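/**
 * Validate a password-change form and, when everything checks out, store the
 * new password for the logged-in person ($_SESSION["user"]->id).
 *
 * Checks, in order: both new-password fields agree; the new password differs
 * from the current one (when a "password" field is present); the supplied
 * current password verifies against the stored hash.
 *
 * @param object $form form with fields newpassword1, newpassword2 and
 *                     optionally password (the current one)
 * @return bool|null false when a validation error was set on a field,
 *                   null after the password was updated
 */
function prooveOldPassword($form)
{
    $newPassword = $form->fields["newpassword1"]->getValue();
    // Strict comparison: these are user-typed strings, and "==" type juggling
    // must never make two different passwords compare equal.
    if ($newPassword !== $form->fields["newpassword2"]->getValue()) {
        $form->fields["newpassword1"]->setError(" ");
        $form->fields["newpassword2"]->setError(t("password.does.not.match.the.previous"));
        return false;
    }
    $hasCurrentPasswordField = isset($form->fields["password"]);
    if ($hasCurrentPasswordField && $newPassword === $form->fields["password"]->getValue()) {
        $form->fields["newpassword1"]->setError(t("please.take.new.password"));
        return false;
    }
    $res = db_query("select * from {cdb_person} where id=:id", array(":id" => $_SESSION["user"]->id));
    $person = $res->fetch();
    // Bug fix: the field object itself used to be handed to user_check_password();
    // the plaintext has to be read with getValue(), as everywhere else here.
    if ($hasCurrentPasswordField && !user_check_password($form->fields["password"]->getValue(), $person)) {
        $form->fields["password"]->setError(t("password.is.incorrect"));
        return false;
    }
    $scrambled_password = scramble_password($newPassword);
    db_query("update {cdb_person} set password=:password where id=:id", array(":id" => $_SESSION["user"]->id, ":password" => $scrambled_password));
    $oldpwd = $_SESSION["user"]->password;
    addInfoMessage(t("password.changes.successfully"));
    // No stored password means the person logged in with a login string and
    // now has to be forwarded to home.
    if ($oldpwd == null) {
        header("Location: ?q=home");
        // NOTE(review): execution continues after the redirect header; the caller
        // must not emit output afterwards or the Location header is pointless.
    }
}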
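 /**
  * Verify a plaintext password against a stored Drupal password hash.
  *
  * @param string $password plaintext candidate
  * @param string $saved    stored hash (the users.pass column value)
  * @return bool TRUE when the password matches the hash
  */
 function comparepassword($password, $saved)
 {
     require_once DRUPAL_ROOT . '/includes/password.inc';
     // Bug fix: `new Object()` refers to a class PHP does not provide (and
     // "Object" is a reserved class name since PHP 7.2), so this could only
     // work if the project happened to define one. A bare stdClass carrying
     // the ->pass property is what user_check_password() is given here.
     $account = new stdClass();
     $account->pass = $saved;
     return user_check_password($password, $account);
 }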
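/**
 * Check whether the site administrator (uid 1) uses a guessable username or
 * password and, if so, append a warning line to the report file held in
 * $GLOBALS['createdFile'].
 *
 * Candidates are a handful of common defaults plus the site name; for the
 * password check the admin's own username is tried as well. No return value.
 */
function check_username_password()
{
    $sitename = variable_get('site_name', "Default site name");
    $commonNames = array('admin', 'admin123', 'siteadmin', 'siteadmin123', $sitename);
    $query = db_select('users', 'u')->fields('u', array('name'))->condition('u.uid', 1)->execute()->fetchAssoc();
    if (!$query) {
        // No uid 1 row: nothing to check.
        return;
    }
    $adminName = $query['name'];
    // Strict in_array so no type juggling can produce a false match.
    if (in_array($adminName, $commonNames, TRUE)) {
        // The username is database content being written into an HTML report;
        // escape it so a crafted name cannot inject markup into the report.
        $data = "<li><b>Error </b>Change site administrator's username ie <b>" . htmlspecialchars($adminName, ENT_QUOTES, 'UTF-8') . "</b></li>";
        fwrite($GLOBALS['createdFile'], $data);
    }
    $candidates = $commonNames;
    $candidates[] = $adminName;
    $account = user_load_by_name($adminName);
    if (!$account) {
        return;
    }
    // user_check_password() lives in password.inc, which Drupal does not load
    // on every request; require_once is idempotent if it already is.
    require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
    foreach ($candidates as $candidate) {
        if (user_check_password($candidate, $account)) {
            $data = "<li><b>Error </b>Need to change site administrator's password immediately.</li>";
            fwrite($GLOBALS['createdFile'], $data);
            break;
        }
    }
}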
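 /**
  * Authenticate the user against the drupal db
  *
  * With $loadCMSBootstrap the Drupal bootstrap is loaded with the credentials
  * and the resulting global $user decides; otherwise (SOAP, see CRM-8638) the
  * users row is read directly over the PEAR DB connection and the stored hash
  * is verified with Drupal's user_check_password().
  *
  * @param string $name     the user name
  * @param string $password the password for the above user name
  * @param boolean $loadCMSBootstrap load cms bootstrap?
  * @param NULL|string $realPath filename of script
  *
  * @return mixed false if no auth
  *               array(
  *  contactID, ufID, unique string ) if success
  * @access public
  */
 static function authenticate($name, $password, $loadCMSBootstrap = FALSE, $realPath = NULL)
 {
     require_once 'DB.php';
     $config = CRM_Core_Config::singleton();
     $dbDrupal = DB::connect($config->userFrameworkDSN);
     if (DB::isError($dbDrupal)) {
         // Keep the DSN out of the message: a PEAR DB DSN normally embeds the
         // database user and password, and a fatal error may be rendered to the
         // client or written to a log.
         CRM_Core_Error::fatal("Cannot connect to drupal db, " . $dbDrupal->getMessage());
     }
     $account = $userUid = $userMail = NULL;
     if ($loadCMSBootstrap) {
         $bootStrapParams = array();
         if ($name && $password) {
             $bootStrapParams = array('name' => $name, 'pass' => $password);
         }
         CRM_Utils_System::loadBootStrap($bootStrapParams, TRUE, TRUE, $realPath);
         global $user;
         if ($user) {
             // An anonymous $user carries uid 0, which fails the check below.
             $userUid = $user->uid;
             $userMail = $user->mail;
         }
     } else {
         // CRM-8638
         // SOAP cannot load drupal bootstrap and hence we do it the old way
         // Contact CiviSMTP folks if we run into issues with this :)
         $cmsPath = $config->userSystem->cmsRootPath($realPath);
         require_once "{$cmsPath}/includes/bootstrap.inc";
         require_once "{$cmsPath}/includes/password.inc";
         $strtolower = function_exists('mb_strtolower') ? 'mb_strtolower' : 'strtolower';
         // $name is user input: it is lower-cased and escaped before being
         // interpolated into the SQL below (this driver has no placeholders here).
         $name = $dbDrupal->escapeSimple($strtolower($name));
         $sql = "\nSELECT u.*\nFROM   {$config->userFrameworkUsersTableName} u\nWHERE  LOWER(u.name) = '{$name}'\nAND    u.status = 1\n";
         $query = $dbDrupal->query($sql);
         $row = $query->fetchRow(DB_FETCHMODE_ASSOC);
         if ($row) {
             // user_check_password() wants an account object; only name and pass are set on it here.
             $fakeDrupalAccount = drupal_anonymous_user();
             $fakeDrupalAccount->name = $name;
             $fakeDrupalAccount->pass = $row['pass'];
             $passwordCheck = user_check_password($password, $fakeDrupalAccount);
             if ($passwordCheck) {
                 $userUid = $row['uid'];
                 $userMail = $row['mail'];
             }
         }
     }
     if ($userUid && $userMail) {
         CRM_Core_BAO_UFMatch::synchronizeUFMatch($account, $userUid, $userMail, 'Drupal');
         $contactID = CRM_Core_BAO_UFMatch::getContactId($userUid);
         if (!$contactID) {
             return FALSE;
         }
         // NOTE(review): mt_rand() is not a CSPRNG; if any caller treats this
         // "unique string" as a secret it must come from a secure random source.
         return array($contactID, $userUid, mt_rand());
     }
     return FALSE;
 }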
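/**
 * Change the e-mail address of the logged-in user ($_SESSION['user_id']).
 *
 * Unless the account is an OpenID one, the current password in
 * $post['passwd'] has to verify first. The new address is lower-cased,
 * trimmed, validated and checked for uniqueness before the update.
 *
 * @param array $post request data with keys 'email' and 'passwd'
 * @return int 1 changed, 2 password wrong, 3 e-mail invalid, 4 e-mail already used
 */
function user_change_email($post)
{
    // sql_query() takes a ready-made string, so the session value is cast to
    // int before interpolation; only a number can ever reach the query.
    $userId = (int) $_SESSION['user_id'];
    $r = sql_fetch_array(sql_query("SELECT user_name FROM users WHERE user_id = " . $userId . " LIMIT 1"));
    $login = $r['user_name'];
    $email = strtolower(trim(isset($post['email']) ? $post['email'] : ''));
    $passwd = isset($post['passwd']) ? $post['passwd'] : '';
    if (!is_user_openid($_SESSION['user_id']) && !user_check_password($login, $passwd)) {
        return 2;
    }
    if (!is_valid_email($email)) {
        return 3;
    }
    $res = sql_pe("SELECT user_id FROM users WHERE user_email=? LIMIT 1", array($email));
    if (sizeof($res) > 0) {
        return 4;
    }
    sql_pe("UPDATE `users` SET `user_email`=? WHERE `user_id`=? LIMIT 1", array($email, $_SESSION['user_id']));
    return 1;
}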
     if (isset($_GET['all_forms'])) {
         $all_forms = (bool) $_GET['all_forms'];
     } else {
         $all_forms = false;
     }
     $answer['answer'] = get_search_results($_GET['query'], !$all_forms);
     foreach ($answer['answer']['results'] as &$res) {
         $parts = array();
         foreach (get_book_parents($res['book_id'], true) as $p) {
             $parts[] = $p['title'];
         }
         $res['text_fullname'] = join(': ', array_reverse($parts));
     }
     break;
 case 'login':
     // Credentials are read straight from the request body; a missing key
     // would reach user_check_password() as null (with a PHP notice).
     $user_id = user_check_password($_POST['login'], $_POST['password']);
     if ($user_id) {
         // The token returned by remember_user() is handed back to the client;
         // the meaning of its two false flags is not visible here.
         $token = remember_user($user_id, false, false);
         $answer['answer'] = array('user_id' => $user_id, 'token' => $token);
     } else {
         // Generic message: does not reveal whether the login exists.
         $answer['error'] = 'Incorrect login or password';
     }
     break;
 case 'get_available_morph_tasks':
     // NOTE(review): $user_id is only assigned in the 'login' case above; for
     // this action it has to be set earlier, outside this excerpt — confirm.
     $answer['answer'] = array('tasks' => get_available_tasks($user_id, true));
     break;
 case 'get_morph_task':
     if (empty($_POST['pool_id']) || empty($_POST['size'])) {
         throw new UnexpectedValueException("Wrong args");
     }
     // timeout is in seconds
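/**
 * Validate the login form: look the person up by e-mail, CMS user id or id,
 * verify the password and log them in.
 *
 * Several persons may share one e-mail address (family members), so every
 * match is tried; the first one whose password verifies and whose account is
 * active is logged in. A wrong password increments that person's
 * loginerrorcount; above 6 the person is not checked any more.
 *
 * @param object $form form with fields email, password and optionally rememberMe
 * @return bool|null null after a successful login, false with an error set
 *                   on the offending field otherwise
 */
function prooveLogin($form)
{
    $identifier = $form->fields["email"]->getValue();
    $res = db_query("select * from {cdb_person} where (email=:email or cmsuserid=:email or id=:email) and archiv_yn=0", array(":email" => $identifier));
    $inactive = false;
    $lockedOut = false;
    $unknown = true;
    // Loop because e-mail addresses of family members may be used more than once.
    foreach ($res as $person) {
        $unknown = false;
        if ($person->loginerrorcount > 6) {
            $lockedOut = true;
            continue;
        }
        if (!user_check_password($form->fields["password"]->getValue(), $person)) {
            // Parameterised like the other queries; the id comes from the DB,
            // but interpolating values into SQL is the habit that bites later.
            db_query("update {cdb_person} set loginerrorcount=loginerrorcount+1 where id=:id", array(":id" => $person->id));
            continue;
        }
        if ($person->active_yn == 0) {
            $inactive = true;
            continue;
        }
        $rememberMe = isset($form->fields["rememberMe"]) ? $form->fields["rememberMe"]->getValue() : false;
        login_user($person, $rememberMe);
        return null;
    }
    if ($unknown) {
        // NOTE(review): this message differs from the wrong-password one below,
        // so the form reveals whether an e-mail/username exists.
        $form->fields["email"]->setError(t('email.or.username.unknown'));
        ct_log("Login failed: wrong email " . $identifier, 2, "-1", "login");
        return false;
    }
    if ($inactive) {
        $form->fields["email"]->setError(t('account.was.locked'));
        ct_log("Login failed: Access locked " . $identifier, 1, "-1", "login");
        return false;
    }
    if ($lockedOut) {
        $form->fields["email"]->setError(t('account.was.locked.cause.of.to.many.trials'));
        ct_log("Login failed: To many trials " . $identifier, 1, "-1", "login");
        return false;
    }
    $form->fields["password"]->setError(t('wrong.password') . ' <a href="#" id="newpwd">' . t('forgot.password') . '</a>');
    ct_log("Login failed: " . $identifier . " wrong password", 2, "-1", "login");
    return false;
}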
/**
 * Validate the login form.
 *
 * Looks the person up by e-mail, CMS user id or id (archived persons are
 * excluded), tries every match because family members may share one e-mail,
 * and logs in the first one whose password verifies and who is active. A
 * failed password check bumps that person's loginerrorcount; persons with
 * more than 6 failures are skipped. Note that the "unknown" and "wrong
 * password" messages differ, so the form reveals whether an identifier exists.
 *
 * TODO: is there a difference between returning false or null?
 * @param CTForm $form
 * @return bool|null null after a login, false after setting a field error
 */
function validateLogin($form)
{
    $identifier = $form->fields["email"]->getValue();
    $matches = db_query("SELECT * FROM {cdb_person}\n                   WHERE (email=:email OR cmsuserid=:email OR id=:email) AND archiv_yn=0", array(":email" => $identifier));
    $found = false;
    $sawInactive = false;
    $sawLockedOut = false;
    foreach ($matches as $person) {
        $found = true;
        if ($person->loginerrorcount > 6) {
            $sawLockedOut = true;
            continue;
        }
        if (!user_check_password($form->fields["password"]->getValue(), $person)) {
            db_query("UPDATE {cdb_person} SET loginerrorcount=loginerrorcount+1\n                  WHERE id=:id", array(':id' => $person->id));
            continue;
        }
        if (!$person->active_yn) {
            $sawInactive = true;
            continue;
        }
        $remember = isset($form->fields["rememberMe"]) ? $form->fields["rememberMe"]->getValue() : false;
        login_user($person, $remember);
        return null;
    }
    // Nobody was logged in: report the most specific reason, in the precedence
    // unknown identifier > inactive account > locked out > wrong password.
    if (!$found) {
        $form->fields["email"]->setError(t('email.or.username.unknown'));
        ct_log("Login failed: wrong email " . $identifier, 2, "-1", "login");
        return false;
    }
    if ($sawInactive) {
        $form->fields["email"]->setError(t('account.was.locked'));
        ct_log("Login failed: Access locked " . $identifier, 1, "-1", "login");
        return false;
    }
    if ($sawLockedOut) {
        $form->fields["email"]->setError(t('account.was.locked.cause.of.to.many.trials'));
        ct_log("Login failed: To many trials " . $identifier, 1, "-1", "login");
        return false;
    }
    $form->fields["password"]->setError(t('wrong.password') . ' <a href="#" id="newpwd">' . t('forgot.password') . '</a>');
    ct_log("Login failed: " . $identifier . " wrong password", 2, "-1", "login");
    return false;
}
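/**
 * Handle login request.
 *
 * Looks the user up by username, or by e-mail address when the submitted
 * 'username' contains an "@", verifies the password and starts the session.
 *
 * @return string the url to display when complete.
 */
function command_login()
{
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    // An "@" in the 'username' signals that the user most likely typed their
    // e-mail address rather than their username.
    if (strpos($username, "@") === False) {
        $user_opts = array('filter' => array('username' => $username));
    } else {
        $user_opts = array('filter' => array('email' => $username));
    }
    $users = user_data($user_opts);
    // Unknown user and wrong password yield the same message, so the login
    // form cannot be used to enumerate accounts; the former extra
    // 'No user found' error gave that away.
    if (sizeof($users) < 1) {
        error_register('Invalid username/password');
        // Bug fix: this path used to `return;` (null) although the function
        // promises a url, so callers got nowhere to redirect to.
        return crm_url('login');
    }
    $user = $users[0];
    if (user_check_password($password, $user)) {
        user_login($user['cid']);
        return crm_url();
    }
    error_register('Invalid username/password');
    return crm_url('login');
}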
 /**
  * Check a username (or e-mail address) and password against Drupal's users.
  *
  * Lookup is by name first, then by mail. Unknown names and blocked accounts
  * (status 0) fail without the password ever being checked.
  *
  * @param string $username name or e-mail address
  * @param string $password plaintext password
  * @return bool TRUE only for an existing, active account with a matching password
  */
 public function checkUserCredentials($username, $password)
 {
     $candidate = user_load_by_name($username);
     if (!$candidate) {
         // The caller may have supplied an e-mail address instead of the name.
         $candidate = user_load_by_mail($username);
     }
     if (!$candidate || !$candidate->status) {
         return FALSE;
     }
     // password.inc is loaded lazily by Drupal; pull it in before verifying.
     require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
     return user_check_password($password, $candidate);
 }