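/**
 * Log the visitor in, either automatically right after registration or from
 * the posted login form, and populate $_SESSION with the account identity.
 *
 * @param int|string $auto_login  user_id to log in without a password check
 *                                (the registration row is expected in the
 *                                global $ROW); 0 = use the posted credentials.
 * @return void  Outcome is reported via add_msg() and $_SESSION['logged_in'].
 */
function do_login($auto_login = 0)
{
    global $GO;
    global $ROW;

    // Are we already logged in? Drop any previous session state first.
    do_logout();
    // Everybody goes home after login
    $GO = "Home";

    if ($auto_login) {
        // Happens after registration: the caller vouches for the user.
        // Regenerate the id so a pre-login session id cannot be reused.
        session_regenerate_id(true);
        $_SESSION['logged_in'] = 1;
        $_SESSION['user_id'] = $auto_login;
        $_SESSION['fname'] = $ROW["fname"]; // This is the row used for registration
        $_SESSION['email_id'] = $ROW["email_id"];
    } elseif (get_arg($_POST, "lemail_id") && get_arg($_POST, "lpassword")) {
        // Get parameters
        $_email_id = get_arg($_POST, "lemail_id");
        $_password = get_arg($_POST, "lpassword");

        // Validate ALL parameters; one generic message so the response does
        // not reveal which field was rejected.
        if (!validate("Email ID", $_email_id, 5, 100, "EMAIL")
            || !validate("Password", $_password, 5, 100, "PASSWORD")) {
            add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
            return;
        }

        ##################################################
        #                    DB LOGIN                    #
        ##################################################
        $ROW = db_do_login($_email_id, $_password);

        // Guard the row lookups: on failure there may be no row 0 at all.
        if (isset($ROW[0]['STATUS'], $ROW[0]["NROWS"])
            && $ROW[0]['STATUS'] == "OK" && $ROW[0]["NROWS"] == 1) {
            session_regenerate_id(true);
            $_SESSION['email_id'] = $_email_id;
            $_SESSION['logged_in'] = 1;
            $_SESSION['user_id'] = $ROW[0]["user_id"];
            $_SESSION['fname'] = $ROW[0]["fname"];
            add_msg('SUCCESS', "Welcome " . $ROW[0]["fname"] . "! </br>");
            if ($ROW[0]["type"] == "E") {
                $_SESSION['employee'] = 1;
                // For employees store a backup of their details since they
                // switch roles often
                $_SESSION['e_user_id'] = $ROW[0]["user_id"];
                $_SESSION['e_fname'] = $ROW[0]["fname"];
                $_SESSION['e_email_id'] = $_email_id;
            }
        }
    }

    // logged_in will not be set if we failed anywhere above.
    // (The message previously carried a stray leading "1" - a debug leftover.)
    if (!isset($_SESSION['logged_in']) || !$_SESSION['logged_in']) {
        add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
    }
}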
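/**
 * Comment-system login/logout handler.
 *
 * ?logout=1 ends the session; a posted login form (cmt_login) looks the
 * account up by username and verifies the salted password. On success
 * $_SESSION['cmt_login'] is true and $_SESSION['cmt_id'] holds the account id.
 *
 * @return mixed  The value of print_alert() on a failed login, null otherwise.
 */
function do_login()
{
    global $conn;

    if (isset($_GET['logout'])) {
        $logout = parse($_GET['logout'], 'int');
        if ($logout == 1) {
            do_logout();
        }
    }

    if (!isset($_POST['cmt_login'])) {
        return;
    }

    $username = parse($_POST['login_username'], 'string');
    $password = parse($_POST['login_password'], 'string');

    // Empty credentials can never succeed; reject them before querying.
    if (!$username || !$password) {
        return _cmt_login_failed();
    }

    // NOTE(review): the username predicate in this listing is a literal
    // placeholder ('******'); the real lookup must bind $username as a query
    // parameter (or at least escape it) - never concatenate it into the SQL.
    // TABLE_PREFIX is read from the session; presumably server-set - confirm.
    $sql = "SELECT password, password_salt, id FROM " . $_SESSION['TABLE_PREFIX'] . "cmt_accounts WHERE username = '******' AND c_active = '1'";
    $result = db_mysql_query($sql, $conn);
    if (!db_mysql_num_rows($result)) {
        return _cmt_login_failed();
    }

    $arr = db_mysql_fetch_array($result);
    // hash_equals(): constant-time and strict. A loose '==' between two hex
    // digests is subject to numeric-string juggling ("0e123..." == "0e456...").
    // NOTE(review): salted MD5 is not a suitable password hash; migrate stored
    // hashes to password_hash()/password_verify().
    if (!hash_equals((string) $arr['password'], md5($arr['password_salt'] . $password))) {
        return _cmt_login_failed();
    }

    $_SESSION['cmt_login'] = true;
    $_SESSION['cmt_id'] = $arr['id'];
}

/**
 * Record a failed comment-system login and return the alert result.
 *
 * @return mixed  Whatever print_alert() returns.
 */
function _cmt_login_failed()
{
    $_SESSION['cmt_login'] = false;
    return print_alert('error', v('CMT_HEADLINE_LOGIN_ERROR'), v('CMT_TEXT_LOGIN_ERROR'));
}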
require_once 'db/_user.php'; $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING); $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING); if ($auth = user_authenticate($username, $password)) { //authentifié do_login($username); // Connecté } else { //( ! array_key_exists($_POST['username'] && array_key_exists($_POST['password']))); echo "Vous devez entrer un indentifiant et mot de passe valide"; // TODO Gérer le bla bla de authentification invalide ici } // var_dump($auth);exit(); } elseif (array_key_exists('dologout', $_POST)) { // User cherche à se déconnecter do_logout(); // On le déconnecte header('Location:' . HOME_PAGE); } // ?> <?php if (!check_login()) { // Si l'utilisateur n'est pas connecté ?> <form id="login" name="login" method="post"> <label for="username">Pseudo : </label> <input type="text" name="username" id="username" value="" /> <label for="password">Mot de passe : </label> <input type="password" name="password" id="password" />
/**
 * proccess_request
 * Process the request for the public area.
 *
 * Resolves $this->base_request to a template name (index, view, uploaded,
 * delete, delete-confirm, maintenance, shorturl, a theme page, 'bool' or
 * 404), loads the image record for viewer-type templates, emits the status
 * header and finally loads the template. The 'json' request and the
 * delete-confirm action answer with JSON and terminate instead.
 *
 * Reads: $_GET['v'] (legacy viewer), $_REQUEST (json action), the ImagesUp
 * session entry, $this->request_array / base_request / dB. Writes a number
 * of self::$... statics that the templates read.
 */
private function proccess_request()
{
    global $lang;

    $this->template = 404; // Default template
    $this->pages = $this->get_pages(); // get theme pages

    // Prepare the request array to use the legacy request (?v=file.ext).
    // NOTE(review): '|' binds loosest, so this pattern is
    // (^\w*\.jpg) | (png) | (gif$): any value merely containing "png"
    // matches. Grouping the extensions would tighten it.
    if (check_value($_GET['v']) && preg_match("/^\\w*\\.jpg|png|gif\$/", $_GET['v'])) {
        $this->base_request = '?' . $this->request_array[1];
        unset($this->request_array[1]);
    }

    // '@' hides the notice raised when a session is already active;
    // session_start() is repeated in some cases below for the same reason.
    @session_start();
    // Re-index the upload list so [0] is the first uploaded image.
    if (count($_SESSION['ImagesUp']) > 0) {
        $_SESSION['ImagesUp'] = array_values($_SESSION['ImagesUp']);
        self::$uploaded = true;
    }

    // Maintenance mode overrides whatever was requested.
    if (chevereto_config('maintenance')) {
        $this->base_request = 'maintenance';
    }

    // Switch according the request
    switch ($this->base_request) {
        case '':
        case 'index.php':
            @session_start();
            $_SESSION['last_upload_request'] = time();
            $this->template = 'index';
            break;
        case 'json':
            json_prepare();
            // Do a special trick for the json action=login.
            // NOTE(review): $_REQUEST merges GET, POST and cookies, so the
            // password can be supplied on the query string (and end up in
            // server logs); reading it from $_POST only would be safer.
            if ($_REQUEST['action'] == 'login') {
                // Check for user match...
                $login_user = login_user($_REQUEST['password'], $_REQUEST['keep']);
                if ($login_user !== false) {
                    $json_array = array('status_code' => 200, 'status_txt' => 'logged in');
                } else {
                    $json_array = array('status_code' => 403, 'status_txt' => 'invalid login');
                }
            } elseif ($_REQUEST['action'] == 'logout') {
                do_logout();
                $json_array = array('status_code' => 200, 'status_txt' => 'logged out');
            }
            // Any other action (or an empty result) is reported as unauthorized.
            // Note the key here is 'status' while every other reply uses 'status_code'.
            $json_array = check_value($json_array) ? $json_array : array('status' => 403, 'status_txt' => 'unauthorized');
            session_write_close();
            die(json_output($json_array));
            break;
        case __CHV_VIRTUALFOLDER_IMAGE__:
            // View request
            $id_public = $this->request_array[1];
            $this->template = !is_upload_result() ? 'view' : 'uploaded';
            self::$is_viewer = true;
            break;
        case __CHV_VIRTUALFOLDER_UPLOADED__:
            @session_start();
            if (count($_SESSION['ImagesUp']) > 0) {
                $this->template = 'uploaded';
                self::$doctitle = $lang['doctitle_upload_complete'];
            } else {
                // Nothing was uploaded in this session: back to the front page.
                $this->redirect(__CHV_BASE_URL__, 400);
            }
            break;
        case 'error-javascript':
            chevereto_die(array(get_lang_txt('critical_js_step_1'), get_lang_txt('critical_js_step_2')), 'JavaScript', array(get_lang_txt('critical_js')));
            break;
        case '?chevereto':
            $this->template = 'bool';
            break;
        // Legacy viewer
        case '?v=' . $_GET['v']:
            // View request
            $id_public = $_GET['v'];
            $this->legacy_redirect = true;
            break;
        case 'delete':
        case 'delete-confirm':
            // URL shape: delete[-confirm]/image/<id_public>/<delete hash>
            $id_public = $this->request_array[2];
            $deleteHash = $this->request_array[3];
            $this->template = $this->base_request;
            self::$is_viewer = true;
            break;
        case 'maintenance':
            $this->template = 'maintenance';
            self::$doctitle = chevereto_config('doctitle');
            break;
        default:
            // Pages request
            require_once $this->path_theme . 'pages/pages_config.php'; // We load the special pages config
            // A theme page must exist, have no sub-path and be flagged live;
            // anything else is treated as a short URL for an image.
            if (in_array($this->base_request . '.php', $this->pages) and $this->request_array[1] == '' and $pages_config[$this->base_request]['live']) {
                $this->template = 'pages/' . $this->base_request;
                self::$doctitle = $pages_config[$this->base_request]['title'];
            } else {
                $this->template = 'shorturl';
                $id_public = $this->base_request;
                self::$is_viewer = true;
            }
            break;
    }

    // Ask for the login on index and pages
    if ($this->template == 'index' || $this->template == 'pages/' . $this->base_request) {
        if (conditional_config('private_mode')) {
            if (!is_logged_user()) {
                // $doctitle is read by the included login page.
                $doctitle = get_lang_txt('txt_enter_password') . ' - ' . chevereto_config('doctitle');
                include __CHV_PATH_SYSTEM__ . 'login.php';
                die;
            }
        }
    }

    if ($this->template == 'uploaded') {
        self::$doctitle = get_lang_txt('doctitle_upload_complete');
        self::$image_info = $_SESSION['ImagesUp'][0];
        self::$uploaded_images = $_SESSION['ImagesUp'];
        // Consume the upload list so a reload does not show it again.
        $_SESSION['ImagesUp'] = NULL;
        unset($_SESSION['ImagesUp']);
    }

    // Viewer-type templates need the image record.
    if (preg_match('/view|shorturl|delete/', $this->template) || $this->legacy_redirect) {
        // Test connection
        if ($this->dB->dead) {
            self::$doctitle = 'dB connection error';
            $this->template = 404;
        } else {
            // get image info
            // Legacy ?v= requests carry the raw id; new-style ones carry an encoded id.
            $imageID = $this->legacy_redirect ? $id_public : decodeID($id_public);
            self::$image_info = $this->dB->image_info($imageID);
            self::$id_public = $id_public;
            if (!is_array(self::$image_info)) {
                // Record?
                if ($this->template == 'delete-confirm') {
                    json_output(array('status_code' => 403, 'status_txt' => 'target image doesn\'t exists'));
                } else {
                    $this->template = 404;
                }
            } else {
                if ($this->legacy_redirect) {
                    // NOTE(review): assumes redirect() terminates the request.
                    $this->redirect(__CHV_BASE_URL__ . __CHV_VIRTUALFOLDER_IMAGE__ . '/' . encodeID(self::$image_info['image_id']), 301);
                }
                $target = get_image_target(self::$image_info);
                self::$image_target = $target['image_path'];
                self::$image_thumb_target = $target['image_thumb_path'];
                self::$image_url = absolute_to_url($target['image_path']);
                self::$image_thumb_url = absolute_to_url($target['image_thumb_path']);
                self::$image_filename = self::$image_info['image_filename'];
                self::$image_viewer = __CHV_BASE_URL__ . __CHV_VIRTUALFOLDER_IMAGE__ . '/' . $id_public;
                self::$delete_image_url = __CHV_BASE_URL__ . 'delete/image/' . self::$id_public . '/' . self::$image_info['image_delete_hash'];
                // The delete hash from the URL must exactly match the stored one.
                // NOTE(review): $deleteHash is only assigned in the delete cases,
                // so this reads an undefined variable for view/shorturl (result
                // is still false, but a notice is raised); hash_equals() would
                // also make the comparison constant-time.
                $image_delete_proceed = !empty(self::$image_info['image_delete_hash']) && $deleteHash === self::$image_info['image_delete_hash'] ? true : false;
                switch ($this->template) {
                    case 'delete':
                        if (!$image_delete_proceed) {
                            // Wrong/missing hash: just show the image instead.
                            $this->redirect(__CHV_BASE_URL__ . __CHV_VIRTUALFOLDER_IMAGE__ . '/' . self::$id_public, 301);
                        }
                        self::$delete_image_confirm_url = __CHV_BASE_URL__ . 'delete-confirm/image/' . self::$id_public . '/' . self::$image_info['image_delete_hash'];
                        self::$doctitle = get_lang_txt('doctitle_delete_confirm') . ' ' . self::$image_info['image_filename'];
                        break;
                    case 'delete-confirm':
                        if (!$image_delete_proceed) {
                            // NOTE(review): if json_output() does not terminate, execution
                            // continues to the second json_output() below with $json_array unset.
                            json_output(array('status_code' => 403, 'status_txt' => 'invalid delete hash'));
                        } else {
                            require_once __CHV_PATH_ADMIN_CLASSES__ . 'class.manage.php';
                            $manage = new Manage(array('id' => self::$image_info['image_id'], 'action' => 'delete'));
                            if ($manage->dead) {
                                $json_array = array('status_code' => 403, 'status_txt' => $manage->error);
                            } else {
                                $json_array = $manage->process();
                            }
                        }
                        // Make the status_txt more readable...
                        switch ($json_array['status_code']) {
                            case 200:
                                $json_array['status_txt'] = get_lang_txt('txt_image_deleted');
                                break;
                            default:
                            case 403:
                                $json_array['status_txt'] = get_lang_txt('txt_error_deleting_image');
                                break;
                        }
                        json_output($json_array);
                        break;
                    default:
                        self::$doctitle = get_lang_txt('doctitle_viewing_image') . ' ' . self::$image_info['image_filename'];
                        break;
                }
            }
        }
    }

    if ($this->template == 404) {
        status_header(404);
        self::$doctitle = check_value(self::$doctitle) ? self::$doctitle : get_lang_txt('txt_404_title');
    } else {
        status_header(200);
    }

    // We load the template
    if ($this->template == 'bool') {
        exit(json_encode(true));
    } else {
        $this->load_template();
    }
}
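/**
 * Dispatch one client message to the matching do_* handler and send the
 * JSON reply, tagged with the request's msg_id, back on the user's socket.
 *
 * A request must be a JSON object carrying "method", "resource" and "msg_id".
 * /user and /contact are built-in resources; any other resource is routed to
 * the generic do_*_resource() handlers.
 *
 * @param object $user  connected client; $user->socket receives the reply
 * @param string $msg   raw framed message, decoded with unwrap()
 * @return void  Malformed requests are logged via say() and get no reply.
 */
function process($user, $msg)
{
    $action = unwrap($msg);
    // NOTE(review): this logs the full raw payload; a POST /contact (login)
    // request may carry credentials - consider redacting before logging.
    say("< " . $action);

    $request_body = json_decode($action, true);
    if (empty($request_body)) {
        say("ERROR: invalid request body");
        return;
    }
    if (!array_key_exists("method", $request_body)
        || !array_key_exists("resource", $request_body)
        || !array_key_exists("msg_id", $request_body)) {
        say("ERROR: missing mandatory property");
        return;
    }

    $method = $request_body["method"];
    $resource = $request_body["resource"];

    if ($method == "POST" && $resource == "/user") {
        $result = do_signup($request_body);
    } elseif ($method == "POST" && $resource == "/contact") {
        say("process login");
        $result = do_login($request_body, $user);
    } elseif ($method == "GET" && $resource == "/contact") {
        say("process whoisonline");
        $result = do_whoisonline($user);
    } elseif ($method == "DELETE" && $resource == "/contact") {
        say("process logout");
        $result = do_logout($user);
    } elseif ($method == "NOTIFY" && $resource == "/contact") {
        say("process notify");
        $result = do_notify($request_body, $user);
    } elseif ($resource != "/user" && $resource != "/contact") {
        $result = _process_resource_request($method, $resource, $request_body, $user);
    } else {
        // Built-in resource with a method it does not support.
        $result = _process_unknown_command($method, $resource);
    }

    $result['msg_id'] = $request_body['msg_id'];
    // NOTE(review): header() only affects an HTTP response, not the socket
    // write below - confirm it is still needed.
    header("Content-type: application/json");
    $param = json_encode($result);
    send($user->socket, $param);
}

/**
 * Route a method on a user-defined resource (anything other than /user and
 * /contact). An unsupported method now yields the same "unknown command"
 * failure as the built-in resources instead of a reply holding only msg_id.
 *
 * @return array  Handler result, or the failure array for an unknown method.
 */
function _process_resource_request($method, $resource, $request_body, $user)
{
    switch ($method) {
        case "POST":
            return do_post_resource($request_body, $user);
        case "PUT":
            return do_put_resource($request_body, $user);
        case "GET":
            return do_get_resource($request_body, $user);
        case "DELETE":
            return do_delete_resource($request_body, $user);
        case "SUBSCRIBE":
            return do_subscribe_resource($request_body, $user);
        case "NOTIFY":
            return do_publish_resource($request_body, $user);
        default:
            return _process_unknown_command($method, $resource);
    }
}

/**
 * Failure reply for a method/resource pair that has no handler.
 *
 * @return array  array("code" => "failed", "reason" => "unknown command ...")
 */
function _process_unknown_command($method, $resource)
{
    return array("code" => "failed", "reason" => "unknown command " . $method . " " . $resource);
}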
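/**
 * Log the visitor in, either automatically right after registration or from
 * the posted login form, and fill $_SESSION with the account's identity and
 * role flags.
 *
 * @param int|string $auto_login  user_id to log in without a password check
 *                                (the registration row is expected in the
 *                                global $ROW); 0 = use the posted credentials.
 * @return void  Outcome is reported via add_msg() and $_SESSION['logged_in'].
 */
function do_login($auto_login = 0)
{
    // $GO was declared here before but never used in this function.
    global $ROW;
    global $DOMAIN;

    // Are we already logged in? Drop any previous session state first.
    do_logout();

    if ($auto_login) {
        // Happens after registration: the caller vouches for the user.
        // Regenerate the id so a pre-login session id cannot be reused.
        session_regenerate_id(true);
        $_SESSION['logged_in'] = 1;
        $_SESSION['user_id'] = $auto_login;
        $_SESSION['name'] = $ROW["name"]; // This is the row used for registration
        $_SESSION['email_id'] = $ROW["email_id"];
    } elseif (get_arg($_POST, "lemail_id") && get_arg($_POST, "lpassword")) {
        // Get parameters
        $_email_id = get_arg($_POST, "lemail_id");
        $_password = get_arg($_POST, "lpassword");

        // Validate ALL parameters; one generic message so the response does
        // not reveal which field was rejected.
        if (!validate("Email ID", $_email_id, 5, 100, "EMAIL")
            || !validate("Password", $_password, 5, 100, "PASSWORD")) {
            add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
            return;
        }

        ##################################################
        #                    DB LOGIN                    #
        ##################################################
        $ROW = db_do_login($_email_id, $_password, $DOMAIN);
        // NOTE(review): this dumps the whole result row; if db_do_login returns
        // credential material (e.g. a password hash) it ends up in the log.
        LOG_ARR("INFO", "ROW", $ROW);

        // Guard the row lookups: on failure there may be no row 0 at all.
        if (isset($ROW[0]['STATUS'], $ROW[0]["NROWS"])
            && $ROW[0]['STATUS'] == "OK" && $ROW[0]["NROWS"] == 1) {
            session_regenerate_id(true);
            $_SESSION['email_id'] = $_email_id;
            $_SESSION['logged_in'] = 1;
            $_SESSION['user_id'] = $ROW[0]["user_id"];
            $_SESSION['name'] = $ROW[0]["name"];
            // Role flags default to off; at most one is raised below.
            $_SESSION['is_admin'] = 0;
            $_SESSION['is_supervisor'] = 0;
            $_SESSION['is_superuser'] = 0;
            $_SESSION['is_viewer'] = 0;
            $_SESSION['travel_id'] = $ROW[0]["travel_id"];
            $_SESSION['domain'] = $ROW[0]["domain"];
            $_SESSION['travel_name'] = $ROW[0]["travel_name"];
            switch ($ROW[0]["type"]) {
                case "ADMIN":
                    $_SESSION['is_admin'] = 1;
                    break;
                case "VIEWER":
                    $_SESSION['is_viewer'] = 1;
                    break;
                case "SUPERVISOR":
                    $_SESSION['is_supervisor'] = 1;
                    $_SESSION['supervisor_id'] = $ROW[0]["supervisor_id"];
                    break;
                case "SUPERUSER":
                    $_SESSION['is_superuser'] = 1;
                    break;
            }
            add_msg('SUCCESS', "Welcome " . $ROW[0]["name"] . "! </br>");
        }
    }

    // logged_in will not be set if we failed anywhere above
    if (!isset($_SESSION['logged_in']) || !$_SESSION['logged_in']) {
        add_msg('ERROR', "The email ID or password you entered is incorrect</br>");
    }
    // NOTE(review): logs the complete session contents at INFO level.
    LOG_ARR("INFO", "SESSION", $_SESSION);
}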
/**
 * Admin front controller: serve static admin assets, gate everything else
 * behind the admin login, and answer the 'json' sub-request actions
 * (login, logout, filelist, uploaded, and the Manage actions).
 *
 * @param string $valid_request  request path, already validated by the caller
 *                               (presumably relative to the site root - confirm)
 */
function __construct($valid_request)
{
    // $lang and $dB are declared but not used in this constructor.
    global $lang, $Login, $dB;

    @session_start();

    // Redirect plain /admin/index.php access
    // NOTE(review): assumes redirect() terminates the request.
    if (preg_match('/index\\.php/', $_SERVER['REQUEST_URI'])) {
        $this->redirect($this->base_redirection($this->root_url), 301);
    }

    // Strip the relative root and the admin folder from the request:
    // json?blabla instead of (folder?)/admin/json?blabla
    $admin_request = sanitize_path(str_replace(sanitize_path(__CHV_FOLDER_ADMIN__), "", str_replace(sanitize_path(__CHV_RELATIVE_ROOT__) . '/', "", $valid_request)));
    $this->request_array = explode('/', $admin_request);

    // Map the raw REQUEST_URI onto the filesystem.
    // NOTE(review): this path is built from the raw URI rather than from
    // $valid_request; confirm it is normalised (no '..' segments) and stays
    // under __CHV_ROOT_DIR__ before it is read below.
    $request_file = str_replace('//', '/', __CHV_ROOT_DIR__ . str_replace(__CHV_RELATIVE_ROOT__ == '/' ? '' : __CHV_RELATIVE_ROOT__, '', $_SERVER['REQUEST_URI']));

    // Serve the static file or call the handler?
    // Existing non-PHP files (by MIME type) are streamed to anyone; the
    // script's own directory is excluded.
    if (file_exists($request_file) and !is_dir($request_file) and !preg_match('/php/', get_mime($request_file)) and trim($_SERVER['REQUEST_URI'], '/') !== trim(dirname($_SERVER['SCRIPT_NAME']), '/')) {
        error_reporting(0);
        // NOTE(review): this sends ONE header; the "Cache-Control" and "Pragma"
        // parts end up inside the Content-Type value, not as separate headers.
        header('Content-Type: ' . get_mime($request_file) . '; Cache-Control: no-cache; Pragma: no-cache');
        // readfile() streams the file; its integer return becomes the exit status.
        die(readfile($request_file));
    }

    // Now, deny all direct access to the other resources
    // (directories and PHP files) unless the visitor is an admin.
    // Note this uses $Login->is_admin() while the rest of the method uses is_admin().
    if ((file_exists($request_file) or is_dir($request_file)) and trim($_SERVER['REQUEST_URI'], '/') !== trim(dirname($_SERVER['SCRIPT_NAME']), '/') and !$Login->is_admin()) {
        status_header(403);
        die('Forbidden');
    }

    // Organize the source request: drop the query string from the first segment.
    $request_array_explode = explode('?', $this->request_array[0]);
    $request_base = $request_array_explode[0];

    // Now, lets do sub request according to the base request
    switch ($request_base) {
        case '':
            break; // admin main
        case 'json':
            json_prepare();
            // Do a special trick for the json action=login: it is the only
            // action reachable without an admin session.
            if ($_REQUEST['action'] !== 'login' and !is_admin()) {
                $json_array = array('status_code' => 401, 'status_txt' => 'unauthorized');
            } elseif ($_REQUEST['action'] == 'login') {
                // Check for admin match...
                // NOTE(review): $_REQUEST also covers GET, so the password may
                // arrive on the query string (and in server logs). The loose
                // '==' below would also accept a boolean true from login_user()
                // - confirm its return values and prefer '==='.
                $login_user = login_user($_REQUEST['password'], $_REQUEST['keep']);
                if ($login_user == 'admin') {
                    $json_array = array('status_code' => 200, 'status_txt' => 'logged in');
                } else {
                    $json_array = array('status_code' => 403, 'status_txt' => 'invalid login');
                }
            } elseif ($_REQUEST['action'] == 'logout') {
                do_logout();
                $json_array = array('status_code' => 200, 'status_txt' => 'logged out');
            } elseif ($_REQUEST['action'] == 'filelist') {
                require_once __CHV_PATH_CLASSES__ . 'class.filelist.php';
                $filelist = new FileList($_REQUEST['type'], $_REQUEST['sort'], $_REQUEST['limit'], $_REQUEST['keyword']);
                $json_array = $filelist->filelist;
            } elseif ($_REQUEST['action'] == 'uploaded') {
                // At some point there will be a stats class that will help us to output
                // all the stats. This is just the number of uploaded files now.
                $json_array = array('total' => total_images_uploaded());
            } else {
                // The rest of the actions are for the manage class (delete|rename|resize).
                // NOTE(review): Manage receives the whole $_REQUEST; confirm it
                // validates the action and its parameters itself.
                require_once __CHV_PATH_ADMIN_CLASSES__ . 'class.manage.php';
                $manage = new Manage($_REQUEST);
                if ($manage->dead) {
                    $json_array = array('status_code' => 403, 'status_txt' => $manage->error);
                } else {
                    $json_array = $manage->process();
                }
            }
            $json_array = check_value($json_array) ? $json_array : array('status_code' => 403, 'status_txt' => 'empty json');
            die(json_output($json_array));
            break; // json
        default:
            // Unknown sub-request: 404 for admins, 403 for everyone else
            // (presumably so non-admins cannot probe which sub-requests exist).
            if (is_admin()) {
                status_header(404);
                die('Not found');
            } else {
                status_header(403);
                die('Forbidden');
            }
            break;
    }

    // Send the OK status header
    status_header(200);
    if (!is_admin()) {
        // $doctitle is read by the included login page.
        $doctitle = get_lang_txt('txt_enter_password') . ' - Chevereto File Manager';
        require_once __CHV_PATH_SYSTEM__ . 'login.php';
    } else {
        require_once __CHV_PATH_ADMIN_SYSTEM__ . 'header.php';
        require_once __CHV_PATH_ADMIN_SYSTEM__ . 'filemanager.php';
    }
}