/**
 * Verify the CSRF token pair carried by a POST request.
 *
 * When both csrf_name and csrf_token are present they are checked with
 * csrf_verify() and then stripped from $_POST so later code never treats
 * them as form data. A failed check answers an AJAX caller with a JSON
 * error and stops; a normal request is stopped with an E_USER_ERROR.
 *
 * NOTE(review): a POST that carries no token fields at all is not checked and
 * continues normally — the protection only applies when the pair is present.
 * Confirm that every state-changing form actually submits the pair.
 *
 * @return void
 */
function csrf_protect()
{
    // Nothing to check without a POST body.
    if (count($_POST) === 0) {
        return;
    }
    if (!isset($_POST['csrf_name'], $_POST['csrf_token'])) {
        return;
    }
    $tokenIsValid = csrf_verify($_POST['csrf_name'], $_POST['csrf_token']);
    // Remove the token fields regardless of the outcome.
    unset($_POST['csrf_name'], $_POST['csrf_token']);
    if ($tokenIsValid) {
        return;
    }
    if (is_ajax()) {
        print json_encode(array('success' => false, 'message' => 'You are not authorized!'));
        exit;
    }
    trigger_error("You are not authorized", E_USER_ERROR);
}
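/**
 * Shutdown hook: report a fatal error as a JSON body.
 *
 * Meant to be registered with register_shutdown_function() so that an
 * AJAX caller receives a parseable error object instead of an empty
 * response when the script died from an E_ERROR. Other fatal error
 * types are not reported (unchanged from the original behaviour).
 *
 * NOTE(review): the PHP error text and line number are sent to the client,
 * which discloses internals; logging the detail and returning a generic
 * message is preferable outside of development.
 *
 * @return void
 */
function shutdown()
{
    $error = error_get_last();
    // error_get_last() is null when no error occurred; indexing null would
    // itself raise a warning from inside the shutdown handler.
    if ($error === null || $error['type'] !== E_ERROR) {
        return;
    }
    echo json_encode(array('error' => sprintf(__('<strong>PHP Error</strong> line %s: %s'), $error['line'], $error['message'])));
}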
/*
|--------------------------------------------------------------------------
| Prepare
|--------------------------------------------------------------------------
|
*/
// Every response from this endpoint is JSON.
header('Content-type: application/json');
$return = array();
// The CSRF token is checked once, before any action is dispatched; a
// request with a bad or stale token gets an error object and stops here.
if (!csrf_verify()) {
    $return = array('error' => __('Please refresh the page.'));
    die(json_encode($return));
}
/*
|--------------------------------------------------------------------------
| Actions
|--------------------------------------------------------------------------
|
*/
switch (@$_POST['action']) {
    /*
    |--------------------------------------------------------------------------
    | Change password
    |--------------------------------------------------------------------------
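 /**
  * Manage login
  *
  * Decides, for the current request, whether the caller may continue:
  * returns the logged-in user, returns null when authentication is not
  * configured or anonymous access applies, and otherwise renders the
  * login page (inc/login.inc.php) and terminates the request.
  *
  * Variables read by the included login page:
  *   $attempt  URI to return to after signing in
  *   $error    0 = none, 1 = sign-in failed, 2 = CSRF check failed,
  *             3 = just signed out
  *
  * The return target supplied by the client (attempt in POST or GET) is
  * restricted to a same-site path before it is used in a Location header
  * or handed to the login page, so it cannot be turned into an open redirect.
  *
  * @param   array|false   $files  the files configuration (false when not loaded)
  *
  * @return mixed   the current user as returned by getCurrentUsername(), or null
  */
 public static function attempt($files = false)
 {
     if (!self::isAuthSet()) {
         // authentication is not enabled on this instance
         return null;
     }
     $user = self::getCurrentUsername();
     if (!is_null($user)) {
         if (isset($_GET['signout'])) {
             self::signOut();
             self::release();
             if (self::isAnonymousEnabled($files)) {
                 // Anonymous access, redirect to normal page
                 header('Location: ' . $_SERVER['PHP_SELF']);
             } else {
                 // No anonymous access, redirect to login page
                 $error = 3;
                 $attempt = '?';
                 include_once PML_BASE . '/inc/login.inc.php';
             }
             die;
         }
         return $user;
     }
     // no logged in user
     if (isset($_POST['attempt'])) {
         // form is posted; the return target is client-controlled, so only
         // a same-site path is accepted (falls back to this script)
         $attempt = self::localRedirectTarget($_POST['attempt'], $_SERVER['PHP_SELF']);
         if (!csrf_verify()) {
             $error = 2;
             include_once PML_BASE . '/inc/login.inc.php';
             self::release();
             die;
         }
         // guard the indexes so a malformed POST does not raise notices;
         // the values are passed on exactly as before (null when absent)
         $username = isset($_POST['username']) ? $_POST['username'] : null;
         $password = isset($_POST['password']) ? $_POST['password'] : null;
         $loggedin = self::signIn($username, $password);
         if (is_array($loggedin)) {
             // signed in
             header('Location: ' . $attempt);
             die;
         }
         // error while signing in
         $error = 1;
         include_once PML_BASE . '/inc/login.inc.php';
         self::release();
         die;
     }
     // NOTE(review): REQUEST_URI normally already carries the query string, so
     // appending QUERY_STRING repeats it; kept as-is until what login.inc.php
     // expects is confirmed.
     $here = $_SERVER['REQUEST_URI'] . '?' . $_SERVER['QUERY_STRING'];
     if (isset($_GET['signin'])) {
         // sign in page when anonymous access is enabled
         $attempt = isset($_GET['attempt']) ? self::localRedirectTarget($_GET['attempt'], $here) : $here;
         $error = 0;
         include_once PML_BASE . '/inc/login.inc.php';
         self::release();
         die;
     }
     if (self::isAnonymousEnabled($files)) {
         // Anonymous access is enabled, simply return to let anonymous users parse logs
         return null;
     }
     // send form
     $attempt = $here;
     $error = 0;
     include_once PML_BASE . '/inc/login.inc.php';
     self::release();
     die;
 }

 /**
  * Restrict a client-supplied redirect target to a same-site path.
  *
  * Anything that would leave this site — a "scheme:" prefix (http:,
  * javascript:, ...) or a network-path reference ("//host", "\\host") —
  * and anything containing control characters is replaced by $fallback.
  * Relative paths and query-only targets ("?...") pass through unchanged.
  *
  * @param   mixed   $target    the requested target, usually from the request
  * @param   string  $fallback  value to use when $target is rejected
  *
  * @return string
  */
 private static function localRedirectTarget($target, $fallback)
 {
     if (!is_string($target) || $target === '') {
         return $fallback;
     }
     // CR/LF and other control characters never belong in a path.
     if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
         return $fallback;
     }
     // "scheme:" designates an absolute URL.
     if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $target)) {
         return $fallback;
     }
     // two leading slashes/backslashes are read by browsers as "//host".
     if (preg_match('#^[/\\\\]{2}#', $target)) {
         return $fallback;
     }
     return $target;
 }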