Exemplo n.º 1
2
function removeme_post(&$a)
{
    if (!local_channel()) {
        return;
    }
    if ($_SESSION['delegate']) {
        return;
    }
    if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) {
        return;
    }
    if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) {
        return;
    }
    if ($_POST['verify'] !== $_SESSION['remove_account_verify']) {
        return;
    }
    $account = App::get_account();
    if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) {
        return;
    }
    if ($account['account_password_changed'] != NULL_DATE) {
        $d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours');
        if ($account['account_password_changed'] > d1) {
            notice(t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL);
            return;
        }
    }
    require_once 'include/Contact.php';
    $global_remove = intval($_POST['global']);
    channel_remove(local_channel(), 1 - $global_remove, true);
}
Exemplo n.º 2
2
/**
 * API Login via basic-auth or OAuth
 */
function api_login(&$a)
{
    $record = null;
    require_once 'include/oauth.php';
    // login with oauth
    try {
        $oauth = new ZotOAuth1();
        $req = OAuth1Request::from_request();
        list($consumer, $token) = $oauth->verify_request($req);
        if (!is_null($token)) {
            $oauth->loginUser($token->uid);
            App::set_oauth_key($consumer->key);
            call_hooks('logged_in', App::$user);
            return;
        }
        killme();
    } catch (Exception $e) {
        logger($e->getMessage());
    }
    // workarounds for HTTP-auth in CGI mode
    if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
        $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
        if (strlen($userpass)) {
            list($name, $password) = explode(':', $userpass);
            $_SERVER['PHP_AUTH_USER'] = $name;
            $_SERVER['PHP_AUTH_PW'] = $password;
        }
    }
    if (x($_SERVER, 'HTTP_AUTHORIZATION')) {
        $userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6));
        if (strlen($userpass)) {
            list($name, $password) = explode(':', $userpass);
            $_SERVER['PHP_AUTH_USER'] = $name;
            $_SERVER['PHP_AUTH_PW'] = $password;
        }
    }
    require_once 'include/auth.php';
    require_once 'include/security.php';
    // process normal login request
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $channel_login = 0;
        $record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
        if ($record && $record['channel']) {
            $channel_login = $record['channel']['channel_id'];
        }
    }
    if ($record['account']) {
        authenticate_success($record['account']);
        if ($channel_login) {
            change_channel($channel_login);
        }
        $_SESSION['allow_api'] = true;
        return true;
    } else {
        $_SERVER['PHP_AUTH_PW'] = '*****';
        logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG);
        log_failed_login('API login failure');
        retry_basic_auth();
    }
}
Exemplo n.º 3
0
 function post()
 {
     if (!local_channel()) {
         return;
     }
     if ($_SESSION['delegate']) {
         return;
     }
     if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) {
         return;
     }
     if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) {
         return;
     }
     if ($_POST['verify'] !== $_SESSION['remove_account_verify']) {
         return;
     }
     $account = \App::get_account();
     $account_id = get_account_id();
     if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) {
         return;
     }
     if ($account['account_password_changed'] != NULL_DATE) {
         $d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours');
         if ($account['account_password_changed'] > d1) {
             notice(t('Account removals are not allowed within 48 hours of changing the account password.') . EOL);
             return;
         }
     }
     $global_remove = intval($_POST['global']);
     account_remove($account_id, 1 - $global_remove);
 }
Exemplo n.º 4
0
function removeaccount_post(&$a)
{
    if (!local_user()) {
        return;
    }
    if (x($_SESSION, 'submanage') && intval($_SESSION['submanage'])) {
        return;
    }
    if (!x($_POST, 'qxz_password') || !strlen(trim($_POST['qxz_password']))) {
        return;
    }
    if (!x($_POST, 'verify') || !strlen(trim($_POST['verify']))) {
        return;
    }
    if ($_POST['verify'] !== $_SESSION['remove_account_verify']) {
        return;
    }
    $account = $a->get_account();
    $account_id = get_account_id();
    if (!account_verify_password($account['account_email'], $_POST['qxz_password'])) {
        return;
    }
    if ($account['account_password_changed'] != NULL_DATE) {
        $d1 = datetime_convert('UTC', 'UTC', 'now - 48 hours');
        if ($account['account_password_changed'] > d1) {
            notice(t('Account removals are not allowed within 48 hours of changing the account password.') . EOL);
            return;
        }
    }
    require_once 'include/Contact.php';
    $global_remove = intval($_POST['global']);
    account_remove($account_id, true);
}
Exemplo n.º 5
0
 /**
  * @brief Validates a username and password.
  *
  * Guest access is granted with the password "+++".
  *
  * @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass
  * @param string $username
  * @param string $password
  * @return bool
  */
 protected function validateUserPass($username, $password)
 {
     require_once 'include/auth.php';
     $record = account_verify_password($username, $password);
     if ($record && $record['account_default_channel']) {
         $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", intval($record['account_id']), intval($record['account_default_channel']));
         if ($r) {
             return $this->setAuthenticated($r[0]);
         }
     }
     $r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1", dbesc($username));
     if ($r) {
         $x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1", intval($r[0]['channel_account_id']));
         if ($x) {
             // @fixme this foreach should not be needed?
             foreach ($x as $record) {
                 if (($record['account_flags'] == ACCOUNT_OK || $record['account_flags'] == ACCOUNT_UNVERIFIED) && hash('whirlpool', $record['account_salt'] . $password) === $record['account_password']) {
                     logger('password verified for ' . $username);
                     return $this->setAuthenticated($r[0]);
                 }
             }
         }
     }
     $error = 'password failed for ' . $username;
     logger($error);
     log_failed_login($error);
     return false;
 }
Exemplo n.º 6
0
Arquivo: auth.php Projeto: Mauru/red
 }
 if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') {
     $record = null;
     $addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null);
     /**
      *
      * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
      * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
      * and later plugins should not interfere with an earlier one that succeeded.
      *
      */
     call_hooks('authenticate', $addon_auth);
     if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
         $record = $addon_auth['user_record'];
     } else {
         $record = get_app()->account = account_verify_password($_POST['username'], $_POST['password']);
         if (get_app()->account) {
             $_SESSION['account_id'] = get_app()->account['account_id'];
         } else {
             notice(t('Failed authentication') . EOL);
         }
         logger('authenticate: ' . print_r(get_app()->account, true), LOGGER_DEBUG);
     }
     if (!$record || !count($record)) {
         $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
         logger($error);
         // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
         $authlog = get_config('system', 'authlog');
         if ($authlog) {
             @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
         }
Exemplo n.º 7
0
 function post()
 {
     check_form_security_token_redirectOnErr('/settings/account', 'settings_account');
     call_hooks('account_settings_post', $_POST);
     $errs = array();
     $email = x($_POST, 'email') ? trim(notags($_POST['email'])) : '';
     $techlevel = array_key_exists('techlevel', $_POST) ? intval($_POST['techlevel']) : 0;
     $account = \App::get_account();
     if ($email != $account['account_email']) {
         if (!valid_email($email)) {
             $errs[] = t('Not valid email.');
         }
         $adm = trim(get_config('system', 'admin_email'));
         if ($adm && strcasecmp($email, $adm) == 0) {
             $errs[] = t('Protected email address. Cannot change to that email.');
             $email = \App::$account['account_email'];
         }
         if (!$errs) {
             $r = q("update account set account_email = '%s' where account_id = %d", dbesc($email), intval($account['account_id']));
             if (!$r) {
                 $errs[] = t('System failure storing new email. Please try again.');
             }
         }
     }
     if ($techlevel != $account['account_level']) {
         $r = q("update account set account_level = %d where account_id = %d", intval($techlevel), intval($account['account_id']));
         info(t('Technical skill level updated') . EOL);
     }
     if ($errs) {
         foreach ($errs as $err) {
             notice($err . EOL);
         }
         $errs = array();
     }
     if (x($_POST, 'npassword') || x($_POST, 'confirm')) {
         $origpass = trim($_POST['origpass']);
         require_once 'include/auth.php';
         if (!account_verify_password($email, $origpass)) {
             $errs[] = t('Password verification failed.');
         }
         $newpass = trim($_POST['npassword']);
         $confirm = trim($_POST['confirm']);
         if ($newpass != $confirm) {
             $errs[] = t('Passwords do not match. Password unchanged.');
         }
         if (!x($newpass) || !x($confirm)) {
             $errs[] = t('Empty passwords are not allowed. Password unchanged.');
         }
         if (!$errs) {
             $salt = random_string(32);
             $password_encoded = hash('whirlpool', $salt . $newpass);
             $r = q("update account set account_salt = '%s', account_password = '******', account_password_changed = '%s' \n\t\t\t\t\twhere account_id = %d", dbesc($salt), dbesc($password_encoded), dbesc(datetime_convert()), intval(get_account_id()));
             if ($r) {
                 info(t('Password changed.') . EOL);
             } else {
                 $errs[] = t('Password update failed. Please try again.');
             }
         }
     }
     if ($errs) {
         foreach ($errs as $err) {
             notice($err . EOL);
         }
     }
     goaway(z_root() . '/settings/account');
 }
Exemplo n.º 8
0
 function post()
 {
     if (!local_channel()) {
         return;
     }
     if ($_SESSION['delegate']) {
         return;
     }
     $channel = \App::get_channel();
     logger('mod_settings: ' . print_r($_REQUEST, true));
     if (argc() > 1 && argv(1) === 'oauth' && x($_POST, 'remove')) {
         check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
         $key = $_POST['remove'];
         q("DELETE FROM tokens WHERE id='%s' AND uid=%d", dbesc($key), local_channel());
         goaway(z_root() . "/settings/oauth/");
         return;
     }
     if (argc() > 2 && argv(1) === 'oauth' && (argv(2) === 'edit' || argv(2) === 'add') && x($_POST, 'submit')) {
         check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
         $name = x($_POST, 'name') ? $_POST['name'] : '';
         $key = x($_POST, 'key') ? $_POST['key'] : '';
         $secret = x($_POST, 'secret') ? $_POST['secret'] : '';
         $redirect = x($_POST, 'redirect') ? $_POST['redirect'] : '';
         $icon = x($_POST, 'icon') ? $_POST['icon'] : '';
         $ok = true;
         if ($name == '') {
             $ok = false;
             notice(t('Name is required') . EOL);
         }
         if ($key == '' || $secret == '') {
             $ok = false;
             notice(t('Key and Secret are required') . EOL);
         }
         if ($ok) {
             if ($_POST['submit'] == t("Update")) {
                 $r = q("UPDATE clients SET\n\t\t\t\t\t\t\t\tclient_id='%s',\n\t\t\t\t\t\t\t\tpw='%s',\n\t\t\t\t\t\t\t\tclname='%s',\n\t\t\t\t\t\t\t\tredirect_uri='%s',\n\t\t\t\t\t\t\t\ticon='%s',\n\t\t\t\t\t\t\t\tuid=%d\n\t\t\t\t\t\t\tWHERE client_id='%s'", dbesc($key), dbesc($secret), dbesc($name), dbesc($redirect), dbesc($icon), intval(local_channel()), dbesc($key));
             } else {
                 $r = q("INSERT INTO clients (client_id, pw, clname, redirect_uri, icon, uid)\n\t\t\t\t\t\tVALUES ('%s','%s','%s','%s','%s',%d)", dbesc($key), dbesc($secret), dbesc($name), dbesc($redirect), dbesc($icon), intval(local_channel()));
                 $r = q("INSERT INTO xperm (xp_client, xp_channel, xp_perm) VALUES ('%s', %d, '%s') ", dbesc($key), intval(local_channel()), dbesc('all'));
             }
         }
         goaway(z_root() . "/settings/oauth/");
         return;
     }
     if (argc() > 1 && argv(1) == 'featured') {
         check_form_security_token_redirectOnErr('/settings/featured', 'settings_featured');
         call_hooks('feature_settings_post', $_POST);
         build_sync_packet();
         return;
     }
     if (argc() > 1 && argv(1) == 'tokens') {
         check_form_security_token_redirectOnErr('/settings/tokens', 'settings_tokens');
         $token_errs = 0;
         if (array_key_exists('token', $_POST)) {
             $atoken_id = $_POST['atoken_id'] ? intval($_POST['atoken_id']) : 0;
             $name = trim(escape_tags($_POST['name']));
             $token = trim($_POST['token']);
             if (!$name || !$token) {
                 $token_errs++;
             }
             if (trim($_POST['expires'])) {
                 $expires = datetime_convert(date_default_timezone_get(), 'UTC', $_POST['expires']);
             } else {
                 $expires = NULL_DATE;
             }
             $max_atokens = service_class_fetch(local_channel(), 'access_tokens');
             if ($max_atokens) {
                 $r = q("select count(atoken_id) as total where atoken_uid = %d", intval(local_channel()));
                 if ($r && intval($r[0]['total']) >= $max_tokens) {
                     notice(sprintf(t('This channel is limited to %d tokens'), $max_tokens) . EOL);
                     return;
                 }
             }
         }
         if ($token_errs) {
             notice(t('Name and Password are required.') . EOL);
             return;
         }
         if ($atoken_id) {
             $r = q("update atoken set atoken_name = '%s', atoken_token = '%s' atoken_expires = '%s' \n\t\t\t\t\twhere atoken_id = %d and atoken_uid = %d", dbesc($name), dbesc($token), dbesc($expires), intval($atoken_id), intval($channel['channel_id']));
         } else {
             $r = q("insert into atoken ( atoken_aid, atoken_uid, atoken_name, atoken_token, atoken_expires )\n\t\t\t\t\tvalues ( %d, %d, '%s', '%s', '%s' ) ", intval($channel['channel_account_id']), intval($channel['channel_id']), dbesc($name), dbesc($token), dbesc($expires));
         }
         info(t('Token saved.') . EOL);
         return;
     }
     if (argc() > 1 && argv(1) === 'features') {
         check_form_security_token_redirectOnErr('/settings/features', 'settings_features');
         // Build list of features and check which are set
         $features = get_features();
         $all_features = array();
         foreach ($features as $k => $v) {
             foreach ($v as $f) {
                 $all_features[] = $f[0];
             }
         }
         foreach ($all_features as $k) {
             if (x($_POST, "feature_{$k}")) {
                 set_pconfig(local_channel(), 'feature', $k, 1);
             } else {
                 set_pconfig(local_channel(), 'feature', $k, 0);
             }
         }
         build_sync_packet();
         return;
     }
     if (argc() > 1 && argv(1) == 'display') {
         check_form_security_token_redirectOnErr('/settings/display', 'settings_display');
         $theme = x($_POST, 'theme') ? notags(trim($_POST['theme'])) : \App::$channel['channel_theme'];
         $mobile_theme = x($_POST, 'mobile_theme') ? notags(trim($_POST['mobile_theme'])) : '';
         $preload_images = x($_POST, 'preload_images') ? intval($_POST['preload_images']) : 0;
         $user_scalable = x($_POST, 'user_scalable') ? intval($_POST['user_scalable']) : 0;
         $nosmile = x($_POST, 'nosmile') ? intval($_POST['nosmile']) : 0;
         $title_tosource = x($_POST, 'title_tosource') ? intval($_POST['title_tosource']) : 0;
         $channel_list_mode = x($_POST, 'channel_list_mode') ? intval($_POST['channel_list_mode']) : 0;
         $network_list_mode = x($_POST, 'network_list_mode') ? intval($_POST['network_list_mode']) : 0;
         $channel_divmore_height = x($_POST, 'channel_divmore_height') ? intval($_POST['channel_divmore_height']) : 400;
         if ($channel_divmore_height < 50) {
             $channel_divmore_height = 50;
         }
         $network_divmore_height = x($_POST, 'network_divmore_height') ? intval($_POST['network_divmore_height']) : 400;
         if ($network_divmore_height < 50) {
             $network_divmore_height = 50;
         }
         $browser_update = x($_POST, 'browser_update') ? intval($_POST['browser_update']) : 0;
         $browser_update = $browser_update * 1000;
         if ($browser_update < 10000) {
             $browser_update = 10000;
         }
         $itemspage = x($_POST, 'itemspage') ? intval($_POST['itemspage']) : 20;
         if ($itemspage > 100) {
             $itemspage = 100;
         }
         if ($mobile_theme == "---") {
             del_pconfig(local_channel(), 'system', 'mobile_theme');
         } else {
             set_pconfig(local_channel(), 'system', 'mobile_theme', $mobile_theme);
         }
         set_pconfig(local_channel(), 'system', 'preload_images', $preload_images);
         set_pconfig(local_channel(), 'system', 'user_scalable', $user_scalable);
         set_pconfig(local_channel(), 'system', 'update_interval', $browser_update);
         set_pconfig(local_channel(), 'system', 'itemspage', $itemspage);
         set_pconfig(local_channel(), 'system', 'no_smilies', 1 - intval($nosmile));
         set_pconfig(local_channel(), 'system', 'title_tosource', $title_tosource);
         set_pconfig(local_channel(), 'system', 'channel_list_mode', $channel_list_mode);
         set_pconfig(local_channel(), 'system', 'network_list_mode', $network_list_mode);
         set_pconfig(local_channel(), 'system', 'channel_divmore_height', $channel_divmore_height);
         set_pconfig(local_channel(), 'system', 'network_divmore_height', $network_divmore_height);
         if ($theme == \App::$channel['channel_theme']) {
             // call theme_post only if theme has not been changed
             if (($themeconfigfile = $this->get_theme_config_file($theme)) != null) {
                 require_once $themeconfigfile;
                 theme_post($a);
             }
         }
         $r = q("UPDATE channel SET channel_theme = '%s' WHERE channel_id = %d", dbesc($theme), intval(local_channel()));
         call_hooks('display_settings_post', $_POST);
         build_sync_packet();
         goaway(z_root() . '/settings/display');
         return;
         // NOTREACHED
     }
     if (argc() > 1 && argv(1) === 'account') {
         check_form_security_token_redirectOnErr('/settings/account', 'settings_account');
         call_hooks('account_settings_post', $_POST);
         //		call_hooks('settings_account', $_POST);
         $errs = array();
         $email = x($_POST, 'email') ? trim(notags($_POST['email'])) : '';
         $account = \App::get_account();
         if ($email != $account['account_email']) {
             if (!valid_email($email)) {
                 $errs[] = t('Not valid email.');
             }
             $adm = trim(get_config('system', 'admin_email'));
             if ($adm && strcasecmp($email, $adm) == 0) {
                 $errs[] = t('Protected email address. Cannot change to that email.');
                 $email = \App::$user['email'];
             }
             if (!$errs) {
                 $r = q("update account set account_email = '%s' where account_id = %d", dbesc($email), intval($account['account_id']));
                 if (!$r) {
                     $errs[] = t('System failure storing new email. Please try again.');
                 }
             }
         }
         if ($errs) {
             foreach ($errs as $err) {
                 notice($err . EOL);
             }
             $errs = array();
         }
         if (x($_POST, 'npassword') || x($_POST, 'confirm')) {
             $origpass = trim($_POST['origpass']);
             require_once 'include/auth.php';
             if (!account_verify_password($email, $origpass)) {
                 $errs[] = t('Password verification failed.');
             }
             $newpass = trim($_POST['npassword']);
             $confirm = trim($_POST['confirm']);
             if ($newpass != $confirm) {
                 $errs[] = t('Passwords do not match. Password unchanged.');
             }
             if (!x($newpass) || !x($confirm)) {
                 $errs[] = t('Empty passwords are not allowed. Password unchanged.');
             }
             if (!$errs) {
                 $salt = random_string(32);
                 $password_encoded = hash('whirlpool', $salt . $newpass);
                 $r = q("update account set account_salt = '%s', account_password = '******', account_password_changed = '%s' \n\t\t\t\t\t\twhere account_id = %d", dbesc($salt), dbesc($password_encoded), dbesc(datetime_convert()), intval(get_account_id()));
                 if ($r) {
                     info(t('Password changed.') . EOL);
                 } else {
                     $errs[] = t('Password update failed. Please try again.');
                 }
             }
         }
         if ($errs) {
             foreach ($errs as $err) {
                 notice($err . EOL);
             }
         }
         goaway(z_root() . '/settings/account');
     }
     check_form_security_token_redirectOnErr('/settings', 'settings');
     call_hooks('settings_post', $_POST);
     $set_perms = '';
     $role = x($_POST, 'permissions_role') ? notags(trim($_POST['permissions_role'])) : '';
     $oldrole = get_pconfig(local_channel(), 'system', 'permissions_role');
     if ($role != $oldrole || $role === 'custom') {
         if ($role === 'custom') {
             $hide_presence = x($_POST, 'hide_presence') && intval($_POST['hide_presence']) == 1 ? 1 : 0;
             $publish = x($_POST, 'profile_in_directory') && intval($_POST['profile_in_directory']) == 1 ? 1 : 0;
             $def_group = x($_POST, 'group-selection') ? notags(trim($_POST['group-selection'])) : '';
             $r = q("update channel set channel_default_group = '%s' where channel_id = %d", dbesc($def_group), intval(local_channel()));
             $global_perms = get_perms();
             foreach ($global_perms as $k => $v) {
                 $set_perms .= ', ' . $v[0] . ' = ' . intval($_POST[$k]) . ' ';
             }
             $acl = new \Zotlabs\Access\AccessList($channel);
             $acl->set_from_array($_POST);
             $x = $acl->get();
             $r = q("update channel set channel_allow_cid = '%s', channel_allow_gid = '%s', \n\t\t\t\t\tchannel_deny_cid = '%s', channel_deny_gid = '%s' where channel_id = %d", dbesc($x['allow_cid']), dbesc($x['allow_gid']), dbesc($x['deny_cid']), dbesc($x['deny_gid']), intval(local_channel()));
         } else {
             $role_permissions = get_role_perms($_POST['permissions_role']);
             if (!$role_permissions) {
                 notice('Permissions category could not be found.');
                 return;
             }
             $hide_presence = 1 - intval($role_permissions['online']);
             if ($role_permissions['default_collection']) {
                 $r = q("select hash from groups where uid = %d and gname = '%s' limit 1", intval(local_channel()), dbesc(t('Friends')));
                 if (!$r) {
                     require_once 'include/group.php';
                     group_add(local_channel(), t('Friends'));
                     group_add_member(local_channel(), t('Friends'), $channel['channel_hash']);
                     $r = q("select hash from groups where uid = %d and gname = '%s' limit 1", intval(local_channel()), dbesc(t('Friends')));
                 }
                 if ($r) {
                     q("update channel set channel_default_group = '%s', channel_allow_gid = '%s', channel_allow_cid = '', channel_deny_gid = '', channel_deny_cid = '' where channel_id = %d", dbesc($r[0]['hash']), dbesc('<' . $r[0]['hash'] . '>'), intval(local_channel()));
                 } else {
                     notice(sprintf('Default privacy group \'%s\' not found. Please create and re-submit permission change.', t('Friends')) . EOL);
                     return;
                 }
             } else {
                 q("update channel set channel_default_group = '', channel_allow_gid = '', channel_allow_cid = '', channel_deny_gid = '', \n\t\t\t\t\t\tchannel_deny_cid = '' where channel_id = %d", intval(local_channel()));
             }
             $r = q("update abook set abook_my_perms  = %d where abook_channel = %d and abook_self = 1", intval(array_key_exists('perms_accept', $role_permissions) ? $role_permissions['perms_accept'] : 0), intval(local_channel()));
             set_pconfig(local_channel(), 'system', 'autoperms', $role_permissions['perms_auto'] ? intval($role_permissions['perms_accept']) : 0);
             foreach ($role_permissions as $p => $v) {
                 if (strpos($p, 'channel_') !== false) {
                     $set_perms .= ', ' . $p . ' = ' . intval($v) . ' ';
                 }
                 if ($p === 'directory_publish') {
                     $publish = intval($v);
                 }
             }
         }
         set_pconfig(local_channel(), 'system', 'hide_online_status', $hide_presence);
         set_pconfig(local_channel(), 'system', 'permissions_role', $role);
     }
     $username = x($_POST, 'username') ? notags(trim($_POST['username'])) : '';
     $timezone = x($_POST, 'timezone_select') ? notags(trim($_POST['timezone_select'])) : '';
     $defloc = x($_POST, 'defloc') ? notags(trim($_POST['defloc'])) : '';
     $openid = x($_POST, 'openid_url') ? notags(trim($_POST['openid_url'])) : '';
     $maxreq = x($_POST, 'maxreq') ? intval($_POST['maxreq']) : 0;
     $expire = x($_POST, 'expire') ? intval($_POST['expire']) : 0;
     $evdays = x($_POST, 'evdays') ? intval($_POST['evdays']) : 3;
     $photo_path = x($_POST, 'photo_path') ? escape_tags(trim($_POST['photo_path'])) : '';
     $attach_path = x($_POST, 'attach_path') ? escape_tags(trim($_POST['attach_path'])) : '';
     $channel_menu = x($_POST['channel_menu']) ? htmlspecialchars_decode(trim($_POST['channel_menu']), ENT_QUOTES) : '';
     $expire_items = x($_POST, 'expire_items') ? intval($_POST['expire_items']) : 0;
     $expire_starred = x($_POST, 'expire_starred') ? intval($_POST['expire_starred']) : 0;
     $expire_photos = x($_POST, 'expire_photos') ? intval($_POST['expire_photos']) : 0;
     $expire_network_only = x($_POST, 'expire_network_only') ? intval($_POST['expire_network_only']) : 0;
     $allow_location = x($_POST, 'allow_location') && intval($_POST['allow_location']) == 1 ? 1 : 0;
     $blocktags = x($_POST, 'blocktags') && intval($_POST['blocktags']) == 1 ? 0 : 1;
     // this setting is inverted!
     $unkmail = x($_POST, 'unkmail') && intval($_POST['unkmail']) == 1 ? 1 : 0;
     $cntunkmail = x($_POST, 'cntunkmail') ? intval($_POST['cntunkmail']) : 0;
     $suggestme = x($_POST, 'suggestme') ? intval($_POST['suggestme']) : 0;
     $post_newfriend = $_POST['post_newfriend'] == 1 ? 1 : 0;
     $post_joingroup = $_POST['post_joingroup'] == 1 ? 1 : 0;
     $post_profilechange = $_POST['post_profilechange'] == 1 ? 1 : 0;
     $adult = $_POST['adult'] == 1 ? 1 : 0;
     $cal_first_day = x($_POST, 'first_day') && intval($_POST['first_day']) == 1 ? 1 : 0;
     $channel = \App::get_channel();
     $pageflags = $channel['channel_pageflags'];
     $existing_adult = $pageflags & PAGE_ADULT ? 1 : 0;
     if ($adult != $existing_adult) {
         $pageflags = $pageflags ^ PAGE_ADULT;
     }
     $notify = 0;
     if (x($_POST, 'notify1')) {
         $notify += intval($_POST['notify1']);
     }
     if (x($_POST, 'notify2')) {
         $notify += intval($_POST['notify2']);
     }
     if (x($_POST, 'notify3')) {
         $notify += intval($_POST['notify3']);
     }
     if (x($_POST, 'notify4')) {
         $notify += intval($_POST['notify4']);
     }
     if (x($_POST, 'notify5')) {
         $notify += intval($_POST['notify5']);
     }
     if (x($_POST, 'notify6')) {
         $notify += intval($_POST['notify6']);
     }
     if (x($_POST, 'notify7')) {
         $notify += intval($_POST['notify7']);
     }
     if (x($_POST, 'notify8')) {
         $notify += intval($_POST['notify8']);
     }
     $vnotify = 0;
     if (x($_POST, 'vnotify1')) {
         $vnotify += intval($_POST['vnotify1']);
     }
     if (x($_POST, 'vnotify2')) {
         $vnotify += intval($_POST['vnotify2']);
     }
     if (x($_POST, 'vnotify3')) {
         $vnotify += intval($_POST['vnotify3']);
     }
     if (x($_POST, 'vnotify4')) {
         $vnotify += intval($_POST['vnotify4']);
     }
     if (x($_POST, 'vnotify5')) {
         $vnotify += intval($_POST['vnotify5']);
     }
     if (x($_POST, 'vnotify6')) {
         $vnotify += intval($_POST['vnotify6']);
     }
     if (x($_POST, 'vnotify7')) {
         $vnotify += intval($_POST['vnotify7']);
     }
     if (x($_POST, 'vnotify8')) {
         $vnotify += intval($_POST['vnotify8']);
     }
     if (x($_POST, 'vnotify9')) {
         $vnotify += intval($_POST['vnotify9']);
     }
     if (x($_POST, 'vnotify10')) {
         $vnotify += intval($_POST['vnotify10']);
     }
     if (x($_POST, 'vnotify11')) {
         $vnotify += intval($_POST['vnotify11']);
     }
     $always_show_in_notices = x($_POST, 'always_show_in_notices') ? 1 : 0;
     $channel = \App::get_channel();
     $err = '';
     $name_change = false;
     if ($username != $channel['channel_name']) {
         $name_change = true;
         require_once 'include/channel.php';
         $err = validate_channelname($username);
         if ($err) {
             notice($err);
             return;
         }
     }
     if ($timezone != $channel['channel_timezone']) {
         if (strlen($timezone)) {
             date_default_timezone_set($timezone);
         }
     }
     set_pconfig(local_channel(), 'system', 'use_browser_location', $allow_location);
     set_pconfig(local_channel(), 'system', 'suggestme', $suggestme);
     set_pconfig(local_channel(), 'system', 'post_newfriend', $post_newfriend);
     set_pconfig(local_channel(), 'system', 'post_joingroup', $post_joingroup);
     set_pconfig(local_channel(), 'system', 'post_profilechange', $post_profilechange);
     set_pconfig(local_channel(), 'system', 'blocktags', $blocktags);
     set_pconfig(local_channel(), 'system', 'channel_menu', $channel_menu);
     set_pconfig(local_channel(), 'system', 'vnotify', $vnotify);
     set_pconfig(local_channel(), 'system', 'always_show_in_notices', $always_show_in_notices);
     set_pconfig(local_channel(), 'system', 'evdays', $evdays);
     set_pconfig(local_channel(), 'system', 'photo_path', $photo_path);
     set_pconfig(local_channel(), 'system', 'attach_path', $attach_path);
     set_pconfig(local_channel(), 'system', 'cal_first_day', $cal_first_day);
     $r = q("update channel set channel_name = '%s', channel_pageflags = %d, channel_timezone = '%s', channel_location = '%s', channel_notifyflags = %d, channel_max_anon_mail = %d, channel_max_friend_req = %d, channel_expire_days = %d {$set_perms} where channel_id = %d", dbesc($username), intval($pageflags), dbesc($timezone), dbesc($defloc), intval($notify), intval($unkmail), intval($maxreq), intval($expire), intval(local_channel()));
     if ($r) {
         info(t('Settings updated.') . EOL);
     }
     if (!is_null($publish)) {
         $r = q("UPDATE profile SET publish = %d WHERE is_default = 1 AND uid = %d", intval($publish), intval(local_channel()));
     }
     if ($name_change) {
         $r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s' where xchan_hash = '%s'", dbesc($username), dbesc(datetime_convert()), dbesc($channel['channel_hash']));
         $r = q("update profile set fullname = '%s' where uid = %d and is_default = 1", dbesc($username), intval($channel['channel_id']));
     }
     \Zotlabs\Daemon\Master::Summon(array('Directory', local_channel()));
     build_sync_packet();
     //$_SESSION['theme'] = $theme;
     if ($email_changed && \App::$config['system']['register_policy'] == REGISTER_VERIFY) {
         // FIXME - set to un-verified, blocked and redirect to logout
         // Why? Are we verifying people or email addresses?
     }
     goaway(z_root() . '/settings');
     return;
     // NOTREACHED
 }
Exemplo n.º 9
0
/**
 * Simple HTTP Login
 */
function api_login(&$a)
{
    // login with oauth
    try {
        $oauth = new FKOAuth1();
        $req = OAuthRequest::from_request();
        list($consumer, $token) = $oauth->verify_request($req);
        //			list($consumer,$token) = $oauth->verify_request(OAuthRequest::from_request());
        if (!is_null($token)) {
            $oauth->loginUser($token->uid);
            $a->set_oauth_key($consumer->key);
            call_hooks('logged_in', $a->user);
            return;
        }
        echo __FILE__ . __LINE__ . __FUNCTION__ . "<pre>";
        //			var_dump($consumer, $token);
        die;
    } catch (Exception $e) {
        logger(__FILE__ . __LINE__ . __FUNCTION__ . "\n" . $e);
    }
    // workaround for HTTP-auth in CGI mode
    if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
        $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
        if (strlen($userpass)) {
            list($name, $password) = explode(':', $userpass);
            $_SERVER['PHP_AUTH_USER'] = $name;
            $_SERVER['PHP_AUTH_PW'] = $password;
        }
    }
    if (x($_SERVER, 'HTTP_AUTHORIZATION')) {
        $userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6));
        if (strlen($userpass)) {
            list($name, $password) = explode(':', $userpass);
            $_SERVER['PHP_AUTH_USER'] = $name;
            $_SERVER['PHP_AUTH_PW'] = $password;
        }
    }
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        logger('API_login: '******'WWW-Authenticate: Basic realm="Red"');
        header('HTTP/1.0 401 Unauthorized');
        die('This api requires login');
    }
    // process normal login request
    require_once 'include/auth.php';
    $channel_login = 0;
    $record = account_verify_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    if (!$record) {
        $r = q("select * from channel where channel_address = '%s' limit 1", dbesc($_SERVER['PHP_AUTH_USER']));
        if ($r) {
            $x = q("select * from account where account_id = %d limit 1", intval($r[0]['channel_account_id']));
            if ($x) {
                $record = account_verify_password($x[0]['account_email'], $_SERVER['PHP_AUTH_PW']);
                if ($record) {
                    $channel_login = $r[0]['channel_id'];
                }
            }
        }
        if (!$record) {
            logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG);
            header('WWW-Authenticate: Basic realm="Red"');
            header('HTTP/1.0 401 Unauthorized');
            die('This api requires login');
        }
    }
    require_once 'include/security.php';
    authenticate_success($record);
    if ($channel_login) {
        change_channel($channel_login);
    }
    $_SESSION['allow_api'] = true;
}
Exemplo n.º 10
0
 $record = null;
 $addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null);
 /**
  *
  * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
  * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
  * and later plugins should not interfere with an earlier one that succeeded.
  *
  */
 call_hooks('authenticate', $addon_auth);
 $atoken = null;
 $account = null;
 if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
     $account = $addon_auth['user_record'];
 } else {
     $verify = account_verify_password($_POST['username'], $_POST['password']);
     if ($verify) {
         $atoken = $verify['xchan'];
         $channel = $verify['channel'];
         $account = App::$account = $verify['account'];
     }
     if (App::$account) {
         $_SESSION['account_id'] = App::$account['account_id'];
     } elseif ($atoken) {
         atoken_login($atoken);
     } else {
         notice(t('Failed authentication') . EOL);
     }
 }
 if (!($account || $atoken)) {
     $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
Exemplo n.º 11
0
 /**
  * @brief Validates a username and password.
  *
  *
  * @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass
  * @param string $username
  * @param string $password
  * @return bool
  */
 protected function validateUserPass($username, $password)
 {
     require_once 'include/auth.php';
     $record = account_verify_password($username, $password);
     if ($record && $record['account']) {
         if ($record['channel']) {
             $channel = $record['channel'];
         } else {
             $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", intval($record['account']['account_id']), intval($record['account']['account_default_channel']));
             if ($r) {
                 $channel = $r[0];
             }
         }
     }
     if ($channel && $this->check_module_access($channel['channel_id'])) {
         return $this->setAuthenticated($channel);
     }
     if ($this->module_disabled) {
         $error = 'module not enabled for ' . $username;
     } else {
         $error = 'password failed for ' . $username;
     }
     logger($error);
     log_failed_login($error);
     return false;
 }
Exemplo n.º 12
0
 }
 if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') {
     $record = null;
     $addon_auth = array('username' => trim($_POST['username']), 'password' => trim($_POST['password']), 'authenticated' => 0, 'user_record' => null);
     /**
      *
      * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
      * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
      * and later plugins should not interfere with an earlier one that succeeded.
      *
      */
     call_hooks('authenticate', $addon_auth);
     if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
         $record = $addon_auth['user_record'];
     } else {
         $record = App::$account = account_verify_password($_POST['username'], $_POST['password']);
         if (App::$account) {
             $_SESSION['account_id'] = App::$account['account_id'];
         } else {
             notice(t('Failed authentication') . EOL);
         }
         logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
     }
     if (!$record || !count($record)) {
         $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
         logger($error);
         // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
         $authlog = get_config('system', 'authlog');
         if ($authlog) {
             @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
         }
Exemplo n.º 13
0
Arquivo: reddav.php Projeto: Mauru/red
 /**
  *
  * @param string $username
  * @param string $password
  */
 protected function validateUserPass($username, $password)
 {
     if (trim($password) === '+++') {
         logger('reddav: validateUserPass: guest ' . $username);
         return true;
     }
     require_once 'include/auth.php';
     $record = account_verify_password($username, $password);
     if ($record && $record['account_default_channel']) {
         $r = q("select * from channel where channel_account_id = %d and channel_id = %d limit 1", intval($record['account_id']), intval($record['account_default_channel']));
         if ($r) {
             $this->currentUser = $r[0]['channel_address'];
             $this->channel_name = $r[0]['channel_address'];
             $this->channel_id = $r[0]['channel_id'];
             $this->channel_hash = $this->observer = $r[0]['channel_hash'];
             $_SESSION['uid'] = $r[0]['channel_id'];
             $_SESSION['account_id'] = $r[0]['channel_account_id'];
             $_SESSION['authenticated'] = true;
             return true;
         }
     }
     $r = q("select * from channel where channel_address = '%s' limit 1", dbesc($username));
     if ($r) {
         $x = q("select * from account where account_id = %d limit 1", intval($r[0]['channel_account_id']));
         if ($x) {
             foreach ($x as $record) {
                 if ($record['account_flags'] == ACCOUNT_OK || $record['account_flags'] == ACCOUNT_UNVERIFIED && hash('whirlpool', $record['account_salt'] . $password) === $record['account_password']) {
                     logger('(DAV) RedBasicAuth: password verified for ' . $username);
                     $this->currentUser = $r[0]['channel_address'];
                     $this->channel_name = $r[0]['channel_address'];
                     $this->channel_id = $r[0]['channel_id'];
                     $this->channel_hash = $this->observer = $r[0]['channel_hash'];
                     $_SESSION['uid'] = $r[0]['channel_id'];
                     $_SESSION['account_id'] = $r[0]['channel_account_id'];
                     $_SESSION['authenticated'] = true;
                     return true;
                 }
             }
         }
     }
     logger('(DAV) RedBasicAuth: password failed for ' . $username);
     return false;
 }