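/**
 * Validate incoming hashed value to be the hashed value of operator's password
 *
 * Two hash formats are accepted: a value starting with "$" is compared with
 * the output of calculate_password_hash(); any other value is treated as a
 * legacy unsalted MD5 of the plain-text password.
 *
 * @param string $login operator's login
 * @param string $password Operator's password (as plain text)
 * @param string $hash incoming hashed value
 *
 * @return boolean true if incoming value is the correct hashed value of
 * operators' password and false otherwise
 */
function check_password_hash($login, $password, $hash)
{
    $hash = (string) $hash;

    // Hashes produced by calculate_password_hash() start with '$'; anything
    // else is a legacy MD5 digest kept for accounts that were never rehashed.
    $expected = preg_match('/^\$/', $hash)
        ? calculate_password_hash($login, $password)
        : md5($password);

    // hash_equals() runs in constant time, unlike strcmp(), so the comparison
    // does not reveal how many leading characters of the hash matched.
    return hash_equals((string) $expected, $hash);
}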
if ($token != $operator['vcrestoretoken']) { $errors[] = "Wrong token"; $page['showform'] = false; } } if (count($errors) == 0 && isset($_POST['password'])) { $password = getparam('password'); $passwordConfirm = getparam('passwordConfirm'); if (!$password) { $errors[] = no_field("form.field.password"); } if ($password != $passwordConfirm) { $errors[] = getlocal("my_settings.error.password_match"); } if (count($errors) == 0) { $page['isdone'] = true; $link = connect(); $query = "update {$mysqlprefix}chatoperator set vcpassword = '******'vclogin'], $password), $link) . "', vcrestoretoken = '' where operatorid = " . intval($opId); perform_query($query, $link); mysql_close($link); $page['loginname'] = $operator['vclogin']; start_html_output(); require '../view/resetpwd.php'; exit; } } $page['id'] = $opId; $page['token'] = $token; $page['isdone'] = false; start_html_output(); require '../view/resetpwd.php';
/**
 * Sets password of the main administrator of the system.
 *
 * It is one of the installation steps. Normally it should be called after
 * {@link Installer::createTables()}.
 *
 * One can get all logged messages of this step using
 * {@link Installer::getLog()} method. Also the list of all errors can be
 * got using {@link \Mibew\Installer::getErrors()}.
 *
 * The password is stored as the hash returned by calculate_password_hash()
 * for the "admin" login; the plain text never reaches the database.
 *
 * @param string $password Administrator password.
 * @return boolean True if the password was set and false otherwise.
 */
public function setPassword($password)
{
    $db = $this->getDatabase();
    if (!$db) {
        // No connection available. Note that nothing is appended to
        // $this->errors on this path.
        return false;
    }

    $sql = 'UPDATE {operator} SET vcpassword = :pass WHERE vclogin = :login';
    $params = array(
        ':login' => 'admin',
        ':pass' => calculate_password_hash('admin', $password),
    );

    try {
        $db->query($sql, $params);
    } catch (\Exception $e) {
        // Record the failure for Installer::getErrors() and report it.
        $this->errors[] = getlocal('Cannot set password. Error: {0}', array($e->getMessage()));

        return false;
    }

    return true;
}
} $canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator); if (!$canmodify) { $errors[] = getlocal('page_agent.cannot_modify'); } if (count($errors) == 0) { if (!$opId) { $newop = create_operator($login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0, ""); header("Location: {$mibewroot}/operator/avatar.php?op=" . intval($newop['operatorid'])); exit; } else { update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0); // update the session password if (!empty($password) && $opId == $operator['operatorid']) { $toDashboard = check_password_hash($login, '', $operator['vcpassword']) && $password != ''; $_SESSION["{$mysqlprefix}operator"]['vcpassword'] = calculate_password_hash($login, $password); if ($toDashboard) { header("Location: {$mibewroot}/operator/index.php"); exit; } } header("Location: {$mibewroot}/operator/operator.php?op=" . intval($opId) . "&stored"); exit; } } else { $page['formlogin'] = topage($login); $page['formname'] = topage($localname); $page['formemail'] = topage($email); $page['formjabber'] = topage($jabber); $page['formjabbernotify'] = $jabbernotify; $page['formcommonname'] = topage($commonname);
/**
 * {@inheritdoc}
 *
 * In addition to the parent behaviour this implementation maintains the
 * "remember me" cookie: it is cleared when the operator has logged out and
 * (re)issued when the operator is logged in and asked to be remembered.
 */
public function attachOperatorToResponse(Response $response)
{
    parent::attachOperatorToResponse($response);

    if ($this->loggedOut) {
        // The operator has just logged out: drop the remember cookie.
        $cookie_factory = $this->getCookieFactory();
        $response->headers->clearCookie(
            REMEMBER_OPERATOR_COOKIE_NAME,
            $cookie_factory->getPath(),
            $cookie_factory->getDomain()
        );

        return;
    }

    if (!$this->loggedIn || !$this->remember) {
        // Nothing to do unless a logged-in operator asked to be remembered.
        return;
    }

    // The cookie carries the login plus a hash derived from the stored
    // password hash (never the password itself), presumably so that a
    // password change invalidates outstanding cookies - confirm against the
    // cookie validation code.
    $password_hash = calculate_password_hash(
        $this->operator['vclogin'],
        $this->operator['vcpassword']
    );
    // NOTE(review): the empty "" between login and hash looks like a lost
    // separator; confirm the intended delimiter against the original source.
    $cookie_value = base64_encode($this->operator['vclogin'] . "" . $password_hash);
    // Cookie lifetime is roughly 1000 days.
    $expires_at = time() + 60 * 60 * 24 * 1000;

    $remember_cookie = $this->getCookieFactory()->createCookie(
        REMEMBER_OPERATOR_COOKIE_NAME,
        $cookie_value,
        $expires_at,
        true
    );
    $response->headers->setCookie($remember_cookie);
}
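/**
 * Processes submitting of the form which is generated in
 * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
 *
 * Validates the submitted fields and then either creates a new operator
 * (when no operator id is present in the request attributes) or updates the
 * existing one. The stored password is replaced only when a non-empty
 * password was submitted.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content.
 */
public function submitFormAction(Request $request)
{
    csrf_check_token($request);

    $errors = array();
    $operator = $this->getOperator();

    $op_id = $request->attributes->getInt('operator_id');
    $login = $request->request->get('login');
    $email = $request->request->get('email');
    $password = $request->request->get('password');
    $password_confirm = $request->request->get('passwordConfirm');
    $local_name = $request->request->get('name');
    $common_name = $request->request->get('commonname');
    $code = $request->request->get('code');

    // A missing password field (null) means the same as an empty string: no
    // new password was supplied. Without this check a missing field would be
    // hashed as an empty password below.
    $password_set = ($password !== null && $password !== '');

    if (!$local_name) {
        $errors[] = no_field('Name');
    }

    if (!$common_name) {
        $errors[] = no_field('International name (Latin)');
    }

    // The login is needed only for new operators. If login is changed for
    // existing operator the stored password hash becomes invalid.
    if (!$op_id) {
        if (!$login) {
            $errors[] = no_field('Login');
        } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
            $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
        }
    }

    if (!$email || !MailUtils::isValidAddress($email)) {
        $errors[] = wrong_field('E-mail');
    }

    if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
        $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
    }

    if (!$op_id && !$password) {
        $errors[] = no_field('Password');
    }

    // Strict comparison on purpose: "!=" compares numeric-looking strings
    // as numbers, so e.g. "1e3" and "1000" would be accepted as a match.
    if ((string) $password !== (string) $password_confirm) {
        $errors[] = getlocal('Entered passwords do not match');
    }

    // The login must be unique. For an existing operator a match is only a
    // conflict when it belongs to a different operator.
    $existing_operator = operator_by_login($login);
    $duplicate_login = $existing_operator
        && (!$op_id || $op_id != $existing_operator['operatorid']);
    if ($duplicate_login) {
        $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
    }

    // Check if operator with specified email already exists in the database.
    $existing_operator = operator_by_email($email);
    $duplicate_email = $existing_operator
        && (!$op_id || $op_id != $existing_operator['operatorid']);
    if ($duplicate_email) {
        $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
    }

    if (count($errors) != 0) {
        $request->attributes->set('errors', $errors);

        // The form should be rebuild. Invoke appropriate action.
        return $this->showFormAction($request);
    }

    if (!$op_id) {
        // Create new operator and redirect the current operator to avatar
        // page.
        $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
        $redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));

        return $this->redirect($redirect_to);
    }

    // Mix old operator's fields with updated values
    $target_operator = array(
        'vcemail' => $email,
        'vclocalename' => $local_name,
        'vccommonname' => $common_name,
        'code' => $code,
    ) + operator_by_id($op_id);

    // Set the password only if a non-empty one was submitted. The stored
    // login is used for hashing because the login cannot be changed here.
    if ($password_set) {
        $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
    }

    // Update operator's fields in the database.
    update_operator($target_operator);

    // Operator's data are cached in the authentication manager, thus we need
    // to manually update them.
    if ($target_operator['operatorid'] == $operator['operatorid']) {
        // Check if the admin has set his password for the first time: an
        // empty password still validating against the stored hash means no
        // password was set before this request.
        $to_dashboard = $password_set
            && check_password_hash($operator['vclogin'], '', $operator['vcpassword']);

        // Update operator's fields.
        $this->getAuthenticationManager()->setOperator($target_operator);

        // Redirect the admin to the home page if needed.
        if ($to_dashboard) {
            return $this->redirect($this->generateUrl('home_operator'));
        }
    }

    // Redirect the operator to edit page again to use GET method instead of
    // POST.
    $redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));

    return $this->redirect($redirect_to);
}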
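/**
 * Resets operators password and provides an ability to set the new one.
 *
 * The operator id and the restore token come from the query string for GET
 * requests and from the request body otherwise. Both are validated for
 * format before any database lookup. On a valid POST with a password the
 * restore token is cleared so the link cannot be used again.
 *
 * @param Request $request
 * @return string Rendered page content
 * @throws BadRequestException If the operator id or the token is malformed.
 */
public function resetAction(Request $request)
{
    $page = array(
        'version' => MIBEW_VERSION,
        'showform' => true,
        'title' => getlocal('Change your password'),
        'headertitle' => getlocal('Mibew Messenger'),
        'show_small_login' => true,
        'fixedwrap' => true,
        'errors' => array(),
    );

    $is_post = $request->isMethod('POST');
    if ($is_post) {
        // When HTTP GET method is used the form is just rendered but the
        // user does not pass any data. Thus we need to prevent CSRF attacks
        // only for POST requests
        csrf_check_token($request);
    }

    // Make sure user id is specified and its format is correct.
    $op_id = $request->isMethod('GET')
        ? $request->query->get('id')
        : $request->request->get('id');
    if (!preg_match("/^\\d{1,9}\$/", $op_id)) {
        throw new BadRequestException();
    }

    // Make sure token is specified and its format is correct.
    $token = $request->isMethod('GET')
        ? $request->query->get('token')
        : $request->request->get('token');
    if (!preg_match("/^[\\dabcdef]+\$/", $token)) {
        throw new BadRequestException();
    }

    $operator = operator_by_id($op_id);
    if (!$operator) {
        $page['errors'][] = 'No such operator';
        $page['showform'] = false;
    } elseif (!hash_equals((string) $operator['vcrestoretoken'], (string) $token)) {
        // hash_equals() is a strict, constant-time comparison. The loose
        // "!=" used before compared hex tokens numerically whenever both
        // looked like numbers (e.g. "0e1" and "0e2" were considered equal).
        // The regex above guarantees a non-empty token, so an empty stored
        // token never matches.
        $page['errors'][] = 'Wrong token';
        $page['showform'] = false;
    }

    $password_submitted = count($page['errors']) == 0
        && $is_post
        && $request->request->has('password');

    if ($password_submitted) {
        $password = $request->request->get('password');
        $password_confirm = $request->request->get('passwordConfirm');

        if (!$password) {
            $page['errors'][] = no_field('Password');
        }

        // Strict comparison: "!=" treats numeric-looking strings such as
        // "1e3" and "1000" as equal.
        if ((string) $password !== (string) $password_confirm) {
            $page['errors'][] = getlocal('Entered passwords do not match');
        }

        if (count($page['errors']) == 0) {
            $page['isdone'] = true;

            // Update the operator: invalidate the restore token so the link
            // cannot be reused and store the new password hash.
            $operator['vcrestoretoken'] = '';
            $operator['vcpassword'] = calculate_password_hash($operator['vclogin'], $password);
            update_operator($operator);

            $page['loginname'] = $operator['vclogin'];

            return $this->render('password_recovery_reset', $page);
        }
    }

    $page['id'] = $op_id;
    $page['token'] = $token;
    $page['isdone'] = false;

    return $this->render('password_recovery_reset', $page);
}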
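/**
 * Tries to authenticate a user by login and password.
 *
 * The user row is looked up first so that the ban/lock checks and the log
 * entries can reference its id. Checks run in this order: IP ban, account
 * lock, user existence, password.
 *
 * @param string $login    Login name as submitted.
 * @param string $password Plain-text password as submitted.
 * @return array ['user' => <row>] on success, otherwise ['error' => <code>]
 *               with <code> one of 'banned', 'locked', 'wrong_password',
 *               'wrong_login'.
 */
function attempt_login($login, $password)
{
    $db = option('db_conn');
    $stmt = $db->prepare('SELECT * FROM users WHERE login = :login');
    $stmt->bindValue(':login', $login);
    $stmt->execute();
    // fetch() returns false when no row matches.
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    $user_id = isset($user['id']) ? $user['id'] : null;

    if (ip_banned()) {
        login_log(false, $login, $user_id);

        return ['error' => 'banned'];
    }

    if (user_locked($user)) {
        login_log(false, $login, $user_id);

        return ['error' => 'locked'];
    }

    if (empty($user)) {
        login_log(false, $login);

        return ['error' => 'wrong_login'];
    }

    // hash_equals() compares in constant time and strictly; "==" would also
    // treat numeric-looking hashes (e.g. two "0e..." strings) as equal.
    $expected = calculate_password_hash($password, $user['salt']);
    if (hash_equals((string) $user['password_hash'], (string) $expected)) {
        login_log(true, $login, $user['id']);

        return ['user' => $user];
    }

    login_log(false, $login, $user['id']);

    // NOTE: 'wrong_login' and 'wrong_password' are distinct codes; the
    // user-facing message should not distinguish them, or it reveals which
    // logins exist.
    return ['error' => 'wrong_password'];
}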