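/**
 * Checks a password posting for the current request.
 *
 * Unless the caller supplies $authType, the protecting credential is derived
 * from the request context: the full-image password, the search password,
 * the current album (walking up parent albums until one has a password), the
 * current zenpage page (walking up parent pages), or finally the gallery
 * credentials. A submitted login form ($_POST['password'] and $_POST['pass'])
 * is then validated and the auth cookie set or cleared; otherwise an existing
 * auth cookie is validated and cleared when it no longer matches.
 *
 * @param string $authType   override of authorization type (also the cookie name)
 * @param string $check_auth stored password hash to match (used only with $authType)
 * @param string $check_user stored user name to match (used only with $authType)
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL)
{
    global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
    if (empty($authType)) {
        // not supplied by caller: derive it from the request context
        $check_auth = '';
        $fullImage = (isset($_GET['z']) && isset($_GET['p']) && $_GET['p'] == 'full-image') || (isset($_GET['p']) && $_GET['p'] == '*full-image');
        if ($fullImage) {
            $authType = 'zp_image_auth';
            $check_auth = getOption('protected_image_password');
            $check_user = getOption('protected_image_user');
        } elseif (in_context(ZP_SEARCH)) {
            // search page
            $authType = 'zp_search_auth';
            $check_auth = getOption('search_password');
            $check_user = getOption('search_user');
        } elseif (in_context(ZP_ALBUM)) {
            // album page: an unprotected album inherits the nearest protected ancestor
            $authType = "zp_album_auth_" . $_zp_current_album->getID();
            $check_auth = $_zp_current_album->getPassword();
            $check_user = $_zp_current_album->getUser();
            if (empty($check_auth)) {
                $parent = $_zp_current_album->getParent();
                while (!is_null($parent)) {
                    $check_auth = $parent->getPassword();
                    $check_user = $parent->getUser();
                    $authType = "zp_album_auth_" . $parent->getID();
                    if (!empty($check_auth)) {
                        break;
                    }
                    $parent = $parent->getParent();
                }
            }
        } elseif (in_context(ZP_ZENPAGE_PAGE)) {
            // zenpage page: likewise inherit from the nearest protected parent page
            $authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
            $check_auth = $_zp_current_zenpage_page->getPassword();
            $check_user = $_zp_current_zenpage_page->getUser();
            if (empty($check_auth)) {
                $pageobj = $_zp_current_zenpage_page;
                while (empty($check_auth)) {
                    // cast so the id interpolated into the SQL below can only ever be digits
                    $parentID = (int) $pageobj->getParentID();
                    if ($parentID == 0) {
                        break;
                    }
                    $sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . $parentID;
                    $result = query_single_row($sql);
                    if (!$result) {
                        // dangling parent id: stop the walk rather than build a page from nothing
                        break;
                    }
                    $pageobj = new ZenpagePage($result['titlelink']);
                    $authType = "zp_page_auth_" . $pageobj->getID();
                    $check_auth = $pageobj->getPassword();
                    $check_user = $pageobj->getUser();
                }
            }
        }
        if (empty($check_auth)) {
            // anything else is controlled by the gallery credentials
            $authType = 'zp_gallery_auth';
            $check_auth = $_zp_gallery->getPassword();
            $check_user = $_zp_gallery->getUser();
        }
    }
    // Handle the login form.
    if (DEBUG_LOGIN) {
        debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
    }
    if (isset($_POST['password']) && isset($_POST['pass'])) {
        // process login form
        $post_user = isset($_POST['user']) ? sanitize($_POST['user']) : '';
        // We should not sanitize the password
        $post_pass = $_POST['pass'];
        // defined even when the hash list turns out to be empty
        $success = false;
        $auth = '';
        foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
            $auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
            // strict, constant-time comparison: a loose == would treat numeric-looking
            // hashes (e.g. "0e...") as equal and leak timing information
            $success = hash_equals((string) $check_auth, (string) $auth) && (string) $post_user === (string) $check_user;
            if (DEBUG_LOGIN) {
                // the clear-text password is deliberately kept out of the log file
                debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
            }
            if ($success) {
                break;
            }
        }
        $success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
        if ($success) {
            // Correct auth info. Set the cookie.
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid credentials");
            }
            zp_setCookie($authType, $auth);
            if (isset($_POST['redirect'])) {
                // sanitizeRedirect() is relied on to keep the target on this site
                $redirect_to = sanitizeRedirect($_POST['redirect'], true);
                if (!empty($redirect_to)) {
                    header("Location: " . $redirect_to);
                    exitZP();
                }
            }
        } else {
            // Clear the cookie, just in case
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid credentials");
            }
            zp_clearCookie($authType);
            $_zp_login_error = true;
        }
        return;
    }
    if (empty($check_auth)) {
        //no password on record or admin logged in
        return;
    }
    $saved_auth = (string) zp_getCookie($authType);
    if ($saved_auth !== '') {
        // same strict, constant-time comparison for the cookie value
        if (hash_equals((string) $check_auth, $saved_auth)) {
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid cookie");
            }
            return;
        } else {
            // Clear the cookie
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid cookie");
            }
            zp_clearCookie($authType);
        }
    }
}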
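/**
 * Handles save of a user name / password pair submitted from an admin form.
 *
 * @param object|string $object the protected item: an object exposing getUser(),
 *                              setUser(), setPassword() and setPasswordHint(), or an
 *                              option-name prefix for option based credentials
 * @param string $suffix        form field suffix distinguishing several forms on one page
 * @return string '' on success, otherwise a query-string fragment describing the
 *                failure ('?mismatch' when the passwords differ, '?mismatch=user'
 *                when the user changed without a password)
 */
function processCredentials($object, $suffix = '')
{
    $notify = '';
    if (isset($_POST['password_enabled' . $suffix]) && $_POST['password_enabled' . $suffix]) {
        if (is_object($object)) {
            $olduser = $object->getUser();
        } else {
            $olduser = getOption($object . '_user');
        }
        // missing fields count as empty instead of raising undefined-index notices
        $rawuser = isset($_POST['user' . $suffix]) ? $_POST['user' . $suffix] : '';
        $rawpass = isset($_POST['pass' . $suffix]) ? $_POST['pass' . $suffix] : '';
        $newuser = trim(sanitize($rawuser, 3));
        $pwd = trim(sanitize($rawpass));
        if (isset($_POST['disclose_password' . $suffix])) {
            // disclosed password: no confirmation field, the entry confirms itself
            $pass2 = $pwd;
        } elseif (isset($_POST['pass_r' . $suffix])) {
            $pass2 = trim(sanitize($_POST['pass_r' . $suffix]));
        } else {
            $pass2 = '';
        }
        $fail = '';
        // a changed, non-empty user name without a password is rejected
        if ((string) $olduser !== (string) $newuser && !empty($newuser) && strlen($rawpass) == 0) {
            $fail = '?mismatch=user';
        }
        // strict comparison: password and confirmation must match byte for byte
        if (!$fail && $pwd === $pass2) {
            if (is_object($object)) {
                $object->setUser($newuser);
            } else {
                setOption($object . '_user', $newuser);
            }
            if (empty($pwd)) {
                if (strlen($rawpass) == 0) {
                    // clear the password
                    if (is_object($object)) {
                        $object->setPassword(NULL);
                    } else {
                        setOption($object . '_password', NULL);
                    }
                }
            } else {
                if (is_object($object)) {
                    $object->setPassword(Zenphoto_Authority::passwordHash($newuser, $pwd));
                } else {
                    setOption($object . '_password', Zenphoto_Authority::passwordHash($newuser, $pwd));
                }
            }
        } else {
            $notify = empty($fail) ? '?mismatch' : $fail;
        }
        $hint = process_language_string_save('hint' . $suffix, 3);
        if (is_object($object)) {
            $object->setPasswordHint($hint);
        } else {
            setOption($object . '_hint', $hint);
        }
    }
    return $notify;
}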
 /**
  * Hashes the supplied clear-text password and stores it on this object,
  * along with the hash type used and the time of the update.
  *
  * @param string $pwd clear-text password
  * @return string the stored password hash
  */
 function setPass($pwd)
 {
     $hashType = getOption('strong_hash');
     $user = $this->getUser();
     $hashed = Zenphoto_Authority::passwordHash($user, $pwd, $hashType);
     $this->set('pass', $hashed);
     // record when and with which hash type the password was last set
     $this->set('passupdate', date('Y-m-d H:i:s'));
     $this->set('passhash', $hashType);
     return $hashed;
 }
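 /**
  * Creates a feed object from the URL parameters fetched only.
  *
  * Optionally authenticates the request from a 'token' parameter (a hash of the
  * remaining parameters tied to the user id), sets the channel title from the
  * gallery options, then performs the per-feedtype setup ('gallery', 'news',
  * 'pages', 'comments', or 'null' for a bare instance) and loads the items.
  *
  * @param array $options the parsed feed URL parameters; 'rss' selects the feed type
  */
 function __construct($options = NULL)
 {
     global $_zp_gallery, $_zp_current_admin_obj, $_zp_loggedin;
     if (empty($options)) {
         self::feed404();
     }
     $this->feedtype = isset($options['rss']) ? $options['rss'] : NULL;
     parent::__construct($options);
     if (isset($options['token'])) {
         //	The link came from a logged in user, see if it is valid
         $link = $options;
         unset($link['token']);
         $token = Zenphoto_Authority::passwordHash(serialize($link), '');
         // strict, constant-time comparison: a loose == would accept numeric-looking
         // hashes that merely compare equal after type juggling
         if (hash_equals((string) $token, (string) $options['token'])) {
             $adminobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => (int) $link['user']));
             if ($adminobj) {
                 $_zp_current_admin_obj = $adminobj;
                 $_zp_loggedin = $_zp_current_admin_obj->getRights();
             }
         }
     }
     // general feed setup
     $channeltitlemode = getOption('RSS_title');
     $this->host = html_encode($_SERVER["HTTP_HOST"]);
     //channeltitle general
     switch ($channeltitlemode) {
         case 'gallery':
             $this->channel_title = $_zp_gallery->getBareTitle($this->locale);
             break;
         case 'website':
             $this->channel_title = getBare($_zp_gallery->getWebsiteTitle($this->locale));
             break;
         case 'both':
             $website_title = $_zp_gallery->getWebsiteTitle($this->locale);
             $this->channel_title = $_zp_gallery->getBareTitle($this->locale);
             if (!empty($website_title)) {
                 $this->channel_title = $website_title . ' - ' . $this->channel_title;
             }
             break;
     }
     // individual feedtype setup
     switch ($this->feedtype) {
         case 'gallery':
             if (!getOption('RSS_album_image')) {
                 self::feed404();
             }
             $albumname = $this->getChannelTitleExtra();
             if ($this->albumfolder) {
                 $alb = newAlbum($this->albumfolder, true, true);
                 if ($alb->exists) {
                     if ($this->mode == 'albums' || $this->collection) {
                         $albumname = ' - ' . html_encode($alb->getTitle()) . $this->getChannelTitleExtra();
                     }
                 } else {
                     self::feed404();
                 }
             }
             // NOTE(review): this unconditionally overwrites the album-specific $albumname
             // computed above, so the album title never reaches the channel title — looks
             // like a leftover; confirm the intended behaviour before removing it
             $albumname = $this->getChannelTitleExtra();
             $this->channel_title = html_encode($this->channel_title . ' ' . getBare($albumname));
             $this->imagesize = $this->getImageSize();
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
             break;
         case 'news':
             //Zenpage News RSS
             if (!getOption('RSS_articles')) {
                 self::feed404();
             }
             $titleappendix = gettext(' (Latest news)');
             switch ($this->newsoption) {
                 case 'withalbums':
                 case 'withalbums_mtime':
                 case 'withalbums_publishdate':
                 case 'withalbums_latestupdated':
                     $titleappendix = gettext(' (Latest news and albums)');
                     break;
                 case 'withimages':
                 case 'withimages_mtime':
                 case 'withimages_publishdate':
                     $titleappendix = gettext(' (Latest news and images)');
                     break;
                 default:
                     switch ($this->sortorder) {
                         case 'popular':
                             $titleappendix = gettext(' (Most popular news)');
                             break;
                         case 'mostrated':
                             $titleappendix = gettext(' (Most rated news)');
                             break;
                         case 'toprated':
                             $titleappendix = gettext(' (Top rated news)');
                             break;
                         case 'random':
                             $titleappendix = gettext(' (Random news)');
                             break;
                     }
                     break;
             }
             $this->channel_title = html_encode($this->channel_title . $this->cattitle . $titleappendix);
             $this->imagesize = $this->getImageSize();
             $this->itemnumber = getOption("RSS_zenpage_items");
             // # of Items displayed on the feed
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
             break;
         case 'pages':
             //Zenpage Pages RSS
             if (!getOption('RSS_pages')) {
                 self::feed404();
             }
             switch ($this->sortorder) {
                 case 'popular':
                     $titleappendix = gettext(' (Most popular pages)');
                     break;
                 case 'mostrated':
                     $titleappendix = gettext(' (Most rated pages)');
                     break;
                 case 'toprated':
                     $titleappendix = gettext(' (Top rated pages)');
                     break;
                 case 'random':
                     $titleappendix = gettext(' (Random pages)');
                     break;
                 default:
                     $titleappendix = gettext(' (Latest pages)');
                     break;
             }
             $this->channel_title = html_encode($this->channel_title . $titleappendix);
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
             break;
         case 'comments':
             //Comments RSS
             if (!getOption('RSS_comments')) {
                 self::feed404();
             }
             if ($this->id) {
                 // map the requested item kind to its table; feed404() is assumed to
                 // terminate the request, so $table is always set past the switch
                 switch ($this->commentfeedtype) {
                     case 'album':
                         $table = 'albums';
                         break;
                     case 'image':
                         $table = 'images';
                         break;
                     case 'news':
                         $table = 'news';
                         break;
                     case 'page':
                         $table = 'pages';
                         break;
                     default:
                         self::feed404();
                         break;
                 }
                 $this->itemobj = getItemByID($table, $this->id);
                 if ($this->itemobj) {
                     $title = ' - ' . $this->itemobj->getTitle();
                 } else {
                     self::feed404();
                 }
             } else {
                 $this->itemobj = NULL;
                 $title = NULL;
             }
             $this->channel_title = html_encode($this->channel_title . $title . gettext(' (latest comments)'));
             if (extensionEnabled('zenpage')) {
                 require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
             }
             break;
         case 'null':
             //we just want the class instantiated
             return;
     }
     $this->feeditems = $this->getitems();
 }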
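 /**
  * Validates an auth code for a user id, resolving LDAP based users first and
  * falling back to the parent implementation for everything else.
  *
  * @param string $authCode the auth hash presented by the client
  * @param int $id the user id; ids above LDAP_ID_OFFSET denote LDAP users
  * @return int the rights of the authorized user, as returned by getRights()
  *             (or whatever the parent implementation returns)
  */
 function checkAuthorization($authCode, $id)
 {
     global $_zp_current_admin_obj;
     if (LDAP_ID_OFFSET && $id > LDAP_ID_OFFSET) {
         //	LDAP ID: the offset keeps LDAP ids disjoint from local user ids
         // cast so the value interpolated into the LDAP filter can only ever be digits
         $ldid = (int) ($id - LDAP_ID_OFFSET);
         $ad = self::ldapInit(LDAP_DOMAIN);
         if ($ad) {
             self::ldapReader($ad);
             $userData = self::ldapUser($ad, "(uidNumber={$ldid})");
             if ($userData) {
                 $userData = array_change_key_case($userData, CASE_LOWER);
                 if (DEBUG_LOGIN) {
                     debugLogBacktrace("LDAPcheckAuthorization({$authCode}, {$ldid})");
                 }
                 $goodAuth = Zenphoto_Authority::passwordHash($userData['uid'][0], serialize($userData));
                 // strict, constant-time comparison: a loose == would accept numeric-looking
                 // hashes that merely compare equal after type juggling
                 if (hash_equals((string) $goodAuth, (string) $authCode)) {
                     $userobj = self::setupUser($ad, $userData);
                     if ($userobj) {
                         $_zp_current_admin_obj = $userobj;
                         $rights = $_zp_current_admin_obj->getRights();
                     } else {
                         $rights = 0;
                     }
                     if (DEBUG_LOGIN) {
                         debugLog(sprintf('LDAPcheckAuthorization: from %1$s->%2$X', $authCode, $rights));
                     }
                 } else {
                     if (DEBUG_LOGIN) {
                         debugLog(sprintf('LDAPcheckAuthorization: AuthCode %1$s <> %2$s', $goodAuth, $authCode));
                     }
                 }
             }
             // best-effort cleanup of the directory connection
             @ldap_unbind($ad);
         }
     }
     if ($_zp_current_admin_obj) {
         return $_zp_current_admin_obj->getRights();
     } else {
         return parent::checkAuthorization($authCode, $id);
     }
 }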