require_once INCLUDE_DIR . 'class.ticket.php';
require_once INCLUDE_DIR . 'class.dept.php';

// Per-request state shared with the client pages that include this file.
$errors = array();
$msg = '';
$nav = null;

// Resolve the current client from the authentication backend before anything
// else runs; the result is re-validated further down.
$thisclient = UserAuthenticationBackend::getUser();

// An explicit ?lang= override is only remembered when it names a language
// the Internationalization layer knows about.
if (!empty($_GET['lang']) && Internationalization::getLanguageInfo($_GET['lang'])) {
    $_SESSION['client:lang'] = $_GET['lang'];
}

// Bootstrap gettext translations as early as possible, but only after the
// sign-on attempt above so the client's own preference can be applied.
TextDomain::configureForUser($thisclient);

// Keep the session alive only for a fully authenticated, still-valid client;
// anything else is treated as anonymous from here on.
if (!($thisclient && $thisclient->getId() && $thisclient->isValid())) {
    $thisclient = null;
} else {
    $thisclient->refreshSession();
}

/******* CSRF Protection *************/
// Every POST must carry a valid CSRF token; otherwise bounce to the index
// page, and hard-stop in case the redirect header is not honoured.
// NOTE(review): this keys on $_POST being non-empty, so a POST whose body
// parsed to nothing is not checked here — confirm the downstream handlers
// key on the same fields.
if ($_POST && !$ost->checkCSRFToken()) {
    Http::redirect('index.php');
    die('Action denied (400)!');
}

// Expose the token in a <meta> tag for AJAX calls [DO NOT CHANGE THE NAME]
$ost->addExtraHeader('<meta name="csrf_token" content="' . $ost->getCSRFToken() . '" />');
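/**
 * Validate and persist the account-settings form for this user account.
 *
 * Covers the optional password change (confirmed with the current password
 * or, during password recovery, with the reset token held in the session),
 * the time-zone / DST preference, the display language and, when supplied,
 * the authentication backend and username.
 *
 * @param array $vars   Submitted form fields.
 * @param array $errors Receives field-name => message for every failed check.
 * @return bool|mixed   false when validation fails, otherwise the result of save().
 */
function update($vars, &$errors) {
    global $cfg;

    // A pending recovery token lives in the session; a missing entry means
    // no reset is in progress (and must not raise an undefined-index notice).
    $rtoken = isset($_SESSION['_client']['reset-token'])
        ? $_SESSION['_client']['reset-token'] : null;

    if ($vars['passwd1'] || $vars['passwd2'] || $vars['cpasswd'] || $rtoken) {
        if (!$vars['passwd1']) {
            $errors['passwd1'] = __('New password is required');
        } elseif (strlen($vars['passwd1']) < 6) {
            $errors['passwd1'] = __('Password must be at least 6 characters');
        } elseif (strcmp($vars['passwd1'], $vars['passwd2'])) {
            $errors['passwd2'] = __('Passwords do not match');
        }

        if ($rtoken) {
            // Recovery flow: the token must belong to this account and must
            // still be inside the configured reset window.
            $_config = new Config('pwreset');
            if ($_config->get($rtoken) != $this->getUserId()) {
                $errors['err'] = __('Invalid reset token. Logout and try again');
            } elseif (!($ts = $_config->lastModified($rtoken))
                    || $cfg->getPwResetWindow() < time() - strtotime($ts)) {
                // Reject both a token with no recorded timestamp and one that
                // is older than the reset window.
                $errors['err'] = __('Invalid reset token. Logout and try again');
            }
        } elseif ($this->get('passwd')) {
            // Normal flow: an existing password must be confirmed, and the
            // new one must actually differ from it.
            if (!$vars['cpasswd']) {
                $errors['cpasswd'] = __('Current password is required');
            } elseif (!$this->hasCurrentPassword($vars['cpasswd'])) {
                $errors['cpasswd'] = __('Invalid current password!');
            } elseif (!strcasecmp($vars['passwd1'], $vars['cpasswd'])) {
                $errors['passwd1'] = __('New password MUST be different from the current password!');
            }
        }
    }

    if (!$vars['timezone_id']) {
        $errors['timezone_id'] = __('Time zone selection is required');
    }

    if ($errors) {
        return false;
    }

    $this->set('timezone_id', $vars['timezone_id']);
    $this->set('dst', isset($vars['dst']) ? 1 : 0);

    // Change language: an empty selection clears the preference, and the
    // session override is dropped so the saved value takes effect at once.
    $this->set('lang', $vars['lang'] ?: null);
    $_SESSION['client:lang'] = null;
    TextDomain::configureForUser($this);

    if (!empty($vars['backend'])) {
        $this->set('backend', $vars['backend']);
        if (!empty($vars['username'])) {
            $this->set('username', $vars['username']);
        }
    }

    if ($vars['passwd1']) {
        // Only the hash is stored; the clear-text value is handed to the
        // auth.pwchange signal for listeners that need it.
        $this->set('passwd', Passwd::hash($vars['passwd1']));
        $info = array('password' => $vars['passwd1']);
        Signal::send('auth.pwchange', $this->getUser(), $info);
        // Any outstanding recovery token is spent once the password changes.
        $this->cancelResetTokens();
        $this->clearStatus(UserAccountStatus::REQUIRE_PASSWD_RESET);
    }

    return $this->save();
}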
*/
if (!function_exists('staffLoginPage')) {
    // The AJAX front controller may define this first so that an expired
    // session is reported to the caller instead of rendering the login page.
    function staffLoginPage($msg) {
        global $ost, $cfg;
        // Remember where the agent was heading so login.php can send them
        // back afterwards, along with the reason they were interrupted.
        $_SESSION['_staff']['auth']['dest'] = '/' . ltrim($_SERVER['REQUEST_URI'], '/');
        $_SESSION['_staff']['auth']['msg'] = $msg;
        require SCP_DIR . 'login.php';
        exit;
    }
}

$thisstaff = StaffAuthenticationBackend::getUser();

// Bootstrap gettext translations as early as possible, but after attempting
// to sign on the agent.
TextDomain::configureForUser($thisstaff);

// 1) Require a real, still-valid agent session; otherwise hand off to the
//    login page with the most specific message available.
if (!($thisstaff && $thisstaff->getId() && $thisstaff->isValid())) {
    if (isset($_SESSION['_staff']['auth']['msg'])) {
        // A message queued by an earlier request takes precedence and is
        // consumed here so it is shown only once.
        $msg = $_SESSION['_staff']['auth']['msg'];
        unset($_SESSION['_staff']['auth']['msg']);
    } elseif ($thisstaff && !$thisstaff->isValid()) {
        $msg = __('Session timed out due to inactivity');
    } else {
        $msg = __('Ingresar usuario y contraseña');
    }
    staffLoginPage($msg);
    exit;
}

// 2) Unless the agent is a super admin, check system status and group status.
if (!$thisstaff->isAdmin()) {
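Peter Rotich <*****@*****.**>
Copyright (c) 2006-2013 osTicket
http://www.osticket.com

Released under the GNU General Public License WITHOUT ANY WARRANTY.
See LICENSE.TXT for details.

vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require_once '../main.inc.php';
if (!defined('INCLUDE_DIR')) {
    die('Fatal Error. Kwaheri!');
}

// Bootstrap gettext translations. Since no one is yet logged in, use the
// system or browser default.
TextDomain::configureForUser();

require_once INCLUDE_DIR . 'class.staff.php';
require_once INCLUDE_DIR . 'class.csrf.php';

$content = Page::lookup(Page::getIdByType('banner-staff'));

// Destination and message are queued in the session by the code that
// redirects an agent here; both are optional, so read them without raising
// undefined-index notices.
$dest = isset($_SESSION['_staff']['auth']['dest'])
    ? $_SESSION['_staff']['auth']['dest'] : null;
$msg = isset($_SESSION['_staff']['auth']['msg'])
    ? $_SESSION['_staff']['auth']['msg'] : null;
$msg = $msg ?: ($content ? $content->getName() : __('Authentication Required'));

// Never send a freshly signed-in agent back to the login page itself or to
// an AJAX endpoint; fall back to the dashboard in those cases.
$dest = $dest && (!strstr($dest, 'login.php') && !strstr($dest, 'ajax.php'))
    ? $dest : 'index.php';

$show_reset = false;
if ($_POST) {
    // Check the CSRF token, and ensure that future requests will have to
    // use a different CSRF token. This will help ward off both parallel and
    // serial brute force attacks, because new tokens will have to be
    // requested for each attempt.
    if (!$ost->checkCSRFToken()) {
        Http::response(400, __('Valid CSRF Token Required'));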
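/**
 * Validate and save the agent's own profile: name, contact details,
 * preferences, signature and, optionally, a new password.
 *
 * The password may be changed either by confirming the current one or, in
 * the password-recovery flow, by presenting the reset token held in the
 * session. In both cases the new password must be at least six characters
 * and must differ from the current one.
 *
 * @param array $vars   Submitted profile fields.
 * @param array $errors Receives field-name => message for every failed check.
 * @return bool|mixed   false on validation failure, otherwise the db_query() result.
 */
function updateProfile($vars, &$errors) {
    global $cfg;

    // Names are stored as plain text; strip any markup the browser sent.
    $vars['firstname'] = Format::striptags($vars['firstname']);
    $vars['lastname'] = Format::striptags($vars['lastname']);

    // This path only ever edits the caller's own record.
    if ($this->getId() != $vars['id']) {
        $errors['err'] = __('Internal error occurred');
    }
    if (!$vars['firstname']) {
        $errors['firstname'] = __('First name is required');
    }
    if (!$vars['lastname']) {
        $errors['lastname'] = __('Last name is required');
    }

    // The address must be well-formed and must not collide with a system
    // mailbox or another agent's address.
    if (!$vars['email'] || !Validator::is_valid_email($vars['email'])) {
        $errors['email'] = __('Valid email is required');
    } elseif (Email::getIdByEmail($vars['email'])) {
        $errors['email'] = __('Already in-use as system email');
    } elseif (($uid = Staff::getIdByEmail($vars['email'])) && $uid != $this->getId()) {
        $errors['email'] = __('Email already in-use by another agent');
    }

    if ($vars['phone'] && !Validator::is_phone($vars['phone'])) {
        $errors['phone'] = __('Valid phone number is required');
    }
    if ($vars['mobile'] && !Validator::is_phone($vars['mobile'])) {
        $errors['mobile'] = __('Valid phone number is required');
    }

    if ($vars['passwd1'] || $vars['passwd2'] || $vars['cpasswd']) {
        if (!$vars['passwd1']) {
            $errors['passwd1'] = __('New password is required');
        } elseif (strlen($vars['passwd1']) < 6) {
            $errors['passwd1'] = __('Password must be at least 6 characters');
        } elseif (strcmp($vars['passwd1'], $vars['passwd2'])) {
            $errors['passwd2'] = __('Passwords do not match');
        }

        // A pending recovery token lives in the session; a missing entry
        // means no reset is in progress (and must not raise a notice).
        $rtoken = isset($_SESSION['_staff']['reset-token'])
            ? $_SESSION['_staff']['reset-token'] : null;

        if ($rtoken) {
            // Recovery flow: the token must belong to this agent and must
            // still be inside the configured reset window.
            $_config = new Config('pwreset');
            if ($_config->get($rtoken) != $this->getId()) {
                $errors['err'] = __('Invalid reset token. Logout and try again');
            } elseif (!($ts = $_config->lastModified($rtoken))
                    || $cfg->getPwResetWindow() < time() - strtotime($ts)) {
                // Reject both a token with no recorded timestamp and one that
                // is older than the reset window.
                $errors['err'] = __('Invalid reset token. Logout and try again');
            }
        } elseif (!$vars['cpasswd']) {
            // Normal flow: the current password must be confirmed ...
            $errors['cpasswd'] = __('Current password is required');
        } elseif (!$this->cmp_passwd($vars['cpasswd'])) {
            $errors['cpasswd'] = __('Invalid current password!');
        } elseif (!strcasecmp($vars['passwd1'], $vars['cpasswd'])) {
            // ... and the new password must actually differ from it.
            $errors['passwd1'] = __('New password MUST be different from the current password!');
        }
    }

    if (!$vars['timezone_id']) {
        $errors['timezone_id'] = __('Time zone selection is required');
    }
    if ($vars['default_signature_type'] == 'mine' && !$vars['signature']) {
        $errors['default_signature_type'] = __("You don't have a signature");
    }

    if ($errors) {
        return false;
    }

    // Apply the language right away: the session override is cleared so the
    // newly saved preference governs this request as well.
    $this->config->set('lang', $vars['lang']);
    $_SESSION['staff:lang'] = null;
    TextDomain::configureForUser($this);

    // Every value interpolated below passes through db_input() (presumably the
    // project's escaping/quoting helper — confirm). The `false` second
    // argument on the phone columns appears to suppress its quoting, which is
    // why those two are wrapped in explicit quotes here.
    $sql = 'UPDATE ' . STAFF_TABLE . ' SET updated=NOW() '
        . ' ,firstname=' . db_input($vars['firstname'])
        . ' ,lastname=' . db_input($vars['lastname'])
        . ' ,email=' . db_input($vars['email'])
        . ' ,phone="' . db_input(Format::phone($vars['phone']), false) . '"'
        . ' ,phone_ext=' . db_input($vars['phone_ext'])
        . ' ,mobile="' . db_input(Format::phone($vars['mobile']), false) . '"'
        . ' ,signature=' . db_input(Format::sanitize($vars['signature']))
        . ' ,timezone_id=' . db_input($vars['timezone_id'])
        . ' ,daylight_saving=' . db_input(isset($vars['daylight_saving']) ? 1 : 0)
        . ' ,show_assigned_tickets=' . db_input(isset($vars['show_assigned_tickets']) ? 1 : 0)
        . ' ,max_page_size=' . db_input($vars['max_page_size'])
        . ' ,auto_refresh_rate=' . db_input($vars['auto_refresh_rate'])
        . ' ,default_signature_type=' . db_input($vars['default_signature_type'])
        . ' ,default_paper_size=' . db_input($vars['default_paper_size']);

    if ($vars['passwd1']) {
        // Only the hash is stored; change_passwd is reset (presumably the
        // forced-change flag) and the reset time recorded. The clear-text
        // value goes to auth.pwchange listeners that need it.
        $sql .= ' ,change_passwd=0, passwdreset=NOW(), passwd=' . db_input(Passwd::hash($vars['passwd1']));
        $info = array('password' => $vars['passwd1']);
        Signal::send('auth.pwchange', $this, $info);
        // Any outstanding recovery token is spent once the password changes.
        $this->cancelResetTokens();
    }

    $sql .= ' WHERE staff_id=' . db_input($this->getId());

    return db_query($sql);
}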