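/**
 * Checks to see if access is allowed to an album.
 * Returns true if access is allowed.
 * There is no password dialog--you must have already had authorization via a cookie.
 *
 * Access is granted, in this order, to: users holding ADMIN, VIEWALL or ALL_ALBUMS rights;
 * logged-in users who own the album; albums already cleared during this request
 * ($_zp_pre_authorization); and visitors whose saved auth cookie matches the first password
 * found when walking from the album up through its ancestors and finally the gallery.
 *
 * @param string $albumname the album
 * @param string &$hint becomes populated with the password hint when access is denied.
 * @return bool
 */
function checkAlbumPassword($albumname, &$hint) {
	// $_zp_gallery is needed for the album constructor below; it was missing from the global list.
	global $_zp_pre_authorization, $_zp_loggedin, $_zp_gallery;
	if (zp_loggedin(ADMIN_RIGHTS | VIEWALL_RIGHTS | ALL_ALBUMS_RIGHTS)) {
		return true;
	}
	if ($_zp_loggedin) {
		if (isMyAlbum($albumname, ALL_RIGHTS)) {
			return true; // he is allowed to see it.
		}
	}
	if (isset($_zp_pre_authorization[$albumname])) {
		return true;
	}
	$album = new album($_zp_gallery, $albumname);
	$hash = $album->getPassword();
	if (empty($hash)) {
		// No password of its own: the nearest password-protected ancestor governs access.
		$album = $album->getParent();
		while (!is_null($album)) {
			$hash = $album->getPassword();
			$authType = "zp_album_auth_" . cookiecode($album->name);
			$saved_auth = zp_getCookie($authType);
			if (!empty($hash)) {
				// Strict string comparison: a loose != would treat two "0e..." digests as equal numbers.
				if ((string) $saved_auth !== (string) $hash) {
					$hint = $album->getPasswordHint();
					return false;
				}
			}
			$album = $album->getParent();
		}
		// revert all the way to the gallery
		$hash = getOption('gallery_password');
		$authType = 'zp_gallery_auth';
		$saved_auth = zp_getCookie($authType);
		if (!empty($hash)) {
			if ((string) $saved_auth !== (string) $hash) {
				$hint = get_language_string(getOption('gallery_hint'));
				return false;
			}
		}
	} else {
		// The album carries its own password; only its own cookie can satisfy it.
		$authType = "zp_album_auth_" . cookiecode($album->name);
		$saved_auth = zp_getCookie($authType);
		if ((string) $saved_auth !== (string) $hash) {
			$hint = $album->getPasswordHint();
			return false;
		}
	}
	// Remember the decision so later checks in this request skip the cookie walk.
	$_zp_pre_authorization[$albumname] = true;
	return true;
}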
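/**
 * Checks for album password posting.
 *
 * Determines which credential set governs the current page (search, the album or its
 * nearest password-protected ancestor, otherwise the gallery), then either processes a
 * posted login form or validates the saved auth cookie for that credential set.
 * Sets $_zp_loggedin on a successful admin logon and $_zp_login_error on a failed post.
 *
 * @return void
 */
function zp_handle_password() {
	global $_zp_loggedin, $_zp_login_error, $_zp_current_album;
	if (zp_loggedin()) {
		return; // who cares, we don't need any authorization
	}
	$cookiepath = WEBPATH;
	if (WEBPATH == '') {
		$cookiepath = '/';
	}
	$check_auth = '';
	$check_user = '';
	if (in_context(ZP_SEARCH)) { // search page
		$authType = 'zp_search_auth';
		$check_auth = getOption('search_password');
		$check_user = getOption('search_user');
	} else {
		if (in_context(ZP_ALBUM)) { // album page
			$authType = "zp_album_auth_" . cookiecode($_zp_current_album->name);
			$check_auth = $_zp_current_album->getPassword();
			$check_user = $_zp_current_album->getUser();
			if (empty($check_auth)) {
				// Walk up to the first ancestor that carries a password.
				$parent = $_zp_current_album->getParent();
				while (!is_null($parent)) {
					$check_auth = $parent->getPassword();
					$check_user = $parent->getUser();
					$authType = "zp_album_auth_" . cookiecode($parent->name);
					if (!empty($check_auth)) {
						break;
					}
					$parent = $parent->getParent();
				}
			}
		}
	}
	if (empty($check_auth)) { // anything else is controlled by the gallery credentials
		$authType = 'zp_gallery_auth';
		$check_auth = getOption('gallery_password');
		$check_user = getOption('gallery_user');
	}
	// Handle the login form.
	if (isset($_POST['password']) && isset($_POST['pass'])) {
		// 'user' is not guaranteed to be posted; treat a missing field as an empty user
		// name rather than raising an undefined-index notice.
		$post_user = isset($_POST['user']) ? $_POST['user'] : '';
		$post_pass = $_POST['pass'];
		// NOTE: md5(user . pass) is the credential format the stored passwords and cookies
		// use elsewhere; it must stay in step with how those values are produced.
		$auth = md5($post_user . $post_pass);
		if ($_zp_loggedin = checkLogon($post_user, $post_pass)) { // allow Admin user login
			zp_setcookie("zenphoto_auth", $auth, time() + COOKIE_PESISTENCE, $cookiepath);
		} else {
			// Strict string comparisons: a loose == would treat two "0e..." digests as equal
			// numbers. Casts keep a null stored user equivalent to an empty posted user.
			if ($auth === (string) $check_auth && (string) $post_user === (string) $check_user) {
				// Correct auth info. Set the cookie.
				zp_setcookie($authType, $auth, time() + COOKIE_PESISTENCE, $cookiepath);
			} else {
				// Clear the cookie, just in case
				zp_setcookie($authType, "", time() - 368000, $cookiepath);
				$_zp_login_error = true;
			}
		}
		return;
	}
	if (empty($check_auth)) { //no password on record
		return;
	}
	$saved_auth = zp_getCookie($authType);
	if ((string) $saved_auth !== '') {
		if ((string) $saved_auth === (string) $check_auth) {
			return;
		} else {
			// Clear the cookie: it no longer matches the password on record.
			zp_setcookie($authType, "", time() - 368000, $cookiepath);
		}
	}
}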