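/**
 * Get the backend singleton; forwards to the login page if the user is not logged in.
 *
 * On the first call this bootstraps the framework (framework/initialize.php)
 * when CAT_INITIALIZED is not yet registered, redirects unauthenticated users
 * to the login page and terminates, checks the caller's permission for the
 * requested section, initialises the template paths and menu and – unless
 * $auto_header is false – prints the page header. Neither the redirect nor
 * the permission check happens while CAT_INSTALL_PROCESS is defined.
 * Later calls return the existing instance without repeating any of this.
 *
 * @access public
 * @param  string  $section_name       backend section the caller belongs to
 * @param  string  $section_permission permission required for that section
 * @param  boolean $auto_header        print the page header on first call
 * @param  boolean $auto_auth          currently unused: authentication is
 *                                     always enforced (except during install)
 * @return object
 **/
public static function getInstance($section_name = 'Start', $section_permission = 'start', $auto_header = true, $auto_auth = true)
{
    if (!self::$instance) {
        self::$instance = new self();
        if (!CAT_Registry::defined('CAT_INITIALIZED')) {
            include CAT_PATH . '/framework/initialize.php';
        }
        $user       = CAT_Users::getInstance();
        $installing = defined('CAT_INSTALL_PROCESS');
        if (!$user->is_authenticated() && !$installing) {
            // not logged in: send the browser to the login page and stop here
            header('Location: ' . CAT_ADMIN_URL . '/login/index.php');
            exit(0);
        } elseif (!$installing) {
            // third argument: let checkPermission() handle a failed check itself
            $user->checkPermission($section_name, $section_permission, true);
        }
        self::$instance->section_name = $section_name;
        global $parser;
        self::initPaths();
        // the global parser does not exist yet when getInstance() is the first
        // thing a backend script calls; create it the same way handleLogin() does
        if (!is_object($parser)) {
            $parser = CAT_Helper_Template::getInstance('Dwoo');
        }
        $parser->setGlobals('TEMPLATE_MENU', CAT_Helper_Template::get_template_menus());
        // Auto header code
        if ($auto_header == true) {
            self::$instance->print_header();
        }
    }
    return self::$instance;
}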
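/**
 * Get the template driver instance (created on first use).
 *
 * The driver name is used as given or suffixed with 'Driver'; its class file
 * must exist below ./Template/, otherwise a fatal error is printed. On first
 * use the driver is wrapped in a CAT_Helper_Template_DriverDecorator and the
 * framework URL/path constants, every user constant matching DEFAULT_*,
 * WEBSITE_*, SHOW_*, FRONTEND_*, ENABLE_* or *_FORMAT, and the legacy
 * $TEXT/$HEADING/$MESSAGE language arrays are registered as template globals.
 *
 * @access public
 * @param  string $driver driver name, e.g. 'Dwoo' or 'DwooDriver'
 * @return object         CAT_Helper_Template_DriverDecorator
 **/
public static function getInstance($driver)
{
    if (strcasecmp(substr($driver, -strlen('driver')), 'driver') !== 0) {
        $driver .= 'Driver';
    }
    $file = dirname(__FILE__) . '/Template/' . $driver . '.php';
    // the name becomes part of an include path, so only identifier characters
    // are acceptable; anything else is treated like a missing driver
    // (printFatalError() is expected to terminate the request)
    if (!preg_match('~^[A-Za-z0-9_]+$~', $driver) || !file_exists($file)) {
        $s = new self();
        $s->printFatalError($s->lang->translate('No such template driver: [' . $driver . ']'));
    }
    self::$_driver = $driver;
    // the cache is keyed by class name; the previous lookup used the short
    // driver name and therefore never hit, so the files were required again
    // on every call
    $class = 'CAT_Helper_Template_' . $driver;
    if (!isset(self::$_drivers[$class]) || !is_object(self::$_drivers[$class])) {
        // require_once: the decorator file is shared by all drivers
        require_once dirname(__FILE__) . '/Template/DriverDecorator.php';
        require_once $file;
        self::$_drivers[$class] = new CAT_Helper_Template_DriverDecorator(new $class());
        self::$_drivers[$class]->setGlobals(array(
            'CAT_ADMIN_URL' => CAT_ADMIN_URL,
            'CAT_URL'       => CAT_URL,
            'CAT_PATH'      => CAT_PATH,
            'LEPTON_URL'    => CAT_URL,
            'CAT_THEME_URL' => CAT_THEME_URL,
            'URL_HELP'      => URL_HELP,
        ));
        // DEFAULT_CHARSET, WEBSITE_HEADER, SHOW_SEARCH, FRONTEND_LOGIN,
        // DATE_FORMAT, ENABLE_HTMLPURIFIER etc.
        $defs        = get_defined_constants(true);
        $user_consts = isset($defs['user']) ? $defs['user'] : array();
        foreach ($user_consts as $const => $value) {
            if (preg_match('~^(DEFAULT|WEBSITE|SHOW|FRONTEND|ENABLE)_|_FORMAT$~', $const)) {
                self::$_drivers[$class]->setGlobals($const, $value);
            }
        }
        // This is for old language strings
        global $HEADING, $TEXT, $MESSAGE;
        foreach (array('TEXT', 'HEADING', 'MESSAGE') as $global) {
            if (isset(${$global}) && is_array(${$global})) {
                self::$_drivers[$class]->setGlobals($global, ${$global});
            }
        }
    }
    return self::$_drivers[$class];
}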
/**
 * Wrap a template engine driver.
 *
 * Stores the decorated engine in $this->te, points its 'workdir' path at the
 * directory of the file that instantiated this decorator (falling back to the
 * directory of this file), descends into a 'templates' sub-directory when one
 * exists, makes that the 'current' path and keeps a directory helper handy.
 *
 * @param object $obj template engine to decorate (assumed to expose a
 *                    $paths array – inferred from usage, not declared here)
 **/
public function __construct($obj)
{
    parent::__construct();
    $this->te = $obj;
    // frame 0 is the place where "new" was written for this decorator
    $trace   = debug_backtrace();
    $origin  = isset($trace[0]['file']) ? $trace[0]['file'] : __FILE__;
    $workdir = CAT_Helper_Directory::sanitizePath(realpath(dirname($origin)));
    $tpl_dir = $workdir . '/templates';
    if (file_exists($tpl_dir)) {
        $workdir = $tpl_dir;
    }
    $this->te->paths['workdir'] = $workdir;
    $this->te->paths['current'] = $workdir;
    $this->dirh = CAT_Helper_Directory::getInstance();
}
$check = str_replace('/', '\\/', CAT_Helper_Directory::sanitizePath(CAT_ADMIN_PATH)); if (preg_match('~^' . $check . '~i', $path)) { define('CAT_REQUIRE_ADMIN', true); if (!CAT_Users::getInstance()->is_authenticated()) { CAT_Users::getInstance()->handleLogin(); exit(0); } // always enable CSRF protection in backend; does not work with // AJAX so scripts called via AJAX should set this constant if (!defined('CAT_AJAX_CALL')) { //echo "class.secure is calling enableCSRFMagic<br />"; CAT_Helper_Protect::getInstance()->enableCSRFMagic(); } global $parser; if (!is_object($parser)) { $parser = CAT_Helper_Template::getInstance('Dwoo'); } // initialize template search path $parser->setPath(CAT_THEME_PATH . '/templates'); $parser->setFallbackPath(CAT_THEME_PATH . '/templates'); } } else { define('CAT_REQUIRE_ADMIN', false); } } if (!defined('CAT_INITIALIZED')) { require dirname(__FILE__) . '/initialize.php'; } $admin_dir = str_replace(CAT_PATH, '', CAT_ADMIN_PATH); $db = new database(); $direct_access_allowed = array();
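/**
 * Handle user login.
 *
 * Three situations are covered:
 *  - a POSTed login attempt (username_fieldname present): credentials are
 *    validated, the session is filled with user data, preferences and group
 *    permissions and the target URL is returned; on failure a login error is
 *    recorded and false is returned (or the warning page URL once
 *    MAX_ATTEMPTS is exceeded and AUTO_DISABLE_USERS is on);
 *  - no attempt and $output is true: the login form is rendered;
 *  - the user is already authenticated: a Location header is sent.
 *
 * A POSTed 'redirect' value is honoured only when it points to this site.
 *
 * @access public
 * @param  boolean $output render the login form when there is no attempt
 * @return mixed   string URL on success, false otherwise, nothing when a
 *                 form was rendered or a header was sent
 **/
public static function handleLogin($output = true)
{
    global $parser;
    if (!is_object($parser)) {
        $parser = CAT_Helper_Template::getInstance('Dwoo');
    }
    CAT_Backend::initPaths();
    $val  = CAT_Helper_Validate::getInstance();
    $lang = CAT_Helper_I18n::getInstance();
    $self = self::getInstance();
    $redirect_url = $val->sanitizePost('redirect');
    // the value is request-controlled; drop anything that would leave the site
    if ($redirect_url && !self::isLocalRedirect($redirect_url)) {
        $redirect_url = null;
    }
    if (!self::is_authenticated()) {
        // --- login attempt ---
        if ($val->sanitizePost('username_fieldname')) {
            // get input data
            $user = htmlspecialchars($val->sanitizePost($val->sanitizePost('username_fieldname')), ENT_QUOTES);
            $pw   = $val->sanitizePost($val->sanitizePost('password_fieldname'));
            $name = preg_match('/[\\;\\=\\&\\|\\<\\> ]/', $user) ? '' : $user;
            $min_length      = CAT_Registry::exists('AUTH_MIN_LOGIN_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_LOGIN_LENGTH') : 5;
            $min_pass_length = CAT_Registry::exists('AUTH_MIN_PASS_LENGTH', false) ? CAT_Registry::get('AUTH_MIN_PASS_LENGTH') : 5;
            // check common issues
            // we do not check for too long and don't give too much hints!
            if (!$name) {
                self::setLoginError($lang->translate('Invalid credentials'));
            }
            // parenthesised: only the first failing check records an error
            if (!self::$loginerror && ($user == '' || $pw == '')) {
                self::setLoginError($lang->translate('Please enter your username and password.'));
            }
            if (!self::$loginerror && strlen($user) < $min_length) {
                self::setLoginError($lang->translate('Invalid credentials'));
            }
            if (!self::$loginerror && !CAT_Registry::defined('ALLOW_SHORT_PASSWORDS') && strlen($pw) < $min_pass_length) {
                self::setLoginError($lang->translate('Invalid credentials'));
            }
            if (!self::$loginerror) {
                // NOTE(review): passwords are stored as unsalted md5; moving to
                // password_hash()/password_verify() needs a schema migration and
                // cannot be done in this method alone
                $query  = 'SELECT * FROM `:prefix:users` WHERE `username`=:name AND `password`=:pw';
                $qAct   = 'SELECT `active` FROM `:prefix:users` WHERE `username` = :name AND `password` = :pw';
                $result = $self->db()->query($query, array('name' => $name, 'pw' => md5($pw)));
                $active = $self->db()->query($qAct, array('name' => $name, 'pw' => md5($pw)));
                // NOTE(review): $active is the statement object, not the value
                // of the `active` column – the "disabled" branch below can only
                // trigger when that query itself failed; confirm the intent
                if ($active && $result->rowCount() == 1) {
                    // fresh session id on privilege change (session fixation)
                    if (session_id() !== '') {
                        session_regenerate_id(true);
                    }
                    // get default user preferences
                    $prefs = self::getDefaultUserOptions();
                    // get basic user data
                    $user = $result->fetchRow(MYSQL_ASSOC);
                    // add this user's options
                    $prefs = array_merge($prefs, self::getUserOptions($user['user_id']));
                    foreach (self::$sessioncols as $key) {
                        $_SESSION[strtoupper($key)] = $user[$key];
                    }
                    // ----- preferences -----
                    $_SESSION['LANGUAGE']        = $user['language'] != '' ? $user['language'] : (isset($prefs['language']) ? $prefs['language'] : 'DE');
                    $_SESSION['TIMEZONE_STRING'] = isset($prefs['timezone_string']) && $prefs['timezone_string'] != '' ? $prefs['timezone_string'] : CAT_Registry::get('DEFAULT_TIMEZONE_STRING');
                    $_SESSION['CAT_DATE_FORMAT'] = isset($prefs['date_format']) && $prefs['date_format'] != '' ? $prefs['date_format'] : CAT_Registry::get('CAT_DEFAULT_DATE_FORMAT');
                    $_SESSION['CAT_TIME_FORMAT'] = isset($prefs['time_format']) && $prefs['time_format'] != '' ? $prefs['time_format'] : CAT_Registry::get('CAT_DEFAULT_TIME_FORMAT');
                    if (defined('WB2COMPAT') && WB2COMPAT === true) {
                        $wb2compat_format_map    = CAT_Registry::get('WB2COMPAT_FORMAT_MAP');
                        $_SESSION['DATE_FORMAT'] = isset($_SESSION['CAT_DATE_FORMAT']) ? $wb2compat_format_map[$_SESSION['CAT_DATE_FORMAT']] : '';
                        $_SESSION['TIME_FORMAT'] = isset($_SESSION['CAT_TIME_FORMAT']) ? $wb2compat_format_map[$_SESSION['CAT_TIME_FORMAT']] : '';
                    }
                    date_default_timezone_set($_SESSION['TIMEZONE_STRING']);
                    $_SESSION['SYSTEM_PERMISSIONS']   = 0;
                    $_SESSION['MODULE_PERMISSIONS']   = array();
                    $_SESSION['TEMPLATE_PERMISSIONS'] = array();
                    $_SESSION['GROUP_NAME']           = array();
                    // module/template permissions are the intersection over all
                    // groups; the first group seeds the list
                    $first_group = true;
                    foreach (explode(",", $user['groups_id']) as $cur_group_id) {
                        $query   = "SELECT * FROM `:prefix:groups` WHERE group_id=:id";
                        $result  = $self->db()->query($query, array('id' => $cur_group_id));
                        $results = $result->fetch();
                        $_SESSION['GROUP_NAME'][$cur_group_id] = $results['name'];
                        // Set system permissions
                        if ($results['system_permissions'] != '') {
                            $_SESSION['SYSTEM_PERMISSIONS'] = $results['system_permissions'];
                        }
                        // Set module permissions
                        if ($results['module_permissions'] != '') {
                            if ($first_group) {
                                $_SESSION['MODULE_PERMISSIONS'] = explode(',', $results['module_permissions']);
                            } else {
                                $_SESSION['MODULE_PERMISSIONS'] = array_intersect($_SESSION['MODULE_PERMISSIONS'], explode(',', $results['module_permissions']));
                            }
                        }
                        // Set template permissions
                        if ($results['template_permissions'] != '') {
                            if ($first_group) {
                                $_SESSION['TEMPLATE_PERMISSIONS'] = explode(',', $results['template_permissions']);
                            } else {
                                $_SESSION['TEMPLATE_PERMISSIONS'] = array_intersect($_SESSION['TEMPLATE_PERMISSIONS'], explode(',', $results['template_permissions']));
                            }
                        }
                        $first_group = false;
                    } // foreach ( explode(",",$user['groups_id']) as $cur_group_id )
                    // Update the users table with current ip and timestamp
                    $get_ts = time();
                    $get_ip = $_SERVER['REMOTE_ADDR'];
                    $query  = "UPDATE `:prefix:users` SET login_when=:when, login_ip=:ip 
WHERE user_id=:id";
                    $self->db()->query($query, array('when' => $get_ts, 'ip' => $get_ip, 'id' => $user['user_id']));
                    if ($redirect_url) {
                        return $redirect_url;
                    }
                    if (self::getInstance()->checkPermission('start', 'start')) {
                        return CAT_ADMIN_URL . '/start/index.php?initial=true';
                    } else {
                        return CAT_URL . '/index.php';
                    }
                } else {
                    if (!$active && $result->rowCount() == 1) {
                        self::setLoginError($lang->translate('Your account has been disabled. Please contact the administrator.'));
                    } else {
                        self::setLoginError($lang->translate('Invalid credentials'));
                    }
                }
            }
            if ($val->fromSession('ATTEMPTS') > CAT_Registry::get('MAX_ATTEMPTS') && CAT_Registry::exists('AUTO_DISABLE_USERS') && CAT_Registry::get('AUTO_DISABLE_USERS') === true) {
                // if we have a user name
                if ($name) {
                    self::disableAccount($name);
                }
                return CAT_THEME_URL . '/templates/warning.html';
            }
            return false;
        }
        if (!$output) {
            return false;
        }
        $username_fieldname = $val->createFieldname('username_');
        $tpl_data = array(
            'USERNAME_FIELDNAME'   => $username_fieldname,
            'PASSWORD_FIELDNAME'   => $val->createFieldname('password_'),
            'USERNAME'             => $val->sanitizePost($username_fieldname),
            'ACTION_URL'           => CAT_ADMIN_URL . '/login/index.php',
            'LOGIN_URL'            => CAT_ADMIN_URL . '/login/index.php',
            'DEFAULT_URL'          => CAT_ADMIN_URL . '/start/index.php',
            'WARNING_URL'          => CAT_THEME_URL . '/templates/warning.html',
            'REDIRECT_URL'         => ADMIN_URL . '/start/index.php',
            'FORGOTTEN_DETAILS_APP' => ADMIN_URL . '/login/forgot/index.php',
            'MIN_USERNAME_LEN'     => AUTH_MIN_LOGIN_LENGTH,
            'MAX_USERNAME_LEN'     => AUTH_MAX_LOGIN_LENGTH,
            'MIN_PASSWORD_LEN'     => AUTH_MIN_PASS_LENGTH,
            'MAX_PASSWORD_LEN'     => AUTH_MAX_PASS_LENGTH,
            'PAGES_DIRECTORY'      => PAGES_DIRECTORY,
            // same session key as the lock-out check above (was misspelled 'ATTEMTPS')
            'ATTEMPTS'             => $val->fromSession('ATTEMPTS'),
            'MESSAGE'              => self::$loginerror,
        );
        $tpl_data['meta']['LANGUAGE'] = strtolower(LANGUAGE);
        $tpl_data['meta']['CHARSET']  = defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : "utf-8";
        $parser->output('login', $tpl_data);
    } else {
        // exactly one Location header: a second header() call would replace
        // the redirect target with the default page
        if ($redirect_url) {
            header('Location: ' . $redirect_url);
        } elseif (self::getInstance()->checkPermission('start', 'start')) {
            header('Location: ' . CAT_ADMIN_URL . '/start/index.php');
        } else {
            header('Location: ' . CAT_URL . '/index.php');
        }
    }
}

/**
 * Tell whether a login redirect target stays on this site.
 *
 * Relative paths are accepted. Absolute targets – anything with a scheme, or
 * starting with '//', '/\' or '\' (browsers treat those as host-relative) –
 * are accepted only when they are CAT_URL or CAT_ADMIN_URL or lie below them.
 *
 * @access private
 * @param  mixed $url value taken from the request
 * @return boolean
 **/
private static function isLocalRedirect($url)
{
    if (!is_string($url)) {
        return false;
    }
    $url = ltrim($url);
    if ($url === '') {
        return false;
    }
    $first_two   = substr($url, 0, 2);
    $is_absolute = preg_match('~^[a-z][a-z0-9+.-]*:~i', $url)
        || $first_two === '//'
        || $first_two === '/\\'
        || $url[0] === '\\';
    if (!$is_absolute) {
        return true;
    }
    foreach (array(CAT_URL, CAT_ADMIN_URL) as $base) {
        $base = rtrim($base, '/');
        // require a path or query separator after the base so that a host
        // which merely starts with ours is not accepted
        if ($url === $base || strpos($url, $base . '/') === 0 || strpos($url, $base . '?') === 0) {
            return true;
        }
    }
    return false;
}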