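/**
 * Authenticates a user by email and password and starts a login session.
 *
 * Failures are reported through message_error() / message_generic(), which
 * are presumed to halt the request; each failure path additionally returns
 * false so the function fails closed even if they do not.
 *
 * @param string $email       Email address submitted on the login form.
 * @param string $password    Plaintext password submitted on the login form.
 * @param bool   $remember_me Whether to also issue a persistent login cookie.
 * @return bool true once the session (and optional cookie) has been created,
 *              false on any failure.
 */
function login_create($email, $password, $remember_me)
{
    if (empty($email) || empty($password)) {
        message_error('Please enter your email and password.');
        return false;
    }

    $user = db_select_one('users', array('id', 'passhash', 'class', 'enabled', '2fa_status'), array('email' => $email));

    // An unknown email, a row without a hash and a wrong password all produce
    // the same message, so the form does not reveal which addresses exist.
    // (db_select_one() is assumed to return an empty/false result when no row
    // matches; the original indexed into it unconditionally.)
    if (empty($user) || empty($user['passhash']) || !check_passhash($password, $user['passhash'])) {
        message_error('Login failed');
        return false;
    }

    if (!$user['enabled']) {
        message_generic('Ooops!', 'Your account is not enabled.
        If you have just registered, this is normal - an email with instructions will be sent out closer to the event start date!
        In all other cases, please contact the system administrator with any questions.');
        return false;
    }

    // NOTE(review): 2fa_status is selected but never consulted here; presumably
    // login_session_create() enforces the second factor - confirm.
    login_session_create($user);
    if ($remember_me) {
        login_cookie_create($user);
    }
    log_user_ip($user['id']);
    return true;
}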
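/**
 * Authenticates a user by email and password, records the user's instance
 * details in the session, and starts a login session.
 *
 * Nothing is written to $_SESSION until the password and account status have
 * been verified: the original populated the instance data before calling
 * check_passhash(), so an unauthenticated request could leave the instance
 * details of an arbitrary email address in the session.
 *
 * Failures are reported through message_error() / message_generic(), which
 * are presumed to halt the request; each failure path additionally returns
 * false so the function fails closed even if they do not.
 *
 * @param string $email       Email address submitted on the login form.
 * @param string $password    Plaintext password submitted on the login form.
 * @param bool   $remember_me Whether to also issue a persistent login cookie.
 * @return bool true once the session (and optional cookie) has been created,
 *              false on any failure.
 */
function login_create($email, $password, $remember_me)
{
    if (empty($email) || empty($password)) {
        message_error('Please enter your email and password.');
        return false;
    }

    $user = db_select_one('users', array('id', 'passhash', 'class', 'team_name', 'enabled', '2fa_status', 'instanceID'), array('email' => $email));

    // An unknown email, a row without a hash and a wrong password all produce
    // the same message, so the form does not reveal which addresses exist.
    if (empty($user) || empty($user['passhash']) || !check_passhash($password, $user['passhash'])) {
        message_error('Login failed');
        return false;
    }

    if (!$user['enabled']) {
        message_generic('Ooops!', 'Your account is not enabled.
        If you have just registered, this is normal - an email with instructions will be sent out closer to the event start date!
        In all other cases, please contact the system administrator with any questions.');
        return false;
    }

    // Only now, for a verified and enabled account, load and publish the
    // instance details.  A missing instance row yields null session values,
    // as before, instead of undefined-index notices.
    $instanceInformation = db_select_one('instances', array('id', 'instanceURI', 'name', 'authoratativeAccountID', 'registrationToken'), array('id' => $user['instanceID']));
    if (empty($instanceInformation)) {
        $instanceInformation = array();
    }
    $_SESSION['UIID'] = $user['instanceID'];
    $_SESSION['IID'] = isset($instanceInformation['id']) ? $instanceInformation['id'] : null;
    $_SESSION['IRQ'] = isset($instanceInformation['registrationToken']) ? $instanceInformation['registrationToken'] : null;
    $_SESSION['IName'] = isset($instanceInformation['name']) ? $instanceInformation['name'] : null;
    $_SESSION['IAID'] = isset($instanceInformation['authoratativeAccountID']) ? $instanceInformation['authoratativeAccountID'] : null;
    $_SESSION['UName'] = $user['team_name'];

    // NOTE(review): 2fa_status is selected but never consulted here; presumably
    // login_session_create() enforces the second factor - confirm.
    login_session_create($user);
    if ($remember_me) {
        login_cookie_create($user);
    }
    log_user_ip($user['id']);
    return true;
}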
 } else {
     if ($_POST['action'] == '2fa_enable') {
         if (!validate_two_factor_auth_code($_POST['code'])) {
             message_error('Incorrect code');
         }
         db_update('users', array('2fa_status' => 'enabled'), array('id' => $_SESSION['id']));
         redirect('profile?generic_success=1');
     } else {
         if ($_POST['action'] == '2fa_disable') {
             db_update('users', array('2fa_status' => 'disabled'), array('id' => $_SESSION['id']));
             db_delete('two_factor_auth', array('user_id' => $_SESSION['id']));
             redirect('profile?generic_success=1');
         } else {
             if ($_POST['action'] == 'reset_password') {
                 $user = db_select_one('users', array('passhash'), array('id' => $_SESSION['id']));
                 if (!check_passhash($_POST['current_password'], $user['passhash'])) {
                     message_error('Current password was incorrect.');
                 }
                 if (!strlen($_POST['new_password'])) {
                     message_error('Password cannot be empty.');
                 }
                 if ($_POST['new_password'] != $_POST['new_password_again']) {
                     message_error('Passwords did not match.');
                 }
                 $new_passhash = make_passhash($_POST['new_password']);
                 $password_set = db_update('users', array('passhash' => $new_passhash), array('id' => $_SESSION['id']));
                 if (!$password_set) {
                     message_error('Password not set.');
                 }
                 redirect('profile?generic_success=1');
             }
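/**
 * Checks to see if the user is logged in.  If not, redirects the browser
 * to the admin login.
 *
 * Login state is resolved in this order: a pending login queued in the
 * session (login_user_id), an existing admin session (cms_admin_user_id),
 * and finally the login cookies (cms_admin_user_id / cms_passhash).  When
 * debugging is off and an admin page is being served, the request must also
 * carry the per-session secure parameter (CMS_SECURE_PARAM_NAME, via GET or
 * POST) and it must match the value held in the session under CMS_USER_KEY.
 *
 * The secure-parameter comparison is strict.  The original used a loose '!='
 * against $_SESSION[CMS_USER_KEY], so a missing session key (null) compared
 * equal to an empty request value, and numeric-looking tokens compared
 * numerically.  The original also skipped the check entirely when the
 * parameter was present in both GET and POST; it is now always verified.
 *
 * @since 0.1
 * @param bool $no_redirect If true, then don't redirect if not logged in
 * @return bool true when a valid login (and, where required, a matching
 *              secure parameter) was found; false otherwise.
 */
function check_login($no_redirect = false)
{
    $config = cmsms()->GetConfig();

    //Handle a current login if one is in queue in the SESSION
    if (isset($_SESSION['login_user_id'])) {
        debug_buffer("Found login_user_id.  Going to generate the user object.");
        generate_user_object($_SESSION['login_user_id']);
        unset($_SESSION['login_user_id']);
    }
    if (isset($_SESSION['login_cms_language'])) {
        debug_buffer('Setting language to: ' . $_SESSION['login_cms_language']);
        cms_cookies::set('cms_language', $_SESSION['login_cms_language']);
        unset($_SESSION['login_cms_language']);
    }

    if (!isset($_SESSION["cms_admin_user_id"])) {
        debug_buffer('No session found.  Now check for cookies');
        $cookie_login_ok = false;
        if (isset($_COOKIE["cms_admin_user_id"]) && isset($_COOKIE["cms_passhash"])) {
            debug_buffer('Cookies found, do a passhash check');
            if (check_passhash($_COOKIE["cms_admin_user_id"], $_COOKIE["cms_passhash"])) {
                debug_buffer('passhash check succeeded...  creating session object');
                generate_user_object($_COOKIE["cms_admin_user_id"]);
                $cookie_login_ok = true;
            } else {
                debug_buffer('passhash check failed...  redirect to login');
            }
        } else {
            debug_buffer('No cookies found.  Redirect to login.');
        }
        if (!$cookie_login_ok) {
            // Remember where the user was heading so login can return there.
            $_SESSION["redirect_url"] = $_SERVER["REQUEST_URI"];
            if (!$no_redirect) {
                redirect($config['admin_url'] . "/login.php");
            }
            return false;
        }
    }

    debug_buffer('Session found.  Moving on...');
    global $CMS_ADMIN_PAGE;
    if ($config['debug'] === false && isset($CMS_ADMIN_PAGE)) {
        if (!isset($_SESSION[CMS_USER_KEY]) && isset($_COOKIE[CMS_SECURE_PARAM_NAME])) {
            // it's not in the session, try to grab something from cookies
            $_SESSION[CMS_USER_KEY] = $_COOKIE[CMS_SECURE_PARAM_NAME];
        }

        // now we've got to check the request and make sure it matches the
        // session key.  The config kill switch retains its original meaning:
        // when set, a mismatch is tolerated.
        if (!isset($config['stupidly_ignore_xss_vulnerability'])) {
            $v = null;
            if (isset($_GET[CMS_SECURE_PARAM_NAME])) {
                $v = $_GET[CMS_SECURE_PARAM_NAME];
            } elseif (isset($_POST[CMS_SECURE_PARAM_NAME])) {
                $v = $_POST[CMS_SECURE_PARAM_NAME];
            }
            // Strict string comparison: a missing session key, a missing
            // request value, or an array-valued parameter all fail.
            $matches = isset($_SESSION[CMS_USER_KEY])
                && $v === (string) $_SESSION[CMS_USER_KEY];
            if (!$matches) {
                debug_buffer('Session key mismatch problem... redirect to login');
                if (!$no_redirect) {
                    redirect($config['admin_url'] . '/login.php');
                }
                return false;
            }
        }
    }
    return true;
}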