/**
 * Handle the admin login menu: process logoff / loginSubmit actions, load the
 * current user into the global $CURRENT_USER, report login problems, and either
 * show the login screen (no user) or refresh the login cookie and honour a
 * pending redirectUrl (user logged in).
 *
 * Side effects: sets/removes the login cookie, may print alerts, may exit.
 */
function adminLoginMenu()
{
    global $CURRENT_USER;

    // requested login-menu action; null when the request carries none
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;

    // --- logoff ---
    // NOTE(review): unlike the loginSubmit branch below, this path runs no form/referer/CSRF checks - confirm that is intended
    if ($action === 'logoff') {
        user_logoff();
        exit;
    }

    // --- login form submitted ---
    if ($action === 'loginSubmit') {
        security_dieUnlessPostForm();
        security_dieUnlessInternalReferer();
        security_dieOnInvalidCsrfToken();

        // v2.52 strip leading/trailing whitespace from the credentials (users paste it by accident)
        $credentialFields = array('username', 'password');
        foreach ($credentialFields as $fieldName) {
            $rawValue = isset($_REQUEST[$fieldName]) ? $_REQUEST[$fieldName] : '';
            $_REQUEST[$fieldName] = preg_replace("/^\\s+|\\s+\$/s", '', $rawValue);
        }

        // the cookie is what getCurrentUser() below validates against
        loginCookie_set($_REQUEST['username'], getPasswordDigest($_REQUEST['password']));
    }

    // --- resolve current user from the login cookie ($loginExpired is filled in by the callee) ---
    $CURRENT_USER = getCurrentUser($loginExpired);

    // --- pick the single most relevant error, first match wins ---
    $errorMessage = '';
    if ($loginExpired) {
        $errorMessage = t("You've been logged out due to inactivity, please login again to continue.");
    } elseif (!$CURRENT_USER && $action === 'loginSubmit') {
        // deliberately generic: does not reveal whether the username exists
        $errorMessage = t("Invalid username or password");
    } elseif (!empty($CURRENT_USER['disabled'])) {
        $errorMessage = t("Your account has been disabled.");
    } elseif (!empty($CURRENT_USER['isExpired'])) {
        $errorMessage = t("Your account has expired.");
    }

    if ($errorMessage) {
        alert($errorMessage);
        // drop the cookie so a bad or stale credential is not re-checked on every request
        loginCookie_remove();
        // nobody is logged in once the login was rejected
        $CURRENT_USER = false;
        // 1-3 second delay on failed logins to slow down brute-force attempts; the
        // delay is randomised so its length carries no extra information
        usleep(mt_rand(1000000, 3000000));
    }

    // --- no logged-in user: maintenance hooks, then the login screen ---
    if (!$CURRENT_USER) {
        // a plain visit to the login screen is a convenient place for common housekeeping
        if (!$action) {
            createMissingSchemaTablesAndFields(); // create/update missing schemas, etc
            if (!mysql_count('accounts')) {
                alert(t("There are no user accounts in the database."));
            }
        }
        showInterface('login.php', false);
        exit;
    }

    // --- user logged in ---
    // re-issue the cookie so its lastAccess time (used for session expiry) is refreshed
    $cookieUsername = isset($CURRENT_USER['username']) ? $CURRENT_USER['username'] : null;
    $cookiePassword = isset($CURRENT_USER['password']) ? $CURRENT_USER['password'] : null;
    loginCookie_set($cookieUsername, getPasswordDigest($cookiePassword));

    // after a valid login, send the browser back to the page it originally asked for
    if (!empty($_REQUEST['redirectUrl'])) {
        // NOTE(review): redirectUrl is request-supplied - confirm redirectBrowserToURL() restricts it to local targets
        redirectBrowserToURL($_REQUEST['redirectUrl'], true);
        exit;
    }
}
    if (!$result) {
        $error = "MySQL Error: " . mysql_error() . "\n";
        // htmlencode() not needed here as message is shown in javascript alert
        // remove last inserted record
        if (isset($last_insert_id)) {
            mysql_query("DELETE FROM `{$escapedTableName}` WHERE num = '" . mysql_escape($last_insert_id) . "'");
        }
        // show error message
        die($error);
    }
}
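// My Account - update session login details
if ($isMyAccountMenu) {
    // fall back to the stored values when the form did not submit a new username/password
    $username     = !empty($_REQUEST['username']) ? $_REQUEST['username'] : $CURRENT_USER['username'];
    $passwordHash = getPasswordDigest(coalesce(@$_REQUEST['password'], $CURRENT_USER['password']));
    loginCookie_set($username, $passwordHash);
}

// User Accounts - update access levels (only when the schema actually defines an accessList field)
if (!empty($_REQUEST['accessList']) && isset($schema['accessList']['type']) && $schema['accessList']['type'] == 'accessList') {
    _updateAccessList();
}

// Category Sections - update category meta data
if ($schema['menuType'] == 'category') {
    updateCategoryMetadata();
}

doAction('record_postsave', $tableName, $isNewRecord, $oldRecord, $_REQUEST['num']);

### redisplay list page
// print record number or nothing to redisplay list page (done in edit_functions.js by ajax form submit code)
// 'num' is request-supplied, so it is HTML-encoded rather than echoed raw into the response body
$savedRecordNum = isset($_REQUEST['num']) ? (string)$_REQUEST['num'] : '';
print htmlspecialchars($savedRecordNum, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
exit;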
/**
 * Start a login session for $username by writing the login cookie.
 *
 * @param string      $username account username stored in the cookie
 * @param string|null $password plaintext password; only its digest (getPasswordDigest) is stored
 */
function user_createLoginSession($username, $password = null)
{
    $passwordDigest = getPasswordDigest($password);
    loginCookie_set($username, $passwordDigest);
}