示例#1
/**
 * Answer the JavaScript session probe with one JSON object.
 *
 * Starts the session via doSessionStart(true) and asks checkSessionValid()
 * whether it is still valid (the second argument, false, presumably suppresses
 * its redirect — confirm against checkSessionValid()).  The reply carries the
 * verdict plus the localized labels the client needs to draw a login form
 * when the session has expired.  No Content-Type header is set here.
 *
 * @param mixed $dbHandler DB connection, passed through to checkSessionValid()
 */
function processAjaxCheck(&$dbHandler)
{
    doSessionStart(true);

    $reply = array();
    $reply['validSession'] = checkSessionValid($dbHandler, false);
    // Labels are shipped with the verdict so the client can render the
    // login form without a second round trip.
    $reply['username_label'] = lang_get('login_name');
    $reply['password_label'] = lang_get('password');
    $reply['login_label'] = lang_get('btn_login');
    $reply['timeout_info'] = lang_get('timeout_info');

    echo json_encode($reply);
}
示例#2
                echo json_encode(array('success' => false, 'reason' => $gui->note));
            } else {
                $doRender = true;
            }
        } else {
            $args->currentUser = $_SESSION['currentUser'];
            logAuditEvent(TLS("audit_login_succeeded", $args->login, $_SERVER['REMOTE_ADDR']), "LOGIN", $args->currentUser->dbID, "users");
            if ($args->action == 'ajaxlogin') {
                echo json_encode(array('success' => true));
            } else {
                redirect($_SESSION['basehref'] . "index.php" . ($args->preqURI ? "?reqURI=" . urlencode($args->preqURI) : ""));
            }
        }
        break;
    case 'ajaxcheck':
        doSessionStart();
        unset($_SESSION['basehref']);
        setPaths();
        $validSession = checkSessionValid($db, false);
        // Send a json reply, include localized strings for use in js to display a login form.
        echo json_encode(array('validSession' => $validSession, 'username_label' => lang_get('login_name'), 'password_label' => lang_get('password'), 'login_label' => lang_get('btn_login')));
        break;
    case 'loginform':
        $doRender = true;
        break;
}
// BUGID 0003129
if ($doRender) {
    $logPeriodToDelete = config_get('removeEventsOlderThan');
    $g_tlLogger->deleteEventsFor(null, strtotime("-{$logPeriodToDelete} days UTC"));
    $smarty = new TLSmarty();
示例#3
/**
 * Common bootstrap for a GUI page.
 *
 * Always, in this order: start the session, set paths and date formats,
 * connect to the DB.  Then, optionally: validate the session, check user
 * rights, initialize project data.  Finally the attachment feature is
 * disabled when the filesystem repository directory check fails.
 *
 * @param integer $db                      DB connection identifier, passed by reference to doDBConnect()
 * @param boolean $initProject             when true, initProject() adjusts Product / Test Plan in
 *                                         $_SESSION from $_REQUEST; default FALSE
 * @param boolean $bDontCheckSession       when true, checkSessionValid() is skipped.  The session is
 *                                         still started — only its validation is skipped — so the
 *                                         caller must not trust $_SESSION contents in that mode
 * @param mixed   $userRightsCheckFunction when truthy, handed to checkUserRightsFor() after the
 *                                         session check
 */
function testlinkInitPage(&$db, $initProject = FALSE, $bDontCheckSession = false, $userRightsCheckFunction = null)
{
    doSessionStart();
    setPaths();
    set_dt_formats();
    doDBConnect($db);

    // One statistics collector per process, and only under EXTENDED logging
    // (config_get() is consulted only while the collector is still unset).
    static $pageStatistics = null;
    if (!$pageStatistics && config_get('log_level') == 'EXTENDED') {
        $pageStatistics = new tlPageStatistics($db);
    }

    // Gates, in order: authentication (session), then authorization (rights).
    $validateSession = !$bDontCheckSession;
    if ($validateSession) {
        checkSessionValid($db);
    }
    if ($userRightsCheckFunction) {
        checkUserRightsFor($db, $userRightsCheckFunction);
    }

    if ($initProject) {
        initProject($db, $_REQUEST);
    }

    // Attachments are switched off when the FS repository directory is unusable.
    /** @TODO this check should not be done anytime but on login and using */
    global $g_repositoryType, $g_attachments, $g_repositoryPath;
    $g_attachments->disabled_msg = "";
    if ($g_repositoryType == TL_REPOSITORY_TYPE_FS) {
        $repoCheck = checkForRepositoryDir($g_repositoryPath);
        if (!$repoCheck['status_ok']) {
            $g_attachments->enabled = FALSE;
            $g_attachments->disabled_msg = $repoCheck['msg'];
        }
    }
}
示例#4
 * Validates the CSRF token found in $_POST. For a request that carries POST
 * fields, redirects to error.php and exits when CSRFName is missing, when the
 * name or token is empty, or when csrfguard_validate_token() rejects the pair.
 * Requests with no POST fields are not checked at all.
 *
 * @return void — the failure paths redirect and exit rather than returning false
 */
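function csrfguard_start()
{
    // Only requests carrying POST fields are checked; a request with an empty
    // $_POST (including any GET-driven state change) passes through untouched.
    if (count($_POST)) {
        if (!isset($_POST['CSRFName'])) {
            //trigger_error("No CSRFName found, probable invalid request.",E_USER_ERROR);
            //return false;
            // NOTE(review): the message travels unencoded in the query string;
            // error.php must escape it on output.
            redirect($_SESSION['basehref'] . 'error.php?message=No CSRFName found, probable invalid request.');
            exit;
        }
        // 20151107
        // Both fields are untrusted input.  A crafted CSRFName[]=.. or
        // CSRFToken[]=.. arrives as an array and must count as "no token"
        // rather than be handed to trim() (TypeError on PHP 8).  A missing
        // CSRFToken is likewise treated as empty instead of raising an
        // undefined-index notice.
        $name = is_string($_POST['CSRFName']) ? trim($_POST['CSRFName']) : '';
        $token = isset($_POST['CSRFToken']) && is_string($_POST['CSRFToken']) ? trim($_POST['CSRFToken']) : '';
        $good = strlen($name) > 0 && strlen($token) > 0;
        // Comparison is delegated; confirm csrfguard_validate_token() uses hash_equals().
        if (!$good || !csrfguard_validate_token($name, $token)) {
            //trigger_error("Invalid CSRF token.",E_USER_ERROR);
            //return false;
            redirect($_SESSION['basehref'] . 'error.php?message=Invalid CSRF token.');
            exit;
        }
    }
}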
// Runs unconditionally on every include of this file: the session is started
// here with doSessionStart(false).  Whether that is needed at this point was
// an open question for the original author.
// NOTE(review): csrfguard_start() is commented out below, so a POST arriving
// through this include gets no CSRF token check unless the including page
// calls csrfguard_start() itself.
doSessionStart(false);
// csrfguard_start();
示例#5
/**
 * Set up the request environment for anonymous (API-key) access to a page.
 *
 * Starts the session (optionally wiping it first), connects to the DB, then
 * resolves $apikey as a test plan and/or test project key.  On a match a
 * fresh tlUser with userID -1 is stored in $_SESSION, the optional rights
 * check is run and true is returned; otherwise false is returned.
 *
 * @param mixed  $dbHandler   DB connection, passed by reference to doDBConnect()
 * @param string $apikey      key taken from the request; lookup is done by getEntityByAPIKey()
 * @param object $rightsCheck object with ->args (tplan_id, optional envCheckMode),
 *                            ->method (handed to checkUserRightsFor(), or null) and
 *                            optionally ->redirect_target.  It is dereferenced
 *                            unconditionally, so despite the default it must not be null
 * @param array  $opt         'setPaths' (bool, default false) forwarded to doSessionStart();
 *                            'clearSession' (bool, default false) wipes $_SESSION before start
 * @return boolean true when the key resolved to an entity and the environment was set up
 */
function setUpEnvForAnonymousAccess(&$dbHandler, $apikey, $rightsCheck = null, $opt = null)
{
    // Option defaults; caller-supplied $opt overrides them key by key.
    $my = array('opt' => array('setPaths' => false, 'clearSession' => false));
    $my['opt'] = array_merge($my['opt'], (array) $opt);
    if ($my['opt']['clearSession']) {
        $_SESSION = null;
    }
    doSessionStart($my['opt']['setPaths']);
    if (isset($_SESSION['locale']) && !is_null($_SESSION['locale'])) {
        setDateTimeFormats($_SESSION['locale']);
    }
    doDBConnect($dbHandler);
    // @since 1.9.14
    // Which entity types the key may resolve to: 'paranoic' (the default) tries
    // exactly one type, chosen by whether a tplan_id was supplied; 'hippie'
    // accepts either a test plan or a test project key.
    $checkMode = 'paranoic';
    if (property_exists($rightsCheck->args, 'envCheckMode')) {
        $checkMode = $rightsCheck->args->envCheckMode;
    }
    switch ($checkMode) {
        case 'hippie':
            $tk = array('testplan', 'testproject');
            break;
        default:
            $tk[] = intval($rightsCheck->args->tplan_id) != 0 ? 'testplan' : 'testproject';
            break;
    }
    // First entity type that resolves the key wins; $item stays null when none does.
    foreach ($tk as $ak) {
        $item = getEntityByAPIKey($dbHandler, $apikey, $ak);
        if (!is_null($item)) {
            break;
        }
    }
    $status_ok = false;
    if (!is_null($item)) {
        // Anonymous identity: a bare tlUser with userID -1 and the default
        // locale, replacing whatever user the session held before.
        // NOTE(review): no session_regenerate_id() is visible here; confirm
        // whether doSessionStart() rotates the id, since this changes the
        // privileges attached to an existing session (fixation risk otherwise).
        $_SESSION['lastActivity'] = time();
        $userObj = new tlUser();
        $_SESSION['currentUser'] = $userObj;
        $_SESSION['userID'] = -1;
        $_SESSION['locale'] = config_get('default_language');
        // Scenario this guards against:
        // 1. log in to TestLink
        // 2. open a direct link in a new tab or window while still logged in
        // 3. log out
        // If the user then refreshes the tab from (2): the logout in (3)
        // destroyed the session, so basehref is gone and cannot be recreated
        // here, and without basehref CSS, JS, etc. cannot be resolved.
        // In that case the session is destroyed and the user is forced to log
        // in again in one of two ways:
        // a. via the direct link
        // b. via the traditional login
        // Either way a consistent state is restored.
        //
        if (!isset($_SESSION['basehref'])) {
            // echo $rightsCheck->redirect_target;
            session_unset();
            session_destroy();
            if (property_exists($rightsCheck, 'redirect_target') && !is_null($rightsCheck->redirect_target)) {
                redirect($rightsCheck->redirect_target);
            } else {
                // best guess for all features that live on ./lib/results/
                redirect("../../login.php?note=logout");
            }
            exit;
        }
        // Optional authorization gate for the anonymous user.  The meaning of
        // the third argument is not visible here — check checkUserRightsFor().
        if (!is_null($rightsCheck->method)) {
            checkUserRightsFor($dbHandler, $rightsCheck->method, true);
        }
        $status_ok = true;
    }
    return $status_ok;
}
示例#6
/**
 * Drop stale form-security tokens from the session.
 *
 * For every form, removes the token buckets dated more than three days ago;
 * additionally removes the one token submitted with the current request for
 * $p_form_name (presumably making tokens single-use — confirm against the
 * validation routine).  A no-op on the CLI, when form_security_validation is
 * OFF (in which case no CSRF tokens are managed at all), or when the session
 * holds no tokens for the given form.
 *
 * @param string $p_form_name Form name
 */
function form_security_purge($p_form_name)
{
    $t_disabled = PHP_CLI == php_mode() || OFF == config_get_global('form_security_validation');
    if ($t_disabled) {
        return;
    }
    doSessionStart();
    $t_all_tokens = isset($_SESSION['form_security_tokens']) ? $_SESSION['form_security_tokens'] : null;

    # Nothing to do unless this form has a non-empty token array in the session
    $t_have_tokens = isset($t_all_tokens[$p_form_name])
        && is_array($t_all_tokens[$p_form_name])
        && count($t_all_tokens[$p_form_name]) > 0;
    if (!$t_have_tokens) {
        return;
    }

    # The submitted token; its first 8 characters are the Ymd date it was issued under
    $t_submitted = gpc_get_string($p_form_name . '_token', '');
    $t_submitted_date = utf8_substr($t_submitted, 0, 8);

    # Anything dated before this (Ymd, three days back) is expired
    $t_cutoff = date('Ymd', time() - 3 * 24 * 60 * 60);

    # Consume the current token, then expire old date buckets across all forms
    unset($t_all_tokens[$p_form_name][$t_submitted_date][$t_submitted]);
    foreach ($t_all_tokens as $t_name => $t_buckets) {
        foreach ($t_buckets as $t_bucket_date => $t_unused) {
            if ($t_bucket_date < $t_cutoff) {
                unset($t_all_tokens[$t_name][$t_bucket_date]);
            }
        }
    }

    $_SESSION['form_security_tokens'] = $t_all_tokens;
    return;
}
示例#7
/**
 * Minimal GUI page bootstrap: session, paths, date formats and DB connection.
 *
 * The session is always started; only its validation is optional.  No rights
 * check and no project initialization happen here.
 *
 * @param integer $db           DB connection identifier, passed by reference to doDBConnect()
 * @param boolean $checkSession when true (default) checkSessionValid() is called; when false
 *                              $_SESSION is left unverified and the caller must not trust it
 */
function testlinkInitPage(&$db, $checkSession = true)
{
    doSessionStart();
    setPaths();
    set_dt_formats();
    doDBConnect($db);

    // One statistics collector per process, created only under EXTENDED
    // logging (config_get() is consulted only while it is still unset).
    static $pageStatistics = null;
    if (!$pageStatistics) {
        if (config_get('log_level') == 'EXTENDED') {
            $pageStatistics = new tlPageStatistics($db);
        }
    }

    if (!$checkSession) {
        return;
    }
    checkSessionValid($db);
}