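 /**
  * Processes submitting of the form which is generated in
  * {@link \Mibew\Controller\LoginController::showFormAction()} method.
  *
  * Triggers 'operatorLogin' event after operator logged in and pass to it an
  * associative array with following items:
  *  - 'operator': array of the logged in operator info;
  *  - 'remember': boolean, indicates if system should remember operator.
  *
  * The "account is blocked" message is only produced once the submitted
  * credentials have been verified, so a wrong password never reveals whether
  * a login exists or whether that account is disabled.
  *
  * @param Request $request Incoming request.
  * @return string Rendered page content.
  */
 public function submitFormAction(Request $request)
 {
     csrf_check_token($request);

     $login = (string) $request->request->get('login', '');
     $password = (string) $request->request->get('password', '');
     // Strict comparison: only the literal checkbox value means "remember me".
     $remember = $request->request->get('isRemember') === 'on';

     $errors = array();

     $operator = operator_by_login($login);
     // Verify the credentials first; the account status is consulted only for
     // an operator whose password was correct.
     $credentials_ok = $operator
         && isset($operator['vcpassword'])
         && check_password_hash($operator['vclogin'], $password, $operator['vcpassword']);

     if ($credentials_ok && !operator_is_disabled($operator)) {
         // Login the operator to the system
         $this->getAuthenticationManager()->loginOperator($operator, $remember);

         // Redirect the current operator to the needed page. The back path is
         // read from the session, which the application fills itself; it is
         // never taken from the request.
         $target = isset($_SESSION[SESSION_PREFIX . 'backpath'])
             ? $_SESSION[SESSION_PREFIX . 'backpath']
             : $request->getUriForPath('/operator');

         return $this->redirect($target);
     }

     if ($credentials_ok) {
         // Correct password, but the account is disabled.
         $errors[] = getlocal('Your account is temporarily blocked. Please contact system administrator.');
     } else {
         // One message for both "unknown login" and "wrong password".
         $errors[] = getlocal("Entered login/password is incorrect");
     }

     // Rebuild login form
     $request->attributes->set('errors', $errors);

     return $this->showFormAction($request);
 }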
 * limitations under the License.
 */
require_once '../libs/common.php';
require_once '../libs/operator.php';
// An operator who already holds a valid session is sent straight to the
// operator home page instead of being shown the login form again.
$already_logged_in = check_login(false);
if ($already_logged_in) {
    header('Location: ' . $mibewroot . '/operator/');
    exit;
}

// Validation messages collected while processing the form.
$errors = array();

// Template variables for the login form.
$page = array();
$page['formisRemember'] = true;
$page['version'] = $version;
if (isset($_POST['login']) && isset($_POST['password'])) {
    $login = getparam('login');
    $password = getparam('password');
    $remember = isset($_POST['isRemember']) && $_POST['isRemember'] == "on";
    $operator = operator_by_login($login);
    if ($operator && isset($operator['vcpassword']) && check_password_hash($login, $password, $operator['vcpassword'])) {
        $target = $password == '' ? "{$mibewroot}/operator/operator.php?op=" . intval($operator['operatorid']) : (isset($_SESSION['backpath']) ? $_SESSION['backpath'] : "{$mibewroot}/operator/index.php");
        login_operator($operator, $remember, is_secure_request());
        header("Location: {$target}");
        exit;
    } else {
        $errors[] = getlocal("page_login.error");
        $page['formlogin'] = $login;
    }
} else {
    if (isset($_GET['login'])) {
        $login = getgetparam('login');
        if (preg_match("/^(\\w{1,15})\$/", $login)) {
            $page['formlogin'] = $login;
        }
    }
<?php

/*
 * This file is a part of Mibew Messenger.
 *
 * Copyright 2005-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
require_once '../libs/common.php';
require_once '../libs/operator.php';
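// Only an authenticated operator may see the home page; check_login() deals
// with anonymous visitors before returning.
$operator = check_login();

// The presence lookup is the only database work on this page, so the
// connection is released as soon as it is done.
$link = connect();
loadsettings_($link);
$isonline = is_operator_online($operator['operatorid'], $link);
mysql_close($link);

// True when the operator's current password is the empty string; login.php
// performs the same test to send such operators to the password page.
$need_change_password = check_password_hash($operator['vclogin'], '', $operator['vcpassword']);

$page = array(
    'version' => $version,
    'localeLinks' => get_locale_links("{$mibewroot}/operator/index.php"),
    'needUpdate' => $settings['dbversion'] != $dbversion,
    'needChangePassword' => $need_change_password,
    // The operator id is numeric; intval() matches how login.php builds the
    // same link and guarantees a plain integer in the query string.
    'profilePage' => "{$mibewroot}/operator/operator.php?op=" . intval($operator['operatorid']),
    'updateWizard' => "{$mibewroot}/install/",
    'newFeatures' => $settings['featuresversion'] != $featuresversion,
    'featuresPage' => "{$mibewroot}/operator/features.php",
    'isOnline' => $isonline,
);

prepare_menu($operator);
start_html_output();
require '../view/menu.php';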
    if (isset($_GET['op'])) {
        $opId = verifyparam('op', "/^\\d{1,10}\$/");
        $op = operator_by_id($opId);
        if (!$op) {
            $errors[] = getlocal("no_such_operator");
            $page['opid'] = topage($opId);
        } else {
            $page['formlogin'] = topage($op['vclogin']);
            $page['formname'] = topage($op['vclocalename']);
            $page['formemail'] = topage($op['vcemail']);
            $page['formjabber'] = topage($op['vcjabbername']);
            $page['formjabbernotify'] = $op['inotify'] != 0;
            $page['formcommonname'] = topage($op['vccommonname']);
            $page['opid'] = topage($op['operatorid']);
        }
    }
}
// Creating a new operator (no id given) needs administrative rights; editing
// somebody else's record goes through check_permissions().
if (!$opId && !is_capable($can_administrate, $operator)) {
    $errors[] = "You are not allowed to create operators";
} elseif ($opId && $opId != $operator['operatorid']) {
    check_permissions($operator, $can_administrate);
}

// The operator's own record is editable with the "modify profile" right; any
// record is editable by an administrator. Parentheses spell out the
// precedence of && over ||.
$is_own_profile = $opId == $operator['operatorid'];
$canmodify = ($is_own_profile && is_capable($can_modifyprofile, $operator))
    || is_capable($can_administrate, $operator);

$page['stored'] = isset($_GET['stored']);
$page['canmodify'] = $canmodify ? "1" : "";
$page['showjabber'] = $settings['enablejabber'] == "1";
// The empty-password test only makes sense for the operator's own record.
$page['needChangePassword'] = $is_own_profile
    ? check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
    : FALSE;

prepare_menu($operator);
setup_operator_settings_tabs($opId, 0);
start_html_output();
require '../view/agent.php';
<?php

require_once "../include/core.php";
// The logged-in state consulted further down lives in the PHP session.
session_start();
// Presumably loads the 'acp' (admin panel) locale strings — confirm in include/core.php.
loadLocale('acp');
if (isset($_POST["action"])) {
    switch ($_POST["action"]) {
        case 'login':
            if (isset($_POST["login"]) && isset($_POST["password"])) {
                $authData = array('login' => $_POST['login']);
                $password = $_POST['password'];
                $prep = $db->prepare("SELECT `id`, `login`, `password` FROM `" . DB_TABLE_PREFIX . "master` WHERE `disabled`=0 AND `login`=:login");
                $resp = $prep->execute($authData);
                $res = $prep->fetchAll();
                if (count($res) == 1 && check_password_hash($password, $res[0]['password'])) {
                    $row = $res[0];
                    $_SESSION['user_id'] = $row['id'];
                    $_SESSION['user_login'] = $row['login'];
                    $_SESSION['user_theme'] = "./themes/" . $theme->name;
                    l('auth', 'login', 'master', $row['id'], NULL, array('ip' => $_SERVER['REMOTE_ADDR']));
                    redirect();
                    die;
                } else {
                    l('auth', 'badlogin', 'master', NULL, NULL, array('ip' => $_SERVER['REMOTE_ADDR'], 'login' => $_POST['login']));
                    redirect("auth.php?badpassword=true");
                    die;
                }
            }
            break;
        case 'logout':
            if (isset($_SESSION['user_id'])) {
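 /**
  * Processes submitting of the form which is generated in
  * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
  *
  * Validation rules worth knowing:
  *  - the two password fields are compared with strict identity, so
  *    numeric-looking strings (e.g. "10" and "1e1") are never treated as equal;
  *  - a missing password field behaves like an empty one, so editing an
  *    existing operator without touching the password never rewrites the
  *    stored hash;
  *  - "0" is a valid, non-empty password.
  *
  * @param Request $request Incoming request.
  * @return string Rendered page content.
  */
 public function submitFormAction(Request $request)
 {
     csrf_check_token($request);

     $errors = array();
     $operator = $this->getOperator();

     $op_id = $request->attributes->getInt('operator_id');
     $login = $request->request->get('login');
     $email = $request->request->get('email');
     // Normalise both password fields to strings so that an absent field is
     // handled exactly like an empty one.
     $password = (string) $request->request->get('password', '');
     $password_confirm = (string) $request->request->get('passwordConfirm', '');
     $local_name = $request->request->get('name');
     $common_name = $request->request->get('commonname');
     $code = $request->request->get('code');

     if (!$local_name) {
         $errors[] = no_field('Name');
     }

     if (!$common_name) {
         $errors[] = no_field('International name (Latin)');
     }

     // The login is needed only for new operators. If login is changed for
     // existing operator the stored password hash becomes invalid.
     if (!$op_id) {
         if (!$login) {
             $errors[] = no_field('Login');
         } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
             $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
         }
     }

     if (!$email || !MailUtils::isValidAddress($email)) {
         $errors[] = wrong_field('E-mail');
     }

     if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
         $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
     }

     // A new operator needs a password. "0" is a valid password, so this is an
     // explicit comparison rather than a truthiness test.
     if (!$op_id && $password === '') {
         $errors[] = no_field('Password');
     }

     // Strict comparison: with != PHP compares numeric strings by value.
     if ($password !== $password_confirm) {
         $errors[] = getlocal('Entered passwords do not match');
     }

     // A stored record counts as a duplicate unless it is the very operator
     // being edited (which is only possible when an operator id is given).
     $is_duplicate = function ($existing) use ($op_id) {
         return $existing && (!$op_id || $op_id != $existing['operatorid']);
     };

     // Check if operator with specified login already exists in the database.
     if ($is_duplicate(operator_by_login($login))) {
         $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
     }

     // Check if operator with specified email already exists in the database.
     if ($is_duplicate(operator_by_email($email))) {
         $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
     }

     if (count($errors) != 0) {
         $request->attributes->set('errors', $errors);

         // The form should be rebuild. Invoke appropriate action.
         return $this->showFormAction($request);
     }

     if (!$op_id) {
         // Create new operator and redirect the current operator to avatar
         // page.
         $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
         $redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));

         return $this->redirect($redirect_to);
     }

     // Mix old operator's fields with updated values
     $target_operator = array(
         'vcemail' => $email,
         'vclocalename' => $local_name,
         'vccommonname' => $common_name,
         'code' => $code,
     ) + operator_by_id($op_id);

     // Set the password only if it's not an empty string; an empty field means
     // "keep the current password".
     if ($password !== '') {
         $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
     }

     // Update operator's fields in the database.
     update_operator($target_operator);

     // Operator's data are cached in the authentication manager, thus we need
     // to manually update them.
     if ($target_operator['operatorid'] == $operator['operatorid']) {
         // Check if the admin has set his password for the first time: the
         // cached record still has an empty password and a new one was stored.
         $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
             && $password !== '';

         // Update operator's fields.
         $this->getAuthenticationManager()->setOperator($target_operator);

         // Redirect the admin to the home page if needed.
         if ($to_dashboard) {
             return $this->redirect($this->generateUrl('home_operator'));
         }
     }

     // Redirect the operator to edit page again to use GET method instead of
     // POST.
     $redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));

     return $this->redirect($redirect_to);
 }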