 /**
  * Authenticate a remote API caller.
  *
  * Looks up an 'Active' account whose username and password digest match the
  * supplied credentials, then requires the 'api' RBAC role. On success the
  * login is recorded (last_login / last_activity / last_ip / last_host) and the
  * user id is published in $_SERVER['PHP_AUTH_USER'].
  *
  * NOTE(review): the password is matched inside the WHERE clause against
  * Core_AuthService::getHash($api_user_pass), i.e. a deterministic digest whose
  * salting/cost are not visible here; password_hash()/password_verify() would be
  * the modern choice but needs a storage migration.
  * NOTE(review): 'Active' is capitalised here while the password-reset query
  * uses 'active' — harmless under a case-insensitive collation, otherwise one of
  * the two never matches; confirm against the schema.
  *
  * @param string $remote_ip     caller address, stored as last_ip and reverse-resolved for last_host
  * @param string $api_user      username presented by the caller
  * @param string $api_user_pass plaintext password presented by the caller
  * @return bool TRUE only for an active account holding the 'api' role
  */
 public static function checkRemoteAPIUser($remote_ip, $api_user, $api_user_pass)
 {
     $dbh = Core_DBH::getDBH();
     $passwordDigest = Core_AuthService::getHash($api_user_pass);
     try {
         $lookup = $dbh->prepare("\n\t\t\t\tSELECT user_id\n\t\t\t\tFROM " . DB_PREFIX . "user\n\t\t\t\tWHERE\n\t\t\t\t\tusername = :username AND\n\t\t\t\t\tpassword = :password AND\n\t\t\t\t\tstatus = 'Active'\n\t\t\t\t;");
         $lookup->bindParam(':username', $api_user);
         $lookup->bindParam(':password', $passwordDigest);
         $lookup->execute();
         $rows = $lookup->fetchAll(PDO::FETCH_ASSOC);
     } catch (PDOException $e) {
         // NOTE(review): this echoes driver/DB details to the API client before exiting;
         // kept because it is the project-wide error pattern, but a generic message plus
         // a server-side log entry would leak less.
         echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
         die;
     }
     if (empty($rows)) {
         // Unknown user, wrong password or inactive account.
         return FALSE;
     }
     $user_id = $rows[0]['user_id'];
     // NIST Level 2 Standard Role Based Access Control Library
     $rbac = new PhpRbac\Rbac();
     if (!$rbac->Users->hasRole('api', $user_id)) {
         // Valid credentials, but the account is not an API account.
         return FALSE;
     }
     // Record the successful login. gethostbyaddr() does a reverse DNS lookup on
     // every API authentication; the resolved name is attacker-influenced (rDNS)
     // but is only ever written through a bound parameter.
     $last_login = date('Y-m-d H:i:s');
     $last_activity = date('Y-m-d H:i:s');
     $last_host = gethostbyaddr($remote_ip);
     try {
         $touch = $dbh->prepare("\n\t\t\t\t\t\tUPDATE " . DB_PREFIX . "user\n\t\t\t\t\t\tSET\n\t\t\t\t\t\t\tlast_login\t\t= :last_login,\n\t\t\t\t\t\t\tlast_activity\t= :last_activity,\n\t\t\t\t\t\t\tlast_ip \t\t= :last_ip,\n\t\t\t\t\t\t\tlast_host\t\t= :last_host\n\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\tuser_id\t\t\t= :user_id\n\t\t\t\t\t\t;");
         $touch->bindParam(':last_login', $last_login);
         $touch->bindParam(':last_activity', $last_activity);
         $touch->bindParam(':last_ip', $remote_ip);
         $touch->bindParam(':last_host', $last_host);
         $touch->bindParam(':user_id', $user_id);
         $touch->execute();
     } catch (PDOException $e) {
         echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
         die;
     }
     // Publish the authenticated user id for the rest of the request; this
     // overwrites whatever HTTP Basic auth may have placed there.
     $_SERVER['PHP_AUTH_USER'] = $user_id;
     return TRUE;
 }
 */
$gui = new Core_GUI($module);
/**
 * Javascript Generator
 *
 * Page-level JS helper bound to the same $module as the GUI object.
 */
$js = new Core_GUI_JS($module);
/**
 * Build Page Header
 *
 * Emits the header markup; everything below is page body output.
 */
$gui->getHeader();
/**
 * PAGE BODY
 */
//------------------------------------------------------------------------------------------------------------+
// Call security component (singleton auth service; used next to tell the
// client whether it has been temporarily banned for too many login attempts)
$authService = Core_AuthService::getAuthService();
if ($authService->isBanned()) {
    ?>
					<!-- BAN MSG -->
					<div id="banmsg" class="alert alert-warning" role="alert">
						<strong><?php 
    echo T_('Too many incorrect login attempts');
    ?>
</strong>
						<?php 
    echo T_('Please wait');
    echo ' ' . CONF_SEC_BAN_DURATION . ' ';
    echo T_('seconds before trying again.');
    ?>
					</div>
					<!-- END: BAN MSG -->
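 /**
  * Check If The Current Session Is Legit
  *
  * Two-level check. Level 1: the encrypted credentials carried by the session
  * must match the in-memory username, auth key and PHP session id. Level 2: the
  * user row in the database must still carry this username, the caller's
  * address as last_ip and the current session id as token. On success the
  * user's last_activity timestamp is refreshed.
  *
  * Security notes:
  *  - key and token comparisons use hash_equals() (PHP >= 5.6): constant-time,
  *    and a forged value such as "0e123" can no longer loosely-equal a
  *    numeric-looking secret the way `==` allowed;
  *  - username / IP comparisons are strict string comparisons;
  *  - a decrypt failure, a missing credential field or a missing user row
  *    (account deleted) fails closed instead of comparing NULLs.
  *
  * NOTE(review): the SELECT keys on $this->session['INFORMATION']['id'] while
  * the UPDATE keys on Core_AuthService::getSessionInfo('ID'); presumably the
  * same value — confirm and unify.
  *
  * @param none
  * @return bool
  * @access public
  */
 public function getSessionValidity()
 {
     if (empty($this->username)) {
         return FALSE;
     }
     $credentials = $this->decryptSessionCredentials();
     if (!is_array($credentials) || !isset($credentials['username'], $credentials['key'], $credentials['token'])) {
         // Decryption failed or the session payload is incomplete / tampered with.
         return FALSE;
     }
     // Level 1: session payload vs in-memory credentials
     $level1 = (string) $credentials['username'] === (string) $this->username
         && hash_equals((string) $this->auth_key, (string) $credentials['key'])
         && hash_equals(session_id(), (string) $credentials['token']);
     if (!$level1) {
         return FALSE;
     }
     // Level 2: the database record must still agree with the session
     $dbh = Core_DBH::getDBH();
     $sth = $dbh->prepare("\n\t\t\t\t\tSELECT username, last_ip, token\n\t\t\t\t\tFROM " . DB_PREFIX . "user\n\t\t\t\t\tWHERE\n\t\t\t\t\t\tuser_id = :user_id\n\t\t\t\t\t;");
     $sth->bindParam(':user_id', $this->session['INFORMATION']['id']);
     $sth->execute();
     $userResult = $sth->fetchAll(PDO::FETCH_ASSOC);
     if (empty($userResult)) {
         // No such user any more: the session cannot be valid.
         return FALSE;
     }
     $row = $userResult[0];
     $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
     // The session is pinned to the IP recorded at login (last_ip) and to the
     // session id stored as the user's token.
     $level2 = (string) $row['username'] === (string) $this->username
         && (string) $row['last_ip'] === $remoteAddr
         && hash_equals(session_id(), (string) $row['token']);
     if (!$level2) {
         return FALSE;
     }
     // Update User Activity on page request
     $last_activity = date('Y-m-d H:i:s');
     $sth = $dbh->prepare("\n\t\t\t\t\t\tUPDATE " . DB_PREFIX . "user\n\t\t\t\t\t\tSET\n\t\t\t\t\t\t\tlast_activity\t= :last_activity\n\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\tuser_id\t\t\t= :user_id\n\t\t\t\t\t\t;");
     $uid = Core_AuthService::getSessionInfo('ID');
     $sth->bindParam(':last_activity', $last_activity);
     $sth->bindParam(':user_id', $uid);
     $sth->execute();
     return TRUE;
 }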
 if (!empty($module)) {
     // NIST Level 2 Standard Role Based Access Control Library
     $rbac = new PhpRbac\Rbac();
     $resource = ucfirst($module) . '/';
     if (!empty($page)) {
         $resource = ucfirst($module) . '/' . $page . '/';
     }
     $resource = preg_replace('#(\\/+)#', '/', $resource);
     // MAINTENANCE CHECK
     if (BGP_MAINTENANCE_MODE == 1 && $rbac->Users->hasRole('root', $authService->getSessionInfo('ID')) === FALSE) {
         Core_AuthService::logout();
         Flight::redirect('/503');
     }
     // DROP API USERS
     if ($rbac->Users->hasRole('api', $authService->getSessionInfo('ID')) && $rbac->Users->hasRole('root', $authService->getSessionInfo('ID')) === FALSE) {
         Core_AuthService::logout();
         Flight::redirect('/403');
     }
     // Verify User Authorization On The Requested Resource.
     // Root Users Can Bypass.
     // NOTE(review): the RBAC check runs against $resource (ucfirst'd, repeated slashes
     // collapsed), while the require below builds its path from the raw $module / $page
     // values — the two strings can diverge. Confirm that bgp_safe_require (or the routing
     // that sets $page) rejects path separators and '..' before the values reach the
     // filesystem.
     if ($rbac->Users->hasRole('root', $authService->getSessionInfo('ID')) || $rbac->check($resource, $authService->getSessionInfo('ID'))) {
         switch (Flight::request()->method) {
             case 'GET':
                 // Process Task Query Parameter
                 $task = Flight::request()->query['task'];
                 // Page
                 if (!empty($page)) {
                     bgp_safe_require(MODS_DIR . '/' . $module . '/' . $module . '.' . $page . '.php');
                 } else {
                     if (!empty($page) && $page == 'process' && !empty($task)) {
                         // Verify User Authorization On The Called Method
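 /**
  * User Password Renewal
  *
  * Validates the submitted username/email pair, and when it matches an active
  * account (and the CAPTCHA passed) replaces the account password with a fresh
  * random one that is mailed to the stored address. Failures increment the
  * login-attempt counter so repeated guesses end in a temporary ban.
  *
  * Security notes (design, not changed here):
  *  - anyone who knows a username + email can rotate that user's password;
  *    a one-time reset link mailed to the address is the usual safer flow;
  *  - the new password travels in plaintext e-mail;
  *  - bgp_create_random_password() is the only source of entropy; its RNG is
  *    not visible here — confirm it is CSPRNG-backed;
  *  - the From header embeds $_SERVER['SERVER_NAME'], which follows the Host
  *    header on some server configurations; $to comes from the database row
  *    that matched an address already validated by the 'email' rule.
  *
  * @param string $username
  * @param string $email
  * @param optional bool $captcha_validation
  * @return array AJAX response: success flag, field errors, message type/text
  *
  * @author Nikita Rousseau
  */
 public function sendNewPassword($username, $email, $captcha_validation = TRUE)
 {
     $form = array('username' => $username, 'email' => $email);
     $errors = array();
     // array to hold validation errors
     $data = array();
     // array to pass back data
     $mail = FALSE;
     // mail() result; only meaningful when a password was actually reset
     $captchaOk = (bool) $captcha_validation;
     $dbh = Core_DBH::getDBH();
     // Get Database Handle
     // validate the variables ======================================================
     $v = new Valitron\Validator($form);
     $rules = ['required' => [['username'], ['email']], 'alphaNum' => [['username']], 'email' => [['email']]];
     $v->rules($rules);
     $v->validate();
     $errors = $v->errors();
     // Verify the form =============================================================
     if (empty($errors)) {
         $username = $form['username'];
         $email = $form['email'];
         try {
             // NOTE(review): 'active' is lowercase here but 'Active' in the API login
             // query; harmless under a case-insensitive collation, otherwise one of
             // them never matches.
             $sth = $dbh->prepare("\n\t\t\t\t\tSELECT user_id, email\n\t\t\t\t\tFROM " . DB_PREFIX . "user\n\t\t\t\t\tWHERE\n\t\t\t\t\t\tusername = :username AND\n\t\t\t\t\t\temail \t = :email AND\n\t\t\t\t\t\tstatus   = 'active'\n\t\t\t\t\t;");
             $sth->bindParam(':username', $username);
             $sth->bindParam(':email', $email);
             $sth->execute();
             $result = $sth->fetchAll();
         } catch (PDOException $e) {
             // NOTE(review): project-wide pattern; echoes DB details to the client.
             echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
             die;
         }
         if (!empty($result) && $captchaOk) {
             $authService = Core_AuthService::getAuthService();
             // Reset Login Attempts
             $authService->rsSecCount();
             // Reset User Passwd
             $plainTextPasswd = bgp_create_random_password(13);
             $digestPasswd = Core_AuthService::getHash($plainTextPasswd);
             try {
                 // Update User Passwd
                 $sth = $dbh->prepare("\n\t\t\t\t\t\tUPDATE " . DB_PREFIX . "user\n\t\t\t\t\t\tSET\n\t\t\t\t\t\t\tpassword \t= :password\n\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\tuser_id\t\t= :user_id\n\t\t\t\t\t\t;");
                 $sth->bindParam(':password', $digestPasswd);
                 $sth->bindParam(':user_id', $result[0]['user_id']);
                 $sth->execute();
             } catch (PDOException $e) {
                 echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
                 die;
             }
             // Send Email
             $to = htmlentities($result[0]['email'], ENT_QUOTES);
             $subject = T_('Reset Password');
             $message = T_('Your password has been reset to:');
             $message .= "<br /><br />" . $plainTextPasswd . "<br /><br />";
             $message .= T_('With IP') . ': ';
             $message .= $_SERVER['REMOTE_ADDR'];
             $headers = 'MIME-Version: 1.0' . "\r\n";
             $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
             $headers .= 'From: Bright Game Panel System <root@' . $_SERVER['SERVER_NAME'] . '>' . "\r\n";
             $headers .= 'X-Mailer: PHP/' . phpversion();
             $mail = mail($to, $subject, $message, $headers);
             // Log Event
             $logger = self::getLogger();
             $logger->info('Password reset.');
         } else {
             // Call security component
             $authService = Core_AuthService::getAuthService();
             $authService->incrementSecCount();
             // Log Event
             $logger = self::getLogger();
             $logger->info('Bad password reset.');
             // Messages (deliberately the same text for unknown user and wrong email)
             if (empty($result)) {
                 $errors['username'] = T_('Wrong information.');
                 $errors['email'] = T_('Wrong information.');
             }
             if (!$captchaOk) {
                 $errors['captcha'] = T_('Wrong CAPTCHA Code.');
             }
         }
     }
     // return a response ===========================================================
     // response if there are errors
     if (!empty($errors)) {
         // if there are items in our errors array, return those errors
         $data['success'] = false;
         $data['errors'] = $errors;
         // notification
         $authService = Core_AuthService::getAuthService();
         if ($authService->isBanned()) {
             $data['msgType'] = 'warning';
             $data['msg'] = T_('You have been banned') . ' ' . CONF_SEC_BAN_DURATION . ' ' . T_('seconds!');
         } else {
             $data['msgType'] = 'warning';
             $data['msg'] = T_('Invalid information provided!');
         }
     } else {
         if (!$mail) {
             // mail delivery error (the password has already been rotated at this point)
             $data['success'] = false;
             // notification
             $data['msgType'] = 'danger';
             $data['msg'] = T_('An error has occured while sending the email. Contact your system administrator.');
         } else {
             $data['success'] = true;
         }
     }
     // return all our data to an AJAX call
     return $data;
 }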
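 /**
  * Update User Configuration
  *
  * Validates the submitted profile fields, writes each supplied column to the
  * row of the currently logged-in user (id taken from the session), then
  * rebuilds the session from the new values.
  *
  * Security notes:
  *  - every value, including the user id in the WHERE clause (previously
  *    interpolated into the SQL string), is bound through PDO; the column
  *    names are the fixed keys assigned below, never input;
  *  - NOTE(review): the caller's current password is not re-checked before the
  *    password and e-mail are replaced, so any request riding a live session
  *    can rotate both — consider requiring it at the caller;
  *  - NOTE(review): the password policy is length >= 8 only.
  *
  * @param string $username
  * @param string $password0
  * @param string $password1
  * @param string $email
  * @param string $language
  * @param optional string $firstname
  * @param optional string $lastname
  * @param optional string $template
  * @return array AJAX response: success flag, field errors, message type/text
  *
  * @author Nikita Rousseau
  */
 public function updateUserConfig($username, $password0, $password1, $email, $language, $firstname = '', $lastname = '', $template = 'bootstrap.min.css')
 {
     $form = array('username' => $username, 'password0' => $password0, 'password1' => $password1, 'email' => $email, 'language' => $language, 'template' => $template);
     $errors = array();
     // array to hold validation errors
     $data = array();
     // array to pass back data
     $dbh = Core_DBH::getDBH();
     // Get Database Handle
     // Get languages (flipped so the allowed values become keys for the 'in' rule)
     $languages = parse_ini_file(CONF_LANG_INI);
     $languages = array_flip(array_values($languages));
     // Get templates
     $templates = parse_ini_file(CONF_TEMPLATES_INI);
     $templates = array_flip(array_values($templates));
     // validate the variables ======================================================
     $v = new Valitron\Validator($form);
     $rules = ['required' => [['username'], ['password0'], ['password1'], ['email'], ['language']], 'alphaNum' => [['username']], 'lengthMin' => [['username', 4], ['password0', 8]], 'equals' => [['password0', 'password1']], 'email' => [['email']], 'in' => [['language', $languages], ['template', $templates]]];
     $labels = array('username' => T_('Username'), 'password0' => T_('Password'), 'password1' => T_('Confirmation Password'), 'email' => T_('Email'), 'language' => T_('Language'), 'template' => T_('Template'));
     $v->rules($rules);
     $v->labels($labels);
     $v->validate();
     $errors = $v->errors();
     // Apply =======================================================================
     if (empty($errors)) {
         // Database update: only the columns present in $db_data are written.
         $db_data['username'] = $form['username'];
         $db_data['password'] = Core_AuthService::getHash($form['password0']);
         $db_data['email'] = $form['email'];
         $db_data['lang'] = $form['language'];
         if (!empty($firstname)) {
             $db_data['firstname'] = $firstname;
         }
         if (!empty($lastname)) {
             $db_data['lastname'] = $lastname;
         }
         // NOTE(review): selecting the default template never reaches the database,
         // so a user who once stored another template cannot switch back to the
         // default — confirm whether this is intended.
         if ($template != 'bootstrap.min.css') {
             $db_data['template'] = $template;
         }
         $authService = Core_AuthService::getAuthService();
         $uid = Core_AuthService::getSessionInfo('ID');
         foreach ($db_data as $column => $value) {
             try {
                 // $column is one of the fixed keys assigned above, so using it as the
                 // column name is safe; the value and the user id are bound parameters.
                 $sth = $dbh->prepare("\tUPDATE " . DB_PREFIX . "user\n\t\t\t\t\t\t\t\t\t\t\tSET " . $column . " = :" . $column . "\n\t\t\t\t\t\t\t\t\t\t\tWHERE user_id = :user_id;");
                 $sth->bindParam(':' . $column, $value);
                 $sth->bindParam(':user_id', $uid);
                 $sth->execute();
             } catch (PDOException $e) {
                 // NOTE(review): project-wide pattern; echoes DB details to the client.
                 echo $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
                 die;
             }
         }
         // Reload Session. Columns skipped above are absent from $db_data; they are
         // passed as NULL explicitly (reading the missing offsets used to emit notices
         // and yield NULL anyway).
         $sessionFirstname = isset($db_data['firstname']) ? $db_data['firstname'] : NULL;
         $sessionLastname = isset($db_data['lastname']) ? $db_data['lastname'] : NULL;
         $sessionTemplate = isset($db_data['template']) ? $db_data['template'] : NULL;
         $authService->rmSessionInfo();
         $authService->setSessionInfo($uid, $db_data['username'], $sessionFirstname, $sessionLastname, $db_data['lang'], $sessionTemplate);
         $authService->setSessionPerms();
         $this->rmCookie('LANG');
     }
     // return a response and log ===================================================
     $logger = self::getLogger();
     // response if there are errors
     if (!empty($errors)) {
         // if there are items in our errors array, return those errors
         $data['success'] = false;
         $data['errors'] = $errors;
         $data['msgType'] = 'warning';
         $data['msg'] = T_('Bad Settings!');
         $logger->info('Failed to update user configuration.');
     } else {
         $data['success'] = true;
         $logger->info('Updated user configuration.');
     }
     // return all our data to an AJAX call
     return $data;
 }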
					<!-- SCRIPT -->
<?php 
/**
 * Generate AngularJS Code
 *
 * Builds the JSON schema, the form layout and the initial model for the
 * "updateUserConfig" form and hands them to the page's JS generator.
 *
 * @param 	String 	$task
 * @param 	String 	$schema
 * @param 	String 	$form
 * @param 	String 	$model
 * @param 	String 	$redirect
 */
// Schema Definition
// NOTE(review): the T_() translations are spliced into a JS object literal without
// escaping, so a translation containing a single quote would break the script;
// translations are presumably trusted catalogue data — confirm.
$schema = "\n{\n\ttype: 'object',\n\tproperties: {\n\t\tusername: {\n\t\t\ttitle: '" . T_('Login') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tpassword0: {\n\t\t\ttitle: '" . T_('Password') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tpassword1: {\n\t\t\ttitle: '" . T_('Confirm Password') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tfirstname: {\n\t\t\ttitle: '" . T_('First Name') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tlastname: {\n\t\t\ttitle: '" . T_('Last Name') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\temail: {\n\t\t\ttitle: '" . T_('Email') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\tlanguage: {\n\t\t\ttitle: '" . T_('Language') . "',\n\t\t\ttype: 'string'\n\t\t},\n\t\ttemplate: {\n\t\t\ttitle: '" . T_('Template') . "',\n\t\t\ttype: 'string'\n\t\t}\n\t},\n\t'required': [\n\t\t'username',\n\t\t'password0',\n\t\t'password1',\n\t\t'email',\n\t\t'language'\n\t]\n}";
// Form Definition
// $langMap and $templateMap are expected to hold ready-made JS titleMap literals
// (built earlier in the page, not visible here).
$form = "\n[\n\t{\n\t\t'key': 'username',\n\t\t'type': 'text',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-user\"></span>',\n\t\tplaceholder: '" . T_('Login') . "'\n\t},\n\t{\n\t\t'key': 'password0',\n\t\t'type': 'password',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-lock\"></span>',\n\t\tplaceholder: '" . T_('Password') . "'\n\t},\n\t{\n\t\t'key': 'password1',\n\t\t'type': 'password',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-lock\"></span>',\n\t\tplaceholder: '" . T_('Password') . "'\n\t},\n\t{\n\t\t'key': 'firstname',\n\t\t'type': 'text',\n\t\tfieldAddonLeft: 'Optional'\n\t},\n\t{\n\t\t'key': 'lastname',\n\t\t'type': 'text',\n\t\tfieldAddonLeft: 'Optional'\n\t},\n\t{\n\t\t'key': 'email',\n\t\t'type': 'email',\n\t\tfieldAddonLeft: '<span class=\"glyphicon glyphicon-envelope\"></span>',\n\t\tplaceholder: '" . T_('Email') . "'\n\t},\n\t{\n\t\t'key': 'language',\n\t\t'type': 'select',\n\t\ttitleMap: " . $langMap . "\n\t},\n\t{\n\t\t'key': 'template',\n\t\t'type': 'select',\n\t\ttitleMap: " . $templateMap . "\n\t}\n]";
// Model Init
// NOTE(review): 'password0' and 'password1' are list items here (integer keys 0 and 1),
// not 'password0' => '' entries, so the model carries "0":"password0","1":"password1" and
// no password keys — the password fields simply start empty. Profile values are
// entity-encoded and then JSON-encoded, so an '&' in a stored value reaches the form
// as '&amp;' unless getAngularCode decodes it; confirm which side is expected to escape.
$model = json_encode(array('username' => htmlspecialchars($profile['username'], ENT_QUOTES), 'password0', 'password1', 'firstname' => htmlspecialchars($profile['firstname'], ENT_QUOTES), 'lastname' => htmlspecialchars($profile['lastname'], ENT_QUOTES), 'email' => htmlspecialchars($profile['email'], ENT_QUOTES), 'language' => htmlspecialchars(Core_AuthService::getSessionInfo('LANG'), ENT_QUOTES), 'template' => htmlspecialchars($profile['template'], ENT_QUOTES)), JSON_FORCE_OBJECT);
$js->getAngularCode('updateUserConfig', $schema, $form, $model);
?>
					<!-- END: SCRIPT -->

<?php 
//------------------------------------------------------------------------------------------------------------+
/**
 * END: PAGE BODY
 */
/**
 * Build Page Footer
 */
$gui->getFooter();
									</form>
								</div>
							</div>
						</div>
					</div>
					<!-- END: CONTENTS -->

					<!-- SCRIPT -->
<?php 
/**
 * Generate AngularJS Code
 *
 * Seeds the "updateUserConfig" Angular controller with the current profile
 * values (HTML-escaped). The two password entries are plain list items, so
 * they carry integer keys and the password fields start empty.
 *
 * @arg $task
 * @arg $inputs
 * @arg $redirect
 */
$escape = function ($text) {
    return htmlspecialchars($text, ENT_QUOTES);
};
$fields = [
    'username'  => $escape($profile['username']),
    'password0',
    'password1',
    'firstname' => $escape($profile['firstname']),
    'lastname'  => $escape($profile['lastname']),
    'email'     => $escape($profile['email']),
    'language'  => $escape(Core_AuthService::getSessionInfo('LANG')),
];
unset($escape);
$js->getAngularController('updateUserConfig', $fields, './');
?>
					<!-- END: SCRIPT -->

<?php 
//------------------------------------------------------------------------------------------------------------+
/**
 * END: PAGE BODY
 */
/**
 * Build Page Footer
 *
 * Emits the closing markup, then releases the page-scoped objects.
 */
$gui->getFooter();
// Clean Up
unset($module);
unset($gui);
unset($js);