<?php if ($ucnt > 0) { ?> <input type="submit" value="<?php echo WT_I18N::translate('continue'); ?> "> <?php } ?> </p> </form><?php break; case 'cleanup2': foreach (User::all() as $user) { if (WT_Filter::post('del_' . $user->getUserId()) == '1') { Log::addAuthenticationLog('Deleted user: '******'Deleted user: '******'<br>'; $user->delete(); } } break; case 'listusers': default: echo '<table id="list">', '<thead>', '<tr>', '<th style="margin:0 -2px 1px 1px; padding:6px 0 5px;"> </th>', '<th> user-id </th>', '<th>', WT_I18N::translate('Username'), '</th>', '<th>', WT_I18N::translate('Real name'), '</th>', '<th>', WT_I18N::translate('Email'), '</th>', '<th> </th>', '<th>', WT_I18N::translate('Language'), '</th>', '<th> date_registered </th>', '<th>', WT_I18N::translate('Date registered'), '</th>', '<th> last_login </th>', '<th>', WT_I18N::translate('Last logged in'), '</th>', '<th>', WT_I18N::translate('Verified'), '</th>', '<th>', WT_I18N::translate('Approved'), '</th>', '<th style="margin:0 -2px 1px 1px; padding:3px 0 4px;"> </th>', '</tr>', '</thead>', '<tbody>', '</tbody>', '</table>'; $controller->addExternalJavascript(WT_JQUERY_DATATABLES_URL)->addExternalJavascript(WT_JQUERY_JEDITABLE_URL)->addInlineJavascript(' var oTable = jQuery("#list").dataTable({ dom: \'<"H"pf<"dt-clear">irl>t<"F"pl>\', ' . WT_I18N::datatablesI18N() . ', processing: true, serverSide: true, ajax: "' . WT_SCRIPT_NAME . '?action=loadrows",
<?php
// Log out from the current session
//
// webtrees: Web based Family History software
// Copyright (C) 2014 webtrees development team.
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA

use WT\Auth;
use WT\Log;

define('WT_SCRIPT_NAME', 'logout.php');
require './includes/session.php';

// Record who is leaving *before* the session is torn down: the identity
// read through Auth::user() is only available while the session still
// names a user, so the log entry must be written ahead of Auth::logout().
if (Auth::id()) {
    $leaving = Auth::user();
    Log::addAuthenticationLog(sprintf('Logout: %s/%s', $leaving->getUserName(), $leaving->getRealName()));
    Auth::logout();
}

// The redirect target is assembled from server-side constants only; no
// request data reaches the Location header.
header('Location: ' . WT_SERVER_NAME . WT_SCRIPT_PATH);
WT_DB::prepare("INSERT INTO `##message` (sender, ip_address, user_id, subject, body) VALUES (? ,? ,? ,? ,?)")->execute(array($user_name, $WT_REQUEST->getClientIp(), $webmaster->getUserId(), $mail1_subject, WT_Filter::unescapeHtml($mail1_body))); } $user->setSetting('verified', 1)->setSetting('reg_timestamp', date("U"))->setSetting('reg_hashcode', null); if (!$REQUIRE_ADMIN_AUTH_REGISTRATION) { set_user_setting($user_id, 'verified_by_admin', 1); } Log::addAuthenticationLog('User ' . $user_name . ' verified their email address'); echo '<br><br>' . WT_I18N::translate('You have confirmed your request to become a registered user.') . '<br><br>'; if ($REQUIRE_ADMIN_AUTH_REGISTRATION && !$user->getSetting('verified_by_admin')) { echo WT_I18N::translate('The administrator has been informed. As soon as he gives you permission to login, you can login with your user name and password.'); } else { echo WT_I18N::translate('You can now login with your user name and password.'); } echo '<br><br>'; } else { Log::addAuthenticationLog('User ' . $user_name . ' failed to verify their email address'); echo '<br><br>'; echo '<span class="warning">'; echo WT_I18N::translate('Data was not correct, please try again'); echo '</span><br><br>'; } } else { echo '<br><br>'; echo '<span class="warning">'; echo WT_I18N::translate('Could not verify the information you entered. Please try again or contact the site administrator for more information.'); echo '</span>'; } echo '</div>'; echo '</div>'; break; }
$record->deleteRecord(); } else { header('HTTP/1.0 406 Not Acceptable'); } break; case 'delete-user': $user = User::find(WT_Filter::postInteger('user_id')); if ($user && Auth::isAdmin() && Auth::user() !== $user) { Log::addAuthenticationLog('Deleted user: '******'masquerade': $user = User::find(WT_Filter::postInteger('user_id')); if ($user && Auth::isAdmin() && Auth::user() !== $user) { Log::addAuthenticationLog('Masquerade as user: '******'HTTP/1.0 406 Not Acceptable'); } break; case 'unlink-media': // Remove links from an individual and their spouse-family records to a media object. // Used by the "unlink" option on the album (lightbox) tab. require WT_ROOT . 'includes/functions/functions_edit.php'; $source = WT_Individual::getInstance(WT_Filter::post('source', WT_REGEX_XREF)); $target = WT_Filter::post('target', WT_REGEX_XREF); if ($source && $source->canShow() && $source->canEdit() && $target) { // Consider the individual and their spouse-family records $sources = $source->getSpouseFamilies(); $sources[] = $source;
$form_email = WT_Filter::postEmail('form_email'); $form_rootid = WT_Filter::post('form_rootid', WT_REGEX_XREF); $form_theme = WT_Filter::post('form_theme', implode('|', $ALL_THEME_DIRS)); $form_language = WT_Filter::post('form_language', implode('|', array_keys(WT_I18N::installed_languages())), WT_LOCALE); $form_contact_method = WT_Filter::post('form_contact_method'); $form_visible_online = WT_Filter::postBool('form_visible_online'); // Respond to form action if ($form_action == 'update' && WT_Filter::checkCsrf()) { if ($form_username != Auth::user()->getUserName() && User::findByIdentifier($form_username)) { WT_FlashMessages::addMessage(WT_I18N::translate('Duplicate user name. A user with that user name already exists. Please choose another user name.')); } elseif ($form_email != Auth::user()->getEmail() && User::findByIdentifier($form_email)) { WT_FlashMessages::addMessage(WT_I18N::translate('Duplicate email address. A user with that email already exists.')); } else { // Change username if ($form_username != WT_USER_NAME) { Log::addAuthenticationLog('User ' . Auth::user()->getUserName() . ' renamed to ' . $form_username); Auth::user()->setUserName($form_username); } // Change password if ($form_pass1 && $form_pass1 == $form_pass2) { Auth::user()->setPassword($form_pass1); } // Change other settings Auth::user()->setRealName($form_realname)->setEmail($form_email)->setSetting('theme', $form_theme)->setSetting('language', $form_language)->setSetting('contactmethod', $form_contact_method)->setSetting('visibleonline', $form_visible_online); $WT_TREE->userPreference(WT_USER_ID, 'rootid', $form_rootid); // Reload page to pick up changes such as theme and user_id header('Location: ' . WT_SERVER_NAME . WT_SCRIPT_PATH . WT_SCRIPT_NAME); exit; } } $controller = new WT_Controller_Page();
/**
 * If the Facebook username or email is associated with an account, login to it. Otherwise, register a new account.
 *
 * Flow as implemented below:
 *  1. Reject unverified Facebook accounts when the module's 'require_verified' setting is on.
 *  2. Resolve an existing webtrees user, first via the stored Facebook-username preference,
 *     then via the Facebook e-mail address (which the user must have shared).
 *  3. Existing user: run $this->login() and redirect, or show why the login was refused.
 *  4. New user: create an account with a random throw-away password, apply any pre-approval
 *     record, and auto-submit a 'verify_hash' form to WT_LOGIN_URL to finish verification.
 *
 * Every branch that calls $this->error_page() continues into code that assumes the error
 * case is gone, i.e. error_page() is relied on to terminate the request.
 * NOTE(review): confirm error_page() really exits — if it returns, the checks below it are bypassed.
 *
 * @param object $facebookUser Facebook user (by reference: ->username is filled in from ->id when empty)
 * @param string $url (optional) URL to redirect to afterwards. It is appended to WT_SCRIPT_PATH and passed
 *                    to getConnectURL() without validation here — NOTE(review): confirm the caller
 *                    constrains it to a site-relative path.
 */
private function login_or_register(&$facebookUser, $url = '') {
    // Site-wide switch: when set, new registrations wait for an administrator's approval
    // unless a pre-approval record exists (see $verifiedByAdmin below).
    $REQUIRE_ADMIN_AUTH_REGISTRATION = WT_Site::getPreference('REQUIRE_ADMIN_AUTH_REGISTRATION');

    // Identity assurance is delegated to Facebook's own "verified" flag; an unverified
    // Facebook account is refused unless the admin switched this requirement off.
    if ($this->getSetting('require_verified', 1) && empty($facebookUser->verified)) {
        $this->error_page(WT_I18N::translate('Only verified Facebook accounts are authorized. Please verify your account on Facebook and then try again'));
    }

    // Facebook accounts without a vanity username are identified by their numeric id instead.
    if (empty($facebookUser->username)) {
        $facebookUser->username = $facebookUser->id;
    }

    // Lookup 1: a webtrees account previously linked to this Facebook username.
    $user_id = $this->get_user_id_from_facebook_username($facebookUser->username);
    if (!$user_id) {
        // Lookup 2 needs the e-mail address, which the user may have declined to share.
        if (!isset($facebookUser->email)) {
            $this->error_page(WT_I18N::translate('You must grant access to your email address via Facebook in order to use this website. Please uninstall the application on Facebook and try again.'));
        }
        // Matching on e-mail ties a manually created webtrees account to this Facebook identity.
        $user = User::findByIdentifier($facebookUser->email);
        if ($user) {
            $user_id = $user->getUserId();
        }
    }

    if ($user_id) {
        // This is an existing user so log them in if they are approved
        $login_result = $this->login($user_id);
        $message = '';
        switch ($login_result) {
        case -1: // not validated
            $message = WT_I18N::translate('This account has not been verified. Please check your email for a verification message.');
            break;
        case -2: // not approved
            $message = WT_I18N::translate('This account has not been approved. Please wait for an administrator to approve it.');
            break;
        default:
            // Login succeeded: (re)record the Facebook username on the account so that
            // lookup 1 finds it directly next time, then send the browser on.
            $user = User::find($user_id);
            $user->setPreference(self::user_setting_facebook_username, $this->cleanseFacebookUsername($facebookUser->username));
            // redirect to the homepage/$url
            header('Location: ' . WT_SCRIPT_PATH . $url);
            return;
        }
        $this->error_page($message);
    } else {
        // This is a new Facebook user who may or may not already have a manual account
        if (!WT_Site::getPreference('USE_REGISTRATION_MODULE')) {
            $this->error_page('<p>' . WT_I18N::translate('The administrator has disabled registrations.') . '</p>');
        }

        // check if the username is already in use
        // $username (untruncated) keys the pre-approval records; $wt_username is what gets stored.
        $username = $this->cleanseFacebookUsername($facebookUser->username);
        // substr() is byte-wise, so a multi-byte username may be cut mid-character here.
        $wt_username = substr($username, 0, 32); // Truncate the username to 32 characters to match the DB.
        if (User::findByIdentifier($wt_username)) {
            // fallback to email as username since we checked above that a user with the email didn't exist.
            $wt_username = $facebookUser->email;
            $wt_username = substr($wt_username, 0, 32); // Truncate the username to 32 characters to match the DB.
        }

        // Generate a random password since the user shouldn't need it and can always reset it.
        // rand()/uniqid() are not cryptographic sources, so neither value below is unpredictable;
        // both are only needed to drive the verify_hash form rendered further down.
        $password = md5(uniqid(rand(), TRUE));
        $hashcode = md5(uniqid(rand(), true));

        // 'preapproved' is this module's own setting (written back with serialize() below),
        // not request data — unserialize() must only ever see that stored value.
        $preApproved = unserialize($this->getSetting('preapproved'));

        // From login.php:
        Log::addAuthenticationLog('User registration requested for: ' . $wt_username);

        // Real name and e-mail come straight from the Facebook profile object.
        if ($user = User::create($wt_username, $facebookUser->name, $facebookUser->email, $password)) {
            // Auto-approve when the site does not require admin approval, or when an admin
            // pre-approved this (untruncated) Facebook username.
            $verifiedByAdmin = !$REQUIRE_ADMIN_AUTH_REGISTRATION || isset($preApproved[$username]);
            // 'verified' is granted immediately (Facebook vouched for the e-mail address);
            // 'sessiontime' stays '0' for accounts still awaiting approval.
            // The '@' hides the undefined-property notice when Facebook returned no birthday;
            // birthday and profile URL are kept in the account's admin comment.
            $user->setPreference(self::user_setting_facebook_username, $this->cleanseFacebookUsername($facebookUser->username))
                ->setPreference('language', WT_LOCALE)
                ->setPreference('verified', '1')
                ->setPreference('verified_by_admin', $verifiedByAdmin ? '1' : '0')
                ->setPreference('reg_timestamp', date('U'))
                ->setPreference('reg_hashcode', $hashcode)
                ->setPreference('contactmethod', 'messaging2')
                ->setPreference('visibleonline', '1')
                ->setPreference('editaccount', '1')
                ->setPreference('auto_accept', '0')
                ->setPreference('canadmin', '0')
                ->setPreference('sessiontime', $verifiedByAdmin ? WT_TIMESTAMP : '0')
                ->setPreference('comment', @$facebookUser->birthday . "\n " . "https://www.facebook.com/" . $this->cleanseFacebookUsername($facebookUser->username));

            // Apply pre-approval settings
            if (isset($preApproved[$username])) {
                $userSettings = $preApproved[$username];
                // One entry per tree: gedcom id, root individual, and edit permission.
                foreach ($userSettings as $gedcom => $userGedcomSettings) {
                    foreach (array('gedcomid', 'rootid', 'canedit') as $userPref) {
                        if (empty($userGedcomSettings[$userPref])) {
                            continue;
                        }
                        // Use a direct DB query instead of $tree->setUserPreference since we
                        // can't get a reference to the WT_Tree since it checks permissions but
                        // we are trying to give the permissions.
                        // Parameterised statement; the value column is clipped to 255 in SQL.
                        WT_DB::prepare("REPLACE INTO `##user_gedcom_setting` (user_id, gedcom_id, setting_name, setting_value) VALUES (?, ?, ?, LEFT(?, 255))")->execute(array($user->getUserId(), $gedcom, $userPref, $userGedcomSettings[$userPref]));
                    }
                }
                // Remove the pre-approval record
                // (single-use: the record is consumed and the setting re-serialised without it)
                unset($preApproved[$username]);
                $this->setSetting('preapproved', serialize($preApproved));
            }

            // We need jQuery below
            global $controller;
            $controller = new WT_Controller_Page();
            $controller->setPageTitle($this->getTitle())->pageHeader();

            // The generated plaintext password and hashcode are rendered into the page so the
            // auto-submitted form can complete the ordinary verify_hash flow on WT_LOGIN_URL;
            // WT_Filter::getCsrf() supplies the CSRF token field for that request.
            echo '<form id="verify-form" name="verify-form" method="post" action="', WT_LOGIN_URL, '" class="ui-autocomplete-loading" style="width:16px;height:16px;padding:0">';
            echo $this->hidden_input("action", "verify_hash");
            echo $this->hidden_input("user_name", $wt_username);
            echo $this->hidden_input("user_password", $password);
            echo $this->hidden_input("user_hashcode", $hashcode);
            echo WT_Filter::getCsrf();
            echo '</form>';

            if ($verifiedByAdmin) {
                // Approved accounts: verify via XHR, then go to the connect URL to actually log in.
                // The translated text and the two URLs are spliced into JavaScript without JS
                // escaping — NOTE(review): a translation containing a double quote would break
                // this script; confirm the sources are controlled.
                $controller->addInlineJavaScript('
                    function verify_hash_success() {
                        // now the account is approved but not logged in. Now actually login for the user.
                        window.location = "' . $this->getConnectURL($url) . '";
                    }
                    function verify_hash_failure() {
                        alert("' . WT_I18N::translate("There was an error verifying your account. Contact the site administrator if you are unable to access the site.") . '");
                        window.location = "' . WT_SCRIPT_PATH . '";
                    }
                    $(document).ready(function() {
                        $.post("' . WT_LOGIN_URL . '", $("#verify-form").serialize(), verify_hash_success).fail(verify_hash_failure);
                    });
                ');
            } else {
                // Accounts awaiting approval: a plain form submit hands the user over to WT_LOGIN_URL.
                echo '<script>document.getElementById("verify-form").submit()</script>';
            }
        } else {
            Log::addErrorLog("Facebook: Couldn't create the user account");
            $this->error_page('<p>' . WT_I18N::translate('Unable to create your account. Please try again.') . '</p>' . '<div class="back"><a href="javascript:history.back()">' . WT_I18N::translate('Back') . '</a></div>');
        }
    }
}
if (preg_match('/(?!' . preg_quote(WT_SERVER_NAME, '/') . ')(((?:ftp|http|https):\\/\\/)[a-zA-Z0-9.-]+)/', $subject . $body, $match)) { $errors .= '<p class="ui-state-error">' . WT_I18N::translate('You are not allowed to send messages that contain external links.') . '</p>' . '<p class="ui-state-highlight">' . WT_I18N::translate('You should delete the “%1$s” from “%2$s” and try again.', $match[2], $match[1]) . '</p>' . Log::addAuthenticationLog('Possible spam message from "' . $from_name . '"/"' . $from_email . '", subject="' . $subject . '", body="' . $body . '"'); $action = 'compose'; } $from = $from_email; } // Ensure the user always visits this page twice - once to compose it and again to send it. // This makes it harder for spammers. switch ($action) { case 'compose': $WT_SESSION->good_to_send = true; break; case 'send': // Only send messages if we've come straight from the compose page. if (!$WT_SESSION->good_to_send) { Log::addAuthenticationLog('Attempt to send message without visiting the compose page. Spam attack?'); $action = 'compose'; } if (!WT_Filter::checkCsrf()) { $action = 'compose'; } unset($WT_SESSION->good_to_send); break; } switch ($action) { case 'compose': $controller->pageHeader()->addInlineJavascript(' function checkForm(frm) { if (frm.subject.value=="") { alert("' . WT_I18N::translate('Please enter a message subject.') . '"); document.messageform.subject.focus();
/**
 * Validate the CSRF token submitted with the current POST request.
 *
 * The posted 'csrf' field must be identical (strict comparison) to the
 * token WT_Filter::getCsrfToken() holds for this session. A mismatch is
 * written to the authentication log and reported to the user as an
 * expired form, since a stale session and a forged request look the same
 * from here.
 *
 * The comparison is not constant-time; hash_equals() is the preferred
 * primitive where PHP >= 5.6 is available.
 *
 * @return bool true when the token matches, false otherwise
 */
public static function checkCsrf() {
    $submitted = WT_Filter::post('csrf');
    $expected  = WT_Filter::getCsrfToken();

    if ($submitted === $expected) {
        return true;
    }

    // Oops. Something is not quite right
    Log::addAuthenticationLog('CSRF mismatch - session expired or malicious attack');
    WT_FlashMessages::addMessage(WT_I18N::translate('This form has expired. Try again.'));

    return false;
}