/**
 * Logs in a specified ElggUser. For standard registration, use in conjunction
 * with elgg_authenticate.
 *
 * @see elgg_authenticate
 *
 * @param ElggUser $user       A valid Elgg user object
 * @param boolean  $persistent Should this be a persistent login?
 *
 * @return bool Always true; a refused login is reported by throwing
 * @throws LoginException If the user is banned or a 'login' event handler returned false
 */
function login(ElggUser $user, $persistent = false)
{
    // Banned accounts never get a session, regardless of what plugins say
    if ($user->isBanned()) {
        throw new LoginException(elgg_echo('LoginException:BannedUser'));
    }

    // Plugins may veto the login; note that no user is in the session yet
    $allowed = elgg_trigger_event('login', 'user', $user);
    if (!$allowed) {
        throw new LoginException(elgg_echo('LoginException:Unknown'));
    }

    $session = _elgg_services()->session;

    if ($persistent) {
        // "Remember me": the raw token goes to the browser cookie and the session,
        // its md5 is what gets stored for the user.
        // NOTE(review): md5(name . username . time() . rand()) is not a strong source
        // for a credential that outlives the session; a CSPRNG-backed token is
        // preferable where the runtime provides one.
        $token = md5($user->name . $user->username . time() . rand());
        _elgg_add_remember_me_cookie($user, md5($token));
        $session->set('code', $token);

        $rememberCookie = new ElggCookie("elggperm");
        $rememberCookie->value = $token;
        $rememberCookie->setExpiresTime("+30 days");
        elgg_set_cookie($rememberCookie);
    }

    // Privilege changes here, so rotate the session id (prevents session fixation)
    $session->migrate();
    $session->setLoggedInUser($user);

    set_last_login($user->guid);
    reset_login_failure_count($user->guid);

    return true;
}
文件: sessions.php 项目: jricher/Elgg
/**
 * Logs in a specified ElggUser. For standard registration, use in conjunction
 * with authenticate.
 *
 * @see authenticate
 * @param ElggUser $user       A valid Elgg user object
 * @param boolean  $persistent Should this be a persistent login?
 * @return true|false Whether login was successful
 */
function login(ElggUser $user, $persistent = false)
{
    global $CONFIG; // not read in this function

    // Banned accounts and rate-limited accounts are refused outright
    if ($user->isBanned() || check_rate_limit_exceeded($user->guid)) {
        return false;
    }

    // Populate the session with the user's identity
    $guid = $user->getGUID();
    $_SESSION['user'] = $user;
    $_SESSION['guid'] = $guid;
    $_SESSION['id'] = $guid;
    $_SESSION['username'] = $user->username;
    $_SESSION['name'] = $user->name;

    // Login token: the raw value lives in the session (and in the cookie when
    // persistent), its md5 is persisted on the user entity.
    // NOTE(review): md5(name . username . time() . rand()) is a weak token source
    // for a credential that outlives the session; a CSPRNG-backed token is preferable.
    $token = md5($user->name . $user->username . time() . rand());
    $user->code = md5($token);
    $_SESSION['code'] = $token;
    if ($persistent) {
        setcookie("elggperm", $token, time() + 86400 * 30, "/");
    }

    // Persist the token hash, then let plugins veto the login
    $saved = $user->save();
    if (!$saved || !trigger_elgg_event('login', 'user', $user)) {
        // Roll back everything set above and expire the cookie
        foreach (array('username', 'name', 'code', 'guid', 'id', 'user') as $key) {
            unset($_SESSION[$key]);
        }
        setcookie("elggperm", "", time() - 86400 * 30, "/");
        return false;
    }

    // Privilege has been elevated, so rotate the session id (helps prevent session hijacking)
    session_regenerate_id();

    // Update statistics and clear any previous failed login attempts
    set_last_login($_SESSION['guid']);
    reset_login_failure_count($user->guid);

    // Admin shortcut flag
    if (isadminloggedin()) {
        global $is_admin;
        $is_admin = true;
    }

    return true;
}
/**
 * Logs in a specified \ElggUser. For standard registration, use in conjunction
 * with elgg_authenticate.
 *
 * @see elgg_authenticate
 *
 * @param \ElggUser $user       A valid Elgg user object
 * @param boolean   $persistent Should this be a persistent login?
 *
 * @return bool Always true; a refused login is reported by throwing
 * @throws LoginException If the user is banned, or a 'login:before' or legacy 'login' handler vetoed the login
 */
function login(\ElggUser $user, $persistent = false)
{
    if ($user->isBanned()) {
        throw new \LoginException(elgg_echo('LoginException:BannedUser'));
    }

    $session = _elgg_services()->session;

    // 'login:before': plugins can veto; nobody is in the session yet
    $vetoed = !elgg_trigger_before_event('login', 'user', $user);
    if ($vetoed) {
        throw new \LoginException(elgg_echo('LoginException:Unknown'));
    }

    // #5933: expose the user early so handlers of the legacy 'login' event can
    // call elgg_get_logged_in_user_entity().
    $session->setLoggedInUser($user);

    // Legacy 'login' event: still fired, but flagged as deprecated since 1.9
    $deprecationMessage = "The 'login' event was deprecated. Register for 'login:before' or 'login:after'";
    $deprecatedSince = "1.9";
    if (!elgg_trigger_deprecated_event('login', 'user', $user, $deprecationMessage, $deprecatedSince)) {
        // a legacy handler rejected the login: undo the early session assignment
        $session->removeLoggedInUser();
        throw new \LoginException(elgg_echo('LoginException:Unknown'));
    }

    // "Remember me": cookie with a token, hash of the token stored for the user
    if ($persistent) {
        _elgg_services()->persistentLogin->makeLoginPersistent($user);
    }

    // Privilege has been elevated: rotate the session id (prevents session fixation)
    $session->migrate();

    set_last_login($user->guid);
    reset_login_failure_count($user->guid);

    elgg_trigger_after_event('login', 'user', $user);

    // With memcache on, drop the cached user; deferred to shutdown because of the
    // timing relative to set_last_login() (@see https://github.com/Elgg/Elgg/issues/3143)
    if (is_memcache_available()) {
        register_shutdown_function("_elgg_invalidate_memcache_for_entity", $user->getGUID());
    }

    return true;
}
文件: sessions.php 项目: rasul/Elgg
/**
 * Logs in a specified ElggUser. For standard registration, use in conjunction
 * with elgg_authenticate.
 *
 * @see elgg_authenticate
 *
 * @param ElggUser $user       A valid Elgg user object
 * @param boolean  $persistent Should this be a persistent login?
 *
 * @return bool Always true; a refused login is reported by throwing
 * @throws LoginException If the user is banned, cannot be saved, or a 'login' handler vetoed the login
 */
function login(ElggUser $user, $persistent = false)
{
    global $CONFIG; // not read in this function

    if ($user->isBanned()) {
        throw new LoginException(elgg_echo('LoginException:BannedUser'));
    }

    // Populate the session with the user's identity
    $guid = $user->getGUID();
    $_SESSION['user'] = $user;
    $_SESSION['guid'] = $guid;
    $_SESSION['id'] = $guid;
    $_SESSION['username'] = $user->username;
    $_SESSION['name'] = $user->name;

    if ($persistent) {
        // "Remember me": raw token to the session and the cookie, md5 of it on the user.
        // NOTE(review): md5(name . username . time() . rand()) is a weak token source
        // for a credential that outlives the session; a CSPRNG-backed token is preferable.
        $token = md5($user->name . $user->username . time() . rand());
        $_SESSION['code'] = $token;
        $user->code = md5($token);
        setcookie("elggperm", $token, time() + 86400 * 30, "/");
    }

    // Persist the user first; the event is only fired when that succeeded
    $saved = $user->save();
    $accepted = $saved && elgg_trigger_event('login', 'user', $user);
    if (!$accepted) {
        // Roll back the session population and expire the cookie
        foreach (array('username', 'name', 'code', 'guid', 'id', 'user') as $key) {
            unset($_SESSION[$key]);
        }
        setcookie("elggperm", "", time() - 86400 * 30, "/");
        throw new LoginException(elgg_echo('LoginException:Unknown'));
    }

    // Privilege has been elevated, so rotate the session id (prevents session fixation)
    session_regenerate_id();

    // Update statistics and clear any previous failed login attempts
    set_last_login($_SESSION['guid']);
    reset_login_failure_count($user->guid);

    return true;
}
文件: users.php 项目: riggo/Elgg
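/**
 * Validate and execute a password reset for a user.
 *
 * Looks up the user, checks the supplied confirmation code against the one
 * stored in the user's 'passwd_conf_code' private setting, and on a match
 * assigns a freshly generated password and emails it to the user.
 *
 * @param int    $user_guid The user id
 * @param string $conf_code Confirmation code as sent in the request email.
 *
 * @return mixed The result of notify_user() on success, FALSE otherwise
 */
function execute_new_password_request($user_guid, $conf_code)
{
    global $CONFIG;

    $user_guid = (int) $user_guid;
    $user = get_entity($user_guid);

    // get_entity() may return any entity type; only a user may reach the
    // password-reset path.
    if (!$user instanceof ElggUser) {
        return FALSE;
    }

    $saved_code = $user->getPrivateSetting('passwd_conf_code');
    if (!$saved_code) {
        return FALSE;
    }

    // Strict string comparison: loose == treats two numeric-looking strings
    // (e.g. "0e..." hex codes) as equal. hash_equals() would additionally make
    // this constant-time where the runtime provides it (PHP >= 5.6).
    if (!is_string($conf_code) || (string) $saved_code !== $conf_code) {
        return FALSE;
    }

    $password = generate_random_cleartext_password();
    if (!force_user_password_reset($user_guid, $password)) {
        return FALSE;
    }

    // The code is single-use; clear it and any recorded login failures
    remove_private_setting($user_guid, 'passwd_conf_code');
    reset_login_failure_count($user_guid);

    $email = elgg_echo('email:resetpassword:body', array($user->name, $password));
    return notify_user($user->guid, $CONFIG->site->guid, elgg_echo('email:resetpassword:subject'), $email, NULL, 'email');
}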
/**
 * Logs in a specified ElggUser. For standard registration, use in conjunction
 * with elgg_authenticate.
 *
 * @see elgg_authenticate
 *
 * @param ElggUser $user       A valid Elgg user object
 * @param boolean  $persistent Should this be a persistent login?
 *
 * @return bool Always true; a refused login is reported by throwing
 * @throws LoginException If the user is banned, cannot be saved, or a 'login' handler vetoed the login
 */
function login(ElggUser $user, $persistent = false)
{
    if ($user->isBanned()) {
        throw new LoginException(elgg_echo('LoginException:BannedUser'));
    }

    // Populate the session with the user's identity
    $userGuid = $user->getGUID();
    $_SESSION['user'] = $user;
    $_SESSION['guid'] = $userGuid;
    $_SESSION['id'] = $userGuid;
    $_SESSION['username'] = $user->username;
    $_SESSION['name'] = $user->name;

    if ($persistent) {
        // "Remember me": raw token to the session and the cookie, md5 of it on the user.
        // NOTE(review): md5(name . username . time() . rand()) is a weak token source
        // for a credential that outlives the session; a CSPRNG-backed token is preferable.
        $token = md5($user->name . $user->username . time() . rand());
        $_SESSION['code'] = $token;
        $user->code = md5($token);
        setcookie("elggperm", $token, time() + 86400 * 30, "/");
    }

    // The event is only fired when the user could be saved
    $rejected = !$user->save() || !elgg_trigger_event('login', 'user', $user);
    if ($rejected) {
        // Undo the session population and expire the cookie before bailing out
        unset($_SESSION['user'], $_SESSION['id'], $_SESSION['guid'], $_SESSION['code'], $_SESSION['name'], $_SESSION['username']);
        setcookie("elggperm", "", time() - 86400 * 30, "/");
        throw new LoginException(elgg_echo('LoginException:Unknown'));
    }

    // Privilege has been elevated, so rotate the session id (prevents session fixation)
    session_regenerate_id();

    // Update statistics and clear any previous failed login attempts
    set_last_login($_SESSION['guid']);
    reset_login_failure_count($user->guid);

    // With memcache on, drop the cached user; deferred to shutdown because of the
    // timing relative to set_last_login() (@see https://github.com/Elgg/Elgg/issues/3143)
    if (is_memcache_available()) {
        register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid']);
    }

    return true;
}
文件: sessions.php 项目: elgg/elgg
/**
 * Logs in a specified \ElggUser. For standard registration, use in conjunction
 * with elgg_authenticate.
 *
 * @see elgg_authenticate
 *
 * @param \ElggUser $user       A valid Elgg user object
 * @param boolean   $persistent Should this be a persistent login?
 *
 * @return bool Always true; a refused login is reported by throwing
 * @throws LoginException If the user is banned or a 'login:before' handler vetoed the login
 */
function login(\ElggUser $user, $persistent = false)
{
    if ($user->isBanned()) {
        throw new \LoginException(elgg_echo('LoginException:BannedUser'));
    }

    $session = _elgg_services()->session;

    // 'login:before': plugins can veto; nobody is in the session yet
    $beforeResult = elgg_trigger_before_event('login', 'user', $user);
    if (!$beforeResult) {
        throw new \LoginException(elgg_echo('LoginException:Unknown'));
    }

    // #5933: expose the user early so code run from login events can call
    // elgg_get_logged_in_user_entity().
    $session->setLoggedInUser($user);

    // "Remember me": cookie with a token, hash of the token stored for the user
    if ($persistent) {
        _elgg_services()->persistentLogin->makeLoginPersistent($user);
    }

    // Privilege has been elevated: rotate the session id (prevents session fixation)
    $session->migrate();

    $guid = $user->guid;
    set_last_login($guid);
    reset_login_failure_count($guid);

    elgg_trigger_after_event('login', 'user', $user);

    return true;
}
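/**
 * Validate and execute a password reset for a user.
 *
 * Looks up the user, checks the supplied confirmation code against the one
 * stored in the user's 'passwd_conf_code' private setting, and on a match
 * assigns a freshly generated password and emails it to the user via
 * zhgroups_send_email().
 *
 * @param int    $user_guid The user id
 * @param string $conf_code Confirmation code as sent in the request email.
 *
 * @return mixed The result of zhgroups_send_email() on success, FALSE otherwise
 */
function execute_new_password_request($user_guid, $conf_code)
{
    $user_guid = (int) $user_guid;
    $user = get_entity($user_guid);

    // get_entity() may return any entity type; only a user may reach the
    // password-reset path.
    if (!$user instanceof ElggUser) {
        return FALSE;
    }

    $saved_code = $user->getPrivateSetting('passwd_conf_code');
    if (!$saved_code) {
        return FALSE;
    }

    // Strict string comparison: loose == treats two numeric-looking strings
    // (e.g. "0e..." hex codes) as equal. hash_equals() would additionally make
    // this constant-time where the runtime provides it (PHP >= 5.6).
    if (!is_string($conf_code) || (string) $saved_code !== $conf_code) {
        return FALSE;
    }

    $password = generate_random_cleartext_password();
    if (!force_user_password_reset($user_guid, $password)) {
        return FALSE;
    }

    // The code is single-use; clear it and any recorded login failures
    remove_private_setting($user_guid, 'passwd_conf_code');
    reset_login_failure_count($user_guid);

    $email = '<div style="color:#333;font-size:16px;">' . elgg_echo('email:resetpassword:body', array($user->name, $password)) . '</div>';
    $site_name = elgg_get_site_entity()->name;
    return zhgroups_send_email($site_name, $user->email, elgg_echo('email:resetpassword:subject', array($site_name)), $email);
}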
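/**
 * 'login' plugin hook handler: after repeated failed logins, additionally
 * require a valid captcha before the credentials are accepted.
 *
 * The check is only active when the GD extension (needed to render the
 * captcha) is loaded; without it the hook lets every login through.
 *
 * @param string $hook        Hook name
 * @param string $entity_type Entity type the hook was triggered for
 * @param mixed  $returnvalue Current hook return value (not used here)
 * @param array  $params      Hook parameters (not used here)
 *
 * @return bool Whether the login may proceed
 */
function siteaccess_login_hook($hook, $entity_type, $returnvalue, $params)
{
    if (!extension_loaded("gd")) {
        return true;
    }

    $username = get_input('username');
    $password = get_input('password');

    // The failure counter lives in the session; initialise it so reading and
    // incrementing it below never hits an undefined index.
    // NOTE(review): a per-session counter is reset whenever the client starts a
    // fresh session, so the server-side failure count is the durable limit -
    // confirm it is enforced elsewhere.
    if (!isset($_SESSION['login_error_count'])) {
        $_SESSION['login_error_count'] = 0;
    }

    $valid = false;
    if (!empty($username) && !empty($password)) {
        $user = siteaccess_auth_userpass(array('username' => $username, 'password' => $password));
        if ($user) {
            $valid = true;
        } else {
            $_SESSION['login_error_count']++;
        }

        // After more than three failures the captcha must also be solved.
        // Parenthesised explicitly: "$valid = a && b" assigns the conjunction,
        // which is the intent, but reads like a comparison.
        if ($_SESSION['login_error_count'] > 3) {
            $valid = (siteaccess_validate_captcha() && $user);
            if ($valid) {
                reset_login_failure_count($user->guid);
            }
        }
    }

    if (!$valid) {
        register_error(elgg_echo('loginerror'));
    }

    return $valid;
}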
 /**
  * Validate and change password for a user.
  *
  * Verifies the confirmation code (and its age) stored for the user, then
  * applies either the supplied password or a freshly generated one and
  * notifies the user by email.
  *
  * @param int    $user_guid The user id
  * @param string $conf_code Confirmation code as sent in the request email.
  * @param string $password  Optional new password, if not randomly generated.
  *
  * @return bool True on success, false if the user, code or password change is invalid
  */
 function executeNewPasswordReset($user_guid, $conf_code, $password = null)
 {
     $user_guid = (int) $user_guid;
     $user = get_entity($user_guid);

     // No password supplied means "reset to a random one"; this also selects the email template
     $reset = ($password === null);
     if ($reset) {
         $password = generate_random_cleartext_password();
     }

     if (!$user instanceof \ElggUser) {
         return false;
     }

     $saved_code = $user->getPrivateSetting('passwd_conf_code');
     $code_time = (int) $user->getPrivateSetting('passwd_conf_time');

     // Compared through the crypto service rather than a plain == on strings
     $codes_match = _elgg_services()->crypto->areEqual($saved_code, $conf_code);
     if (!$saved_code || !$codes_match) {
         return false;
     }

     // Codes older than 24h are discarded for security
     $maxAge = 24 * 60 * 60;
     if (!$code_time || $code_time < time() - $maxAge) {
         return false;
     }

     if (!$this->forcePasswordReset($user, $password)) {
         return false;
     }

     // The code is single-use: drop it with its timestamp and clear login failures
     remove_private_setting($user_guid, 'passwd_conf_code');
     remove_private_setting($user_guid, 'passwd_conf_time');
     reset_login_failure_count($user_guid);

     $translator = _elgg_services()->translator;
     $ns = $reset ? 'resetpassword' : 'changepassword';
     $message = $translator->translate("email:{$ns}:body", array($user->username, $password), $user->language);
     $subject = $translator->translate("email:{$ns}:subject", array(), $user->language);
     notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, array(), 'email');

     return true;
 }
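/**
 * Validate and change password for a user.
 *
 * Verifies the confirmation code (and its age) stored for the user, then
 * applies either the supplied password or a freshly generated one and
 * notifies the user by email.
 *
 * @param int    $user_guid The user id
 * @param string $conf_code Confirmation code as sent in the request email.
 * @param string $password  Optional new password, if not randomly generated.
 *
 * @return bool True on success
 */
function execute_new_password_request($user_guid, $conf_code, $password = null)
{
    $user_guid = (int) $user_guid;
    $user = get_entity($user_guid);

    // No password given means "reset to a generated one". $reset is always
    // initialised: previously it was only set in the generated branch, so the
    // 'changepassword' path read an undefined variable.
    $reset = ($password === null);
    if ($reset) {
        $password = generate_random_cleartext_password();
    }

    if (!elgg_instanceof($user, 'user')) {
        return false;
    }

    $saved_code = $user->getPrivateSetting('passwd_conf_code');
    $code_time = (int) $user->getPrivateSetting('passwd_conf_time');

    // Strict string comparison: loose != treats two numeric-looking strings
    // (e.g. "0e..." hex codes) as equal. hash_equals() would additionally make
    // this constant-time where the runtime provides it (PHP >= 5.6).
    if (!$saved_code || !is_string($conf_code) || (string) $saved_code !== $conf_code) {
        return false;
    }

    // Discard for security if it is 24h old
    if (!$code_time || $code_time < time() - 24 * 60 * 60) {
        return false;
    }

    if (!force_user_password_reset($user_guid, $password)) {
        return false;
    }

    // The code is single-use: remove it with its timestamp and clear login failures
    remove_private_setting($user_guid, 'passwd_conf_code');
    remove_private_setting($user_guid, 'passwd_conf_time');
    reset_login_failure_count($user_guid);

    $ns = $reset ? 'resetpassword' : 'changepassword';
    $subject = elgg_echo("email:{$ns}:subject", array(), $user->language);
    $body = elgg_echo("email:{$ns}:body", array($user->username, $password), $user->language);
    notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $body, array(), 'email');

    return true;
}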