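/**
 * Log in the account named by the web server's REMOTE_USER, without a password check.
 *
 * Only valid when the configured login method is BASIC_AUTH, i.e. the web server's own
 * authentication layer has already vouched for the request; any other method is a
 * configuration error. Does nothing when a session already exists. On success the login
 * counters are updated and a long-term session (cookies + tokens) is established.
 *
 * All failures are reported through trigger_error(..., ERROR) rather than a return value.
 *
 * @return void
 */
function autologin() {
    if (auth_is_user_authenticated()) {
        return;
    }

    $t_login_method = config_get('login_method');
    if ($t_login_method != BASIC_AUTH) {
        trigger_error("Invalid login method. ({$t_login_method})", ERROR);
    }

    # REMOTE_USER is only present when the web server authenticated the request itself;
    # if it is missing, fall through to the "invalid user" error instead of reading an
    # undefined index.
    $t_remote_user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
    $t_user_id = user_get_id_by_name($t_remote_user);
    if (!$t_user_id) {
        trigger_error('Invalid user.', ERROR);
    }

    # successful login: bump counters, clear lockout state, establish the session
    user_increment_login_count($t_user_id);
    user_reset_failed_login_count_to_zero($t_user_id);
    user_reset_lost_password_in_progress_count_to_zero($t_user_id);
    # second argument true: a long-term cookie is issued for autologin sessions
    auth_set_cookies($t_user_id, true);
    auth_set_tokens($t_user_id);
}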
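# verify.php: complete a lost-password / account-verification round trip.
# Both values come straight from the request and are untrusted until the hash check passes.
$f_user_id = gpc_get_string('id');
$f_confirm_hash = gpc_get_string('confirm_hash');

# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
    auth_logout();
    # reload the page after logout; the request values are URL-encoded so they cannot
    # alter the query string when echoed back into the redirect target.
    print_header_redirect( 'verify.php?id=' . urlencode( $f_user_id ) . '&confirm_hash=' . urlencode( $f_confirm_hash ) );
}

# Strict comparison on purpose: with != PHP compares numeric-looking strings as numbers,
# so two different digests could compare equal. A constant-time comparison such as
# hash_equals() is preferable where the PHP version provides it.
$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );
if ( $f_confirm_hash !== $t_calculated_confirm_hash ) {
    trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

# set a temporary cookie so the login information is passed between pages.
auth_set_cookies( $f_user_id, false );
user_reset_failed_login_count_to_zero( $f_user_id );
user_reset_lost_password_in_progress_count_to_zero( $f_user_id );

# fake login so the user can set their password
auth_attempt_script_login( user_get_field( $f_user_id, 'username' ) );
# NOTE(review): bumping the failed-login count right after the fake login looks deliberate
# (presumably it feeds auth_generate_confirm_hash so the link is single-use) — confirm before changing.
user_increment_failed_login_count( $f_user_id );

include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_page.php' );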
/**
 * Try to authenticate $p_username with $p_password and, on success, establish the session.
 *
 * When the login name is unknown, the account is created on the fly for BASIC_AUTH, or for
 * LDAP once the directory has accepted the credentials; any other method rejects the attempt.
 * Disabled accounts, accounts over the failed-login limit and wrong passwords are rejected
 * (a wrong password bumps the failed-login counter). Anonymous accounts skip the password
 * check. On success the login counters are updated and the session cookies and tokens are
 * set; a long-term cookie is issued only when $p_perm_login is true.
 *
 * @param string $p_username a prepared username
 * @param string $p_password a prepared password
 * @param bool $p_perm_login whether to create a long-term cookie
 * @return bool indicates if authentication was successful
 * @access public
 */
function auth_attempt_login($p_username, $p_password, $p_perm_login = false) {
    $t_user_id = user_get_id_by_name($p_username);
    $t_login_method = config_get('login_method');

    if (false === $t_user_id) {
        # Only BASIC_AUTH or a successful LDAP bind may create a missing account;
        # the LDAP bind is attempted only when the method is LDAP.
        $t_auto_create = (BASIC_AUTH == $t_login_method)
            || (LDAP == $t_login_method && ldap_authenticate_by_username($p_username, $p_password));
        if (!$t_auto_create) {
            return false;
        }

        # attempt to create the user; the password is handed over as its md5 digest
        if (false === user_create($p_username, md5($p_password))) {
            return false;
        }

        # re-read the freshly created row to obtain its id
        $t_user_id = user_get_id_by_name($p_username);
        if (false === $t_user_id) {
            # creation reported success but the row cannot be found
            # @@@ trigger an error here?
            return false;
        }
    }

    # disabled accounts and accounts over the failed-login limit never get in
    if (!user_is_enabled($t_user_id) || !user_is_login_request_allowed($t_user_id)) {
        return false;
    }

    # anonymous accounts have no password to verify; everyone else must match
    $t_password_ok = user_is_anonymous($t_user_id)
        || auth_does_password_match($t_user_id, $p_password);
    if (!$t_password_ok) {
        user_increment_failed_login_count($t_user_id);
        return false;
    }

    # successful login: bump counters, clear lockout state, establish the session
    user_increment_login_count($t_user_id);
    user_reset_failed_login_count_to_zero($t_user_id);
    user_reset_lost_password_in_progress_count_to_zero($t_user_id);
    auth_set_cookies($t_user_id, $p_perm_login);
    auth_set_tokens($t_user_id);

    return true;
}
/**
 * Start a session as $p_user_id on behalf of the currently authenticated user.
 *
 * The permission check runs before any session state is touched. The impersonated
 * session is always short-lived: no long-term cookie is issued.
 *
 * @param int $p_user_id The user id.
 * @return void
 */
function auth_impersonate($p_user_id) {
    # authorisation first; nothing below runs unless this passes
    auth_ensure_can_impersonate($p_user_id);

    # never a long-term cookie for an impersonated session
    $t_perm_login = false;
    auth_set_cookies($p_user_id, $t_perm_login);
    auth_set_tokens($p_user_id);
}
/**
 * Try to authenticate $p_username with $p_password and, on success, establish the session.
 *
 * Unknown login names may be auto-created (delegated to auth_auto_create_user). Disabled
 * accounts, accounts over the failed-login limit and wrong passwords are rejected (a wrong
 * password bumps the failed-login counter). Anonymous accounts skip the password check.
 * On success the login counters are updated and the session cookies and tokens are set;
 * a long-term cookie is issued only when $p_perm_login is true.
 *
 * @param string  $p_username   A prepared username.
 * @param string  $p_password   A prepared password.
 * @param boolean $p_perm_login Whether to create a long-term cookie.
 * @return boolean true when the login succeeded, false otherwise
 * @access public
 */
function auth_attempt_login($p_username, $p_password, $p_perm_login = false) {
    $t_user_id = auth_get_user_id_from_login_name($p_username);

    # unknown login name: give the configured method a chance to create the account
    if ($t_user_id === false) {
        $t_user_id = auth_auto_create_user($p_username, $p_password);
    }
    if ($t_user_id === false) {
        return false;
    }

    # disabled accounts and accounts over the failed-login limit never get in
    if (!user_is_enabled($t_user_id) || !user_is_login_request_allowed($t_user_id)) {
        return false;
    }

    # anonymous accounts have no password to verify; everyone else must match
    $t_password_ok = user_is_anonymous($t_user_id)
        || auth_does_password_match($t_user_id, $p_password);
    if (!$t_password_ok) {
        user_increment_failed_login_count($t_user_id);
        return false;
    }

    # successful login: bump counters, clear lockout state, establish the session
    user_increment_login_count($t_user_id);
    user_reset_failed_login_count_to_zero($t_user_id);
    user_reset_lost_password_in_progress_count_to_zero($t_user_id);
    auth_set_cookies($t_user_id, $p_perm_login);
    auth_set_tokens($t_user_id);

    return true;
}
require_api('lang_api.php');
require_api('print_api.php');
require_api('string_api.php');
require_api('user_api.php');
require_api('utility_api.php');

# CSRF protection for the account_update form.
form_security_validate('account_update');

# If token is set, it's a password reset request from verify.php, and if
# not we need to reauthenticate the user
# NOTE(review): the only request input consulted here is verify_user_id, and the
# password-reset branch is taken whenever a TOKEN_ACCOUNT_VERIFY token merely exists
# for that id — no caller-supplied token value is compared against it. Confirm that
# token_get_value / the verify.php flow enforce that binding; otherwise any request
# naming a user id with a pending verification reaches the password-setting branch.
$t_verify_user_id = gpc_get('verify_user_id', false);
$t_account_verification = $t_verify_user_id ? token_get_value(TOKEN_ACCOUNT_VERIFY, $t_verify_user_id) : false;
if (!$t_account_verification) {
    # normal path: the logged-in user must re-enter credentials before changing account data
    auth_reauthenticate();
    $t_user_id = auth_get_current_user_id();
} else {
    # set a temporary cookie so the login information is passed between pages.
    auth_set_cookies($t_verify_user_id, false);
    # fake login so the user can set their password
    auth_attempt_script_login(user_get_field($t_verify_user_id, 'username'));
    $t_user_id = $t_verify_user_id;
}

auth_ensure_user_authenticated();
# protected accounts (e.g. the anonymous account) may not be edited through this form
current_user_ensure_unprotected();

# form fields; every default is the empty string so "not submitted" and "cleared" look alike
$f_email = gpc_get_string('email', '');
$f_realname = gpc_get_string('realname', '');
$f_password_current = gpc_get_string('password_current', '');
$f_password = gpc_get_string('password', '');
$f_password_confirm = gpc_get_string('password_confirm', '');

$t_redirect_url = 'index.php';

# @todo Listing what fields were updated is not standard behaviour of MantisBT - it also complicates the code.
$t_update_email = null;
$t_update_password = null;