/**
 * Displays a login form
 *
 * This is the version of the login form displayed in the content area of the
 * page (not the side bar). It will present all options (remote authentication
 * - including OpenID, new registration link, etc.) according to the current
 * configuration settings.
 *
 * The 'services', 'openid_login' and 'oauth_login' sub-templates are each
 * parsed into a template variable first; the main 'login' template is parsed
 * last, so the order of the sections below matters.
 *
 * Recognised keys of $use_config (see $default_config for the defaults):
 * hide_forgotpw_link, hidden_fields, no_oauth_login, no_3rdparty_login,
 * no_openid_login, no_newreg_link, no_plugin_vars, title, message,
 * button_text. Unknown keys are merged into $config but never read here.
 *
 * @param array $use_config options to override some of the defaults
 * @return string HTML of the login form
 */
function SEC_loginForm($use_config = array())
{
    global $_CONF, $LANG01, $LANG04, $_SCRIPTS;

    $retval = '';
    $have_remote_login = false;

    // Caller-supplied keys override these defaults (array_merge, last wins).
    $default_config = array(
        'hide_forgotpw_link' => false,
        'hidden_fields'      => '',
        'no_oauth_login'     => false,
        'no_3rdparty_login'  => false,
        'no_openid_login'    => false,
        'no_newreg_link'     => false,
        'no_plugin_vars'     => false,
        'title'              => $LANG04[65],
        'message'            => $LANG04[66],
        'button_text'        => $LANG04[80]
    );
    $config = array_merge($default_config, $use_config);

    $loginform = COM_newTemplate($_CONF['path_layout'] . 'users');
    $loginform->set_file('login', 'loginform.thtml');

    $loginform->set_var('start_block_loginagain', COM_startBlock($config['title']));
    $loginform->set_var('lang_message', $config['message']);

    // Registration link is hidden by the caller or by site configuration.
    if ($config['no_newreg_link'] || $_CONF['disable_new_user_registration']) {
        $loginform->set_var('lang_newreglink', '');
    } else {
        $loginform->set_var('lang_newreglink', $LANG04[123]);
    }

    $loginform->set_var('lang_username', $LANG04[2]);
    $loginform->set_var('lang_password', $LANG01[57]);

    if ($config['hide_forgotpw_link']) {
        $loginform->set_var('lang_forgetpassword', '');
        $loginform->set_var('forgetpassword_link', '');
    } else {
        $loginform->set_var('lang_forgetpassword', $LANG04[25]);
        $forget = COM_createLink($LANG04[25], $_CONF['site_url'] . '/users.php?mode=getpassword', array('rel' => 'nofollow'));
        $loginform->set_var('forgetpassword_link', $forget);
    }

    $loginform->set_var('lang_login', $config['button_text']);
    $loginform->set_var('lang_remote_login', $LANG04[167]);
    $loginform->set_var('lang_remote_login_desc', $LANG04[168]);
    $loginform->set_var('end_block', COM_endBlock());

    // 3rd party remote authentification.
    $services = '';
    if (!$config['no_3rdparty_login'] && $_CONF['user_login_method']['3rdparty'] && $_CONF['usersubmission'] == 0) {
        $modules = SEC_collectRemoteAuthenticationModules();
        if (count($modules) > 0) {
            if (!$_CONF['user_login_method']['standard'] && count($modules) == 1) {
                // Exactly one remote service and no local login: nothing to choose.
                $select = '<input type="hidden" name="service" value="' . $modules[0] . '"' . XHTML . '>' . $modules[0];
            } else {
                // Build select
                $select = '<select name="service">';
                if ($_CONF['user_login_method']['standard']) {
                    // NOTE(review): site_name and the module names are inserted without HTML escaping - fine only if they are plain identifiers; confirm
                    $select .= '<option value="">' . $_CONF['site_name'] . '</option>';
                }
                foreach ($modules as $service) {
                    $select .= '<option value="' . $service . '">' . $service . '</option>';
                }
                $select .= '</select>';
            }
            $loginform->set_file('services', 'services.thtml');
            $loginform->set_var('lang_service', $LANG04[121]);
            $loginform->set_var('select_service', $select);
            $loginform->parse('output', 'services');
            $services .= $loginform->finish($loginform->get_var('output'));
        }
    }
    if (!empty($config['hidden_fields'])) {
        // allow caller to (ab)use {services} for hidden fields
        $services .= $config['hidden_fields'];
    }
    $loginform->set_var('services', $services);

    // OpenID remote authentification.
    if (!$config['no_openid_login'] && $_CONF['user_login_method']['openid'] && $_CONF['usersubmission'] == 0 && !$_CONF['disable_new_user_registration']) {
        $have_remote_login = true;
        $_SCRIPTS->setJavascriptFile('login', '/javascript/login.js');
        $loginform->set_file('openid_login', '../loginform_openid.thtml');
        $loginform->set_var('lang_openid_login', $LANG01[128]);
        $loginform->set_var('input_field_size', 40); // for backward compatibility - not used any more
        // NOTE(review): the fallback URL is built from the client-supplied Host
        // header ($_SERVER['HTTP_HOST']) rather than $_CONF['site_url']; the
        // side-bar variant uses site_url - confirm which origin OpenID should see
        $app_url = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
        $loginform->set_var('app_url', $app_url);
        $loginform->parse('output', 'openid_login');
        $loginform->set_var('openid_login', $loginform->finish($loginform->get_var('output')));
    } else {
        $loginform->set_var('openid_login', '');
    }

    // OAuth remote authentification.
    if (!$config['no_oauth_login'] && $_CONF['user_login_method']['oauth'] && $_CONF['usersubmission'] == 0 && !$_CONF['disable_new_user_registration']) {
        $have_remote_login = true;
        $_SCRIPTS->setJavascriptFile('login', '/javascript/login.js');
        $modules = SEC_collectRemoteOAuthModules();
        if (count($modules) == 0) {
            $loginform->set_var('oauth_login', '');
        } else {
            $html_oauth = '';
            // Grab oauth icons from theme
            if ($_CONF['theme_oauth_icons']) {
                $icon_path = $_CONF['layout_url'] . '/images/';
            } else {
                $icon_path = $_CONF['site_url'] . '/images/';
            }
            // One rendered copy of loginform_oauth.thtml per configured service.
            foreach ($modules as $service) {
                $loginform->set_file('oauth_login', '../loginform_oauth.thtml');
                $loginform->set_var('oauth_service', $service);
                $loginform->set_var('lang_oauth_service', $LANG01[$service]);
                // for sign in image
                $loginform->set_var('oauth_sign_in_image', $icon_path . $service . '-login-icon.png');
                $loginform->parse('output', 'oauth_login');
                $html_oauth .= $loginform->finish($loginform->get_var('output'));
            }
            $loginform->set_var('oauth_login', $html_oauth);
        }
    } else {
        $loginform->set_var('oauth_login', '');
    }

    // Only set when at least one remote (OpenID/OAuth) section was rendered.
    if ($have_remote_login) {
        $loginform->set_var('remote_login_class', 'remote-login-enabled');
    }

    if (!$config['no_plugin_vars']) {
        PLG_templateSetVars('loginform', $loginform);
    }

    $loginform->parse('output', 'login');
    $retval .= $loginform->finish($loginform->get_var('output'));

    return $retval;
}
/**
 * Displays a login form
 *
 * This is the version of the login form displayed in the content area of the
 * page (not the side bar). It will present all options (remote authentication
 * - including new registration link, etc.) according to the current
 * configuration settings.
 *
 * Recognised keys of $use_options (defaults in $default_options):
 * forgotpw_link, hidden_fields, oauth_login, 3rdparty_login, newreg_link,
 * verification_link, plugin_vars, prefill_user, title, message,
 * footer_message, button_text, form_action. Unknown keys are merged into
 * $options but never read here.
 *
 * @param array $use_options options to override default settings
 * @return string HTML of the login form
 *
 */
function SEC_loginForm($use_options = array())
{
    global $_CONF, $_USER, $LANG01, $LANG04;

    $retval = '';

    // Caller-supplied keys override these defaults (array_merge, last wins).
    $default_options = array(
        'forgotpw_link'     => true,
        'hidden_fields'     => '',
        'oauth_login'       => true,
        '3rdparty_login'    => true,
        'newreg_link'       => true,
        'verification_link' => false,
        'plugin_vars'       => true,
        'prefill_user'      => false,
        'title'             => $LANG04[65],
        'message'           => '',
        'footer_message'    => '',
        'button_text'       => $LANG04[80],
        'form_action'       => $_CONF['site_url'] . '/users.php'
    );
    $options = array_merge($default_options, $use_options);

    $loginform = new Template($_CONF['path_layout'] . 'users');
    $loginform->set_file('login', 'loginform.thtml');
    $loginform->set_var('form_action', $options['form_action']);
    $loginform->set_var('footer_message', $options['footer_message']);
    $loginform->set_var('start_block_loginagain', COM_startBlock($options['title']));
    $loginform->set_var('lang_message', $options['message']);

    // Loose comparison: any falsy value (0, '', null) also hides the link.
    if ($options['newreg_link'] == false || $_CONF['disable_new_user_registration']) {
        $loginform->set_var('lang_newreglink', '');
    } else {
        $loginform->set_var('lang_newreglink', $LANG04[123]);
    }

    $loginform->set_var('lang_username', $LANG04[2]);
    $loginform->set_var('lang_password', $LANG01[57]);

    if ($options['forgotpw_link']) {
        $loginform->set_var('lang_forgetpassword', $LANG04[25]);
        $forget = COM_createLink($LANG04[25], $_CONF['site_url'] . '/users.php?mode=getpassword', array('rel' => 'nofollow'));
        $loginform->set_var('forgetpassword_link', $forget);
    } else {
        $loginform->set_var('lang_forgetpassword', '');
        $loginform->set_var('forgetpassword_link', '');
    }

    $loginform->set_var('lang_login', $options['button_text']);
    $loginform->set_var('end_block', COM_endBlock());

    // 3rd party remote authentication.
    $services = '';
    if ($options['3rdparty_login'] && $_CONF['user_login_method']['3rdparty'] && $_CONF['usersubmission'] == 0) {
        $modules = SEC_collectRemoteAuthenticationModules();
        if (count($modules) > 0) {
            if (!$_CONF['user_login_method']['standard'] && count($modules) == 1) {
                // Exactly one remote service and no local login: nothing to choose.
                $select = '<input type="hidden" name="service" value="' . $modules[0] . '"/>' . $modules[0] . LB;
            } else {
                // Build select
                $select = '<select name="service">';
                if ($_CONF['user_login_method']['standard']) {
                    // NOTE(review): site_name and the module names are inserted without HTML escaping - fine only if they are plain identifiers; confirm
                    $select .= '<option value="">' . $_CONF['site_name'] . '</option>' . LB;
                }
                foreach ($modules as $service) {
                    $select .= '<option value="' . $service . '">' . $service . '</option>' . LB;
                }
                $select .= '</select>';
            }
            $loginform->set_file('services', 'services.thtml');
            $loginform->set_var('lang_service', $LANG04[121]);
            $loginform->set_var('select_service', $select);
            $loginform->parse('output', 'services');
            $services .= $loginform->finish($loginform->get_var('output'));
        }
    }
    if (!empty($options['hidden_fields'])) {
        // allow caller to (ab)use {services} for hidden fields
        // (also exposed separately as {hidden_fields} for templates that want it)
        $services .= $options['hidden_fields'];
        $loginform->set_var('hidden_fields', $options['hidden_fields']);
    }
    $loginform->set_var('services', $services);

    // OAuth remote authentication.
    if ($options['oauth_login'] && $_CONF['user_login_method']['oauth']) {
        $modules = SEC_collectRemoteOAuthModules();
        if (count($modules) == 0) {
            $loginform->set_var('oauth_login', '');
        } else {
            $html_oauth = '';
            // One rendered copy of loginform_oauth.thtml per configured service.
            foreach ($modules as $service) {
                $loginform->set_file('oauth_login', '../loginform_oauth.thtml');
                $loginform->set_var('oauth_service', $service);
                $loginform->set_var('oauth_service_display', ucwords($service));
                // for sign in image
                $loginform->set_var('oauth_sign_in_image', $_CONF['site_url'] . '/images/login-with-' . $service . '.png');
                $loginform->parse('output', 'oauth_login');
                $html_oauth .= $loginform->finish($loginform->get_var('output'));
            }
            $loginform->set_var('oauth_login', $html_oauth);
        }
    } else {
        $loginform->set_var('oauth_login', '');
    }

    if ($options['verification_link']) {
        $loginform->set_var('lang_verification', $LANG04[169]);
        // NOTE(review): the link text reuses $LANG04[25] (the "forgot password"
        // string) for a "get new token" link - confirm that this is intended
        $verify = COM_createLink($LANG04[25], $_CONF['site_url'] . '/users.php?mode=getnewtoken', array('rel' => 'nofollow'));
        $loginform->set_var('verification_link', $verify);
    } else {
        $loginform->set_var('lang_verification', '');
        $loginform->set_var('verification_link', '');
    }

    // Pre-fill the username of the current session and move focus to the
    // password field; otherwise leave the name empty and focus it.
    if ($options['prefill_user'] && isset($_USER['username']) && $_USER['username'] != '') {
        $loginform->set_var('loginname', $_USER['username']);
        $loginform->set_var('focus', 'passwd');
    } else {
        $loginform->set_var('loginname', '');
        $loginform->set_var('focus', 'loginname');
    }

    if ($options['plugin_vars']) {
        PLG_templateSetVars('loginform', $loginform);
    }

    $loginform->parse('output', 'login');
    $retval .= $loginform->finish($loginform->get_var('output'));

    return $retval;
}
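/**
 * Authenticates the user if authentication headers are present
 *
 * Our handling of the speedlimit here requires some explanation ...
 * Atompub clients will usually try to do everything without logging in first.
 * Since that would mean that we can't provide feeds for drafts, items with
 * special permissions, etc. we ask them to log in (PLG_RET_AUTH_FAILED).
 * That, however, means that every request from an Atompub client will count
 * as one failed login attempt. So doing a couple of requests in quick
 * succession will surely get the client blocked. Therefore
 * - a request without any login credentials counts as one failed login attempt
 * - a request with wrong login credentials counts as two failed login attempts
 * - if, after a successful login, we have only one failed attempt on record,
 *   we reset the speedlimit
 * This still ensures that
 * - repeated failed logins (without or with invalid credentials) will cause the
 *   client to be blocked eventually
 * - this can not be used for dictionary attacks
 *
 * Credentials come from $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'] when PHP
 * sees the Authorization header itself, otherwise from $_SERVER['REMOTE_USER']
 * holding the raw "Basic <base64(username:password)>" value (see the comment
 * in the body). Remote (3rd party) users log in as username@servicename.
 *
 * On success the globals $_USER, $_GROUPS and $_RIGHTS are populated for the
 * authenticated user. On failure WS_error() is called with PLG_RET_AUTH_FAILED
 * (or PLG_RET_PERMISSION_DENIED once the speed limit is exceeded). Nothing is
 * returned.
 */
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

    $uid = '';
    $username = '';
    $password = '';
    $status = -1;

    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = COM_applyBasicFilter($_SERVER['PHP_AUTH_USER']);
        $password = $_SERVER['PHP_AUTH_PW'];
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}'");
        }
    /** this does not work!
     *******************************************************
     * } elseif (!empty($_SERVER['HTTP_X_WSSE']) &&
     *           (strpos($_SERVER['HTTP_X_WSSE'], 'UsernameToken') !== false)) {
     *     // this is loosely based on a code snippet taken from Elgg (elgg.org)
     *     $wsse = str_replace('UsernameToken', '', $_SERVER['HTTP_X_WSSE']);
     *     $wsse = explode(',', $wsse);
     *     $username = ''; $pwdigest = ''; $created = ''; $nonce = '';
     *     foreach ($wsse as $element) {
     *         $element = explode('=', $element);
     *         $key = array_shift($element);
     *         if (count($element) == 1) { $val = $element[0]; }
     *         else { $val = implode('=', $element); }
     *         $key = trim($key);
     *         $val = trim($val, "\x22\x27");
     *         if ($key == 'Username') { $username = COM_applyBasicFilter($val); }
     *         elseif ($key == 'PasswordDigest') { $pwdigest = $val; }
     *         elseif ($key == 'Created') { $created = $val; }
     *         elseif ($key == 'Nonce') { $nonce = $val; }
     *     }
     *     if (!empty($username) && !empty($pwdigest) && !empty($created) && !empty($nonce)) {
     *         $uname = DB_escapeString($username);
     *         $pwd = DB_getItem($_TABLES['users'], 'passwd', "username = '******'");
     *         // ... and here we would need the _unencrypted_ password
     *         if (!empty($pwd)) {
     *             $mydigest = pack('H*', sha1($nonce . $created . $pwd));
     *             $mydigest = base64_encode($mydigest);
     *             if ($pwdigest == $mydigest) { $password = $pwd; }
     *         }
     *     }
     *     if ($WS_VERBOSE) {
     *         COM_errorLog("WS: Attempting to log in user '$username' (via WSSE)");
     *     }
     ******************************************************************************/
    } elseif (!empty($_SERVER['REMOTE_USER'])) {
        /* PHP installed as CGI may not have access to authorization headers of
         * Apache. In that case, use .htaccess to store the auth header as
         * explained at
         * http://wiki.geeklog.net/wiki/index.php/Webservices_API#Authentication
         */
        // Expected value is "Basic <base64(username:password)>". The limit on
        // both explode() calls keeps a password that itself contains ':'
        // intact (an unlimited split would cut it at the next ':'), and a
        // value without a scheme, with a non-Basic scheme or without a ':'
        // leaves the credentials empty so the request is counted below as
        // "no login given".
        $auth_parts = explode(' ', $_SERVER['REMOTE_USER'], 2);
        if (count($auth_parts) == 2 && strcasecmp($auth_parts[0], 'Basic') == 0) {
            $auth_data = base64_decode($auth_parts[1]);
            if ($auth_data !== false && strpos($auth_data, ':') !== false) {
                list($username, $password) = explode(':', $auth_data, 2);
                $username = COM_applyBasicFilter($username);
            }
        }
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
        // fallthrough (see below)
    }

    // Expire old entries, then refuse outright once the client is over the limit.
    COM_clearSpeedlimit($_CONF['login_speedlimit'], 'wsauth');
    if (COM_checkSpeedlimit('wsauth', $_CONF['login_attempts']) > 0) {
        WS_error(PLG_RET_PERMISSION_DENIED, 'Speed Limit exceeded');
    }

    if (!empty($username) && !empty($password)) {
        if ($_CONF['user_login_method']['3rdparty']) {
            // remote users will have to use username@servicename
            $u = explode('@', $username);
            if (count($u) > 1) {
                $sv = $u[count($u) - 1];
                if (!empty($sv)) {
                    $modules = SEC_collectRemoteAuthenticationModules();
                    foreach ($modules as $smod) {
                        if (strcasecmp($sv, $smod) == 0) {
                            array_pop($u); // drop the service name
                            $uname = implode('@', $u);
                            $status = SEC_remoteAuthentication($uname, $password, $smod, $uid);
                            break;
                        }
                    }
                }
            }
        }
        // Fall back to the local account database when no remote service matched.
        if ($status == -1 && $_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($username, $password, $uid);
        }
    }

    if ($status == USER_ACCOUNT_ACTIVE) {
        $_USER = SESS_getUserDataFromId($uid);
        PLG_loginUser($_USER['uid']);

        // Global array of groups current user belongs to
        $_GROUPS = SEC_getUserGroups($_USER['uid']);

        // Global array of current user permissions [read,edit]
        $_RIGHTS = explode(',', SEC_getUserPermissions());

        if ($_CONF['restrict_webservices']) {
            if (!SEC_hasRights('webservices.atompub')) {
                COM_updateSpeedlimit('wsauth');
                if ($WS_VERBOSE) {
                    COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) does not have permission to use the webservices");
                }
                // reset user, groups, and rights, just in case ...
                $_USER = array();
                $_GROUPS = array();
                $_RIGHTS = array();
                WS_error(PLG_RET_AUTH_FAILED);
            }
        }

        if ($WS_VERBOSE) {
            COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) successfully logged in");
        }

        // if there were less than 2 failed login attempts, reset speedlimit
        if (COM_checkSpeedlimit('wsauth', 2) == 0) {
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Successful login - resetting speedlimit");
            }
            COM_resetSpeedlimit('wsauth');
        }
    } else {
        // One failed attempt for any unauthenticated request, a second one
        // when credentials were supplied but rejected (see the header comment).
        COM_updateSpeedlimit('wsauth');
        if (!empty($username) && !empty($password)) {
            COM_updateSpeedlimit('wsauth');
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Wrong login credentials - counting as 2 failed attempts");
            }
        } elseif ($WS_VERBOSE) {
            COM_errorLog("WS: Empty login credentials - counting as 1 failed attempt");
        }
        WS_error(PLG_RET_AUTH_FAILED);
    }
}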
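/**
 * Shows the user their menu options
 *
 * This shows the average Joe User their menu options. This is the user block on the left side
 *
 * For a logged-in user the block lists the plugin user options (from
 * PLG_getUserOptions()), the account settings link and the logout link. For an
 * anonymous user it renders the side-bar login form instead, including the
 * 3rd party, OpenID and OAuth sections according to configuration.
 *
 * @param string $help Help file to show
 * @param string $title Title of Menu
 * @param string $position Side being shown on 'left', 'right'. Though blank works not likely.
 * @return string HTML of the block
 * @see function COM_adminMenu
 *
 */
function COM_userMenu($help = '', $title = '', $position = '')
{
    global $_TABLES, $_CONF, $LANG01, $LANG04, $_BLOCK_TEMPLATE;

    $retval = '';

    if (!COM_isAnonUser()) {
        $usermenu = COM_newTemplate($_CONF['path_layout']);
        if (isset($_BLOCK_TEMPLATE['useroption'])) {
            // NOTE(review): expects "option,current" - a single name here leaves $templates[1] undefined; confirm the config contract
            $templates = explode(',', $_BLOCK_TEMPLATE['useroption']);
            $usermenu->set_file(array('option' => $templates[0], 'current' => $templates[1]));
        } else {
            $usermenu->set_file(array('option' => 'useroption.thtml', 'current' => 'useroption_off.thtml'));
        }
        $usermenu->set_var('block_name', str_replace('_', '-', 'user_block'));

        if (empty($title)) {
            $title = DB_getItem($_TABLES['blocks'], 'title', "name='user_block'");
        }

        // what's our current URL? (used to mark the active menu item)
        $thisUrl = COM_getCurrentURL();

        $retval .= COM_startBlock($title, $help, COM_getBlockTemplate('user_block', 'header', $position));

        // This function will show the user options for all installed plugins
        // (if any)
        $plugin_options = PLG_getUserOptions();
        foreach ($plugin_options as $plg) {
            $usermenu->set_var('option_label', $plg->adminlabel);
            if (!empty($plg->numsubmissions)) {
                $usermenu->set_var('option_count', '(' . $plg->numsubmissions . ')');
            } else {
                $usermenu->set_var('option_count', '');
            }
            $usermenu->set_var('option_url', $plg->adminurl);
            if ($thisUrl == $plg->adminurl) {
                $retval .= $usermenu->parse('item', 'current');
            } else {
                $retval .= $usermenu->parse('item', 'option');
            }
        }

        $url = $_CONF['site_url'] . '/usersettings.php';
        $usermenu->set_var('option_label', $LANG01[48]);
        $usermenu->set_var('option_count', '');
        $usermenu->set_var('option_url', $url);
        if ($thisUrl == $url) {
            $retval .= $usermenu->parse('item', 'current');
        } else {
            $retval .= $usermenu->parse('item', 'option');
        }

        $url = $_CONF['site_url'] . '/users.php?mode=logout';
        $usermenu->set_var('option_label', $LANG01[19]);
        $usermenu->set_var('option_count', '');
        $usermenu->set_var('option_url', $url);
        $retval .= $usermenu->finish($usermenu->parse('item', 'option'));

        $retval .= COM_endBlock(COM_getBlockTemplate('user_block', 'footer', $position));
    } else {
        $retval .= COM_startBlock($LANG01[47], $help, COM_getBlockTemplate('user_block', 'header', $position));

        $login = COM_newTemplate($_CONF['path_layout']);
        $login->set_file('form', 'loginform.thtml');
        $login->set_var('lang_username', $LANG01[21]);
        $login->set_var('lang_password', $LANG01[57]);
        $login->set_var('lang_forgetpassword', $LANG01[119]);
        $login->set_var('lang_login', $LANG01[58]);
        if ($_CONF['disable_new_user_registration']) {
            $login->set_var('lang_signup', '');
        } else {
            $login->set_var('lang_signup', $LANG01[59]);
        }

        // 3rd party remote authentification.
        if ($_CONF['user_login_method']['3rdparty'] && !$_CONF['usersubmission']) {
            $modules = SEC_collectRemoteAuthenticationModules();
            if (count($modules) == 0) {
                // The only template in this branch is $login; there is no
                // $user_templates here, so that name would be a fatal call on null.
                $login->set_var('services', '');
            } else {
                if (!$_CONF['user_login_method']['standard'] && count($modules) == 1) {
                    // Exactly one remote service and no local login: nothing to choose.
                    $select = '<input type="hidden" name="service" value="' . $modules[0] . '"' . XHTML . '>' . $modules[0];
                } else {
                    // Build select
                    $select = '<select name="service" id="service">';
                    if ($_CONF['user_login_method']['standard']) {
                        $select .= '<option value="">' . $_CONF['site_name'] . '</option>';
                    }
                    foreach ($modules as $service) {
                        $select .= '<option value="' . $service . '">' . $service . '</option>';
                    }
                    $select .= '</select>';
                }
                $login->set_file('services', 'blockservices.thtml');
                $login->set_var('lang_service', $LANG04[121]);
                $login->set_var('select_service', $select);
                $login->parse('output', 'services');
                $login->set_var('services', $login->finish($login->get_var('output')));
            }
        } else {
            $login->set_var('services', '');
        }

        // OpenID remote authentification.
        if ($_CONF['user_login_method']['openid'] && $_CONF['usersubmission'] == 0 && !$_CONF['disable_new_user_registration']) {
            $login->set_file('openid_login', 'loginform_openid.thtml');
            $login->set_var('lang_openid_login', $LANG01[128]);
            $login->set_var('input_field_size', 18);
            // Return URL is derived from the configured site_url, not from request headers.
            $login->set_var('app_url', $_CONF['site_url'] . '/users.php');
            $login->parse('output', 'openid_login');
            $login->set_var('openid_login', $login->finish($login->get_var('output')));
        } else {
            $login->set_var('openid_login', '');
        }

        // OAuth remote authentification.
        if ($_CONF['user_login_method']['oauth'] && $_CONF['usersubmission'] == 0 && !$_CONF['disable_new_user_registration']) {
            $modules = SEC_collectRemoteOAuthModules();
            if (count($modules) == 0) {
                $login->set_var('oauth_login', '');
            } else {
                $html_oauth = '';
                // One rendered copy of loginform_oauth.thtml per configured service.
                foreach ($modules as $service) {
                    $login->set_file('oauth_login', 'loginform_oauth.thtml');
                    $login->set_var('oauth_service', $service);
                    // for sign in image
                    $login->set_var('oauth_sign_in_image', $_CONF['site_url'] . '/images/login-with-' . $service . '.png');
                    $login->set_var('oauth_sign_in_image_style', '');
                    $login->parse('output', 'oauth_login');
                    $html_oauth .= $login->finish($login->get_var('output'));
                }
                $login->set_var('oauth_login', $html_oauth);
            }
        } else {
            $login->set_var('oauth_login', '');
        }

        PLG_templateSetVars('loginblock', $login);
        $retval .= $login->finish($login->parse('output', 'form'));
        $retval .= COM_endBlock(COM_getBlockTemplate('user_block', 'footer', $position));
    }

    return $retval;
}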
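/**
 * Renders the "account" panel of the admin user editor
 *
 * Fills admin/user/accountpanel.thtml with the name, registration/last-login
 * dates, password/e-mail fields, the remote-user section (3rd party / OAuth
 * service selector) and the account status selector for the user record $U.
 *
 * @param array $U       user record (uid, username, fullname, email, regdate,
 *                       account_type, remoteusername, remoteservice,
 *                       cookietimeout, status); an empty or < 2 uid means a
 *                       new account is being created
 * @param int   $newuser 1 when creating a new account (also set internally
 *                       when $U['uid'] is empty); not read after that
 * @return string HTML of the panel
 */
function USER_accountPanel($U, $newuser = 0)
{
    global $_CONF, $_SYSTEM, $_TABLES, $_USER, $LANG_MYACCOUNT, $LANG04, $LANG28;

    $uid = $U['uid'];

    // set template
    $userform = new Template($_CONF['path_layout'] . 'admin/user/');
    $userform->set_file('user', 'accountpanel.thtml');

    // get users display name (not used by this template, kept for the side
    // effects of COM_getDisplayName, if any)
    $display_name = COM_getDisplayName($uid);

    // define all the language constants...
    $userform->set_var(array(
        'lang_name_legend'            => $LANG04[128],
        'lang_userid'                 => $LANG28[2],
        'lang_regdate'                => $LANG28[14],
        'lang_lastlogin'              => $LANG28[35],
        'lang_username'               => $LANG04[2],
        'lang_fullname'               => $LANG04[3],
        'lang_user_status'            => $LANG28[46],
        'lang_password_email_legend'  => $LANG04[129],
        'lang_password_help_title'    => $LANG04[146],
        'lang_enter_current_password' => $LANG04[127],
        'lang_password_help'          => $LANG04[147],
        'lang_old_password'           => $LANG04[110],
        'lang_password'               => $LANG04[4],
        'lang_password_conf'          => $LANG04[108],
        'lang_cooktime'               => $LANG04[68],
        'lang_email'                  => $LANG04[5],
        'lang_email_conf'             => $LANG04[124],
        'lang_deleteaccount'          => $LANG04[156],
        'lang_deleteoption'           => $LANG04[156],
        'lang_button_delete'          => $LANG04[96]
    ));

    if (empty($uid) || $uid < 2) {
        $userform->set_var('lang_email_password', $LANG04[28]);
    }

    if (!empty($uid) && $uid > 1) {
        $curtime = COM_getUserDateTimeFormat($U['regdate']);
        $lastlogin = DB_getItem($_TABLES['userinfo'], 'lastlogin', "uid = '{$uid}'");
        $lasttime = COM_getUserDateTimeFormat($lastlogin);
    } else {
        // New account: no id, no dates yet.
        $U['uid'] = '';
        $uid = '';
        $curtime = COM_getUserDateTimeFormat();
        $lastlogin = '';
        $lasttime = '';
        // Default the status selector to "active" for a new account unless the
        // caller supplied a status; $U['status'] is read further down.
        if (!isset($U['status'])) {
            $U['status'] = USER_ACCOUNT_ACTIVE;
        }
        $newuser = 1;
    }

    if ($U['uid'] == '') {
        $userform->set_var('user_id', $LANG28[15]);
    } else {
        $userform->set_var('user_id', $U['uid']);
    }

    $userform->set_var('regdate_timestamp', $curtime[1]);
    $userform->set_var('user_regdate', $curtime[0]);
    if (empty($lastlogin)) {
        $userform->set_var('user_lastlogin', $LANG28[36]);
    } else {
        $userform->set_var('user_lastlogin', $lasttime[0]);
    }

    $userform->set_var('user_name', $U['username']);
    $userform->set_var('fullname_value', @htmlspecialchars($U['fullname'], ENT_NOQUOTES, COM_getEncodingt()));

    $remote_user_display = 'none';
    $remote_user_checked = '';
    $pwd_disabled = '';
    $remote_user_edit = 0;

    if ($_CONF['user_login_method']['3rdparty'] || $_CONF['user_login_method']['oauth']) { // && $U['account_type'] & REMOTE_USER /*$allow_remote_user */) {
        $modules = array();
        if ($U['account_type'] & REMOTE_USER) {
            $remote_user_checked = ' checked="checked"';
            $pwd_disabled = ' disabled="disabled"';
            $remote_user_display = '';
            // Existing remote accounts cannot have their service changed.
            if (isset($U['uid']) && $U['uid'] > 2) {
                $remote_user_edit = 1;
            }
        }
        if ($_CONF['user_login_method']['3rdparty']) {
            $modules = SEC_collectRemoteAuthenticationModules();
        }
        // New records may not carry a remoteservice at all.
        $current_service = isset($U['remoteservice']) ? $U['remoteservice'] : '';

        $service_select = '<select name="remoteservice" id="remoteservice"';
        if ($remote_user_edit == 1) {
            $service_select .= ' disabled="disabled"';
        }
        $service_select .= '>' . LB;
        if (count($modules) > 0) {
            foreach ($modules as $service) {
                $service_select .= '<option value="' . $service . '"' . ($current_service == $service ? ' selected="selected"' : '') . '>' . $service . '</option>' . LB;
            }
        }
        if ($_CONF['user_login_method']['oauth']) {
            // OAuth services are stored with an "oauth." prefix in remoteservice.
            $modules = SEC_collectRemoteOAuthModules();
            if (count($modules) > 0) {
                foreach ($modules as $service) {
                    $service_select .= '<option value="' . 'oauth.' . $service . '"' . ($current_service == 'oauth.' . $service ? ' selected="selected"' : '') . '>' . $service . '</option>' . LB;
                }
            }
        }
        $service_select .= '</select>' . LB;

        $userform->set_var('remoteusername', @htmlspecialchars($U['remoteusername'], ENT_NOQUOTES, COM_getEncodingt()));
        $userform->set_var('remoteservice_select', $service_select);
        $userform->set_var('remote_user_checked', $remote_user_checked);
        $userform->set_var('remote_user_display', $remote_user_display);
        $userform->set_var('remoteuserenable', '1');
        $userform->set_var('lang_remoteuser', $LANG04[163]);
        $userform->set_var('lang_remoteusername', $LANG04[164]);
        $userform->set_var('lang_remoteservice', $LANG04[165]);
        $userform->set_var('lang_remoteuserdata', $LANG04[166]);
        $userform->set_var('remote_user_disabled', ' disabled="disabled"');
        if (!($U['account_type'] & LOCAL_USER)) {
            $userform->set_var('pwd_disabled', $pwd_disabled);
        }
        if (!($U['account_type'] & REMOTE_USER)) {
            $userform->set_var('remoteuserenable', '');
        }
    } else {
        $userform->set_var('remoteuserenable', '');
        $userform->set_var('remoteusername', '');
        $userform->set_var('remoteservice_select', '');
        $userform->set_var('remote_user_checked', $remote_user_checked);
        $userform->set_var('remote_user_display', $remote_user_display);
        $userform->set_var('remote_user_disabled', ' disabled="disabled"');
    }

    $selection = '<select id="cooktime" name="cooktime">' . LB;
    $selection .= COM_optionList($_TABLES['cookiecodes'], 'cc_value,cc_descr', $U['cookietimeout'], 0);
    $selection .= '</select>';
    $userform->set_var('cooktime_selector', $selection);

    $userform->set_var('email_value', @htmlspecialchars($U['email'], ENT_NOQUOTES, COM_getEncodingt()));

    $statusarray = array(
        USER_ACCOUNT_AWAITING_ACTIVATION   => $LANG28[43],
        USER_ACCOUNT_AWAITING_VERIFICATION => $LANG28[16],
        USER_ACCOUNT_ACTIVE                => $LANG28[45]
    );

    $allow_ban = true;
    if (!empty($uid)) {
        if ($U['uid'] == $_USER['uid']) {
            $allow_ban = false; // do not allow to ban yourself
        } else {
            if (SEC_inGroup('Root', $U['uid'])) { // editing a Root user?
                // how many are left? Count distinct members of the Root group
                // (group id 1); a per-user GROUP BY would always yield 1 for
                // the first row and so block banning every Root user.
                $count_root_sql = "SELECT COUNT(DISTINCT ug_uid) AS root_count FROM {$_TABLES['group_assignments']} WHERE ug_main_grp_id = 1;";
                $count_root_result = DB_query($count_root_sql);
                $C = DB_fetchArray($count_root_result);
                if ($C['root_count'] < 2) {
                    $allow_ban = false; // prevent banning the last root user
                }
            }
        }
    }
    if ($allow_ban) {
        $statusarray[USER_ACCOUNT_DISABLED] = $LANG28[42];
    }
    if ($_CONF['usersubmission'] == 1 && !empty($uid)) {
        $statusarray[USER_ACCOUNT_AWAITING_APPROVAL] = $LANG28[44];
    }
    asort($statusarray);

    $statusselect = '<select name="userstatus" id="userstatus">';
    foreach ($statusarray as $key => $value) {
        $statusselect .= '<option value="' . $key . '"';
        if ($key == $U['status']) {
            $statusselect .= ' selected="selected"';
        }
        $statusselect .= '>' . $value . '</option>' . LB;
    }
    // oldstatus lets the form handler detect a status change on save.
    $statusselect .= '</select><input type="hidden" name="oldstatus" value="' . $U['status'] . '"/>';
    $userform->set_var('user_status', $statusselect);

    if (!empty($uid) && $uid > 1) {
        $userform->set_var('plugin_namepass_name', PLG_profileEdit($uid, 'namepass', 'name'));
        $userform->set_var('plugin_namepass_pwdemail', PLG_profileEdit($uid, 'namepass', 'pwdemail'));
    }

    $retval = $userform->finish($userform->parse('output', 'user'));

    return $retval;
}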
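/**
 * Authenticates the user if authentication headers are present
 *
 * Our handling of the speedlimit here requires some explanation ...
 * Atompub clients will usually try to do everything without logging in first.
 * Since that would mean that we can't provide feeds for drafts, items with
 * special permissions, etc. we ask them to log in (PLG_RET_AUTH_FAILED).
 * That, however, means that every request from an Atompub client will count
 * as one failed login attempt. So doing a couple of requests in quick
 * succession will surely get the client blocked. Therefore
 * - a request without any login credentials counts as one failed login attempt
 * - a request with wrong login credentials counts as two failed login attempts
 * - if, after a successful login, we have only one failed attempt on record,
 *   we reset the speedlimit
 * This still ensures that
 * - repeated failed logins (without or with invalid credentials) will cause the
 *   client to be blocked eventually
 * - this can not be used for dictionary attacks
 *
 * Credentials come from $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'] when PHP
 * sees the Authorization header itself, otherwise from $_SERVER['REMOTE_USER']
 * holding the raw "Basic <base64(username:password)>" value (see the comment
 * in the body). Remote (3rd party) users log in as username@servicename.
 *
 * On success the globals $_USER, $_GROUPS and $_RIGHTS are populated for the
 * authenticated user. On failure WS_error() is called with PLG_RET_AUTH_FAILED
 * (or PLG_RET_PERMISSION_DENIED once the speed limit is exceeded). Nothing is
 * returned.
 */
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

    $uid = '';
    $username = '';
    $password = '';
    $status = -1;

    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
        $username = COM_applyFilter($username);
        // NOTE(review): running the password through COM_applyFilter may alter
        // passwords containing characters the filter strips - confirm this is
        // intended (a sibling revision passes the password through unchanged)
        $password = COM_applyFilter($password);
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}'");
        }
    } elseif (!empty($_SERVER['REMOTE_USER'])) {
        /* PHP installed as CGI may not have access to authorization headers of
         * Apache. In that case, use .htaccess to store the auth header
         */
        // Expected value is "Basic <base64(username:password)>". The limit on
        // both explode() calls keeps a password that itself contains ':'
        // intact (an unlimited split would cut it at the next ':'), and a
        // value without a scheme, with a non-Basic scheme or without a ':'
        // leaves the credentials empty so the request is counted below as
        // "no login given".
        $auth_parts = explode(' ', $_SERVER['REMOTE_USER'], 2);
        if (count($auth_parts) == 2 && strcasecmp($auth_parts[0], 'Basic') == 0) {
            $auth_data = base64_decode($auth_parts[1]);
            if ($auth_data !== false && strpos($auth_data, ':') !== false) {
                list($username, $password) = explode(':', $auth_data, 2);
                $username = COM_applyFilter($username);
                $password = COM_applyFilter($password);
            }
        }
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
        // fallthrough (see below)
    }

    // Expire old entries, then refuse outright once the client is over the limit.
    COM_clearSpeedlimit($_CONF['login_speedlimit'], 'wsauth');
    if (COM_checkSpeedlimit('wsauth', $_CONF['login_attempts']) > 0) {
        WS_error(PLG_RET_PERMISSION_DENIED, 'Speed Limit exceeded');
    }

    if (!empty($username) && !empty($password)) {
        if ($_CONF['user_login_method']['3rdparty']) {
            // remote users will have to use username@servicename
            $u = explode('@', $username);
            if (count($u) > 1) {
                $sv = $u[count($u) - 1];
                if (!empty($sv)) {
                    $modules = SEC_collectRemoteAuthenticationModules();
                    foreach ($modules as $smod) {
                        if (strcasecmp($sv, $smod) == 0) {
                            array_pop($u); // drop the service name
                            $uname = implode('@', $u);
                            $status = SEC_remoteAuthentication($uname, $password, $smod, $uid);
                            break;
                        }
                    }
                }
            }
        }
        // Fall back to the local account database when no remote service matched.
        if ($status == -1 && $_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($username, $password, $uid);
        }
    }

    if ($status == USER_ACCOUNT_ACTIVE) {
        $_USER = SESS_getUserDataFromId($uid);
        PLG_loginUser($_USER['uid']);

        // Global array of groups current user belongs to
        $_GROUPS = SEC_getUserGroups($_USER['uid']);

        // Global array of current user permissions [read,edit]
        $_RIGHTS = explode(',', SEC_getUserPermissions());

        if ($_CONF['restrict_webservices']) {
            if (!SEC_hasRights('webservices.atompub')) {
                COM_updateSpeedlimit('wsauth');
                if ($WS_VERBOSE) {
                    COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) does not have permission to use the webservices");
                }
                // reset user, groups, and rights, just in case ...
                $_USER = array();
                $_GROUPS = array();
                $_RIGHTS = array();
                WS_error(PLG_RET_AUTH_FAILED);
            }
        }

        if ($WS_VERBOSE) {
            COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) successfully logged in");
        }

        // if there were less than 2 failed login attempts, reset speedlimit
        if (COM_checkSpeedlimit('wsauth', 2) == 0) {
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Successful login - resetting speedlimit");
            }
            COM_resetSpeedlimit('wsauth');
        }
    } else {
        // One failed attempt for any unauthenticated request, a second one
        // when credentials were supplied but rejected (see the header comment).
        COM_updateSpeedlimit('wsauth');
        if (!empty($username) && !empty($password)) {
            COM_updateSpeedlimit('wsauth');
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Wrong login credentials - counting as 2 failed attempts");
            }
        } elseif ($WS_VERBOSE) {
            COM_errorLog("WS: Empty login credentials - counting as 1 failed attempt");
        }
        WS_error(PLG_RET_AUTH_FAILED);
    }
}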
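/**
 * Shows the user login form after failed attempts to either login or access a page
 * requiring login.
 *
 * @param bool $hide_forgotpw_link true leaves the "forgot password" label empty
 * @param int  $statusmode         0 or 2 select the alternative block title/message pair
 *                                 ($LANG04[114]/[115] resp. $LANG04[116]/[117]); any other
 *                                 value renders the default title and message plus, unless
 *                                 registration is disabled, the new-registration link
 * @return string HTML for login form
 */
function loginform($hide_forgotpw_link = false, $statusmode = -1)
{
    global $_CONF, $LANG01, $LANG04;

    $user_templates = new Template($_CONF['path_layout'] . 'users');
    $user_templates->set_file('login', 'loginform.thtml');
    $user_templates->set_var('xhtml', XHTML);
    $user_templates->set_var('site_url', $_CONF['site_url']);

    // Heading and message depend on why the form is being shown. The loose
    // comparison is kept on purpose: callers are not guaranteed to pass an int.
    if ($statusmode == 0) {
        $user_templates->set_var('start_block_loginagain', COM_startBlock($LANG04[114]));
        $user_templates->set_var('lang_message', $LANG04[115]);
    } elseif ($statusmode == 2) {
        $user_templates->set_var('start_block_loginagain', COM_startBlock($LANG04[116]));
        $user_templates->set_var('lang_message', $LANG04[117]);
    } else {
        $user_templates->set_var('start_block_loginagain', COM_startBlock($LANG04[65]));
        // the registration link is only offered on the default form
        $user_templates->set_var(
            'lang_newreglink',
            $_CONF['disable_new_user_registration'] ? '' : $LANG04[123]
        );
        $user_templates->set_var('lang_message', $LANG04[66]);
    }

    $user_templates->set_var('lang_username', $LANG04[2]);
    $user_templates->set_var('lang_password', $LANG01[57]);
    $user_templates->set_var('lang_forgetpassword', $hide_forgotpw_link ? '' : $LANG04[25]);
    $user_templates->set_var('lang_login', $LANG04[80]);
    $user_templates->set_var('end_block', COM_endBlock());

    // 3rd party remote authentication: offer a service selector when enabled and
    // the site does not hold new users for approval.
    $services = '';
    if ($_CONF['user_login_method']['3rdparty'] && !$_CONF['usersubmission']) {
        // service names come from SEC_collectRemoteAuthenticationModules(); presumably
        // module names under site control, so they are inserted as-is (as before)
        $modules = SEC_collectRemoteAuthenticationModules();
        if (count($modules) > 0) {
            if (!$_CONF['user_login_method']['standard'] && count($modules) == 1) {
                // only one way to log in: nothing to choose, just carry the service along
                $select = '<input type="hidden" name="service" value="' . $modules[0] . '"'
                    . XHTML . '>' . $modules[0];
            } else {
                $options = array();
                if ($_CONF['user_login_method']['standard']) {
                    // empty value = local account login
                    $options[] = '<option value="">' . $_CONF['site_name'] . '</option>';
                }
                foreach ($modules as $service) {
                    $options[] = '<option value="' . $service . '">' . $service . '</option>';
                }
                $select = '<select name="service">' . implode('', $options) . '</select>';
            }
            $user_templates->set_file('services', 'services.thtml');
            $user_templates->set_var('lang_service', $LANG04[121]);
            $user_templates->set_var('select_service', $select);
            $user_templates->parse('output', 'services');
            $services = $user_templates->finish($user_templates->get_var('output'));
        }
    }
    $user_templates->set_var('services', $services);

    // OpenID remote authentication.
    $openid_login = '';
    if ($_CONF['user_login_method']['openid']
        && $_CONF['usersubmission'] == 0
        && !$_CONF['disable_new_user_registration']) {
        $user_templates->set_file('openid_login', '../loginform_openid.thtml');
        $user_templates->set_var('lang_openid_login', $LANG01[128]);
        $user_templates->set_var('input_field_size', 40);
        // SCRIPT_URI, HTTP_HOST and PHP_SELF are taken from the request and can be
        // influenced by the client, and the value is handed to the template verbatim.
        // Encode it for an HTML context here (presumably it ends up in an attribute of
        // loginform_openid.thtml -- TODO confirm; drop this if the template escapes
        // {app_url} itself to avoid double encoding).
        $app_url = isset($_SERVER['SCRIPT_URI'])
            ? $_SERVER['SCRIPT_URI']
            : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
        $user_templates->set_var(
            'app_url',
            htmlspecialchars($app_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
        $user_templates->parse('output', 'openid_login');
        $openid_login = $user_templates->finish($user_templates->get_var('output'));
    }
    $user_templates->set_var('openid_login', $openid_login);

    $user_templates->parse('output', 'login');

    return $user_templates->finish($user_templates->get_var('output'));
}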
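/**
 * Shows the user their menu options
 *
 * This shows the average Joe User their menu options. This is the user block on the left side.
 * Anonymous visitors get the login block instead, with the 3rd party, OpenID and OAuth
 * variants appended according to $_CONF['user_login_method'].
 *
 * @param string $help     Help file to show
 * @param string $title    Title of Menu; when empty it is read from the 'user_block' row of the blocks table
 * @param string $position Side being shown on 'left', 'right'. Though blank works not likely.
 * @return string HTML of the user block (or the login block for anonymous users)
 * @see function COM_adminMenu
 */
function COM_userMenu($help = '', $title = '', $position = '')
{
    // $_USER, $LANG29 and $_BLOCK_TEMPLATE were declared global but never read;
    // the unused COM_getCurrentURL() call has been dropped for the same reason.
    global $_TABLES, $_CONF, $LANG01, $LANG04;

    if (!COM_isAnonUser()) {
        if (empty($title)) {
            $title = DB_getItem($_TABLES['blocks'], 'title', "name='user_block'");
        }
        $retval = COM_startBlock(
            $title,
            $help,
            COM_getBlockTemplate('user_block', 'header', $position),
            'user_block'
        );
        $retval .= '<div id="usermenu"><ul class="uk-list uk-list-space">';
        // menu entries come from getUserMenu(); assumed to be site-generated and
        // already safe for HTML, as the original code inserted them verbatim
        foreach (getUserMenu() as $item) {
            $retval .= '<li><a href="' . $item['url'] . '">' . $item['label'] . '</a></li>';
        }
        $retval .= '</ul></div>';
        $retval .= COM_endBlock(COM_getBlockTemplate('user_block', 'footer'));

        return $retval;
    }

    // Anonymous visitor: render the login block.
    $retval = COM_startBlock(
        $LANG01[47],
        $help,
        COM_getBlockTemplate('login_block', 'header', $position),
        'login_block'
    );
    $login = new Template($_CONF['path_layout']);
    $login->set_file('form', 'loginform.thtml');
    $login->set_var('lang_username', $LANG01[21]);
    $login->set_var('lang_password', $LANG01[57]);
    $login->set_var('lang_forgetpassword', $LANG01[119]);
    $login->set_var('lang_login', $LANG01[58]);
    $login->set_var('lang_signup', $_CONF['disable_new_user_registration'] == 1 ? '' : $LANG01[59]);

    // 3rd party remote authentication.
    $services = '';
    if ($_CONF['user_login_method']['3rdparty'] && !$_CONF['usersubmission']) {
        $modules = SEC_collectRemoteAuthenticationModules();
        if (count($modules) > 0) {
            if (!$_CONF['user_login_method']['standard'] && count($modules) == 1) {
                // single remote service and no local login: nothing to choose from
                $select = '<input type="hidden" name="service" value="' . $modules[0] . '"/>' . $modules[0];
            } else {
                $options = array();
                if ($_CONF['user_login_method']['standard']) {
                    // empty value = local account login
                    $options[] = '<option value="">' . $_CONF['site_name'] . '</option>';
                }
                foreach ($modules as $service) {
                    $options[] = '<option value="' . $service . '">' . $service . '</option>';
                }
                $select = '<select name="service" id="service">' . implode('', $options) . '</select>';
            }
            $login->set_file('services', 'blockservices.thtml');
            $login->set_var('lang_service', $LANG04[121]);
            $login->set_var('select_service', $select);
            $login->parse('output', 'services');
            $services = $login->finish($login->get_var('output'));
        }
    }
    $login->set_var('services', $services);

    // OpenID remote authentication.
    $openid_login = '';
    if ($_CONF['user_login_method']['openid']
        && $_CONF['usersubmission'] == 0
        && !$_CONF['disable_new_user_registration']) {
        $login->set_file('openid_login', 'loginform_openid.thtml');
        $login->set_var('lang_openid_login', $LANG01[128]);
        $login->set_var('input_field_size', 16);
        $login->set_var('app_url', $_CONF['site_url'] . '/users.php');
        $login->parse('output', 'openid_login');
        $openid_login = $login->finish($login->get_var('output'));
    }
    $login->set_var('openid_login', $openid_login);

    // OAuth remote authentication: one sign-in snippet per provider, concatenated.
    $html_oauth = '';
    if ($_CONF['user_login_method']['oauth']) {
        foreach (SEC_collectRemoteOAuthModules() as $service) {
            $login->set_file('oauth_login', 'loginform_oauth_block.thtml');
            $login->set_var('oauth_service', $service);
            // sign in image, one per provider
            $login->set_var(
                'oauth_sign_in_image',
                $_CONF['site_url'] . '/images/login-with-' . $service . '.png'
            );
            $login->set_var('oauth_sign_in_image_style', '');
            $login->set_var('oauth_service_display', ucwords($service));
            $login->parse('output', 'oauth_login');
            $html_oauth .= $login->finish($login->get_var('output'));
        }
    }
    $login->set_var('oauth_login', $html_oauth);

    $retval .= $login->finish($login->parse('output', 'form'));
    $retval .= COM_endBlock(COM_getBlockTemplate('login_block', 'footer', $position));

    return $retval;
}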