public function action_deleteAvatar()
{
    // get account id from cookie
    $account = new \Model_Accounts();
    $cookie = $account->getAccountCookie();
    $output = array();

    if (\Input::method() == 'POST') {
        if (!\Extension\NoCsrf::check()) {
            // validate token failed
            $output['form_status'] = 'error';
            $output['form_status_message'] = \Lang::get('fslang_invalid_csrf_token');
            $output['result'] = false;
        } else {
            // only a logged-in member may delete an avatar, and only their own
            // (the account id comes from the member's own cookie, not from the request).
            if (!isset($cookie['account_id']) || \Model_Accounts::isMemberLogin() == false) {
                $output['result'] = false;
            } else {
                $output['result'] = true;
                $account->deleteAccountAvatar($cookie['account_id']);
            }
        }
    }

    unset($account, $cookie);

    if (\Input::is_ajax()) {
        // re-generate csrf token for ajax form to set new csrf.
        $output['csrf_html'] = \Extension\NoCsrf::generate();

        $response = new \Response();
        $response->set_header('Content-Type', 'application/json');
        $response->body(json_encode($output));
        return $response;
    } else {
        // non-AJAX: send the browser back to where it came from. The Referer header is
        // supplied by the client, so only same-site values should be honoured here.
        if (\Input::referrer() != null && \Input::referrer() != \Uri::main()) {
            \Response::redirect(\Input::referrer());
        } else {
            \Response::redirect(\Uri::base());
        }
    }
}
?>
                <div class="alert alert-<?php echo str_replace('error', 'danger', $form_status); ?>"><button type="button" class="close" data-dismiss="alert">×</button><?php echo $form_status_message; ?></div>
            <?php } ?>
        </div>
        <?php echo \Extension\NoCsrf::generate(); ?>
        <div class="table-responsive">
            <table class="table table-striped table-hover list-logins-table table-sortable">
                <thead>
                    <tr>
                        <th class="check-column"><input type="checkbox" name="id_all" value="" onclick="checkAll(this.form,'id[]',this.checked)" /></th>
                        <th style="width: 24px;"></th>
                        <th><?php echo __('accountlv_level_priority'); ?> <span class="glyphicon glyphicon-question-sign bootstrap-tooltip" data-toggle="tooltip" data-original-title="<?php echo __('accountlv_higher_priority_will_come_first'); ?>
public function action_index()
{
    // load language
    \Lang::load('admin');
    \Lang::load('account');

    // load config from db.
    $cfg_values = array('member_max_login_fail', 'member_login_fail_wait_time');
    $config = \Model_Config::getvalues($cfg_values);
    $output['config'] = $config;
    unset($cfg_values);

    // set active theme for admin. this controller is not based on the admin controller,
    // so the admin theme has to be set explicitly.
    $theme = \Theme::instance();
    $theme->active($this->theme_system_name);

    // set login redirect. 'rdr' is a client-supplied URL and is redirected to after login.
    if (\Input::get('rdr') != null) {
        $output['go_to'] = urlencode(\Input::get('rdr'));
    } else {
        $output['go_to'] = urlencode(\Uri::create('admin'));
    }

    // read flash message for display errors. this is REQUIRED if the login check runs with
    // simultaneous login detection on, because a failed 'is login' check redirects here.
    $form_status = \Session::get_flash('form_status');
    if (isset($form_status['form_status']) && isset($form_status['form_status_message'])) {
        $output['form_status'] = $form_status['form_status'];
        $output['form_status_message'] = $form_status['form_status_message'];
    }
    unset($form_status);

    // count login fail and show captcha.
    // note: the counter lives in the session tied to the client's session cookie, so it only
    // throttles a client that keeps that cookie.
    if (\Session::get('login_all_fail_count', '0') >= $this->login_fail_time_show_captcha || \Session::get('show_captcha', false) === true) {
        $output['show_captcha'] = true;

        // if the last failed login is older than the wait time, reset the lockout
        if ((time() - \Session::get('login_all_fail_time', time())) / 60 > $config['member_login_fail_wait_time']['value']) {
            // do not reset the count to zero, only reduce it by (fail time show captcha + 1),
            // so that waiting out the window does not fully reset the brute-force throttle.
            \Session::set('login_all_fail_count', \Session::get('login_all_fail_count') - ($this->login_fail_time_show_captcha + 1));
            \Session::delete('login_all_fail_time');
            \Session::delete('show_captcha');
        }
    }

    // browser check
    $output['browser_check'] = $this->browserCheck();

    // if form submitted --------------------------------------------------------------------------------------------
    if (\Input::method() == 'POST') {
        // store data for login
        $data['account_identity'] = trim(\Input::post('account_identity'));
        if (strpos($data['account_identity'], '@') === false) {
            $data['account_username'] = $data['account_identity'];
        } else {
            $data['account_email'] = $data['account_identity'];
        }
        $data['account_password'] = trim(\Input::post('account_password'));

        // validate form.
        $validate = \Validation::forge();
        // check username or email required
        $validate->add('account_identity', \Lang::get('account_username_or_email'), array(), array('required'));
        $validate->add('account_password', \Lang::get('account_password'), array(), array('required'));

        if (!\Extension\NoCsrf::check()) {
            // validate token failed
            $output['form_status'] = 'error';
            $output['form_status_message'] = \Lang::get('fslang_invalid_csrf_token');
            $output['input_csrf_token'] = \Extension\NoCsrf::generate();
        } elseif (!$validate->run()) {
            // validate failed
            $output['form_status'] = 'error';
            $output['form_status_message'] = $validate->show_errors();

            if (\Input::is_ajax()) {
                $response = new \Response();
                $response->set_header('Content-Type', 'application/json');
                $response->body(json_encode($output));
                return $response;
            }
        } else {
            // count login failed and wait if it exceeded the max failures allowed.
            if (\Session::get('login_all_fail_count', '0') > $config['member_max_login_fail']['value'] && (time() - \Session::get('login_all_fail_time', time())) / 60 <= $config['member_login_fail_wait_time']['value']) {
                // continuous login failures over the max fail limit.
                $result = \Lang::get('account_login_failed_too_many', array(
                    'wait_minute' => $config['member_login_fail_wait_time']['value'],
                    'wait_til_time' => date('d F Y H:i:s', time() + $config['member_login_fail_wait_time']['value'] * 60),
                ));
            } else {
                // maximum limit not reached
                // check if captcha is required
                if (isset($output['show_captcha']) && $output['show_captcha'] === true) {
                    include APPPATH . 'vendor' . DS . 'securimage' . DS . 'securimage.php';
                    $securimage = new \Securimage();
                    if ($securimage->check(\Input::post('captcha')) == false) {
                        $result = \Lang::get('account_wrong_captcha_code');
                    }
                }

                // try to login (only if the captcha step did not already fail). ---------------------------------------------
                if (!isset($result)) {
                    $result = \Model_Accounts::adminLogin($data);
                }
            }

            // check login result ----------------------------------------------
            if ($result === true) {
                // success: clear the throttle state
                \Session::delete('login_all_fail_count');
                \Session::delete('login_all_fail_time');
                \Session::delete('show_captcha');

                if (\Input::is_ajax()) {
                    $output['login_status'] = true;
                    $output['form_status'] = 'success';
                    $output['form_status_message'] = \Lang::get('account_login_success');
                    if (!isset($output['go_to'])) {
                        $output['go_to'] = \Uri::main();
                    } else {
                        $output['go_to'] = urldecode($output['go_to']);
                    }

                    $response = new \Response();
                    $response->set_header('Content-Type', 'application/json');
                    $response->body(json_encode($output));
                    return $response;
                } else {
                    if (isset($output['go_to'])) {
                        \Response::redirect(urldecode($output['go_to']));
                    } else {
                        \Response::redirect(\Uri::base());
                    }
                }
            } else {
                // failed: bump the counter and stamp the time of this failure
                $all_fail_count = \Session::get('login_all_fail_count', '0') + 1;
                \Session::set('login_all_fail_count', $all_fail_count);
                \Session::set('login_all_fail_time', time());

                // if login fail count is greater than or equal to fail time show captcha
                if ($all_fail_count >= $this->login_fail_time_show_captcha) {
                    $output['show_captcha'] = true;
                    \Session::set('show_captcha', true);
                }

                $output['form_status'] = 'error';
                $output['form_status_message'] = $result;

                if (\Input::is_ajax()) {
                    $response = new \Response();
                    $response->set_header('Content-Type', 'application/json');
                    $response->body(json_encode($output));
                    return $response;
                }
            }
        }

        // re-populate form
        $output['account_identity'] = $data['account_identity'];
    }

    // <head> output ----------------------------------------------------------------------------------------------
    $output['page_title'] = $this->generateTitle(\Lang::get('account_login'));
    $output['page_meta'][] = '<meta name="robots" content="noindex, nofollow" />';
    // <head> output ----------------------------------------------------------------------------------------------

    // breadcrumb -------------------------------------------------------------------------------------------------
    $page_breadcrumb = [];
    $page_breadcrumb[0] = ['name' => \Lang::get('admin_admin_home'), 'url' => \Uri::create('admin')];
    $page_breadcrumb[1] = ['name' => \Lang::get('account_login'), 'url' => \Uri::create('admin/login')];
    $output['page_breadcrumb'] = $page_breadcrumb;
    unset($page_breadcrumb);
    // breadcrumb -------------------------------------------------------------------------------------------------

    if (\Input::is_ajax()) {
        $response = new \Response();
        $response->set_header('Content-Type', 'application/json');
        $response->body(json_encode($output));
        return $response;
    } else {
        return $theme->view('admin/templates/login/index_v', $output, false);
    }
}
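The two security-relevant pieces of action_index above, the session-based failure throttle (count, captcha threshold, lockout window) and the post-login redirect to the client-supplied rdr value, together with the Referer redirect in action_deleteAvatar, rewritten as framework-free PHP. This is an added example, not the project's own code: LoginThrottle, safeRedirectTarget and the host cms.example are hypothetical names, and the session is a plain array the caller is assumed to persist. It deliberately departs from the controller in two places: expire() clamps the failure count to the captcha threshold instead of subtracting threshold + 1, and a redirect target is honoured only when it is a same-site path or an http(s) URL on the expected host.

```php
<?php
// Added example, not the project's own code. Hypothetical names throughout;
// $session is a plain array standing in for the framework session.
declare(strict_types=1);

final class LoginThrottle
{
    public function __construct(
        private int $maxFail,        // member_max_login_fail
        private int $waitMinutes,    // member_login_fail_wait_time
        private int $captchaAfter    // login_fail_time_show_captcha
    ) {
    }

    // Locked out while the count exceeds the maximum and the wait window is still open.
    public function isLockedOut(array $session, int $now): bool
    {
        $count = (int) ($session['login_all_fail_count'] ?? 0);
        $last = (int) ($session['login_all_fail_time'] ?? $now);
        return $count > $this->maxFail && ($now - $last) <= $this->waitMinutes * 60;
    }

    // Captcha is demanded once the count reaches the threshold or the flag was set.
    public function needsCaptcha(array $session): bool
    {
        return (int) ($session['login_all_fail_count'] ?? 0) >= $this->captchaAfter
            || ($session['show_captcha'] ?? false) === true;
    }

    // One failed attempt: bump the count, stamp the time, arm the captcha if due.
    public function recordFailure(array $session, int $now): array
    {
        $session['login_all_fail_count'] = (int) ($session['login_all_fail_count'] ?? 0) + 1;
        $session['login_all_fail_time'] = $now;
        if ($session['login_all_fail_count'] >= $this->captchaAfter) {
            $session['show_captcha'] = true;
        }
        return $session;
    }

    // A successful login clears every throttle key.
    public function recordSuccess(array $session): array
    {
        unset($session['login_all_fail_count'], $session['login_all_fail_time'], $session['show_captcha']);
        return $session;
    }

    // Past the wait window the lockout ends, but the count is clamped to the captcha
    // threshold (not zeroed) so the next attempt still has to solve a captcha.
    public function expire(array $session, int $now): array
    {
        $last = (int) ($session['login_all_fail_time'] ?? $now);
        if (($now - $last) > $this->waitMinutes * 60) {
            unset($session['login_all_fail_time']);
            $session['login_all_fail_count'] = min((int) ($session['login_all_fail_count'] ?? 0), $this->captchaAfter);
        }
        return $session;
    }
}

// Accept a redirect target (the ?rdr= value or the Referer header) only if it is a
// same-site path or an http(s) URL on $allowedHost; anything else falls back to $default.
function safeRedirectTarget(?string $target, string $allowedHost, string $default): string
{
    if ($target === null || $target === '' || str_starts_with($target, '//') || str_contains($target, '\\')) {
        return $default; // empty, protocol-relative, or backslash-smuggled ("/\evil.example")
    }
    if ($target[0] === '/') {
        return $target; // same-site absolute path
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    return strcasecmp($parts['host'], $allowedHost) === 0 ? $target : $default;
}

// Constructed walk-through: six failures against max 5 / captcha after 3 / 10-minute wait.
$throttle = new LoginThrottle(maxFail: 5, waitMinutes: 10, captchaAfter: 3);
$now = 1700000000;
$session = [];
for ($i = 0; $i < 6; $i++) {
    $session = $throttle->recordFailure($session, $now);
}
var_dump($throttle->needsCaptcha($session), $throttle->isLockedOut($session, $now));
$session = $throttle->expire($session, $now + 11 * 60);
var_dump($throttle->isLockedOut($session, $now + 11 * 60), $throttle->needsCaptcha($session));

var_dump(safeRedirectTarget('/admin', 'cms.example', '/'));
var_dump(safeRedirectTarget('https://cms.example/admin', 'cms.example', '/'));
var_dump(safeRedirectTarget('https://evil.example/', 'cms.example', '/'));
var_dump(safeRedirectTarget('//evil.example/', 'cms.example', '/'));
```

Run with `php` 8.0 or later. In the walk-through the sixth failure both arms the captcha and opens the lockout; after eleven minutes expire() lifts the lockout while the captcha requirement survives, which is the behaviour the controller's comment about not fully resetting the counter is after. Of the four redirect targets only the first two come back unchanged; the cross-host and protocol-relative ones collapse to the default. The throttle still shares the controller's limitation: it is keyed to one client's session, so an account-level or IP-level counter is needed to slow an attacker who discards the session cookie between attempts.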
<?php $nocsrf_form_input = \Extension\NoCsrf::generate(); ?>
<article class="general-page-container">
    <h1><?php echo __('account_login'); ?></h1>
    <?php echo \Form::open(array('action' => \Uri::main() . (isset($go_to) ? '?rdr=' . $go_to : ''), 'class' => 'form-horizontal', 'role' => 'form')); ?>
        <div class="form-status-placeholder">
            <?php if (isset($form_status) && isset($form_status_message)) { ?>
            <div class="alert alert-<?php echo str_replace('error', 'danger', $form_status); ?>"><button type="button" class="close" data-dismiss="alert">×</button><?php echo $form_status_message; ?></div>
            <?php } ?>
<script type="text/javascript">
    // required js variables for use in .js file.
    var base_url = '<?php echo \Uri::base(false); ?>';
    var site_url = '<?php echo getRootSiteURL(); ?>';
    var theme_assets = '<?php echo \Uri::createNL(\Theme::instance()->asset_path('')); ?>';
    var csrf_name = '<?php echo \Config::get('security.csrf_token_key'); ?>';
    var nocsrf_val = '<?php echo \Extension\NoCsrf::generate('', true); ?>';
</script>
</head>
<body class="html-body<?php echo $pc_class . ' ' . $page_class; ?>">
<?php $nocsrf_form_value = \Extension\NoCsrf::generate(null, true); ?>
<h1><?php echo \Uri::segment(3) == 'add' ? __('account_add') : __('account_edit'); ?></h1>
<?php echo \Extension\Form::openMultipart(array('class' => 'form-horizontal', 'role' => 'form')); ?>
    <div class="form-status-placeholder">
        <?php if (isset($form_status) && isset($form_status_message)) { ?>
        <div class="alert alert-<?php echo str_replace('error', 'danger', $form_status); ?>"><button type="button" class="close" data-dismiss="alert">×</button><?php echo $form_status_message; ?></div>
        <?php } ?>
    </div>
    <div class="hidden csrf-container">
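The views above use the NoCsrf token in three shapes: a hidden form field (generate()), a bare value pasted into a single-quoted JavaScript string (generate('', true) in the page head), and a fresh token returned in the AJAX response as csrf_html after a POST. The following is an added, framework-free token helper covering those three uses; it is not the project's \Extension\NoCsrf, whose internals the page does not show, and CsrfToken, its methods and the default key 'fuel_csrf_token' are assumptions. It makes two points explicit that the templates leave implicit: the submitted value is compared with hash_equals and the token is rotated after every accepted check, so a value captured from one response cannot be replayed, and the JavaScript literal is produced with json_encode rather than by concatenating into a quoted string.

```php
<?php
// Added example, not the project's \Extension\NoCsrf. Hypothetical class and key name;
// $session is a plain array the caller is assumed to persist (e.g. $_SESSION).
declare(strict_types=1);

final class CsrfToken
{
    public function __construct(private string $key = 'fuel_csrf_token')
    {
    }

    // Mint a fresh random token into the session and return it.
    public function issue(array &$session): string
    {
        $token = bin2hex(random_bytes(32));
        $session[$this->key] = $token;
        return $token;
    }

    // Current token (minted if absent) as a hidden input for a normal form post.
    public function hiddenInput(array &$session): string
    {
        $token = $session[$this->key] ?? $this->issue($session);
        return '<input type="hidden" name="' . htmlspecialchars($this->key, ENT_QUOTES)
            . '" value="' . htmlspecialchars($token, ENT_QUOTES) . '" />';
    }

    // Current token as a JavaScript string literal for a <script> block. json_encode
    // with the HEX flags yields a quoted literal that cannot break out of the script.
    public function jsLiteral(array &$session): string
    {
        $token = $session[$this->key] ?? $this->issue($session);
        return (string) json_encode($token, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }

    // Constant-time comparison against the session copy; on success the token is
    // rotated, which is what the AJAX handlers above do when they return csrf_html.
    public function check(array &$session, ?string $submitted): bool
    {
        $expected = $session[$this->key] ?? null;
        if (!is_string($expected) || !is_string($submitted)) {
            return false;
        }
        $ok = hash_equals($expected, $submitted);
        if ($ok) {
            $this->issue($session);
        }
        return $ok;
    }
}

// Constructed walk-through with an in-memory "session".
$csrf = new CsrfToken();
$session = [];
echo $csrf->hiddenInput($session), PHP_EOL;
$submitted = $session['fuel_csrf_token'];       // what a legitimate form would post back
var_dump($csrf->check($session, $submitted));   // first use of the token
var_dump($csrf->check($session, $submitted));   // second use re-submits the consumed token
var_dump($csrf->check($session, null));         // request with no token at all
echo 'var nocsrf_val = ', $csrf->jsLiteral($session), ';', PHP_EOL;
```

Rotation on every accepted check is the strict choice and matches the AJAX flow on this page, where the response carries the next token; for a page with several independent forms open at once it means the client must swap in the returned value before the next submit, which is what the csrf_html field in the JSON responses is for.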