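 /**
  * Returns the backend singleton; on first use it bootstraps the framework,
  * enforces authentication and (optionally) prints the page header.
  *
  * Side effects on the first call: includes framework/initialize.php when the
  * registry has no CAT_INITIALIZED flag, sends a Location header to the login
  * page and terminates the request when the current user is not authenticated,
  * checks $section_permission for $section_name, initializes the backend paths
  * and registers the template menus with the global $parser. None of this
  * happens while CAT_INSTALL_PROCESS is defined.
  *
  * @access public
  * @param string $section_name       backend section the caller belongs to
  * @param string $section_permission permission required for that section
  * @param bool   $auto_header        print the page header on first instantiation
  * @param bool   $auto_auth          accepted for backward compatibility only;
  *                                   the authentication check is always performed
  * @return object
  **/
 public static function getInstance($section_name = 'Start', $section_permission = 'start', $auto_header = true, $auto_auth = true)
 {
     if (!self::$instance) {
         self::$instance = new self();
         if (!CAT_Registry::defined('CAT_INITIALIZED')) {
             include CAT_PATH . '/framework/initialize.php';
         }
         // During installation there is no user yet, so both the login
         // redirect and the permission check are skipped.
         $installing = defined('CAT_INSTALL_PROCESS');
         $user = CAT_Users::getInstance();
         if (!$installing) {
             if (!$user->is_authenticated()) {
                 header('Location: ' . CAT_ADMIN_URL . '/login/index.php');
                 exit(0);
             }
             // third argument true: presumably makes a missing permission fatal
             // for the request — confirm in CAT_Users::checkPermission()
             $user->checkPermission($section_name, $section_permission, true);
         }
         self::$instance->section_name = $section_name;
         self::initPaths();
         // $parser is created lazily by other entry points; guard against it
         // being unset here, otherwise the setGlobals() call below is fatal.
         global $parser;
         if (!is_object($parser)) {
             $parser = CAT_Helper_Template::getInstance('Dwoo');
         }
         $parser->setGlobals('TEMPLATE_MENU', CAT_Helper_Template::get_template_menus());
         if ($auto_header) {
             self::$instance->print_header();
         }
     }
     return self::$instance;
 }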
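 /**
  * Returns the cached template driver, wrapped in a CAT_Helper_Template_DriverDecorator.
  *
  * The driver name is normalized to "<Name>Driver", validated (identifier
  * characters only, file present in ./Template/) and loaded on first use.
  * The decorator then receives the CAT_* URL/path constants, every
  * user-defined constant with a DEFAULT_/WEBSITE_/SHOW_/FRONTEND_/ENABLE_
  * prefix or a _FORMAT suffix, and the legacy $TEXT/$HEADING/$MESSAGE
  * language arrays as template globals.
  *
  * @access public
  * @param string $driver driver name with or without the "Driver" suffix (e.g. 'Dwoo')
  * @return object CAT_Helper_Template_DriverDecorator
  **/
 public static function getInstance($driver)
 {
     $suffix = 'Driver';
     if (strcasecmp(substr($driver, -strlen($suffix)), $suffix) !== 0) {
         $driver .= $suffix;
     }
     // The name is used both as a file name (require) and as a class name, so
     // only identifier characters are accepted; this also rules out "../".
     $driverFile = dirname(__FILE__) . '/Template/' . $driver . '.php';
     if (!preg_match('~^[A-Za-z0-9_]+$~', $driver) || !file_exists($driverFile)) {
         $s = new self();
         $s->printFatalError($s->lang->translate('No such template driver: [' . $driver . ']'));
     }
     self::$_driver = $driver;
     $class = 'CAT_Helper_Template_' . $driver;
     // The cache is keyed by the decorated class name. Looking it up under the
     // short driver name (as before) never hit, so every call after the first
     // re-required the driver files and tried to redeclare the classes.
     if (!isset(self::$_drivers[$class]) || !is_object(self::$_drivers[$class])) {
         // require_once: a repeated getInstance() must not redeclare the classes
         require_once dirname(__FILE__) . '/Template/DriverDecorator.php';
         require_once $driverFile;
         $decorator = new CAT_Helper_Template_DriverDecorator(new $class());
         $decorator->setGlobals(array(
             'CAT_ADMIN_URL' => CAT_ADMIN_URL,
             'CAT_URL'       => CAT_URL,
             'CAT_PATH'      => CAT_PATH,
             'LEPTON_URL'    => CAT_URL,
             'CAT_THEME_URL' => CAT_THEME_URL,
             'URL_HELP'      => URL_HELP,
         ));
         // Expose selected user constants to the templates
         // (DEFAULT_CHARSET, WEBSITE_HEADER, SHOW_SEARCH, FRONTEND_LOGIN,
         //  DATE_FORMAT, ENABLE_HTMLPURIFIER, ...)
         $exported = '~^(DEFAULT|WEBSITE|SHOW|FRONTEND|ENABLE)_|_FORMAT$~';
         $defs = get_defined_constants(true);
         foreach ($defs['user'] as $const => $value) {
             if (preg_match($exported, $const)) {
                 $decorator->setGlobals($const, $value);
             }
         }
         // Old-style language string arrays, if the including script defined them
         global $HEADING, $TEXT, $MESSAGE;
         foreach (array('TEXT', 'HEADING', 'MESSAGE') as $global) {
             if (isset(${$global}) && is_array(${$global})) {
                 $decorator->setGlobals($global, ${$global});
             }
         }
         self::$_drivers[$class] = $decorator;
     }
     return self::$_drivers[$class];
 }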
 /**
  * Wraps a template engine instance and records its working directory.
  *
  * The working directory is the directory of the file that created this
  * object (first frame of debug_backtrace()), falling back to this file's
  * directory; when it contains a "templates" sub-directory, that one is
  * used. The result is stored as paths['workdir'] and paths['current'] on
  * the wrapped engine; a directory helper instance is kept in $this->dirh.
  *
  * @param object $obj the template engine to decorate
  **/
 public function __construct($obj)
 {
     parent::__construct();
     $this->te = $obj;
     // Directory of the caller that constructed this object, or of this
     // file when no caller frame is available.
     $frames = debug_backtrace();
     $origin = dirname(__FILE__);
     if (isset($frames[0]) && isset($frames[0]['file'])) {
         $origin = dirname($frames[0]['file']);
     }
     $workdir = CAT_Helper_Directory::sanitizePath(realpath($origin));
     // Prefer a "templates" sub-directory when the caller ships one
     if (file_exists($workdir . '/templates')) {
         $workdir .= '/templates';
     }
     $this->te->paths['workdir'] = $workdir;
     $this->te->paths['current'] = $workdir;
     $this->dirh = CAT_Helper_Directory::getInstance();
 }
         $check = str_replace('/', '\\/', CAT_Helper_Directory::sanitizePath(CAT_ADMIN_PATH));
         if (preg_match('~^' . $check . '~i', $path)) {
             define('CAT_REQUIRE_ADMIN', true);
             if (!CAT_Users::getInstance()->is_authenticated()) {
                 CAT_Users::getInstance()->handleLogin();
                 exit(0);
             }
             // always enable CSRF protection in backend; does not work with
             // AJAX so scripts called via AJAX should set this constant
             if (!defined('CAT_AJAX_CALL')) {
                 //echo "class.secure is calling enableCSRFMagic<br />";
                 CAT_Helper_Protect::getInstance()->enableCSRFMagic();
             }
             global $parser;
             if (!is_object($parser)) {
                 $parser = CAT_Helper_Template::getInstance('Dwoo');
             }
             // initialize template search path
             $parser->setPath(CAT_THEME_PATH . '/templates');
             $parser->setFallbackPath(CAT_THEME_PATH . '/templates');
         }
     } else {
         define('CAT_REQUIRE_ADMIN', false);
     }
 }
 // Bootstrap the framework once per request, then set up the globals this
 // script works with.
 if (defined('CAT_INITIALIZED') === false) {
     require(dirname(__FILE__) . '/initialize.php');
 }
 // admin directory relative to the installation root
 $admin_dir             = str_replace(CAT_PATH, '', CAT_ADMIN_PATH);
 $db                    = new database();
 $direct_access_allowed = array();
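 /**
  * Handles the backend login.
  *
  * Behaviour depends on the request:
  *  - user already authenticated: sends exactly one Location header (to the
  *    POSTed 'redirect' target when it stays on this site, else to the start
  *    page or the frontend) and returns nothing;
  *  - login attempt (POST carries 'username_fieldname'): validates the
  *    credentials, fills $_SESSION on success and returns the URL to continue
  *    at; returns the warning page URL when MAX_ATTEMPTS is exceeded and
  *    AUTO_DISABLE_USERS is on; returns false on a failed attempt, with the
  *    message set via setLoginError();
  *  - otherwise: renders the login template through $parser when $output is
  *    true, else returns false.
  *
  * @access public
  * @param bool $output render the login form when nobody is logged in and no login was attempted
  * @return mixed redirect URL (string), false, or void
  **/
 public static function handleLogin($output = true)
 {
     global $parser;
     if (!is_object($parser)) {
         $parser = CAT_Helper_Template::getInstance('Dwoo');
     }
     CAT_Backend::initPaths();
     $val = CAT_Helper_Validate::getInstance();
     $lang = CAT_Helper_I18n::getInstance();
     $self = self::getInstance();
     // POSTed return target; only honored when it stays on this site, since it
     // ends up in a Location header / a redirect returned to the caller.
     $redirect_url = self::localRedirectTarget($val->sanitizePost('redirect'));
     if (!self::is_authenticated()) {
         // --- login attempt ---
         if ($val->sanitizePost('username_fieldname')) {
             // get input data; the real field names are themselves POSTed
             $user = htmlspecialchars($val->sanitizePost($val->sanitizePost('username_fieldname')), ENT_QUOTES);
             $pw = $val->sanitizePost($val->sanitizePost('password_fieldname'));
             // a user name containing meta characters is treated as empty
             $name = preg_match('/[\\;\\=\\&\\|\\<\\> ]/', $user) ? '' : $user;
             $min_length = CAT_Registry::exists('AUTH_MIN_LOGIN_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_LOGIN_LENGTH') : 5;
             $min_pass_length = CAT_Registry::exists('AUTH_MIN_PASS_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_PASS_LENGTH') : 5;
             // check common issues
             // we do not check for too long and don't give too much hints!
             if (!$name) {
                 self::setLoginError($lang->translate('Invalid credentials'));
             }
             // parenthesised on purpose: "no error yet AND (either field empty)";
             // "&& ... ||" without parentheses bound as (no error && user empty) || pw empty
             if (!self::$loginerror && ($user == '' || $pw == '')) {
                 self::setLoginError($lang->translate('Please enter your username and password.'));
             }
             if (!self::$loginerror && strlen($user) < $min_length) {
                 self::setLoginError($lang->translate('Invalid credentials'));
             }
             if (!self::$loginerror && !CAT_Registry::defined('ALLOW_SHORT_PASSWORDS') && strlen($pw) < $min_pass_length) {
                 self::setLoginError($lang->translate('Invalid credentials'));
             }
             if (!self::$loginerror) {
                 // NOTE(review): passwords are compared as unsalted MD5 in the
                 // query. Moving to password_hash()/password_verify() needs a
                 // schema change plus rehash-on-login, so it is only flagged here.
                 $query = 'SELECT * FROM `:prefix:users` WHERE `username`=:name AND `password`=:pw';
                 $qAct = 'SELECT `active` FROM `:prefix:users` WHERE `username` = :name AND `password` = :pw';
                 $result = $self->db()->query($query, array('name' => $name, 'pw' => md5($pw)));
                 $active = $self->db()->query($qAct, array('name' => $name, 'pw' => md5($pw)));
                 // NOTE(review): $active holds the query result, not the value of
                 // the `active` column, so the "account disabled" branch below
                 // only triggers when the query itself fails — confirm what
                 // db()->query() returns before relying on this check.
                 if ($active && $result->rowCount() == 1) {
                     // Successful login: issue a fresh session id so that an id
                     // fixed before authentication is not promoted to a logged-in one
                     if (session_id() !== '') {
                         session_regenerate_id(true);
                     }
                     // get default user preferences
                     $prefs = self::getDefaultUserOptions();
                     // get basic user data
                     $user = $result->fetchRow(MYSQL_ASSOC);
                     // add this user's options
                     $prefs = array_merge($prefs, self::getUserOptions($user['user_id']));
                     foreach (self::$sessioncols as $key) {
                         $_SESSION[strtoupper($key)] = $user[$key];
                     }
                     // ----- preferences -----
                     $_SESSION['LANGUAGE'] = $user['language'] != '' ? $user['language'] : (isset($prefs['language']) ? $prefs['language'] : 'DE');
                     $_SESSION['TIMEZONE_STRING'] = isset($prefs['timezone_string']) && $prefs['timezone_string'] != '' ? $prefs['timezone_string'] : CAT_Registry::get('DEFAULT_TIMEZONE_STRING');
                     $_SESSION['CAT_DATE_FORMAT'] = isset($prefs['date_format']) && $prefs['date_format'] != '' ? $prefs['date_format'] : CAT_Registry::get('CAT_DEFAULT_DATE_FORMAT');
                     $_SESSION['CAT_TIME_FORMAT'] = isset($prefs['time_format']) && $prefs['time_format'] != '' ? $prefs['time_format'] : CAT_Registry::get('CAT_DEFAULT_TIME_FORMAT');
                     if (defined('WB2COMPAT') && WB2COMPAT === true) {
                         $wb2compat_format_map = CAT_Registry::get('WB2COMPAT_FORMAT_MAP');
                         $_SESSION['DATE_FORMAT'] = isset($_SESSION['CAT_DATE_FORMAT']) ? $wb2compat_format_map[$_SESSION['CAT_DATE_FORMAT']] : '';
                         $_SESSION['TIME_FORMAT'] = isset($_SESSION['CAT_TIME_FORMAT']) ? $wb2compat_format_map[$_SESSION['CAT_TIME_FORMAT']] : '';
                     }
                     date_default_timezone_set($_SESSION['TIMEZONE_STRING']);
                     $_SESSION['SYSTEM_PERMISSIONS'] = 0;
                     $_SESSION['MODULE_PERMISSIONS'] = array();
                     $_SESSION['TEMPLATE_PERMISSIONS'] = array();
                     $_SESSION['GROUP_NAME'] = array();
                     // Module/template permissions are the intersection over all
                     // groups; the first group seeds the set.
                     $first_group = true;
                     foreach (explode(",", $user['groups_id']) as $cur_group_id) {
                         $query = "SELECT * FROM `:prefix:groups` WHERE group_id=:id";
                         $result = $self->db()->query($query, array('id' => $cur_group_id));
                         $results = $result->fetch();
                         $_SESSION['GROUP_NAME'][$cur_group_id] = $results['name'];
                         // Set system permissions
                         if ($results['system_permissions'] != '') {
                             $_SESSION['SYSTEM_PERMISSIONS'] = $results['system_permissions'];
                         }
                         // Set module permissions
                         if ($results['module_permissions'] != '') {
                             if ($first_group) {
                                 $_SESSION['MODULE_PERMISSIONS'] = explode(',', $results['module_permissions']);
                             } else {
                                 $_SESSION['MODULE_PERMISSIONS'] = array_intersect($_SESSION['MODULE_PERMISSIONS'], explode(',', $results['module_permissions']));
                             }
                         }
                         // Set template permissions
                         if ($results['template_permissions'] != '') {
                             if ($first_group) {
                                 $_SESSION['TEMPLATE_PERMISSIONS'] = explode(',', $results['template_permissions']);
                             } else {
                                 $_SESSION['TEMPLATE_PERMISSIONS'] = array_intersect($_SESSION['TEMPLATE_PERMISSIONS'], explode(',', $results['template_permissions']));
                             }
                         }
                         $first_group = false;
                     }
                     // Update the users table with current ip and timestamp
                     $get_ts = time();
                     $get_ip = $_SERVER['REMOTE_ADDR'];
                     $query = "UPDATE `:prefix:users` SET login_when=:when, login_ip=:ip WHERE user_id=:id";
                     $self->db()->query($query, array('when' => $get_ts, 'ip' => $get_ip, 'id' => $user['user_id']));
                     if ($redirect_url) {
                         return $redirect_url;
                     }
                     if (self::getInstance()->checkPermission('start', 'start')) {
                         return CAT_ADMIN_URL . '/start/index.php?initial=true';
                     }
                     return CAT_URL . '/index.php';
                 }
                 if (!$active && $result->rowCount() == 1) {
                     self::setLoginError($lang->translate('Your account has been disabled. Please contact the administrator.'));
                 } else {
                     self::setLoginError($lang->translate('Invalid credentials'));
                 }
             }
             if ($val->fromSession('ATTEMPTS') > CAT_Registry::get('MAX_ATTEMPTS') && CAT_Registry::exists('AUTO_DISABLE_USERS') && CAT_Registry::get('AUTO_DISABLE_USERS') === true) {
                 // if we have a user name
                 if ($name) {
                     self::disableAccount($name);
                 }
                 return CAT_THEME_URL . '/templates/warning.html';
             }
             return false;
         }
         if (!$output) {
             return false;
         }
         $username_fieldname = $val->createFieldname('username_');
         $tpl_data = array(
             'USERNAME_FIELDNAME'   => $username_fieldname,
             'PASSWORD_FIELDNAME'   => $val->createFieldname('password_'),
             'USERNAME'             => $val->sanitizePost($username_fieldname),
             'ACTION_URL'           => CAT_ADMIN_URL . '/login/index.php',
             'LOGIN_URL'            => CAT_ADMIN_URL . '/login/index.php',
             'DEFAULT_URL'          => CAT_ADMIN_URL . '/start/index.php',
             'WARNING_URL'          => CAT_THEME_URL . '/templates/warning.html',
             'REDIRECT_URL'         => ADMIN_URL . '/start/index.php',
             'FORGOTTEN_DETAILS_APP' => ADMIN_URL . '/login/forgot/index.php',
             'MIN_USERNAME_LEN'     => AUTH_MIN_LOGIN_LENGTH,
             'MAX_USERNAME_LEN'     => AUTH_MAX_LOGIN_LENGTH,
             'MIN_PASSWORD_LEN'     => AUTH_MIN_PASS_LENGTH,
             'MAX_PASSWORD_LEN'     => AUTH_MAX_PASS_LENGTH,
             'PAGES_DIRECTORY'      => PAGES_DIRECTORY,
             // same session key as the attempt check above (was misspelled 'ATTEMTPS')
             'ATTEMPTS'             => $val->fromSession('ATTEMPTS'),
             'MESSAGE'              => self::$loginerror,
         );
         $tpl_data['meta']['LANGUAGE'] = strtolower(LANGUAGE);
         $tpl_data['meta']['CHARSET'] = defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : "utf-8";
         $parser->output('login', $tpl_data);
     } else {
         // Already logged in: send exactly one Location header. A second
         // header() call replaces the first, which previously dropped the
         // redirect target in favour of the start page.
         if ($redirect_url) {
             header('Location: ' . $redirect_url);
         } elseif (self::getInstance()->checkPermission('start', 'start')) {
             header('Location: ' . CAT_ADMIN_URL . '/start/index.php');
         } else {
             header('Location: ' . CAT_URL . '/index.php');
         }
     }
 }

 /**
  * Returns $url unchanged when it is safe to redirect to, otherwise ''.
  *
  * Accepts relative paths and http(s) URLs whose host is the host of CAT_URL
  * or CAT_ADMIN_URL (assumes the backend is served from one of those hosts).
  * Rejects other hosts, protocol-relative "//host" (and "/\host") forms,
  * non-http schemes and values containing CR/LF, which would split the
  * Location header.
  *
  * @access private
  * @param mixed $url value taken from the request
  * @return string
  **/
 private static function localRedirectTarget($url)
 {
     if (!is_string($url) || $url === '') {
         return '';
     }
     if (preg_match('/[\r\n]/', $url) || preg_match('~^[/\\\\]{2}~', $url)) {
         return '';
     }
     $parts = parse_url($url);
     if ($parts === false) {
         return '';
     }
     if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
         return '';
     }
     if (isset($parts['host'])) {
         $own = array();
         foreach (array(CAT_URL, CAT_ADMIN_URL) as $base) {
             $host = parse_url($base, PHP_URL_HOST);
             if ($host) {
                 $own[] = strtolower($host);
             }
         }
         if (!in_array(strtolower($parts['host']), $own, true)) {
             return '';
         }
     }
     return $url;
 }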