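/**
 * Validates the submitted user fields before they are stored.
 *
 * Fills $this->aCheckMandatory (the two password fields are mandatory unless
 * ACTION is 'edit'), hands the generic checks to parent::checkFields(), and
 * then applies the user-specific rules: e-mail syntax (one address per CRLF
 * separated line), username format (install/create only) and uniqueness
 * (create/register only), password confirmation and strength, the allowed-IP
 * range (which, during installation or when an account edits itself, must
 * still admit the address the request comes from), and the requested user
 * level, which must stay below the current user's level.
 *
 * Every problem is reported through lovd_errorAdd(); the method returns
 * nothing. Side effects: an attempt to set a level at or above the current
 * user's is written to the log, $_POST['allowed_ip'] is reset to '*' when no
 * range was given, and lovd_checkXSS() runs last.
 *
 * @param array      $aData Submitted form values; read here: email, username,
 *                          password_1, password_2, allowed_ip, level.
 * @param array|bool $zData Existing record when editing; not used by this
 *                          method, accepted only for compatibility with the
 *                          parent signature.
 */
function checkFields($aData, $zData = false)
{
    // Checks fields before submission of data.
    global $_AUTH, $_DB, $_PE, $_SETT;

    // Mandatory fields.
    $this->aCheckMandatory = array('name', 'institute', 'address', 'city', 'countryid', 'email', 'username');
    // These password fields are only not mandatory when we're editing.
    if (ACTION !== 'edit') {
        $this->aCheckMandatory[] = 'password_1';
        $this->aCheckMandatory[] = 'password_2';
    }
    parent::checkFields($aData);

    // Local copies so that missing keys do not raise notices; truthiness is unchanged.
    $sUsername = (isset($aData['username'])? $aData['username'] : '');
    $sPassword1 = (isset($aData['password_1'])? $aData['password_1'] : '');
    $sPassword2 = (isset($aData['password_2'])? $aData['password_2'] : '');
    // Both the "fill in both fields" and the "not equal" messages depend on this.
    $bChangingPassword = in_array(ACTION, array('edit', 'change_password'), true);

    // Email address; multiple addresses are separated by CRLF.
    if (!empty($aData['email'])) {
        foreach (explode("\r\n", $aData['email']) as $sEmail) {
            if (!lovd_matchEmail($sEmail)) {
                // Strict comparison against the trimmed value, so surrounding whitespace is
                // always detected (loosely, ' 1000' == '1000' would be considered equal).
                $sHint = ($sEmail && $sEmail === trim($sEmail)? '' : '. Make sure there are no spaces or empty lines left in the email field');
                lovd_errorAdd('email', 'Email "' . htmlspecialchars($sEmail) . '" is not a correct email address' . $sHint . '.');
            }
        }
    }

    if (lovd_getProjectFile() === '/install/index.php' || ACTION === 'create') {
        // Check username format.
        // NOTE(review): this format check does not run for ACTION 'register', although the
        // uniqueness check below does — confirm that registration validates the format elsewhere.
        if ($sUsername && !lovd_matchUsername($sUsername)) {
            lovd_errorAdd('username', 'Please fill in a correct username; 4 to 20 characters and starting with a letter followed by letters, numbers, dots, underscores and dashes only.');
        }
    }

    if ($sUsername && in_array(ACTION, array('create', 'register'), true)) {
        // Does the username exist already?
        $nExisting = $_DB->query('SELECT COUNT(*) FROM ' . TABLE_USERS . ' WHERE username = ?', array($sUsername))->fetchColumn();
        if ($nExisting) {
            lovd_errorAdd('username', 'There is already a user with this username. Please choose another one.');
        }
    }

    // One of two password fields entered... check 'em.
    if ($sPassword1 || $sPassword2) {
        if (!$sPassword1 || !$sPassword2) {
            // Only one of the two was filled in.
            if ($bChangingPassword) {
                lovd_errorAdd('password_2', 'If you want to change the current password, please fill in both \'New password\' fields.');
            } else {
                lovd_errorAdd('password_2', 'Please fill in both \'Password\' fields.');
            }
        } elseif ($sPassword1 !== $sPassword2) {
            // Both entered, but they differ. Strict comparison on purpose: with '!=', numeric-looking
            // strings such as '1e3' and '1000' compare equal and a mismatched confirmation slips through.
            lovd_errorAdd('password_2', 'The \'' . ($bChangingPassword? 'New p' : 'P') . 'assword\' fields are not equal. Please try again.');
        } elseif (!lovd_matchPassword($sPassword1)) {
            // Password quality.
            lovd_errorAdd('password_1', 'Your password is found too weak. Please fill in a proper password; at least 4 characters long and containing at least one number or special character.');
        }
    }

    // Check given security IP range.
    if (!empty($aData['allowed_ip'])) {
        // This function will throw an error itself (second argument).
        $bIP = lovd_matchIPRange($aData['allowed_ip'], 'allowed_ip');
        // During installation, or when users edit their own account, the range must still
        // admit the address they are connecting from, or they would lock themselves out.
        // The ID comparison is kept loose deliberately: the two IDs may not share a type
        // (path element vs. session value) — TODO confirm before tightening to ===.
        if (lovd_getProjectFile() === '/install/index.php' || (ACTION === 'edit' && $_PE[1] == $_AUTH['id'])) {
            if ($bIP && !lovd_validateIP($aData['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
                // This IP range is not allowing the current IP to connect. This ain't right.
                // If IP address is actually IPv6, then complain that we can't restrict at all.
                // Otherwise, be clear the current setting just doesn't match.
                if (strpos($_SERVER['REMOTE_ADDR'], ':') !== false) {
                    // IPv6...
                    lovd_errorAdd('allowed_ip', 'Your current IP address is IPv6 (' . $_SERVER['REMOTE_ADDR'] . '), which is not supported by LOVD to restrict access to your account.');
                } else {
                    lovd_errorAdd('allowed_ip', 'Your current IP address is not matched by the given IP range. This would mean you would not be able to get access to LOVD with this IP range.');
                }
            }
        }
    } else {
        // We're not sure if $aData == $_POST. But we'll just do this. It can't harm I guess.
        $_POST['allowed_ip'] = '*';
    }

    // Level can't be higher or equal than the current user.
    if (!empty($aData['level']) && $aData['level'] >= $_AUTH['level']) {
        // Log the level's name when it is a known level, otherwise the raw submitted value,
        // so an unknown level does not produce an empty (and notice-raising) log entry.
        $sLevel = (isset($_SETT['user_levels'][$aData['level']])? $_SETT['user_levels'][$aData['level']] : $aData['level']);
        // NOTE(review): the message ends with an unmatched ')'; part of the original text
        // (presumably an opening '(' with some detail) appears to be missing — confirm upstream.
        lovd_writeLog('Error', 'HackAttempt', 'Tried to upgrade user ID ' . $_PE[1] . ' to level ' . $sLevel . ')');
        lovd_errorAdd('level', 'User level is not permitted. Hack attempt.');
    }

    // XSS attack prevention. Deny input of HTML.
    lovd_checkXSS();
}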
$_AUTH['saved_work'] = !empty($_AUTH['saved_work']) ? $_AUTH['saved_work'][0] == 'a' ? unserialize($_AUTH['saved_work']) : json_decode($_AUTH['saved_work']) : array(); // Get an array of IDs of users that share their permissions with current user. $q = $_DB->query('SELECT userid_from, allow_edit FROM ' . TABLE_COLLEAGUES . ' WHERE userid_to = ?', array($_AUTH['id']), false); if ($q === false) { // Query to TABLE_COLLEAGUES failed (note: this table was introduced in 3.0-14e). // FIXME: This if can be removed (and the above query made required) // when we stop supporting upgrading from 3.0-15 or before. $_AUTH['colleagues_from'] = array(); } else { $_AUTH['colleagues_from'] = $q->fetchAllCombine(); } } } // IP based blocking. if ($_AUTH && $_AUTH['allowed_ip']) { if (!lovd_validateIP($_AUTH['allowed_ip'], $_SERVER['REMOTE_ADDR'])) { // Log the user out. session_destroy(); $_AUTH = false; $_SESSION['currdb'] = false; $_T->printHeader(); $_T->printTitle('Access denied'); lovd_showInfoTable('Your current IP address does not allow you access using this username.', 'stop'); $_T->printFooter(); exit; } } if (!$_AUTH) { // We need to check for cookies, so set whatever and check whether it's there later... if (!isset($_COOKIE['lovd_cookie_check'])) { // @ is to suppress errors in Travis test.
$_POST['referer'] = ''; } // Force use of cookies! if (!empty($_POST)) { if (!isset($_COOKIE['lovd_cookie_check'])) { // We might not have that checking cookie if this is the first page. So we want to complain only if the form has been submitted. lovd_errorAdd('', 'Cookies must be enabled before you can log in. Please enable cookies or lower your browser\'s security settings.'); } else { // We're now also accepting unlocking accounts. if (!empty($_POST['username']) && !empty($_POST['password'])) { // First, retrieve account information. $zUser = $_DB->query('SELECT * FROM ' . TABLE_USERS . ' WHERE username = ?', array($_POST['username']))->fetchAssoc(); if ($zUser) { // The user exists, now check account unlocking, locked accounts, successful and unsuccessful logins. // Instead of having inc-auth.php stop the user when his IP is not allowed to log in, it's better to do that here. if ($zUser['allowed_ip'] && !lovd_validateIP($zUser['allowed_ip'], $_SERVER['REMOTE_ADDR'])) { lovd_writeLog('Auth', 'AuthError', $_SERVER['REMOTE_ADDR'] . ' (' . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ') is not in IP allow list for ' . $_POST['username'] . ': "' . $zUser['allowed_ip'] . '"'); // Provide manager information, so that the user knows where to go for help. $aManagers = $_DB->query('SELECT name, email FROM ' . TABLE_USERS . ' WHERE level = ? ORDER BY name', array(LEVEL_MANAGER))->fetchAllAssoc(); if (!$aManagers) { $aManagers = array($_SETT['admin']); } $sManagers = 'For technical assistance, please contact ' . (count($aManagers) == 1 ? 'the system\'s manager' : 'one of the system\'s managers') . ':'; foreach ($aManagers as $aManager) { $sManagers .= '<BR><A href="mailto:' . str_replace(array("\r\n", "\r", "\n"), ', ', trim($aManager['email'])) . '">' . $aManager['name'] . '</A>'; } lovd_errorAdd('', 'Your current IP address does not allow you access using this username. ' . 
$sManagers); } elseif ($zUser['password_autogen'] && lovd_verifyPassword($_POST['password'], $zUser['password_autogen']) && $_CONF['allow_unlock_accounts']) { // Successfully unlocking an account! Log user in. $_SESSION['auth'] = $zUser; $_AUTH =& $_SESSION['auth'];