/**
 * Display the login screen.
 *
 * This screen should also check if PivotX is set up correctly. If it isn't, the
 * user will be redirected to the Troubleshooting or Setup screen.
 *
 * The same form also drives three other flows handled here: a "reset password"
 * request (stores a reset id and mails a link), the follow-up reset link
 * (?resetpassword&username=...&id=..., which sets a new random password and shows
 * it on screen), and the login itself (redirects to the dashboard, index.php, the
 * bookmarklet screen, or the path/query-only 'returnto' value).
 *
 * @param string $template "normal", "mobile", or any other value (bookmarklet
 *        variant); may be overridden by $_POST['template'] and is forced to
 *        "mobile" when isMobile() is true.
 */
function pageLogin($template = "normal")
{
    global $PIVOTX;

    if (!isInstalled()) {
        pageSetupUser();
        die;
    }

    $PIVOTX['template']->assign('title', __("Login"));
    $PIVOTX['template']->assign('heading', __("Login"));

    // The POSTed template name wins over the argument; a mobile client overrides both.
    $template = getDefault($_POST['template'], $template);
    if (isMobile()) {
        $template = "mobile";
    }
    $form = getLoginForm($template);

    // If a 'return to' is set, pass it onto the template, but only the 'path' and 'query'
    // part. This means that we do NOT allow redirects to another domain!!
    // NOTE(review): parse_url() returns false for seriously malformed input, in which
    // case $returnto['path'] below is read from a bool — consider checking the result.
    $returnto = getDefault($_GET['returnto'], $_POST['returnto']);
    if (!empty($returnto)) {
        $returnto = parse_url($returnto);
        $returnto_link = $returnto['path'];
        if (!empty($returnto['query'])) {
            $returnto_link .= '?' . $returnto['query'];
        }
        $form->setvalue('returnto', $returnto_link);
    }

    // Get the validation result
    $result = $form->validate();
    $extraval = array();

    if ($result != FORM_OK) {
        // Not a valid submission: a first visit, or a password-reset link being followed.
        if (isset($_GET['resetpassword']) && isset($_GET['username']) && isset($_GET['id'])) {
            $form->setvalue('username', $_GET['username']);
            $user = $PIVOTX['users']->getUser($_GET['username']);
            // NOTE(review): the token check uses loose ==, which applies numeric-string
            // rules to the two strings; a strict (ideally constant-time) comparison is
            // the safer check for a secret value.
            if ($user && !empty($user['reset_id']) && $_GET['id'] == $user['reset_id']) {
                // Valid link: set a fresh random password, clear the token, and show the
                // new password to the user.
                $extraval['pass1'] = randomString(8, true);
                $extraval['reset_id'] = '';
                // NOTE(review): "******" looks like a scrubbed fragment of this listing
                // (presumably the opening tag matching the closing </strong>); restore it
                // from the original source before relying on the markup.
                $pass = "******" . $extraval['pass1'] . "</strong>'";
                $message = "<p>" . __('Your new password is %pass%.') . "</p>";
                $message = str_replace('%pass%', $pass, $message);
                $PIVOTX['messages']->addMessage($message);
                $html = $message;
                $PIVOTX['users']->updateUser($user['username'], $extraval);
                $PIVOTX['events']->add('password_reset', "", $user['username']);
            } else {
                // Same message (and debug line) for an unknown user and a wrong id.
                $PIVOTX['messages']->addMessage(__('Oops') . ' - ' .
                    __('Password reset request failed.'));
                debug('Password reset request failed - wrong id.');
            }
        }
        // NOTE(review): $html is only assigned in the successful-reset branch above and is
        // read undefined on every other path through here.
        $PIVOTX['template']->assign("html", $html);
        $PIVOTX['template']->assign("form", $form->fetch(true));
    } else {
        $val = $form->getvalues();
        if ($val['resetpassword'] == 1) {
            // "Forgot password": derive a reset id, store it on the user and mail the link.
            $can_send_mail = true;
            $user = $PIVOTX['users']->getUser($val['username']);
            if ($user) {
                // NOTE(review): the reset id is a deterministic digest of the spam key and the
                // stored password field, so it is identical on every request and stays valid
                // until the password changes; a random, expiring token would be stronger.
                $extraval['reset_id'] = md5($PIVOTX['config']->get('server_spam_key') . $user['password']);
                $PIVOTX['users']->updateUser($user['username'], $extraval);
                // NOTE(review): "******" looks like a scrubbed fragment of this listing (the
                // expression that yields the url-encoded username); restore it from the source.
                $link = $PIVOTX['paths']['host'] . makeAdminPageLink('login') . '&resetpassword&username='******'username']) . '&id=' . $extraval['reset_id'];
                $can_send_mail = mailResetPasswordLink(array('name' => $user['username'], 'email' => $user['email'], 'reset_id' => $extraval['reset_id'], 'link' => $link));
            }
            if ($can_send_mail) {
                // Posting this message even if an invalid username is given so
                // crackers can't enumerate usernames.
                $PIVOTX['messages']->addMessage(__('A link to reset your password was sent to your mailbox.'));
            } else {
                $PIVOTX['messages']->addMessage(__('PivotX was not able to send a mail with the reset link.'));
            }
            // NOTE(review): $user is false for an unknown name, so $user['username'] is read
            // from a bool here; $val['username'] holds the name that was actually requested.
            $PIVOTX['events']->add('request_password', "", $user['username']);
            $PIVOTX['template']->assign("form", $form->fetch(true));
        } elseif ($PIVOTX['session']->login($val['username'], $val['password'], $val['stayloggedin'])) {
            // User successfully logged in... set language and go to Dashboard or 'returnto'
            $currentuser = $PIVOTX['users']->getUser($PIVOTX['session']->currentUsername());
            $PIVOTX['languages']->switchLanguage($currentuser['language']);
            if (!empty($returnto_link)) {
                header("Location: " .
                    $returnto_link);
                die;
            } else {
                if ($template == "normal") {
                    pageDashboard();
                } else {
                    if ($template == "mobile") {
                        header('Location: index.php');
                    } else {
                        pageBookmarklet();
                    }
                }
                die;
            }
        } else {
            // User couldn't be logged in
            $PIVOTX['events']->add('failed_login', "", safeString($_POST['username']));
            $PIVOTX['messages']->addMessage($PIVOTX['session']->getMessage());
            $PIVOTX['template']->assign("form", $form->fetch(true));
        }
    }

    // Check for warnings to display
    $PIVOTX['messages']->checkWarnings();

    // Pick the wrapper template matching the login variant.
    if ($template == "normal") {
        $templatename = "generic.tpl";
    } else {
        if ($template == "mobile") {
            $templatename = "mobile/generic.tpl";
        } else {
            $templatename = "bookmarklet_login.tpl";
        }
    }
    renderTemplate($templatename);
}
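/**
 * Handle a "forgot password" request from the visitor login form.
 *
 * Looks up the user by the submitted name; when found, derives a reset id,
 * stores it on the user record and mails a reset link. The confirmation
 * message is set whether or not the user exists, so the response does not
 * reveal which names are valid.
 *
 * @return string The rendered login screen, as produced by showLogin().
 */
function sendPass()
{
    global $PIVOTX;

    $name = $this->input['name'];
    $user = $this->loadUser($name);

    // Strict comparison instead of ==: == applies numeric-string rules to two
    // strings ("1e1" == "10"), which an identity check must not rely on.
    // Assumes both sides are strings — if the user store returned a non-string
    // name this would now fail closed (confirm against loadUser()).
    if ($user && $user['name'] === $name) {
        // NOTE(review): the reset id is a deterministic digest of the spam key and
        // the stored pass field, so it is identical on every request and stays
        // valid until the password changes; a random, expiring token would be stronger.
        $user['reset_id'] = md5($PIVOTX['config']->get('server_spam_key') . $user['pass']);
        // NOTE(review): pass_reset is stored here but not read in this method;
        // presumably consumed by the reset page — confirm.
        $user['pass_reset'] = randomString(10);
        $this->saveUser($user);

        $link = $PIVOTX['paths']['host'] . makeVisitorPageLink('reset_passwd')
            . '&name=' . urlencode($user['name'])
            . '&id=' . $user['reset_id'];

        mailResetPasswordLink(array(
            'name' => $user['name'],
            'email' => $user['email'],
            'reset_id' => $user['reset_id'],
            'link' => $link,
        ));
    }

    // Posting this message even if an invalid username is given so
    // crackers can't enumerate usernames.
    $this->input['message'] = __('A link to reset your password was sent to your mailbox.');

    return $this->showLogin();
}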