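/**
 * Validates a password and, optionally, verifies it against a user's stored hash.
 *
 * Interim authentication helper until the new authentication layer lands
 * (it is already written for bcrypt-style hashes). Returns false on success
 * and a language-dependent error message from $MESSAGE on failure. Length
 * limits come from WB_PASS_LENGTH_MIN / WB_PASS_LENGTH_MAX and default to
 * 6 and 50 when those constants are not defined.
 *
 * @param string    $password the plaintext password to check
 * @param int|false $userId   when truthy, the password is additionally
 *                            verified against this user via WbAuth::CheckUser()
 * @return false|string false when the password is acceptable, otherwise the
 *                      error message
 */
public function CheckPass($password = "", $userId = false)
{
    global $MESSAGE;

    if (!defined('WB_PASS_LENGTH_MIN')) {
        define('WB_PASS_LENGTH_MIN', 6);
    }
    if (!defined('WB_PASS_LENGTH_MAX')) {
        define('WB_PASS_LENGTH_MAX', 50);
    }

    // No password supplied (empty() also treats "0" as empty, as before).
    if (empty($password)) {
        return $MESSAGE['USERS_PASSWORD_EMPTY'];
    }

    // Lengths are counted in UTF-8 characters (u); newlines count as
    // characters (s). preg_match() returns false on invalid UTF-8, which
    // is reported as "too short".
    $minPattern = '/.{' . WB_PASS_LENGTH_MIN . ',}/su';
    if (!preg_match($minPattern, $password)) {
        return $MESSAGE['USERS_PASSWORD_TOO_SHORT'];
    }

    // \z anchors at the true end of the string: the previous "$" anchor
    // tolerated one trailing newline, so a MAX+1 character password ending
    // in "\n" slipped past this check.
    $maxPattern = '/^.{1,' . WB_PASS_LENGTH_MAX . '}\z/su';
    if (!preg_match($maxPattern, $password)) {
        return $MESSAGE['USERS_PASSWORD_TOO_LONG'];
    }

    // Without a user there is nothing further to verify.
    if (!$userId) {
        return false;
    }

    // Compare against the stored hash of that user.
    if (WbAuth::CheckUser($password, (int) $userId)) {
        return false;
    }

    return $MESSAGE['USERS_PASSWORD_INCORRECT'];
}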
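/**
 * Builds the login handler from a configuration array and runs the login flow.
 *
 * Every key of $config_array is copied onto the object as a lower-cased
 * (dynamic) property. The names of the username/password form fields come
 * from the configuration, else from the POST request, else default to
 * 'username' / 'password'. With no credentials posted the login form is
 * displayed; otherwise WbAuth::Authenticate() is called and the browser is
 * redirected to $this->url on success, or the returned error message is
 * stored and the failed-attempt counter is increased.
 *
 * @param array $config_array configuration values; must contain 'DEFAULT_URL'
 */
public function __construct($config_array)
{
    // Language variables (error messages)
    global $MESSAGE;

    // Admin class constructor
    parent::__construct();

    // Copy the configuration values onto the object as lower-cased properties.
    // each() was removed in PHP 8; foreach performs the same iteration.
    foreach ($config_array as $key => $value) {
        $this->{strtolower($key)} = $value;
    }

    if (!isset($this->redirect_url)) {
        $this->redirect_url = '';
    }

    // Field names: the configuration wins, then the POST request, then the
    // defaults. The previous code read get_post('password_fieldname' != '')
    // (comparison inside the call), so the POST branch never took effect.
    $fieldsConfigured = $this->username_fieldname != "" && $this->password_fieldname != "";
    if (!$fieldsConfigured) {
        $postedUserField = $this->get_post('username_fieldname');
        $postedPassField = $this->get_post('password_fieldname');
        if ($postedUserField != '' && $postedPassField != '') {
            $this->username_fieldname = $postedUserField;
            $this->password_fieldname = $postedPassField;
        } else {
            $this->username_fieldname = 'username';
            $this->password_fieldname = 'password';
        }
    }

    // Fetch the submitted username and password
    $this->username = $this->get_post($this->username_fieldname);
    $this->password = $this->get_post($this->password_fieldname);

    // Redirect target: a configured redirect_url overrides the posted 'url'.
    // NOTE(review): the posted 'url' is request-controlled and reaches
    // header('Location: ...') below without validation, i.e. an open
    // redirect; restrict it to this installation's own URLs before use.
    $this->url = $this->get_post('url');
    if ($this->redirect_url != '') {
        $this->url = $this->redirect_url;
    }
    // A blank (or one-character) url falls back to the configured default.
    if (strlen((string) $this->url) < 2) {
        $this->url = $config_array['DEFAULT_URL'];
    }

    // No input at all: just show the login form.
    if ($this->username == '' && $this->password == '') {
        $this->message = $MESSAGE['LOGIN_BOTH_BLANK'];
        $this->display_login();
        return;
    }

    // Authenticate() returns false on success and an error message otherwise;
    // it also loads the session variables.
    $authError = WbAuth::Authenticate($this->password, $this->username);
    if ($authError === false) {
        // Logged in: redirect to $this->url, whatever it is.
        header('Location: ' . $this->url);
        exit(0);
    }

    $this->message = $authError;
    $this->increase_attemps();
}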
$email = ''; } else { // Check if the email exists in the database $sql = 'SELECT `user_id`,`username`,`display_name`,`email`,`last_reset`,`password` ' . 'FROM `' . TABLE_PREFIX . 'users` ' . 'WHERE `email`=\'' . $wb->add_slashes($_POST['email']) . '\''; if ($results = $database->query($sql)) { if ($results_array = $results->fetchRow()) { // Get the id, username, email, and last_reset from the above db query // Check if the password has been reset in the last 2 hours if (time() - (int) $results_array['last_reset'] < 2 * 3600) { // Tell the user that their password cannot be reset more than once per hour $errMsg = $MESSAGE['FORGOT_PASS_ALREADY_RESET']; } else { $old_pass = $results_array['password']; // Generate a random password then update the database with it $new_pass = WbAuth::GenerateRandomPassword(); $sql = 'UPDATE `' . TABLE_PREFIX . 'users` ' . 'SET `password`=\'' . WbAuth::Hash($new_pass) . '\', ' . '`last_reset`=' . time() . ' ' . 'WHERE `user_id`=' . (int) $results_array['user_id']; unset($pwh); // destroy $pwh-Object if ($database->query($sql)) { // Setup email to send $mail_to = $email; $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO']; // Replace placeholders from language variable with values $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}'); $replace = array($results_array['display_name'], WEBSITE_TITLE, $results_array['username'], $new_pass); $mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT']); // Try sending the email if ($wb->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) { $message = $MESSAGE['FORGOT_PASS_PASSWORD_RESET']; $display_form = false; } else {
// Check if the email already exists
// Reject the change when another user already uses this e-mail address.
// The e-mail is escaped with add_slashes(); $user_id is interpolated as-is
// (presumably already an integer at this point — not verifiable here).
$results = $database->query("SELECT user_id FROM " . TABLE_PREFIX . "users WHERE email = '" . $admin->add_slashes($_POST['email']) . "' AND user_id <> '" . $user_id . "' ");
if ($results->numRows() > 0) {
    if (isset($MESSAGE['USERS_EMAIL_TAKEN'])) {
        $admin->print_error($MESSAGE['USERS_EMAIL_TAKEN'], $js_back);
    } else {
        $admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);
    }
    // NOTE(review): nothing here stops execution after print_error();
    // presumably print_error() exits itself — confirm, otherwise the
    // UPDATE below still runs for a duplicate e-mail.
}
// Prevent from renaming user to "admin"
// The username column is only written when the new name is not "admin".
// NOTE(review): the '******' literal looks like a redacted placeholder for
// the username value — confirm against the repository source.
if ($username != 'admin') {
    $username_code = ", username = '******'";
} else {
    $username_code = '';
}
// Update the database
// NOTE(review): every value below is interpolated straight into the SQL
// string; unless each one was escaped or validated earlier in this script,
// this is an injection point — escape per value or cast the ids to int.
if ($password == "") {
    // An empty password field means "keep the current password".
    $query = "UPDATE " . TABLE_PREFIX . "users SET groups_id = '{$groups_id}', group_id = '{$group_id}', active = '{$active}'{$username_code}, display_name = '{$display_name}', home_folder = '{$home_folder}', email = '{$email}' WHERE user_id = '{$user_id}'";
} else {
    // MD5 supplied password
    // (Despite the comment, WbAuth::Hash() is used; the actual algorithm is
    // not visible here.)
    $md5_password = WbAuth::Hash($password);
    // NOTE(review): $md5_password is computed but the UPDATE writes the
    // literal '******' — likely a redaction of the interpolated hash;
    // confirm against the repository source.
    $query = "UPDATE " . TABLE_PREFIX . "users SET groups_id = '{$groups_id}', group_id = '{$group_id}', active = '{$active}'{$username_code}, display_name = '{$display_name}', home_folder = '{$home_folder}', email = '{$email}', password = '******' WHERE user_id = '{$user_id}'";
}
$database->query($query);
if ($database->is_error()) {
    $admin->print_error($database->get_error(), $js_back);
} else {
    $admin->print_success($MESSAGE['USERS_SAVED']);
}
// Print admin footer
$admin->print_footer();
// Get the id, username, email, and last_reset from the above db query $results_array = $results->fetchRow(); // Check if the password has been reset in the last 2 hours $last_reset = $results_array['last_reset']; $time_diff = time() - $last_reset; // Time since last reset in seconds $time_diff = $time_diff / 60 / 60; // Time since last reset in hours if ($time_diff < 2) { // Tell the user that their password cannot be reset more than once per hour $message = $MESSAGE['FORGOT_PASS_ALREADY_RESET']; } else { $old_pass = $results_array['password']; // Generate a random password then update the database with it $new_pass = WbAuth::GenerateRandomPassword(); $database->query("UPDATE " . TABLE_PREFIX . "users SET password = '******', last_reset = '" . time() . "' WHERE user_id = '" . $results_array['user_id'] . "'"); if ($database->is_error()) { // Error updating database $message = $database->get_error(); } else { // Setup email to send $mail_to = $email; $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO']; // Replace placeholders from language variable with values $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}'); $replace = array($results_array['display_name'], WEBSITE_TITLE, $results_array['username'], $new_pass); $mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT']); // Try sending the email if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) { $message = $MESSAGE['FORGOT_PASS_PASSWORD_RESET']; $display_form = false;
$sql = 'SELECT `user_id` FROM `' . TABLE_PREFIX . 'users` WHERE `email` = \'' . $wb->add_slashes($email) . '\''; $results = $database->query($sql); if ($results->numRows() > 0) { if (isset($MESSAGE['USERS_EMAIL_TAKEN'])) { $wb->print_error($MESSAGE['USERS_EMAIL_TAKEN'], $js_back, false); $bSignError = true; } else { $wb->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back, false); $bSignError = true; } } if ($bSignError === false) { // Generate a random password then update the database with it $new_pass = WbAuth::GenerateRandomPassword(); // hash it $md5_password = WbAuth::Hash($new_pass); // Inser the user into the database $sql = ''; $query = "INSERT INTO " . TABLE_PREFIX . "users (group_id,groups_id,active,username,password,display_name,email) VALUES ('{$groups_id}', '{$groups_id}', '{$active}', '{$username}','{$md5_password}','{$display_name}','{$email}')"; $database->query($query); if ($database->is_error()) { // Error updating database $message = $database->get_error(); } else { // Setup email to send $mail_to = $email; $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO']; // Replace placeholders from language variable with values $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}'); $replace = array($display_name, WEBSITE_TITLE, $username, $new_pass); $mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_INFO']);