/** main program for visitors
 *
 * this routine is called from /index.php. It is the main program for visitors.
 *
 * @return void page sent to the browser
 * @todo cleanup login/logout-code
 */
function main_index()
{
    global $USER;
    global $CFG;
    global $LANGUAGE;
    /** initialise the program, setup database, read configuration, etc. */
    require_once $CFG->progdir . '/init.php';
    initialise();
    was_version_check();
    // this never returns if versions don't match
    // TODO: cleanup like in main_admin()
    // handle login/logout/continuation so we quickly find out which user is calling
    if (isset($_GET['logout'])) {
        /** loginlib.php contains both login- and logout-routines */
        require_once $CFG->progdir . '/lib/loginlib.php';
        was_logout();
        // may or may not return here
    } elseif (isset($_GET['login'])) {
        /** loginlib.php contains both login- and logout-routines */
        require_once $CFG->progdir . '/lib/loginlib.php';
        was_login(magic_unquote($_GET['login']));
        // may or may not return here
    } elseif (isset($_COOKIE[$CFG->session_name])) {
        /** dbsessionlib.php contains our own database based session handler */
        require_once $CFG->progdir . '/lib/dbsessionlib.php';
        dbsession_setup($CFG->session_name);
        if (dbsession_exists(magic_unquote($_COOKIE[$CFG->session_name]))) {
            session_start();
        }
    }
    // At this point we either have a valid session with a logged-in user
    // (indicated via existence of $_SESSION) or we are dealing with an anonymous
    // visitor with non-existing $_SESSION. Keep track of the number of calls
    // this user makes (may be logged lateron on logout).
    if (isset($_SESSION)) {
        if (!isset($_SESSION['session_counter'])) {
            // first time after login, record start time of session
            $_SESSION['session_counter'] = 1;
            $_SESSION['session_start'] = strftime("%Y-%m-%d %T");
        } else {
            $_SESSION['session_counter']++;
        }
    }
    // Now is the time to create a USER object, even when the visitor is just a passerby
    // because we can then determine easily if a visitor is allowed certain things, e.g.
    // view a protected area or something
    /** useraccount.class.php is used to define the USER object */
    require_once $CFG->progdir . '/lib/useraccount.class.php';
    if (isset($_SESSION) && isset($_SESSION['user_id'])) {
        $USER = new Useraccount($_SESSION['user_id']);
        $USER->is_logged_in = TRUE;
        $_SESSION['language_key'] = $LANGUAGE->get_current_language();
        // remember language set via _GET or otherwise
    } else {
        $USER = new Useraccount();
        $USER->is_logged_in = FALSE;
    }
    // Check for the special preview-mode
    // This allows a webmaster to preview a page in the correct environment (theme)
    // even when the page is under embargo. Note that the node_id and area_id are
    // retrieved from the session; the user only has a cryptic preview-code.
    // See pagemanagerlib.php for more information (function task_page_preview()).
    $in_preview_mode = FALSE;
    if ($USER->is_logged_in) {
        $preview_code_from_url = get_parameter_string('preview');
        if (!is_null($preview_code_from_url) && isset($_SESSION['preview_salt']) && isset($_SESSION['preview_node'])) {
            $hash = md5($_SESSION['preview_salt'] . $_SESSION['preview_node']);
            if ($hash === $preview_code_from_url) {
                $node_id = intval($_SESSION['preview_node']);
                $area_id = intval($_SESSION['preview_area']);
                $area = db_select_single_record('areas', '*', array('area_id' => $area_id));
                if ($area === FALSE) {
                    logger("Fatal error 070: cannot preview node '{$node_id}' in area '{$area_id}'");
                    error_exit('070');
                } else {
                    $tree = tree_build($area_id);
                    $in_preview_mode = TRUE;
                }
            }
        }
    }
    if ($in_preview_mode == FALSE) {
        $requested_area = get_requested_area();
        $requested_node = get_requested_node();
        $req_area_str = is_null($requested_area) ? "NULL" : strval($requested_area);
        $req_node_str = is_null($requested_node) ? "NULL" : strval($requested_node);
        if (($area = calculate_area($requested_area, $requested_node)) === FALSE) {
            logger("Fatal error 080: no valid area (request: area='{$req_area_str}', node='{$req_node_str}')");
            error_exit('080');
            // no such area
        }
        $area_id = intval($area['area_id']);
        // If $USER has no permission to view area $area_id, we simply bail out.
        // Rationale: if the user is genuine, she knows about logging in first.
        // If the user is NOT logged in and tries to view a protected area, I'd consider
        // it malicious, and in that case I won't even confirm the existence of
        // the requested area. (If a cracker simply tries areas 0,1,.. and sometimes is greeted
        // with 'please enter credentials' and sometimes with 'area does not exist', this
        // provides information to the cracker. I don't want that). Note that the error code
        // is the same as the one for non-existing area. In other words: for an unauthorised
        // visitor an existing private area is just as non-existent as a non-existing public area.
        if (db_bool_is(TRUE, $area['is_private']) && !$USER->has_intranet_permissions(ACL_ROLE_INTRANET_ACCESS, $area_id)) {
            logger(sprintf("Fatal error 080: no view permissions for area '%d' (request: area='%s', node='%s')", $area_id, $req_area_str, $req_node_str));
            error_exit('080');
            // no such area
        }
        // still here?
        // then we've got a valid $area_id and corresponding $area record.
        // now we need to figure out which $node_id to use
        $tree = tree_build($area_id);
        if (($node_id = calculate_node_id($tree, $area_id, $requested_node)) === FALSE) {
            logger(sprintf("Fatal error 080: no valid node within area '%d' (request: area='%s', node='%s')", $area_id, $req_area_str, $req_node_str));
            error_exit('080');
            // no such area
        }
    }
    // At this point we have the following in our hands
    // - a valid $area_id
    // - a valid $node_id
    // - the complete tree from area $area_id in $tree
    // - the area record from database in $area
    // - the node record from database in $tree[$node_id]['record']
    // - a flag that signals preview mode in $in_preview_mode
    // We are on our way to generate a full page with content and all,
    // but otoh we MIGHT be in the middle of a redirect, so we may have to
    // leave without showing anything at all...
    if (!empty($tree[$node_id]['record']['link_href'])) {
        update_statistics($node_id);
        if (isset($_SESSION)) {
            session_write_close();
        }
        redirect_and_exit(htmlspecialchars($tree[$node_id]['record']['link_href']));
        // exit; redirect_and_exit() never returns
    }
    /** themelib contains the theme factory */
    require_once $CFG->progdir . '/lib/themelib.php';
    // And now we know about the $area, we can carry on determining which $theme to use.
    //
    $theme = theme_factory($area['theme_id'], $area_id, $node_id);
    if ($theme === FALSE) {
        logger("Fatal error 090: cannot setup theme '{$area['theme_id']}' in area '{$area_id}'");
        error_exit('090');
    }
    // Tell the theme about the preview mode
    $theme->set_preview_mode($in_preview_mode);
    // Now all we need to do is let the module connected to node $node_id generate output
    $module_id = $tree[$node_id]['record']['module_id'];
    module_view($theme, $area_id, $node_id, $module_id);
    // Remember this visitor
    update_statistics($node_id);
    // Finally, send output to user
    $theme->send_output();
    if (isset($_SESSION)) {
        session_write_close();
    }
    // done!
    exit;
}
/** main program for serving files
 *
 * this routine is called from /file.php.
 *
 * This routine is responsible for serving files to the visitor.
 * These files are stored in a (virtual) file hierarchy that looks
 * like this.
 *
 * <pre>
 * /areas/areaname
 *       /another
 *       /stillmore
 *       ...
 * /users/username
 *       /another
 *       /stillmore
 *       ...
 * /groups/groupname
 *        /another
 *        /stillmore
 *        ...
 * /websiteatschool/program
 *                 /manual
 *                 /languages
 * </pre>
 *
 * This structure maps to the real file system as follows.  The (virtual)
 * directories /areas, /users and /groups correspond to the fysical
 * directories {$CFG->datadir}/areas, {$CFG->datadir}/users and
 * {$CFG->datadir}/groups respectively. The subdirectories correspond to
 * a (unique) area, user or group and serve as a file repository for that
 * area, user or group.
 *
 * The (virtual) top-level directory /websiteatschool is a special case.
 * It is used to serve the currently running website program code and the
 * user-defined translations of active languages.
 *
 * Before any file is transmitted to the visitor the access privileges
 * are checked.  The following rules apply.
 *
 * Access control for the /areas subdirectory
 *
 *  - an area must be active before any files are served
 *  - the visitor must have access to the private area if files are to be served
 *  - non-existing files yield a 404 Not Found error
 *  - non-existing areas also yield a 404 Not Found error
 *  - if the visitor has no access to the private area, also a 404 Not Found error is returned
 *
 * Access control for /users and /groups
 *
 *  - a user/group must be active before any files are served
 *  - non-existing users/groups yield 404 Not Found
 *  - non-existing files in existing directories also yield 404 Not Found
 *
 * Access control for /websiteatschool
 *
 *  - there is no limit on downloading the currently active program code or user-defined translations of active languages
 *
 * Note:
 * The check on '..' in the requested filename would be inconclusive if the $path
 * is encoded in invalid UTF-8: the overlong sequence 2F C0 AE 2E 2F eventually
 * yields 2F 2E 2E 2F or '/../'. Reference: RFC3629 section 10. However, we use
 * the filename processed with get_requested_filename() which already checks for
 * utf8 validity, which rules out the trick with overlong sequences.
 *
 * @return void file sent to the browser OR 404 not found on error
 */
function main_file()
{
    global $USER;
    global $CFG;
    global $WAS_SCRIPT_NAME;
    global $LANGUAGE;
    /** initialise the program, setup database, read configuration, etc. */
    require_once $CFG->progdir . '/init.php';
    initialise();
    was_version_check();
    // this never returns if versions don't match
    /** utility routines for manipulating files */
    require_once $CFG->progdir . '/lib/filelib.php';
    $filename = get_requested_filename();
    if (is_null($filename)) {
        error_exit404();
    }
    // 0 -- is the visitor logged in
    if (isset($_COOKIE[$CFG->session_name])) {
        /** dbsessionlib.php contains our own database based session handler */
        require_once $CFG->progdir . '/lib/dbsessionlib.php';
        dbsession_setup($CFG->session_name);
        if (dbsession_exists(magic_unquote($_COOKIE[$CFG->session_name]))) {
            session_start();
            if (!isset($_SESSION['session_counter'])) {
                // first time after login, record start time of session
                $_SESSION['session_counter'] = 1;
                $_SESSION['session_start'] = strftime("%Y-%m-%d %T");
            } else {
                $_SESSION['session_counter']++;
            }
        }
    }
    /** useraccount.class.php is used to define the USER object */
    require_once $CFG->progdir . '/lib/useraccount.class.php';
    if (isset($_SESSION) && isset($_SESSION['user_id'])) {
        $USER = new Useraccount($_SESSION['user_id']);
        $USER->is_logged_in = TRUE;
        $_SESSION['language_key'] = $LANGUAGE->get_current_language();
        // remember language set via _GET or otherwise
        session_write_close();
        // we no longer need this here, everything relevant is now in $USER
    } else {
        $USER = new Useraccount();
        $USER->is_logged_in = FALSE;
    }
    //
    // 1 -- does the visitor want to download the source code
    //
    $path_components = explode('/', trim(strtr($filename, '\\', '/'), '/'));
    if (strtolower($path_components[0]) == 'websiteatschool') {
        $source = isset($path_components[1]) ? strtolower($path_components[1]) : 'program';
        download_source($source);
        exit;
    }
    //
    // 2 -- no source code requested. check out regular files
    //
    $path = '/' . implode('/', $path_components);
    // 2A -- always disallow attempts to escape from tree via parent directory tricks
    if (in_array('..', $path_components)) {
        logger(sprintf("%s(): access denied for file '%s': no tricks with '/../': return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
        error_exit404($path);
    }
    // 2B -- check the 1st and 2nd component of the requested file
    switch ($path_components[0]) {
        case 'areas':
            $area_path = isset($path_components[1]) ? $path_components[1] : '';
            $fields = array('area_id', 'is_private');
            $where = array('is_active' => TRUE, 'path' => $area_path);
            $table = 'areas';
            if (($record = db_select_single_record($table, $fields, $where)) === FALSE) {
                logger(sprintf("%s(): access denied for file '%s': non-existing or inactive area: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
                error_exit404($path);
            }
            $area_id = intval($record['area_id']);
            if (db_bool_is(TRUE, $record['is_private']) && !$USER->has_intranet_permissions(ACL_ROLE_INTRANET_ACCESS, $area_id)) {
                logger(sprintf("%s(): access denied for file '%s' in private area '%d': return 404 Not Found", __FUNCTION__, $path, $area_id), WLOG_DEBUG);
                error_exit404($path);
            }
            break;
        case 'users':
            $user_path = isset($path_components[1]) ? $path_components[1] : '';
            $fields = array('user_id');
            $where = array('path' => $user_path, 'is_active' => TRUE);
            $table = 'users';
            if (($record = db_select_single_record($table, $fields, $where)) === FALSE) {
                logger(sprintf("%s(): access denied for file '%s': non-existing or inactive user: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
                error_exit404($path);
            }
            break;
        case 'groups':
            $group_path = isset($path_components[1]) ? $path_components[1] : '';
            $fields = array('group_id');
            $where = array('path' => $group_path, 'is_active' => TRUE);
            $table = 'groups';
            if (($record = db_select_single_record($table, $fields, $where)) === FALSE) {
                logger(sprintf("%s(): access denied for file '%s': non-existing or inactive group: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
                error_exit404($path);
            }
            break;
        default:
            logger(sprintf("%s(): access denied for file '%s': subdirectory '%s' not recognised: return 404 Not Found", __FUNCTION__, $path, $path_components[0]), WLOG_DEBUG);
            error_exit404($path);
            break;
    }
    // 2C -- still here? 1st and 2nd components are good but does the file exist?
    if (!is_file($CFG->datadir . $path)) {
        logger(sprintf("%s(): access denied for file '%s': file does not exist: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
        error_exit404($path);
    }
    //
    // At this point we confident that the file exists within the data directory and also that
    // the visitor is allowed access to the file. Now send the file to the visitor.
    //
    $name = basename($path);
    if (($bytes_sent = send_file_from_datadir($path, $name)) === FALSE) {
        logger(sprintf("Failed to send '%s' using filename '%s'", $path, $name));
        $retval = FALSE;
    } else {
        logger(sprintf("Success sending '%s' using filename '%s', size = %d bytes", $path, $name, $bytes_sent), WLOG_DEBUG);
        $retval = TRUE;
    }
    exit;
}
/** continue the session from the previous call OR exit
 *
 * This tries to resume the session that was initiated before
 * (when the user logged in succesfully). If the session cannot
 * be resumed, we logout the user, show the login screen and exit.
 * In other words: this routine guarantees that a valid session
 * exists if and when this routine returns. If the routine returns,
 * it returns the user_id.
 *
 * @return void|int on success the $user_id is returned else a logout + exit is forced
 * @uses $CFG;
 * @uses dbsessionlib.php
 */
function admin_continue_session()
{
    global $CFG;
    /** dbsessionlib.php contains our own database based session handler */
    require_once $CFG->progdir . '/lib/dbsessionlib.php';
    dbsession_setup($CFG->session_name);
    if (dbsession_exists($_COOKIE[$CFG->session_name])) {
        session_start();
    }
    if (!isset($_SESSION)) {
        admin_logout_and_exit();
    } else {
        if (!isset($_SESSION['session_counter'])) {
            // first time after login, record start time of session
            $_SESSION['session_counter'] = 1;
            $_SESSION['session_start'] = strftime("%Y-%m-%d %T");
        } else {
            $_SESSION['session_counter']++;
        }
        $user_id = $_SESSION['user_id'];
    }
    return $user_id;
}
Пример #4
0
/** execute the selected login procedure
 *
 * The login process is controlled via the parameter 'login'
 * provided by the user via 'index.php?login=N or via the
 * 'action' property in a HTML-form. These numbers correspond to the
 * LOGIN_PROCEDURE_* constants defined near the top of this file.
 * Here's a reminder:
 *
 * 1. LOGIN_PROCEDURE_NORMAL this is the usual procedure for logging in
 * 2. LOGIN_PROCEDURE_CHANGE_PASSWORD this is the procedure to change the user's password
 * 3. LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER this is phase 1 of the 'forgot password' procedure
 * 4. LOGIN_PROCEDURE_SEND_BYPASS this is phase 2 of the 'forgot password' procedure
 *
 * Note that this routine only returns to the caller after either a succesful
 * regular login (i.e. after completing LOGIN_PROCEDURE_NORMAL). All the
 * other variants and error conditions yield another screen and an immediate exit and
 * hence no return to caller. If this routine returns, it returns the user_id
 * of the authenticated user (the primary key into the users table). It is up to the caller to
 * retrieve additional information about this user; any information read from the database
 * during login is discarded. This prevents password hashes still lying around.
 * 
 * Note that a successful login has the side effect of garbage collection:
 * whenever we experience a successful login any obsolete sessions are removed.
 * This makes sure that locked records eventually will be unlocked, once the corresponding
 * session no longer exists. The garbage collection routine is also called from
 * the PHP session handler every once in a while, but here we make 100% sure that
 * garbage is collected at least at every login. (Note: obsolete sessions should not
 * be a problem for visitors that are not logged in, because you have to be logged in
 * to be able to lock a record.)
 *
 * @param int $procedure the login procedure to execute
 * @param string $message the message to display when showing the login dialog
 * @return void|int no return on error, otherwise the user_id of the authenticated user
 * @uses $CFG
 * @uses dbsession_setup()
 * @uses dbsession_garbage_collection()
 */
function was_login($procedure = LOGIN_PROCEDURE_SHOWLOGIN, $message = '')
{
    global $CFG;
    // get rid of the cookie (if we received one) and the corresponding session;
    // the user's browser should NOT present us with a cookie during the login procedures.
    if (isset($_COOKIE[$CFG->session_name])) {
        was_logout();
        exit;
    }
    // If this IP-address is currently blacklisted, tell the visitor access is denied
    if (login_is_blacklisted($_SERVER['REMOTE_ADDR'])) {
        show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('access_denied', 'loginlib'));
        exit;
    }
    switch (intval($procedure)) {
        case LOGIN_PROCEDURE_NORMAL:
            if (isset($_POST['login_username']) && isset($_POST['login_password'])) {
                $username = magic_unquote($_POST['login_username']);
                $password = magic_unquote($_POST['login_password']);
                $user = authenticate_user(BY_PASSWORD, $username, $password);
                if ($user !== FALSE) {
                    login_failure_reset($_SERVER['REMOTE_ADDR']);
                    if (db_bool_is(FALSE, $user['bypass_mode'])) {
                        // valid credentials and not in a bypass mode: start session and return user_id
                        require_once $CFG->progdir . '/lib/dbsessionlib.php';
                        dbsession_setup($CFG->session_name);
                        $session_key = dbsession_create($user['user_id'], $_SERVER['REMOTE_ADDR']);
                        session_id($session_key);
                        session_start();
                        $_SESSION['session_id'] = dbsession_get_session_id($session_key);
                        $user_id = intval($user['user_id']);
                        $_SESSION['user_id'] = $user_id;
                        $_SESSION['redirect'] = $user['redirect'];
                        $_SESSION['language_key'] = $user['language_key'];
                        $_SESSION['remote_addr'] = $_SERVER['REMOTE_ADDR'];
                        $_SESSION['salt'] = $CFG->salt;
                        // allow for extra check on rogue sessions
                        $_SESSION['username'] = $username;
                        logger('login: \'' . $username . '\' (' . $user_id . '): success', WLOG_INFO, $user_id);
                        // now that we logged on successfully, make sure that obsolete sessions
                        // will not bother us (or other logged in users). Note the 900 seconds minimum duration;
                        // $time_out = max(900,intval(ini_get('session.gc_maxlifetime')));
                        global $CFG;
                        $time_out = max(900, intval($CFG->session_expiry));
                        dbsession_garbage_collection($time_out);
                        return $user_id;
                        // SUCCESS! User is logged in, tell caller!
                    } else {
                        show_login(LOGIN_PROCEDURE_CHANGE_PASSWORD, t('must_change_password', 'loginlib'));
                        exit;
                    }
                }
                // Invalid credentials; pretend we're busy (slow user down), increment failure count...
                $failure_count = login_failure_increment($_SERVER['REMOTE_ADDR'], LOGIN_PROCEDURE_NORMAL, $username);
                login_failure_delay($_SERVER['REMOTE_ADDR']);
                if ($failure_count < intval($CFG->login_max_failures)) {
                    show_login(LOGIN_PROCEDURE_NORMAL, t('invalid_credentials_please_retry', 'loginlib'));
                } elseif ($failure_count == intval($CFG->login_max_failures)) {
                    show_login(LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER, t('do_you_want_to_try_forgot_password_procedure', 'loginlib'));
                } else {
                    login_failure_blacklist_address($_SERVER['REMOTE_ADDR'], 60 * intval($CFG->login_blacklist_interval), $username);
                    show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('contact_webmaster_for_new_password', 'loginlib'));
                }
            } else {
                show_login(LOGIN_PROCEDURE_NORMAL);
            }
            exit;
            break;
        case LOGIN_PROCEDURE_CHANGE_PASSWORD:
            if (isset($_POST['login_username']) && isset($_POST['login_password']) && isset($_POST['login_new_password1']) && isset($_POST['login_new_password2'])) {
                $username = magic_unquote($_POST['login_username']);
                $password = magic_unquote($_POST['login_password']);
                $new_password1 = magic_unquote($_POST['login_new_password1']);
                $new_password2 = magic_unquote($_POST['login_new_password2']);
                $user = authenticate_user(BY_PASSWORD, $username, $password);
                //
                // step 1 - perform some checks on the proposed new passwords
                //
                if ($user !== FALSE) {
                    // user authenticated: we can now also check re-use of existing passwords
                    $salt = $user['salt'];
                    $password_hash = $user['password_hash'];
                    $bypass_hash = $user['bypass_hash'];
                } else {
                    // user not authenticated so we cannot check for re-use of existing passwords
                    $salt = '';
                    $password_hash = '';
                    $bypass_hash = '';
                }
                if (!acceptable_new_password($new_password1, $new_password2, $salt, $password_hash, $bypass_hash)) {
                    show_login(LOGIN_PROCEDURE_CHANGE_PASSWORD, t('invalid_new_passwords', 'loginlib', array('{MIN_LENGTH}' => MINIMUM_PASSWORD_LENGTH, '{MIN_LOWER}' => MINIMUM_PASSWORD_LOWERCASE, '{MIN_UPPER}' => MINIMUM_PASSWORD_UPPERCASE, '{MIN_DIGIT}' => MINIMUM_PASSWORD_DIGITS)));
                    exit;
                }
                //
                // step 2 - if authenticated, actually change password and reset failure counters/blacklists
                //
                if ($user !== FALSE) {
                    // allow the user in:
                    //  - start new session,
                    //  - immediately write/close it,
                    //  - send user an email about success with changing password,
                    //  - and finally leave the user with message box on screen
                    //
                    login_change_password($user['user_id'], $new_password1);
                    login_failure_reset($_SERVER['REMOTE_ADDR']);
                    require_once $CFG->progdir . '/lib/dbsessionlib.php';
                    dbsession_setup($CFG->session_name);
                    $session_key = dbsession_create($user['user_id'], $_SERVER['REMOTE_ADDR']);
                    session_id($session_key);
                    session_start();
                    $_SESSION['session_id'] = dbsession_get_session_id($session_key);
                    $user_id = intval($user['user_id']);
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['redirect'] = $user['redirect'];
                    $_SESSION['language_key'] = $user['language_key'];
                    $_SESSION['remote_addr'] = $_SERVER['REMOTE_ADDR'];
                    $_SESSION['salt'] = $CFG->salt;
                    // allow for extra check on rogue sessions
                    $_SESSION['username'] = $username;
                    session_write_close();
                    // save the session
                    login_send_confirmation($user);
                    logger('login: \'' . $username . '\' (' . $user_id . '), change password: success', WLOG_INFO, $user_id);
                    show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('password_changed', 'loginlib'));
                    exit;
                }
                // Invalid credentials; pretend we're busy (slow user down), increment failure count...
                $failure_count = login_failure_increment($_SERVER['REMOTE_ADDR'], LOGIN_PROCEDURE_CHANGE_PASSWORD, $username);
                login_failure_delay($_SERVER['REMOTE_ADDR']);
                if ($failure_count < intval($CFG->login_max_failures)) {
                    show_login(LOGIN_PROCEDURE_CHANGE_PASSWORD, t('invalid_credentials_please_retry', 'loginlib'));
                } elseif ($failure_count == intval($CFG->login_max_failures)) {
                    show_login(LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER, t('too_many_login_attempts', 'loginlib'));
                } else {
                    login_failure_blacklist_address($_SERVER['REMOTE_ADDR'], 60 * intval($CFG->login_blacklist_interval), $username);
                    show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('too_many_change_password_attempts', 'loginlib'));
                }
            } else {
                show_login(LOGIN_PROCEDURE_CHANGE_PASSWORD);
            }
            exit;
            break;
        case LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER:
            if (isset($_POST['login_username']) && isset($_POST['login_email'])) {
                $username = magic_unquote($_POST['login_username']);
                $email = magic_unquote($_POST['login_email']);
                $user = authenticate_user(BY_EMAIL, $username, $email);
                if ($user !== FALSE) {
                    if (login_send_laissez_passer($user)) {
                        show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('see_mail_for_further_instructions', 'loginlib'));
                    } else {
                        show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('failure_sending_laissez_passer_mail', 'loginlib'));
                    }
                    exit;
                } else {
                    // Not authenticated; pretend we're busy (slow user down), increment failure count...
                    $failure_count = login_failure_increment($_SERVER['REMOTE_ADDR'], LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER, $username);
                    login_failure_delay($_SERVER['REMOTE_ADDR']);
                    if ($failure_count < intval($CFG->login_max_failures)) {
                        show_login(LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER, t('invalid_username_email_please_retry', 'loginlib'));
                    } elseif ($failure_count == intval($CFG->login_max_failures)) {
                        show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('too_many_login_attempts', 'loginlib'));
                    } else {
                        login_failure_blacklist_address($_SERVER['REMOTE_ADDR'], 60 * intval($CFG->login_blacklist_interval), $username);
                        show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('too_many_login_attempts', 'loginlib'));
                    }
                    exit;
                }
            } else {
                show_login(LOGIN_PROCEDURE_SEND_LAISSEZ_PASSER);
            }
            exit;
            break;
        case LOGIN_PROCEDURE_SEND_BYPASS:
            if (isset($_GET['code']) && isset($_GET['username'])) {
                $laissez_passer = magic_unquote($_GET['code']);
                $username = magic_unquote($_GET['username']);
            } elseif (isset($_POST['login_username']) && isset($_POST['login_laissez_passer'])) {
                $laissez_passer = magic_unquote($_POST['login_laissez_passer']);
                $username = magic_unquote($_POST['login_username']);
            } else {
                show_login(LOGIN_PROCEDURE_SEND_BYPASS);
                exit;
            }
            // still here? Then we check the laissez_passer and send a second email to the user
            $user = authenticate_user(BY_LAISSEZ_PASSER, $username, $laissez_passer);
            if ($user !== FALSE) {
                login_failure_reset($_SERVER['REMOTE_ADDR']);
                if (login_send_bypass($user)) {
                    show_login(LOGIN_PROCEDURE_NORMAL, t('see_mail_for_new_temporary_password', 'loginlib'));
                } else {
                    show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('failure_sending_temporary_password', 'loginlib'));
                }
            } else {
                $failure_count = login_failure_increment($_SERVER['REMOTE_ADDR'], LOGIN_PROCEDURE_SEND_BYPASS, $username);
                login_failure_delay($_SERVER['REMOTE_ADDR']);
                if ($failure_count < intval($CFG->login_max_failures)) {
                    show_login(LOGIN_PROCEDURE_SEND_BYPASS, t('invalid_laissez_passer_please_retry', 'loginlib'));
                } elseif ($failure_count == intval($CFG->login_max_failures)) {
                    show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('too_many_login_attempts', 'loginlib'));
                } else {
                    login_failure_blacklist_address($_SERVER['REMOTE_ADDR'], 60 * intval($CFG->login_blacklist_interval), $username);
                    show_login(LOGIN_PROCEDURE_MESSAGE_BOX, t('too_many_login_attempts', 'loginlib'));
                }
            }
            exit;
            break;
        case LOGIN_PROCEDURE_SHOWLOGIN:
            show_login(LOGIN_PROCEDURE_NORMAL, $message);
            exit;
            break;
        default:
            show_login(LOGIN_PROCEDURE_NORMAL);
            exit;
            break;
    }
}