
  *
  * One can get all logged messages of this step using
  * {@link Installer::getLog()} method. Also the list of all errors can be
  * got using {@link \Mibew\Installer::getErrors()}.
  *
  * @param string $password Administrator password.
  * @return boolean True if the password was set and false otherwise.
  */
 public function setPassword($password)
 {
     $db = $this->getDatabase();
     if (!$db) {
         // No usable connection; the database helper is expected to have
         // recorded the reason already.
         return false;
     }

     $query = 'UPDATE {operator} SET vcpassword = :pass WHERE vclogin = :login';

     try {
         // The hash is computed inside the try block so that any failure in
         // it is reported through the same error channel as a query failure.
         $params = array(
             ':login' => 'admin',
             ':pass' => calculate_password_hash('admin', $password),
         );
         $db->query($query, $params);
     } catch (\Exception $e) {
         $this->errors[] = getlocal('Cannot set password. Error: {0}', array($e->getMessage()));

         return false;
     }

     return true;
 }
예제 #4
파일: operator.php 프로젝트: kuell/chat
 }
 // An operator may edit a profile when it is their own and they hold the
 // "modify profile" capability, or when they are an administrator. The
 // parentheses spell out the && / || precedence the original relied on.
 $canmodify = (($opId == $operator['operatorid']) && is_capable($can_modifyprofile, $operator))
     || is_capable($can_administrate, $operator);
 if (!$canmodify) {
     $errors[] = getlocal('page_agent.cannot_modify');
 }
 if (count($errors) == 0) {
     if (!$opId) {
         $newop = create_operator($login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0, "");
         header("Location: {$mibewroot}/operator/avatar.php?op=" . intval($newop['operatorid']));
         exit;
     } else {
         update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0);
         // update the session password
         if (!empty($password) && $opId == $operator['operatorid']) {
             $toDashboard = check_password_hash($login, '', $operator['vcpassword']) && $password != '';
             $_SESSION["{$mysqlprefix}operator"]['vcpassword'] = calculate_password_hash($login, $password);
             if ($toDashboard) {
                 header("Location: {$mibewroot}/operator/index.php");
                 exit;
             }
         }
         header("Location: {$mibewroot}/operator/operator.php?op=" . intval($opId) . "&stored");
         exit;
     }
 } else {
     $page['formlogin'] = topage($login);
     $page['formname'] = topage($localname);
     $page['formemail'] = topage($email);
     $page['formjabber'] = topage($jabber);
     $page['formjabbernotify'] = $jabbernotify;
     $page['formcommonname'] = topage($commonname);
예제 #5
 /**
  * {@inheritdoc}
  *
  * On logout the "remember me" cookie is cleared. On login with the
  * "remember" flag set it is issued: its value is the login joined to
  * calculate_password_hash(login, stored password hash), base64 encoded,
  * with a lifetime of 1000 days.
  */
 public function attachOperatorToResponse(Response $response)
 {
     parent::attachOperatorToResponse($response);

     if ($this->loggedOut) {
         // Clear remember cookie.
         $factory = $this->getCookieFactory();
         $response->headers->clearCookie(
             REMEMBER_OPERATOR_COOKIE_NAME,
             $factory->getPath(),
             $factory->getDomain()
         );

         return;
     }

     if (!$this->loggedIn || !$this->remember) {
         return;
     }

     // Set remember me cookie. NOTE(review): the two parts of the value are
     // joined with "" here; the listing may have dropped a separator byte,
     // confirm against the original file.
     $login = $this->operator['vclogin'];
     $password_hash = calculate_password_hash($login, $this->operator['vcpassword']);
     $lifetime = 60 * 60 * 24 * 1000;
     $remember_cookie = $this->getCookieFactory()->createCookie(
         REMEMBER_OPERATOR_COOKIE_NAME,
         base64_encode($login . "" . $password_hash),
         time() + $lifetime,
         true
     );
     $response->headers->setCookie($remember_cookie);
 }
예제 #6
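 /**
  * Processes submitting of the form which is generated in
  * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
  *
  * Validates the submitted fields, then either creates a new operator (no
  * operator_id attribute) or updates the existing one. A non-empty password
  * replaces the stored hash; an empty or absent password leaves it untouched.
  *
  * @param Request $request Incoming request.
  * @return string Rendered page content.
  */
 public function submitFormAction(Request $request)
 {
     csrf_check_token($request);

     $errors = array();
     $operator = $this->getOperator();
     $op_id = $request->attributes->getInt('operator_id');

     $login = $request->request->get('login');
     $email = $request->request->get('email');
     $password = $request->request->get('password');
     $password_confirm = $request->request->get('passwordConfirm');
     $local_name = $request->request->get('name');
     $common_name = $request->request->get('commonname');
     $code = $request->request->get('code');

     // A password counts as given only when the field is present and not
     // empty. get() yields null for a missing field, and null !== '' would
     // otherwise let a request without the field replace the stored hash
     // with the hash of an empty password.
     $password_given = ($password !== null && $password !== '');

     if (!$local_name) {
         $errors[] = no_field('Name');
     }
     if (!$common_name) {
         $errors[] = no_field('International name (Latin)');
     }

     // The login is needed only for new operators. If login is changed for
     // existing operator the stored password hash becomes invalid.
     if (!$op_id) {
         if (!$login) {
             $errors[] = no_field('Login');
         } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
             $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
         }
     }

     if (!$email || !MailUtils::isValidAddress($email)) {
         $errors[] = wrong_field('E-mail');
     }

     if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
         $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
     }

     // New operators must have a password. A falsy string such as "0" is
     // rejected as missing here, as before.
     if (!$op_id && !$password) {
         $errors[] = no_field('Password');
     }
     // Strict comparison: a loose != would treat two numeric-looking strings
     // as equal numbers.
     if ($password !== $password_confirm) {
         $errors[] = getlocal('Entered passwords do not match');
     }

     // Reject a login that already belongs to a different operator.
     $existing_operator = operator_by_login($login);
     $duplicate_login = (!$op_id && $existing_operator)
         || ($op_id && $existing_operator && $op_id != $existing_operator['operatorid']);
     if ($duplicate_login) {
         $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
     }

     // Check if operator with specified email already exists in the database.
     $existing_operator = operator_by_email($email);
     $duplicate_email = (!$op_id && $existing_operator)
         || ($op_id && $existing_operator && $op_id != $existing_operator['operatorid']);
     if ($duplicate_email) {
         $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
     }

     if (count($errors) != 0) {
         $request->attributes->set('errors', $errors);

         // The form should be rebuild. Invoke appropriate action.
         return $this->showFormAction($request);
     }

     if (!$op_id) {
         // Create new operator and redirect the current operator to avatar
         // page.
         $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
         $redirect_to = $this->generateUrl(
             'operator_avatar',
             array('operator_id' => $new_operator['operatorid'])
         );

         return $this->redirect($redirect_to);
     }

     // Mix old operator's fields with updated values. The array union keeps
     // the submitted values on the left and fills the rest from the stored row.
     $target_operator = array(
         'vcemail' => $email,
         'vclocalename' => $local_name,
         'vccommonname' => $common_name,
         'code' => $code,
     ) + operator_by_id($op_id);

     // Set the password only if one was actually submitted.
     if ($password_given) {
         $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
     }

     // Update operator's fields in the database.
     update_operator($target_operator);

     // Operator's data are cached in the authentication manager, thus we need
     // to manually update them.
     if ($target_operator['operatorid'] == $operator['operatorid']) {
         // Check if the admin has set his password for the first time: the
         // stored hash still matches the empty password and a new one was
         // just submitted.
         $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
             && $password_given;

         // Update operator's fields.
         $this->getAuthenticationManager()->setOperator($target_operator);

         // Redirect the admin to the home page if needed.
         if ($to_dashboard) {
             return $this->redirect($this->generateUrl('home_operator'));
         }
     }

     // Redirect the operator to edit page again to use GET method instead of
     // POST.
     $redirect_to = $this->generateUrl(
         'operator_edit',
         array('operator_id' => $op_id, 'stored' => true)
     );

     return $this->redirect($redirect_to);
 }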
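 /**
  * Resets operators password and provides an ability to set the new one.
  *
  * The operator id and the restore token are read from the query string on
  * GET and from the request body otherwise. The token must match the one
  * stored in the operator's record; on a successful reset the stored token
  * is cleared so the link cannot be used again.
  *
  * @param Request $request
  * @return string Rendered page content
  * @throws BadRequestException If the id or the token has a wrong format.
  */
 public function resetAction(Request $request)
 {
     $page = array(
         'version' => MIBEW_VERSION,
         'showform' => true,
         'title' => getlocal('Change your password'),
         'headertitle' => getlocal('Mibew Messenger'),
         'show_small_login' => true,
         'fixedwrap' => true,
         'errors' => array(),
     );

     if ($request->isMethod('POST')) {
         // When HTTP GET method is used the form is just rendered but the
         // user does not pass any data. Thus we need to prevent CSRF attacks
         // only for POST requests
         csrf_check_token($request);
     }

     $params = $request->isMethod('GET') ? $request->query : $request->request;

     // Make sure user id is specified and its format is correct. A missing
     // parameter becomes '' here and is rejected by the pattern.
     $op_id = (string) $params->get('id');
     if (!preg_match("/^\\d{1,9}\$/", $op_id)) {
         throw new BadRequestException();
     }

     // Make sure token is specified and its format is correct.
     $token = (string) $params->get('token');
     if (!preg_match("/^[\\dabcdef]+\$/", $token)) {
         throw new BadRequestException();
     }

     $operator = operator_by_id($op_id);
     if (!$operator) {
         $page['errors'][] = 'No such operator';
         $page['showform'] = false;
     } elseif (!hash_equals((string) $operator['vcrestoretoken'], $token)) {
         // Byte-wise, constant-time comparison. A loose != would compare two
         // numeric-looking hex strings as numbers, and an empty stored token
         // (no reset requested) must never match.
         $page['errors'][] = 'Wrong token';
         $page['showform'] = false;
     }

     if (count($page['errors']) == 0 && $request->isMethod('POST') && $request->request->has('password')) {
         $password = $request->request->get('password');
         $password_confirm = $request->request->get('passwordConfirm');
         // A falsy string such as "0" is rejected as missing here, as before.
         if (!$password) {
             $page['errors'][] = no_field('Password');
         }
         // Strict comparison avoids numeric-string coercion between the fields.
         if ($password !== $password_confirm) {
             $page['errors'][] = getlocal('Entered passwords do not match');
         }

         if (count($page['errors']) == 0) {
             $page['isdone'] = true;

             // Update the operator. Clearing the restore token makes the
             // reset link single-use.
             $operator['vcrestoretoken'] = '';
             $operator['vcpassword'] = calculate_password_hash($operator['vclogin'], $password);
             update_operator($operator);

             $page['loginname'] = $operator['vclogin'];

             return $this->render('password_recovery_reset', $page);
         }
     }

     $page['id'] = $op_id;
     $page['token'] = $token;
     $page['isdone'] = false;

     return $this->render('password_recovery_reset', $page);
 }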
예제 #8
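/**
 * Authenticates a user by login and password.
 *
 * Looks the user up by login, then checks the IP ban, the account lock and
 * finally the password hash. Every attempt, successful or not, is recorded
 * through login_log().
 *
 * @param string $login    Login submitted by the user.
 * @param string $password Plain-text password submitted by the user.
 * @return array ['user' => $row] on success, otherwise
 *   ['error' => 'banned'|'locked'|'wrong_password'|'wrong_login'].
 */
function attempt_login($login, $password)
{
    $db = option('db_conn');
    $stmt = $db->prepare('SELECT * FROM users WHERE login = :login');
    $stmt->bindValue(':login', $login);
    $stmt->execute();
    // false when the login is unknown; the checks below have to cope with that.
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (ip_banned()) {
        login_log(false, $login, isset($user['id']) ? $user['id'] : null);

        return ['error' => 'banned'];
    }

    // NOTE(review): presumably user_locked() returns false for a missing row;
    // otherwise $user['id'] below is read from false.
    if (user_locked($user)) {
        login_log(false, $login, $user['id']);

        return ['error' => 'locked'];
    }

    if (empty($user)) {
        login_log(false, $login);

        return ['error' => 'wrong_login'];
    }

    // hash_equals() compares byte-wise in constant time. The previous loose
    // == would report two digests that both look numeric as equal.
    $stored = (string) $user['password_hash'];
    $computed = (string) calculate_password_hash($password, $user['salt']);
    if (hash_equals($stored, $computed)) {
        login_log(true, $login, $user['id']);

        return ['user' => $user];
    }

    login_log(false, $login, $user['id']);

    return ['error' => 'wrong_password'];
}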