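/**
 * Authenticates a user by email/password and starts a login session.
 *
 * Every failure path is reported through message_error()/message_generic();
 * the surrounding flow appears to rely on those helpers halting the request
 * (nothing here branches on their return) — confirm against their definition.
 * The function only returns when the session has been created.
 *
 * @param string $email       Email address submitted by the login form.
 * @param string $password    Plaintext password submitted by the login form.
 * @param mixed  $remember_me Truthy to additionally issue a persistent login cookie.
 * @return bool true once the session (and optional cookie) has been created.
 */
function login_create($email, $password, $remember_me) {
    // empty() treats the string "0" as absent, which would reject a
    // legitimate password of "0"; only a missing or blank password is absent.
    if (empty($email) || $password === null || $password === '') {
        message_error('Please enter your email and password.');
    }

    $user = db_select_one('users', array('id', 'passhash', 'class', 'enabled', '2fa_status'), array('email' => $email));

    // An unknown email and a wrong password share one response, so the form
    // does not reveal which addresses are registered. Guarding on $user also
    // avoids indexing the null/false row returned when nothing matched.
    if (!$user || !check_passhash($password, $user['passhash'])) {
        message_error('Login failed');
    }

    if (!$user['enabled']) {
        message_generic('Ooops!', 'Your account is not enabled. If you have just registered, this is normal - an email with instructions will be sent out closer to the event start date! In all other cases, please contact the system administrator with any questions.');
    }

    // NOTE(review): 2fa_status is fetched but not acted on in this function;
    // presumably login_session_create() enforces the second factor — confirm.
    login_session_create($user);

    if ($remember_me) {
        login_cookie_create($user);
    }

    log_user_ip($user['id']);

    return true;
}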
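/**
 * Authenticates a user by email/password, loads the user's instance record
 * and starts a login session.
 *
 * Every failure path is reported through message_error()/message_generic();
 * the surrounding flow appears to rely on those helpers halting the request
 * (nothing here branches on their return) — confirm against their definition.
 *
 * Session keys written on success: UIID, IID, IRQ (instance registration
 * token), IName, IAID, UName.
 *
 * @param string $email       Email address submitted by the login form.
 * @param string $password    Plaintext password submitted by the login form.
 * @param mixed  $remember_me Truthy to additionally issue a persistent login cookie.
 * @return bool true once the session (and optional cookie) has been created.
 */
function login_create($email, $password, $remember_me) {
    // empty() treats the string "0" as absent, which would reject a
    // legitimate password of "0"; only a missing or blank password is absent.
    if (empty($email) || $password === null || $password === '') {
        message_error('Please enter your email and password.');
    }

    $user = db_select_one('users', array('id', 'passhash', 'class', 'team_name', 'enabled', '2fa_status', 'instanceID'), array('email' => $email));

    // An unknown email and a wrong password share one response, so the form
    // does not reveal which addresses are registered. Guarding on $user also
    // avoids indexing the null/false row returned when nothing matched.
    if (!$user || !check_passhash($password, $user['passhash'])) {
        message_error('Login failed');
    }

    if (!$user['enabled']) {
        message_generic('Ooops!', 'Your account is not enabled. If you have just registered, this is normal - an email with instructions will be sent out closer to the event start date! In all other cases, please contact the system administrator with any questions.');
    }

    // Instance details (including the registration token) are only loaded
    // and placed in the session AFTER the credentials and enabled flag have
    // been verified. Previously they were written before check_passhash(),
    // so a failed login attempt still left them in the caller's session.
    $instanceInformation = db_select_one('instances', array('id', 'instanceURI', 'name', 'authoratativeAccountID', 'registrationToken'), array('id' => $user['instanceID']));
    if (!$instanceInformation) {
        // No matching instance row: keep the session keys present but null
        // rather than indexing a false/null result.
        $instanceInformation = array(
            'id' => null,
            'registrationToken' => null,
            'name' => null,
            'authoratativeAccountID' => null,
        );
    }

    $_SESSION['UIID'] = $user['instanceID'];
    $_SESSION['IID'] = $instanceInformation['id'];
    $_SESSION['IRQ'] = $instanceInformation['registrationToken'];
    $_SESSION['IName'] = $instanceInformation['name'];
    $_SESSION['IAID'] = $instanceInformation['authoratativeAccountID'];
    $_SESSION['UName'] = $user['team_name'];

    // NOTE(review): 2fa_status is fetched but not acted on in this function;
    // presumably login_session_create() enforces the second factor — confirm.
    login_session_create($user);

    if ($remember_me) {
        login_cookie_create($user);
    }

    log_user_ip($user['id']);

    return true;
}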
} else { if ($_POST['action'] == '2fa_enable') { if (!validate_two_factor_auth_code($_POST['code'])) { message_error('Incorrect code'); } db_update('users', array('2fa_status' => 'enabled'), array('id' => $_SESSION['id'])); redirect('profile?generic_success=1'); } else { if ($_POST['action'] == '2fa_disable') { db_update('users', array('2fa_status' => 'disabled'), array('id' => $_SESSION['id'])); db_delete('two_factor_auth', array('user_id' => $_SESSION['id'])); redirect('profile?generic_success=1'); } else { if ($_POST['action'] == 'reset_password') { $user = db_select_one('users', array('passhash'), array('id' => $_SESSION['id'])); if (!check_passhash($_POST['current_password'], $user['passhash'])) { message_error('Current password was incorrect.'); } if (!strlen($_POST['new_password'])) { message_error('Password cannot be empty.'); } if ($_POST['new_password'] != $_POST['new_password_again']) { message_error('Passwords did not match.'); } $new_passhash = make_passhash($_POST['new_password']); $password_set = db_update('users', array('passhash' => $new_passhash), array('id' => $_SESSION['id'])); if (!$password_set) { message_error('Password not set.'); } redirect('profile?generic_success=1'); }
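/**
 * Checks to see if the user is logged in. If not, redirects the browser
 * to the admin login.
 *
 * Resolution order: a pending login handed over via $_SESSION['login_user_id'],
 * then an existing admin session, then the persistent-login cookies. When an
 * admin page is being served and debugging is off, the request must also carry
 * the per-session key (CMS_SECURE_PARAM_NAME in GET or POST) matching
 * $_SESSION[CMS_USER_KEY].
 *
 * @since 0.1
 * @param bool $no_redirect If true, return false instead of redirecting when not logged in
 * @return bool true when the request is authenticated (and key-checked), false otherwise
 */
function check_login($no_redirect = false) {
    global $CMS_ADMIN_PAGE;

    $config = cmsms()->GetConfig();
    $login_url = $config['admin_url'] . '/login.php';

    //Handle a current login if one is in queue in the SESSION
    if (isset($_SESSION['login_user_id'])) {
        debug_buffer("Found login_user_id. Going to generate the user object.");
        generate_user_object($_SESSION['login_user_id']);
        unset($_SESSION['login_user_id']);
    }

    if (isset($_SESSION['login_cms_language'])) {
        debug_buffer('Setting language to: ' . $_SESSION['login_cms_language']);
        cms_cookies::set('cms_language', $_SESSION['login_cms_language']);
        unset($_SESSION['login_cms_language']);
    }

    if (!isset($_SESSION["cms_admin_user_id"])) {
        debug_buffer('No session found. Now check for cookies');
        $have_cookies = isset($_COOKIE["cms_admin_user_id"]) && isset($_COOKIE["cms_passhash"]);
        if ($have_cookies) {
            debug_buffer('Cookies found, do a passhash check');
        }
        // Persistent login: the cookie pair must pass the passhash check
        // before a user object is generated from the cookie's user id.
        if ($have_cookies && check_passhash($_COOKIE["cms_admin_user_id"], $_COOKIE["cms_passhash"])) {
            debug_buffer('passhash check succeeded... creating session object');
            generate_user_object($_COOKIE["cms_admin_user_id"]);
        } else {
            debug_buffer($have_cookies
                ? 'passhash check failed... redirect to login'
                : 'No cookies found. Redirect to login.');
            $_SESSION["redirect_url"] = $_SERVER["REQUEST_URI"];
            if (!$no_redirect) {
                redirect($login_url);
            }
            return false;
        }
    }

    debug_buffer('Session found. 
Moving on...');

    if ($config['debug'] === false && isset($CMS_ADMIN_PAGE)) {
        if (!isset($_SESSION[CMS_USER_KEY])) {
            // it's not in the session, try to grab something from cookies
            // NOTE(review): this seeds the per-session key from a client-supplied
            // cookie, so whoever can set cookies for this host chooses the value
            // the request key is compared against — confirm this is intended.
            if (isset($_COOKIE[CMS_SECURE_PARAM_NAME])) {
                $_SESSION[CMS_USER_KEY] = $_COOKIE[CMS_SECURE_PARAM_NAME];
            }
        }

        // The request key is ALWAYS compared with the session key. The original
        // only compared when the parameter was missing from GET or from POST, so
        // a request carrying it in both places skipped the check entirely.
        $v = '<no$!tgonna!$happen>';
        if (isset($_GET[CMS_SECURE_PARAM_NAME])) {
            $v = $_GET[CMS_SECURE_PARAM_NAME];
        } elseif (isset($_POST[CMS_SECURE_PARAM_NAME])) {
            $v = $_POST[CMS_SECURE_PARAM_NAME];
        }
        // Only a scalar string can be a valid key; an array parameter
        // (e.g. key[]=x) must never compare equal.
        if (!is_string($v)) {
            $v = '<no$!tgonna!$happen>';
        }

        // Strict string comparison, and a missing session key always fails:
        // the loose != used before accepted numeric strings that merely compare
        // equal, and treated an empty request key as equal to an unset session key.
        $mismatch = !isset($_SESSION[CMS_USER_KEY]) || $v !== (string) $_SESSION[CMS_USER_KEY];
        if ($mismatch && !isset($config['stupidly_ignore_xss_vulnerability'])) {
            debug_buffer('Session key mismatch problem... redirect to login');
            if (!$no_redirect) {
                redirect($login_url);
            }
            return false;
        }
    }

    return true;
}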